1.2 Understanding Resources

The Identity Manager drivers maintain the permission model by collecting account IDs and permission assignments from external systems. Identity Manager calls these permissions entitlements. Identity Manager uses entitlements to provide users with access to resources in connected systems. For more information about entitlements, see Identity Manager Entitlements Guide.

The entitlement model can become technical and difficult for business users to manage. The Identity Manager Resource model simplifies the entitlement model by giving you a convenient way to do resource-based provisioning. A resource is any digital entity, such as a user account, computer, or database, that a business user needs to be able to access. A resource definition can have no more than one entitlement bound to it. A resource definition can be bound to the same entitlement more than once, with different entitlement parameters for each resource.

The resource model makes it easy for business managers to make decisions about who should get access to what. The resource model also allows IT personnel to quickly see which users have access to what, which resources are available, and which rights and resources are assigned to which roles. For more information, see Introducing Roles and Resources in the User Application: User Guide.

Figure 1-1 illustrates the role administration scenario. For more information about roles, see Section 3.0, Role Administration.

Figure 1-1 Role Administration

You can use Catalog Administrator to create and manage roles by defining several aspects of roles, such as role levels, categories, and owners. You can also define child roles and separation of duties constraints for roles. When the Role Administrator sets up a role, the Resource Administrator can associate a resource with this role.

As a Role Administrator, you can perform the following tasks in Catalog Administrator:

  • Create, remove, and modify roles

  • Modify role relationships for roles

  • Create, remove, and modify separation of duty constraints

  • Browse the list of roles

Figure 1-2 illustrates the resource administration scenario. For more information about resources, see Section 4.0, Resource Administration.

Figure 1-2 Resource Administration

As a Resource Administrator, you can create, modify, delete, and browse resources, and associate resources with an individual role or with a role that is part of another role, a group, or a container in an organization. You can associate only resources with a role.