- Role Types
IdentityIQ’s Two-Tier Role Model
IdentityIQ uses a two-tier role model to facilitate matching a user’s business responsibilities to their actual access.
- Business Roles generally represent job functions, titles, or responsibilities. They are usually tied to the organizational structure and are assigned to users based on their functions in the business – such as “Treasury Analyst” or “Accounts Payable Clerk”. Business roles define the desired state for a user’s access – what do we want someone with this job function to be able to do, or not do? Business roles are assigned to users directly, either automatically via attribute matching on things like job title or department, or via request, which may come from the user himself or from someone else, like a manager or an application owner.
- IT Roles encapsulate sets of system entitlements. They are tied to actual permissions within an application or target system. They represent the actual state of the user’s access, such as an account, entitlement, or permission. A user’s IT roles can be detected in IdentityIQ based on the entitlements that user has. Access can also be provisioned in IdentityIQ via IT roles.
By default, there are four types of roles configured in IdentityIQ:
- Organizational: organize the roles in the IdentityIQ UI for easier management.
- Business: identify job functions or titles or other attributes by which users can be grouped.
- IT: encapsulate sets of system entitlements.
- Entitlement: represent individual system entitlements.
- A role is a collection of entitlements or other roles that enables an identity to access resources and to perform certain operations within an organization.
- Role Mining is used to create roles based on specified criteria in an existing enterprise. Business role mining within IdentityIQ facilitates the creation of organizational groupings based on identity attributes – for example department, cost center or job title.
- IT Role Mining creates roles based on the mining of entitlements within the enterprise.
- IdentityIQ uses roles to monitor entitlements, identify separation-of-duty policy violations, and compile identity risk scores to maintain compliance.
- Role Assignment - The process of granting roles to users. Can be performed through self-service tools or via an automatic assignment rule.
- Organizational roles are commonly used to model the company's organizational structure. Each organizational unit can be created as an organizational role in IdentityIQ, arranged hierarchically to match the actual organizational structure.
- Another common strategy is to use organizational roles as “container” roles, especially for mined business and IT roles.
- Business roles are typically used to represent job functions or job titles.
- In business role mining, roles are identified based on one or more Identity Attributes in IdentityIQ. For example, if Job Title is one of the identity attributes, a business role can be created based on each unique Job Title.
- Mined business roles are created in a disabled state and must be activated before they can be assigned to any identity, either automatically or through an access request. Mined business roles also automatically contain assignment logic that assigns them to identities whose attributes match the criteria used to identify the role, once the role is activated. Because activation immediately drives assignment, review the mined criteria before enabling the role.
- To link the business role to more than one organizational role and therefore show it multiple places in the hierarchy, add all of the organizational roles to the business role’s Inherited Roles list.
- IT roles allow multiple entitlements from one or more applications to be grouped together into a single role.
- Roles created from IT Role Mining are created in a disabled state and must be enabled before they will be detected for any user. Entitlement Analysis roles are created in an enabled state and will be detected for users in the next identity refresh task execution.
- IT roles are connected to business roles through the Required Roles and Permitted Roles lists. Required roles are provisioned automatically when the business role is assigned; permitted roles are access the holder of the business role is allowed to have (for example via request) without it being treated as an exception, but they are not provisioned automatically.
- Entitlement roles, like business roles, can be assigned directly to Identities. Unlike business roles, however, they do not have an Assignment Rule in their default configuration, so they must be manually assigned to Identities. One alternative to manual assignment, though, is to link them to a business role as a Required or Permitted Role; when the business role is assigned to an Identity, the entitlement role is provisioned in the same way required/permitted IT roles are provisioned.
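The notes above describe business roles as the desired state (assigned from identity attributes), IT and entitlement roles as the actual state (detected from held entitlements), and the Required/Permitted lists as the link between them. The following is an added example, not IdentityIQ code or configuration: a small Python model of that two-tier scheme that reconciles desired against actual access for an identity, reporting required roles that still need provisioning and entitlements that no assigned role justifies. It also shows that a disabled (mined) role is neither assigned nor detected until enabled, and that enabling it makes it detectable without making the access legitimate. All role, application, entitlement and identity names are constructed for the example.

```python
"""Toy model of the two-tier role model (added example; not IdentityIQ code).
All names below are constructed sample data."""
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Set, Tuple

Entitlement = Tuple[str, str, str]  # (application, attribute, value)


@dataclass
class Role:
    name: str
    type: str                                  # organizational | business | it | entitlement
    enabled: bool = True                       # mined roles start disabled
    criteria: Dict[str, str] = field(default_factory=dict)   # business: assignment logic
    profile: FrozenSet[Entitlement] = frozenset()            # it/entitlement: entitlements
    required: List[str] = field(default_factory=list)        # Required Roles list
    permitted: List[str] = field(default_factory=list)       # Permitted Roles list
    inherits: List[str] = field(default_factory=list)        # Inherited (organizational) roles


@dataclass
class Identity:
    name: str
    attributes: Dict[str, str]
    entitlements: Set[Entitlement]


def assign_business_roles(identity: Identity, roles: Dict[str, Role]) -> List[str]:
    """Desired state: a business role is auto-assigned when every attribute
    criterion matches. Disabled roles are never assigned."""
    return sorted(r.name for r in roles.values()
                  if r.type == "business" and r.enabled and r.criteria
                  and all(identity.attributes.get(k) == v for k, v in r.criteria.items()))


def detect_access_roles(identity: Identity, roles: Dict[str, Role]) -> List[str]:
    """Actual state: an IT or entitlement role is detected when the identity
    holds every entitlement in its profile. Disabled roles are not detected."""
    return sorted(r.name for r in roles.values()
                  if r.type in ("it", "entitlement") and r.enabled and r.profile
                  and r.profile <= identity.entitlements)


def closure(names: List[str], roles: Dict[str, Role], attr: str) -> Set[str]:
    """Follow a Required or Permitted list transitively through the role map."""
    seen: Set[str] = set()
    stack = list(names)
    while stack:
        n = stack.pop()
        if n in seen or n not in roles:
            continue
        seen.add(n)
        stack.extend(getattr(roles[n], attr))
    return seen


def reconcile(identity: Identity, roles: Dict[str, Role]) -> dict:
    """Compare desired (assigned) and actual (detected) access for one identity."""
    assigned = assign_business_roles(identity, roles)
    detected = set(detect_access_roles(identity, roles))
    required = closure([n for b in assigned for n in roles[b].required], roles, "required")
    permitted = closure([n for b in assigned for n in roles[b].permitted], roles, "permitted")
    justified: Set[Entitlement] = set()        # entitlements the business roles explain
    for n in required | permitted:
        justified |= roles[n].profile
    return {"assigned": assigned,
            "detected": sorted(detected),
            "to_provision": sorted(required - detected),              # required, not held
            "out_of_role": sorted(identity.entitlements - justified)}  # held, unexplained


def enable(roles: Dict[str, Role], name: str) -> Dict[str, Role]:
    """Copy of the role map with one role activated, e.g. a reviewed mined role."""
    out = dict(roles)
    out[name] = replace(roles[name], enabled=True)
    return out


# Constructed sample data
TRADERS = ("TreasurySys", "memberOf", "Traders")
TSYS_USERS = ("TreasurySys", "memberOf", "Users")
SAP_REPORT = ("SAP", "role", "Z_REPORT_VIEW")
SAP_AP_POST = ("SAP", "role", "Z_AP_POST")
VPN = ("ActiveDirectory", "memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com")

ROLES: Dict[str, Role] = {r.name: r for r in [
    Role("Finance", "organizational"),
    Role("Treasury Analyst", "business",
         criteria={"jobTitle": "Treasury Analyst", "department": "Treasury"},
         required=["TreasurySys - Trader"], permitted=["SAP - Report Viewer"],
         inherits=["Finance"]),
    Role("TreasurySys - Trader", "it", profile=frozenset({TRADERS, TSYS_USERS})),
    Role("SAP - Report Viewer", "it", profile=frozenset({SAP_REPORT})),
    Role("SAP - AP Poster (mined)", "it", enabled=False, profile=frozenset({SAP_AP_POST})),
    Role("VPN Access", "entitlement", profile=frozenset({VPN})),  # no assignment criteria
]}
ALICE = Identity("alice", {"jobTitle": "Treasury Analyst", "department": "Treasury"},
                 {TRADERS, TSYS_USERS, SAP_REPORT, SAP_AP_POST})
BOB = Identity("bob", {"jobTitle": "Treasury Analyst", "department": "Treasury"}, {TSYS_USERS})

if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who.name, reconcile(who, ROLES))
    print("alice after enabling mined role:", reconcile(ALICE, enable(ROLES, "SAP - AP Poster (mined)")))
```

Running it, alice's SAP posting entitlement is reported as out-of-role whether or not the mined IT role is enabled, because detection only says what she has; only a Required or Permitted link from her assigned business role would make it legitimate. Bob matches the same business role but lacks the required IT role, so it shows up as access to provision.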