Role overview
A role, also termed an organizational role, is a modeling concept that serves as a convenience in administering policy.
The descriptive properties of a role, particularly its name, are significant and imply the purpose of the role. For example, a role might be named manager, designer, or auditor. In Verify Identity Governance, a role is used to support user and access provisioning.
An organizational role can be associated with Service Group Accesses directly, without the need to define a Provisioning Policy.
A role can be defined as an Application Role. Application Roles are associated with a Service. The composition of such a role is restricted to Accesses and other Application Roles associated with the same Service.
- Role-based
To automate and to accelerate the process of granting access to resources.
A role-based model lowers the risk of individuals who might gain more system access than required by their job or other relationship to a company.
The operational needs of an enterprise determine the assignment of users to roles. For example, a user might have a role as a help desk assistant or auditor. In a role-based model, users receive a specific set of accounts and access rights based on role membership. When a user is removed from a role, the entire set of accounts and access rights is also removed.
A role might be a child role of another organizational role, which then becomes its parent role. The parent role is composed of all permissions of the child role.
- Request-based provisioning
Here, a role represents an access to an IT resource that can be directly searched and requested by a user.
The access entitlements of the role are defined by a provisioning policy or by the role itself. Approval processing can be supported for a role request; the user is assigned to the role after the request is approved. When the user is a member of a role, access rights are granted. Removing a user from that role also removes the entire set of access rights that the role granted.
If a role is a child role of another organizational role in a provisioning policy, then that child role also inherits the permissions of the provisioning policy.
If a role is a parent role of another organizational role in a provisioning policy, then that parent role also includes the permissions of the provisioning policy.
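
The role composition described above (a parent role carries all permissions of its child roles, and leaving a role removes the access it granted), as an added example that is not Verify Identity Governance code. It is a generic Python model for reviewing effective access: the role names, access names and helper functions are hypothetical, and it assumes that an access still granted through another role is kept.

```python
# Constructed sample data: role and access names are illustrative only.
ROLE_ACCESS = {                      # accesses attached directly to each role
    "help_desk_assistant": {"ticketing:agent"},
    "auditor": {"logs:read", "ticketing:read"},
    "support_lead": {"ticketing:admin"},
}
CHILD_ROLES = {                      # parent role -> its child roles
    "support_lead": {"help_desk_assistant", "auditor"},
}

def role_permissions(role, _path=()):
    """Direct accesses of `role` plus those of all child roles, transitively."""
    if role in _path:
        # A role that is its own ancestor would never terminate; reject it.
        raise ValueError("role hierarchy cycle: " + " -> ".join(_path + (role,)))
    perms = set(ROLE_ACCESS.get(role, ()))
    for child in CHILD_ROLES.get(role, ()):
        perms |= role_permissions(child, _path + (role,))
    return perms

def effective_access(user_roles):
    """Union of the composed permissions of every role the user is a member of."""
    access = set()
    for role in user_roles:
        access |= role_permissions(role)
    return access

def revoked_on_removal(user_roles, removed_role):
    """Accesses lost when a user leaves `removed_role`.

    Assumption: an access still granted through another of the user's
    roles is kept; the page does not state how overlaps are handled.
    """
    remaining = set(user_roles) - {removed_role}
    return effective_access(user_roles) - effective_access(remaining)

if __name__ == "__main__":
    roles = {"support_lead", "auditor"}
    print("effective:", sorted(effective_access(roles)))
    print("revoked if support_lead is removed:",
          sorted(revoked_on_removal(roles, "support_lead")))
```

Running the same calculation over real role definitions before a membership change shows which access rights a parent role silently adds and which ones would survive a removal because another role still grants them.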