Management of groups or access on a service
You can define access, manage group membership, or view the recertification status for the group. Groups are supported in most services managed by IBM Verify Identity Governance to allow sets of users to be administered collectively for access control purposes.
Access privileges to IT resources are based on membership of a group. In IBM Verify Identity Governance Version 4.6, groups were treated as one of the supporting data on the managed service, and group membership was an attribute on an account. In IBM Verify Identity Governance Version 5.0 and thereafter, groups are still treated as supporting data, but they are also a new type of entity in the IBM Verify Identity Governance model. In addition, the access that a group represents can be made available for users to request directly.
- Review the groups on the managed service
- Assign members to a group or remove members from a group
- Provide business-friendly names, categories, and descriptions of the access represented by the group
- Expose the access to users so that users can directly request or remove access
- Specify owners of access and specify approval of group access requests
- Define policies to enforce the recertification of group access
When access information for the group is defined and enabled in the access view, group membership affects the access list for a user. When a user is added to a group, the access that is granted to the user is displayed in the user's access list. When a user is removed from a group, the access is revoked from the user and removed from the access list.
Approval process for groups and accesses
The approval process might be different for managing groups or accesses, depending on how the request is initiated and submitted. When you manage group members from the Manage Services task, the request is treated as an account request and therefore goes through account approval. If the same group is exposed as an access and is requested through an access request, the request goes through access approval instead of account approval. Only when no access approval is defined does the request continue to use account approval.
Define access for a group
A service owner can provide business-friendly names, categories, and descriptions of the access represented by the group. The service owner can expose the access to users so that users can directly request or remove access. Service owners can specify the owner of the access, the approval process for the access, and the notification options for access provisioning.
- Access types
- The following access types are included with IBM Verify Identity Governance:
  - Application
  - Shared Folder
  - Mail Group
  - Role
The definition of each access is a one-to-one mapping with a group defined for the adapter type.
After an access is provisioned, the requester effectively becomes a member of the group that is defined by the access entitlement on the target. For access, the reconciliation of this supporting data is critical: access definitions can be created only after the groups are reconciled.
- Access owner
- Access owner is a dedicated IBM Verify Identity Governance user who is responsible for the access. ACIs can be set up to grant privileges on the access for the owner. The access owner is often involved in the approval process.
- Access approval
- Access approval specifies the workflow that is used for an access request. The access request workflow is defined with the Access Request Workflow task. Typically, this workflow is used to define the approval process for the access request.
- Access notification
- Access notification defines whether the email notifications are sent to the user when access is provisioned or de-provisioned for them.