Access entitlements and access control items
Access control items defined for Service, Service Group, and Account control a user's privileges for access configuration and user access management where the access is based on a service group.
Access control items defined for Role, Dynamic Role, and Person control the privileges for access management and user access management where the access is based on an organizational role.
IBM Verify Identity Governance provides default access control items that target access entitlements, as described in Table 1.
For more information on the default access control items for the shared access module, see the IBM® Security Privileged Identity Manager product documentation.
Who is permitted | Default access control items related to access management | Effect |
---|---|---|
All users | Service group: read all access attributes. Static role: search and modify attributes. Dynamic role: search attributes. Person: modify and use the erroles attribute (read/write) for self. Account: search, add, view, and remove group member for self. | Allows users to request new access authorization and to view and remove their own access. |
Manager or supervisor or the account owner | Service group: search and read all access attributes. Static role: search and modify attributes. Dynamic role: search attributes. Person: modify and use the erroles attribute (read/write) for subordinates. Account: search, add, view, and remove group member for subordinates. | Allows a manager to view, request, or remove access of a subordinate. |
Help desk assistant | Service group: search and read all access attributes. Static role: search and modify attributes. Dynamic role: search attributes. Person: modify and use the erroles attribute (read/write) for all. Account: search, add, view, and remove group member for all. | Allows help desk users to view, request, or remove access for all users in the organization. |
Service owner or access owner of the service on which the account resides | Service group: all access control item operations. Account: all access control item operations. | Allows service owners or access owners to search a group, define access, and recertify access, and to manage accounts and group members for a service, or for a defined access, that they own on the service. |
Sponsor of the business partner organization in which the account resides | Service group: search and read all access attributes. Account: search, add, view, and remove group member. | Allows a sponsor to view, request, or remove access of a subordinate. |
Auditor group | Service group: search. Account: search and read all access attributes. | Allows members of the auditor group to view access reports. |
Service owner or auditor group | Reports (access): run an operation. | Allows members of the service owner or auditor groups to view the access report. |
Auditor, manager, or service owner groups | Reports (individual, access): run an operation. | Allows members of these groups to view the individual access report. |
Privileged Administrator group | Static role: all access control item operations. Dynamic role: all access control item operations. Reports (individual, access): run an operation. | Allows privileged administrators to view, add, or remove access in the organization, and to view the individual access report. |