Organizational roles and access provisioning

A user role is also termed a business role or positional role. A user role represents a group of users with a particular meaning in a business model. The group might be a classification of users who share a business function.

User roles can be modeled with an organizational role in IBM Verify Identity Governance and used to support role-based provisioning. A user role can be mapped to a set of access entitlements in the provisioning policy. Access to IT resources is automatically provisioned for the users that belong to the role.

User roles are often modeled to help with user management for the business. User roles can also be used to support role-based access control and role-based provisioning. Access to IT resources might be managed by the following systems:

Central access control system
    A role-based access control model grants access to resources based on a user role, such as the user's job title or work responsibility.

Distributed system for a specific resource
    A role-based provisioning model automates the access entitlement provisioning process for a specific managed resource, and is based on the roles to which the user belongs.

Consider the following items when you design provisioning policies:
  • The target services to manage
  • The number of groups on each service
  • The number of user roles in the organization
  • The pattern of user roles and access entitlement mappings to the target services

An access entitlement can be mapped to an account on a service or to specific group members on a service. A provisioning policy allows a user role to map to multiple entitlements for different services. It allows multiple roles to have the same set of access entitlements. It is also possible to have multiple provisioning policies for the same role, each granting a set of accesses for the role.

An organizational role in Identity Manager can also be used to represent access to IT resources. The access can be mapped to one or multiple services that represent aggregated access to the resources. The accesses are defined by using an Identity Manager provisioning policy with both automatic and mandatory entitlement parameters.

This type of organizational role can be directly exposed to the user for access requests. The role can be categorized based on its access type, such as access to an application or a shared folder.

This type of organizational role provides request-based provisioning by enabling requests for aggregated accesses. By giving the access an appropriate business-oriented name and description, setting up the accesses in a provisioning policy, and specifying the appropriate role approval process, you can build a provisioning mechanism that supports the access control models described in Access control models.

If a role is defined as a child of another organizational role (which then becomes its parent role), the child role inherits the permissions of the parent role. Likewise, if a role is a child of another organizational role that is named in a provisioning policy, the child role also inherits the entitlements that the provisioning policy grants.
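The following is an added example, not IBM code or the product's API: it models the rules described above (a role maps to entitlements that are accounts on a service or group memberships on a service, several policies may apply to one role and several roles to one policy, a child role inherits from its parent role, and entitlements carry automatic and mandatory flags) so that the effective access of a user can be computed and checked on sample data. The role names, service names, and policies are constructed for illustration, and the meaning given to the automatic and mandatory flags is a simplified assumption.

```python
"""Illustrative model of role-based provisioning (added example, not IBM code).

Roles form a parent/child hierarchy; a provisioning policy maps one or more
roles to entitlements on services.  All names below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    service: str              # the managed resource, e.g. a directory or an app
    kind: str                 # "account" on the service, or "group" on it
    target: str               # account type, or the group name
    automatic: bool = False   # assumed: provisioned as soon as the role is held
    mandatory: bool = False   # assumed: may not be removed while the role is held

    def key(self) -> tuple[str, str, str]:
        return (self.service, self.kind, self.target)


@dataclass(frozen=True)
class Role:
    name: str
    parent: Optional[Role] = None   # a child role inherits its parent's permissions


@dataclass(frozen=True)
class ProvisioningPolicy:
    name: str
    roles: frozenset            # several roles may share one policy
    entitlements: frozenset


def role_chain(role: Role) -> list[str]:
    """Names of the role and all of its ancestors, nearest first."""
    chain: list[str] = []
    current: Optional[Role] = role
    while current is not None:
        if current.name in chain:
            raise ValueError(f"cycle in role hierarchy at {current.name!r}")
        chain.append(current.name)
        current = current.parent
    return chain


def effective_entitlements(user_roles: list[Role],
                           policies: list[ProvisioningPolicy]) -> set[Entitlement]:
    """Union of the entitlements of every policy that names a held role or one
    of its ancestors; more than one policy may apply to the same role."""
    held = {name for role in user_roles for name in role_chain(role)}
    granted: set[Entitlement] = set()
    for policy in policies:
        if policy.roles & held:
            granted |= policy.entitlements
    return granted


def by_service(entitlements: set[Entitlement]) -> dict[str, set[str]]:
    """Targets grouped per service: the view a service connector would act on."""
    grouped: dict[str, set[str]] = defaultdict(set)
    for ent in entitlements:
        grouped[ent.service].add(ent.target)
    return dict(grouped)


def automatic_entitlements(entitlements: set[Entitlement]) -> set[Entitlement]:
    """Entitlements provisioned without a request when the role is assigned."""
    return {ent for ent in entitlements if ent.automatic}


def removal_allowed(user_roles: list[Role], policies: list[ProvisioningPolicy],
                    service: str, kind: str, target: str) -> bool:
    """False if any applicable policy flags this entitlement as mandatory."""
    return not any(ent.key() == (service, kind, target) and ent.mandatory
                   for ent in effective_entitlements(user_roles, policies))


# Constructed sample hierarchy and policies (hypothetical names).
EMPLOYEE = Role("Employee")
ENGINEER = Role("Engineer", parent=EMPLOYEE)
FINANCE = Role("Finance", parent=EMPLOYEE)
CONTRACTOR = Role("Contractor")            # named in no policy

POLICIES = [
    ProvisioningPolicy("Baseline access", frozenset({"Employee"}), frozenset({
        Entitlement("Directory", "account", "standard", automatic=True, mandatory=True),
        Entitlement("Mail", "account", "mailbox", automatic=True),
    })),
    ProvisioningPolicy("Engineering tools", frozenset({"Engineer"}), frozenset({
        Entitlement("SourceControl", "account", "developer", automatic=True),
        Entitlement("Directory", "group", "eng-vpn"),
    })),
    # A second policy for the same role: its accesses add to the first.
    ProvisioningPolicy("Engineering maintainers", frozenset({"Engineer"}), frozenset({
        Entitlement("SourceControl", "group", "maintainers"),
    })),
    ProvisioningPolicy("Finance applications", frozenset({"Finance"}), frozenset({
        Entitlement("ERP", "account", "finance-user", automatic=True),
    })),
]

if __name__ == "__main__":
    granted = effective_entitlements([ENGINEER], POLICIES)
    for service, targets in sorted(by_service(granted).items()):
        print(f"{service}: {sorted(targets)}")
```

Running the module shows that a user who holds only the Engineer role receives the baseline entitlements through the parent Employee role plus the accesses of both engineering policies, while the Finance policy does not apply; a role that appears in no policy yields no access at all.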

For more information about how to design these access control systems, see the IBM® Redbooks® that describe design activities for Identity Manager.