Role Detection
Roles are detected when an Identity Refresh task runs with the "Refresh assigned, detected roles and promote additional entitlements" option selected.
In role detection, IdentityIQ compares the entitlement profiles of each role to the entitlements held by each Identity. Profiles may specify a single entitlement or may specify multiple entitlements, either in "and" relationships, requiring the identity to have all listed entitlements to have the role, or "or" relationships, meaning the identity has the role if they have any of the entitlements. When an Identity’s collection of entitlements meets an IT role profile’s requirements, the role is marked as "detected" for that Identity.
All detected roles store information about the accounts and entitlements that fulfilled the detection. Detection also recognizes and persists whether a detected role was part of an assignment, for example if it was explicitly requested in a Lifecycle Manager access request.
A role can be detected more than once if there are role assignments targeting different accounts on the same application. For example, if assigned role A and assigned role B both have required role R, but different target accounts were selected for A and B, there are two detections of R: one for the accounts selected for A and one for the accounts selected for B. This model is necessary to accurately show which accounts and entitlements are included in each role assignment.
Defined IT roles can be detected for Identities based on the entitlements recorded for the Identity in IdentityIQ. Once entitlements are associated as a role for an Identity, the individual entitlements are no longer displayed on the Identity Cube's entitlements page, as they are replaced by the more concise role name. For example, if an Identity already has the time-tracking system's required entitlements for the Timesheet Approval role, this role will be detected for the Identity and will be marked on the Identity Cube in place of the entitlements encapsulated within it. The role-encapsulated entitlements can be shown or hidden in the UI based on a checkbox selection, and any role can be clicked to view the details within it.
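The matching described above can be modelled in a few lines. This is an added example, not IdentityIQ code or its API: it assumes one profile per role, and the application, account and entitlement names are constructed. It shows "and"/"or" profile matching, the account and entitlements recorded as having fulfilled each detection, and the entitlements left over once detected roles stand in for the ones they encapsulate.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    application: str
    entitlements: frozenset
    mode: str = "and"  # "and": all listed entitlements required; "or": any one

    def match(self, held):
        """Return the held entitlements that fulfil this profile, or None."""
        hit = self.entitlements & frozenset(held)
        if self.mode == "and":
            return hit if hit and hit == self.entitlements else None
        return hit or None

def detect_roles(roles, accounts):
    """roles: {role name: Profile}. accounts: [(application, account, entitlements)].
    Returns {role name: (application, account, fulfilling entitlements)}."""
    detected = {}
    for name, profile in roles.items():
        for app, account, held in accounts:
            if app != profile.application:
                continue
            hit = profile.match(held)
            if hit:
                # Keep the evidence: which account and entitlements fulfilled it.
                detected[name] = (app, account, sorted(hit))
                break
    return detected

def leftover_entitlements(roles, accounts):
    """Entitlements per account that no detected role encapsulates."""
    found = detect_roles(roles, accounts).values()
    covered = {(app, acct, e) for app, acct, ents in found for e in ents}
    return {(app, acct): sorted(e for e in held if (app, acct, e) not in covered)
            for app, acct, held in accounts}

# Constructed sample data: names are illustrative, not from a real deployment.
ROLES = {
    "Timesheet Approval": Profile("TimeTracking", frozenset({"ts.view", "ts.approve"})),
    "Report Reader": Profile("Reporting", frozenset({"rpt.read", "rpt.admin"}), "or"),
    "Payroll Admin": Profile("Payroll", frozenset({"pay.run", "pay.edit"})),
}
ACCOUNTS = [
    ("TimeTracking", "jdoe", {"ts.view", "ts.approve", "ts.export"}),
    ("Reporting", "jdoe_r", {"rpt.read"}),
    ("Payroll", "jdoe_p", {"pay.edit"}),  # only one of two "and" entitlements
]

if __name__ == "__main__":
    print(detect_roles(ROLES, ACCOUNTS))
    print(leftover_entitlements(ROLES, ACCOUNTS))
```

In this model the leftover entitlements (`ts.export`, `pay.edit`) are the access that no role explains, which is the set worth reviewing first.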