Role Types
By default, there are four types of roles configured in IdentityIQ:
Organizational roles are designed for organizing the role hierarchy in the IdentityIQ UI for easier management. By default, they do not perform any function other than creating a nesting structure in the Role Modeler. Organizational roles can be defined in any hierarchical structure desired. Possible structures could include:
- A hierarchy matching the corporate org structure for organizing business roles into easily managed groupings
- A set of container roles for holding collections of IT roles based on commonalities between them
- A set of container roles grouping other roles by application
- A set of container roles grouping other roles alphabetically
- Any combination of these structures (or others)
The key is to use organizational roles to simplify navigation through the role structure for administrators who will be tasked with managing the roles.
Business roles generally represent job functions, titles, or responsibilities. They are usually tied to the organizational structure and are assigned to users based on their functions in the business – such as Treasury Analyst or Accounts Payable Clerk. Business roles define the desired state for a user's access: what do you want someone with this job function to be able to do, or not do?
For example, within the Accounts Payable department, there might be an AP Supervisor, 3 AP Lead Accountants, and 30 Accounting Clerks. This would require the creation of 3 business roles:
- AP Supervisor
- AP Lead Accountant
- AP Clerk
However, if not all clerks do the same basic job, it may help to create additional roles to further divide them into sub-units. For example, perhaps the mailroom clerks are tasked with opening, stamping, and digitally scanning invoices while other clerks are responsible for accounting system data entry and reporting. In that case, the department might implement four business roles:
- AP Supervisor
- AP Lead Accountant
- AP Entry Clerk
- AP Mailroom Clerk
In some cases, business roles may be defined by the managerial hierarchy in place at the company. For example, there may be a strict hierarchy of managerial and supervisory job titles that is replicated within any division or department, such as:
- Vice President
- Director
- Manager
- Supervisor
- Lead
Business roles are assigned to users directly, either automatically via attribute matching on things like job title or department, or via request, which may come from the user or from someone else, like a manager or an application owner.
IT Roles encapsulate sets of system entitlements. They are tied to actual permissions within an application or target system. IT roles represent the actual state of the user's access, such as an account, entitlement, or permission. IT roles should encapsulate groups of related entitlements that are shared by one or more business roles. If too many entitlements are grouped together, each IT role may only apply to one business role and lose any potential reuse benefits. If too few are grouped into each IT role, each business role will have to be connected to large numbers of IT roles to provide the required system access for the job; this can also result in role proliferation that makes role management an overly cumbersome activity, reducing their value to the organization. The goal therefore is to encapsulate as many entitlements into each role as possible without over-grouping.
A user's IT roles can be detected in IdentityIQ based on the entitlements that user has. Access can also be provisioned in IdentityIQ through IT roles.
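The paragraphs above describe two distinct mechanisms: business roles are assigned by matching identity attributes (desired state), while IT roles are detected from the entitlements a user actually holds (actual state). The following is an added, self-contained Python model of that distinction; it is not IdentityIQ code and uses none of its APIs. The role names, attribute names (department, title) and entitlement values are constructed for illustration, and the IT role definitions and business-to-IT mappings are assumptions made to show the reconciliation. The example also counts how many business roles reference each IT role, which is the reuse measure the grouping discussion in the IT role paragraph turns on.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """A single permission on a target system (application, attribute, value)."""
    application: str
    attribute: str
    value: str


@dataclass(frozen=True)
class ITRole:
    """Encapsulates a set of related entitlements (actual-state building block)."""
    name: str
    entitlements: frozenset


@dataclass(frozen=True)
class BusinessRole:
    """Job function; auto-assigned when every attribute in the rule matches."""
    name: str
    assignment_rule: tuple          # ((attribute, required_value), ...)
    required_it_roles: frozenset    # IT role names this job function needs


@dataclass(frozen=True)
class Identity:
    name: str
    attributes: dict
    entitlements: frozenset


def assign_business_roles(identity, business_roles):
    """Attribute matching: a business role is assigned only if all rule attributes match."""
    return {r.name for r in business_roles
            if all(identity.attributes.get(k) == v for k, v in r.assignment_rule)}


def detect_it_roles(identity, it_roles):
    """Detection: an IT role is held when the identity has every entitlement in it."""
    return {r.name for r in it_roles if r.entitlements <= identity.entitlements}


def reconcile(identity, business_roles, it_roles):
    """Compare desired state (assigned business roles -> required IT roles)
    against actual state (IT roles detected from entitlements)."""
    assigned = assign_business_roles(identity, business_roles)
    br_by_name = {r.name: r for r in business_roles}
    required = set().union(*(br_by_name[n].required_it_roles for n in assigned))
    detected = detect_it_roles(identity, it_roles)
    it_by_name = {r.name: r for r in it_roles}
    covered = set().union(*(it_by_name[n].entitlements for n in detected))
    return {
        "assigned_business_roles": assigned,
        "missing_it_roles": required - detected,     # candidates for provisioning
        "extra_it_roles": detected - required,       # access beyond the desired state; review
        "uncovered_entitlements": identity.entitlements - covered,  # explained by no role
    }


def it_role_reuse(business_roles):
    """How many business roles reference each IT role; 1 means no reuse benefit."""
    return Counter(n for r in business_roles for n in r.required_it_roles)


# --- Constructed sample data (assumed, not from any real IdentityIQ deployment) ---
ENTRY = Entitlement("AP System", "group", "AP_Entry")
REPORT = Entitlement("AP System", "group", "AP_Reporting")
APPROVE = Entitlement("AP System", "group", "AP_Approve")
SCAN = Entitlement("Scanner", "group", "ScanOps")
LEGACY = Entitlement("AP System", "group", "Legacy_Export")

IT_ROLES = [
    ITRole("AP Data Entry Access", frozenset({ENTRY, REPORT})),
    ITRole("AP Approval Access", frozenset({APPROVE})),
    ITRole("Invoice Scanning Access", frozenset({SCAN})),
]
AP = (("department", "Accounts Payable"),)
BUSINESS_ROLES = [
    BusinessRole("AP Entry Clerk", AP + (("title", "AP Entry Clerk"),),
                 frozenset({"AP Data Entry Access"})),
    BusinessRole("AP Mailroom Clerk", AP + (("title", "AP Mailroom Clerk"),),
                 frozenset({"Invoice Scanning Access"})),
    BusinessRole("AP Supervisor", AP + (("title", "AP Supervisor"),),
                 frozenset({"AP Data Entry Access", "AP Approval Access"})),
]
# An entry clerk who also holds approval rights and a legacy entitlement nobody modelled.
ALICE = Identity("alice", {"department": "Accounts Payable", "title": "AP Entry Clerk"},
                 frozenset({ENTRY, REPORT, APPROVE, LEGACY}))

if __name__ == "__main__":
    print(reconcile(ALICE, BUSINESS_ROLES, IT_ROLES))
    print(it_role_reuse(BUSINESS_ROLES))
```

Running the module reports that alice is auto-assigned AP Entry Clerk, that AP Approval Access is detected but not required by her job function, and that Legacy_Export is covered by no IT role at all. Both findings are the kind of gap a role-based review is meant to surface: the first is over-entitlement relative to the desired state, the second is access that the role model cannot explain. The reuse counter shows AP Data Entry Access referenced by two business roles while the other IT roles serve only one each.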
Entitlement roles were originally created to represent a single entitlement on a single application; currently, Entitlement Roles exist for backward compatibility with versions 5.x and earlier of IdentityIQ, and are not recommended for current/new installations.
Custom role types can be created to model a structure that doesn't easily fit into the IdentityIQ default model. In addition, existing role types can be configured to function differently from their default behaviors. Because there are so many ways roles can be customized, this document only discusses IdentityIQ's role structure in the default configuration.