Understanding Relationships Between Roles and Entitlements / Permissions

Roles bundle sets of access (entitlements and permissions) together so that access can be more easily managed and governed. Entitlements, which typically take the form of an account on an application or membership in a group, control access to a system or application, and encompass actions the user with the entitlement can take in the application. Permissions represent direct access, independent of account or group membership, to an action a user can take in a system or application.

The access allowed by roles can be direct or indirect. For example, an Accountant role can give direct access to the Accounting system, in the form of an account on the system. Indirect access is typically granted through nested groups or a set of inherited roles; for example, an Accounting Supervisor role may inherit the Accountant role, and thereby be indirectly granted all the access an Accountant would have on the Accounting system.

Part of maintaining an efficient and functional role model is understanding and monitoring the connections between roles and the entitlements and permissions they allow.

For example, if you are making changes to the set of entitlements defined in your Active Directory application, it's important to understand which roles will be affected by those changes. Or, if you want to examine your role model to see where different roles may overlap in terms of the access they grant, it's useful to be able to see exactly which entitlements and permissions are included within multiple roles. If an application is going to be retired, it's useful to review ahead of time which roles include access to the application, so that the role can be changed accordingly.

IdentityIQ provides many tools to help you monitor and manage the relationships between roles and entitlements / permissions. You can examine roles to discover which entitlements and permissions they grant, and you can also examine entitlements and permissions to see which roles include them.

Establishing Connections Between Roles and Access

An IdentityIQ task called Role-Entitlement Associations builds a table of relationships between roles and access, ensuring referential integrity in your role model. This task only needs to be run one time to establish role associations to entitlements and permissions; once it has been run, IdentityIQ automatically updates the relationship table any time changes are made to role profiles.

This task is run by default when upgrading from an earlier version of IdentityIQ to the current version; in an upgrade scenario, you do not need to run the task independently of the upgrade process in order to establish these relationships.

Although there is no requirement to run the Role-Entitlement Associations task again after it is first run, you can choose to run it if you want to – for example, if you have onboarded many applications in a short timeframe and want to take extra care to ensure that your relationship table is up to date.
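The direct/indirect distinction from the Accountant example above and the role-to-access relationship table this section describes can be illustrated with a small model. The following Python is an added example, not IdentityIQ code: the role model (role names, applications, entitlements) is constructed for illustration, and the function names are assumptions, not IdentityIQ APIs. It computes each role's effective access through inheritance, builds the reverse table (which roles grant a given entitlement or permission, directly or indirectly), and answers the two questions raised earlier on the page: where roles overlap, and which roles are affected when an application is retired or a role profile changes.

```python
import copy
from collections import defaultdict
from typing import Dict, Set, Tuple

# An access item is (application, entitlement-or-permission). Tuples are hashable,
# so they can live in sets and act as keys of the association table.
Access = Tuple[str, str]

# Constructed sample role model (an illustration, not an IdentityIQ export).
# "access" is what the role's profile grants directly; "inherits" names parent
# roles whose access is granted indirectly, as with Accounting Supervisor -> Accountant.
ROLES: Dict[str, Dict[str, Set]] = {
    "Accountant": {
        "access": {("Accounting", "account"), ("Accounting", "group:AP_Clerks")},
        "inherits": set(),
    },
    "Accounting Supervisor": {
        "access": {("Accounting", "group:AP_Approvers"),
                   ("ActiveDirectory", "group:Finance-Managers")},
        "inherits": {"Accountant"},
    },
    "Finance Analyst": {
        "access": {("ActiveDirectory", "group:Finance-Managers"),
                   ("ERP", "permission:ReadReports")},
        "inherits": set(),
    },
    "Payroll Clerk": {
        "access": {("Payroll", "account")},
        "inherits": {"Accountant"},
    },
}


def effective_access(roles, role, _seen=None) -> Set[Access]:
    """Direct access plus everything reachable through inherited roles.
    The _seen set guards against a cyclic (malformed) hierarchy."""
    _seen = _seen if _seen is not None else set()
    if role in _seen:
        return set()
    _seen.add(role)
    result = set(roles[role]["access"])
    for parent in roles[role]["inherits"]:
        result |= effective_access(roles, parent, _seen)
    return result


def build_association_table(roles) -> Dict[Access, Dict[str, Set[str]]]:
    """Reverse index: access item -> roles granting it, split into direct
    (in the role's own profile) and indirect (through inheritance)."""
    table = defaultdict(lambda: {"direct": set(), "indirect": set()})
    for role, spec in roles.items():
        for item in spec["access"]:
            table[item]["direct"].add(role)
        for item in effective_access(roles, role) - spec["access"]:
            table[item]["indirect"].add(role)
    return dict(table)


def roles_granting(table, item: Access) -> Set[str]:
    """All roles that include this entitlement or permission, directly or not."""
    entry = table.get(item, {"direct": set(), "indirect": set()})
    return entry["direct"] | entry["indirect"]


def roles_touching_application(table, application: str) -> Set[str]:
    """Roles to review before an application is retired."""
    affected: Set[str] = set()
    for (app, _), entry in table.items():
        if app == application:
            affected |= entry["direct"] | entry["indirect"]
    return affected


def overlapping_access(table) -> Set[Access]:
    """Access items that appear in more than one role (where the model overlaps)."""
    return {item for item, entry in table.items()
            if len(entry["direct"] | entry["indirect"]) > 1}


def update_role_profile(roles, role, add=(), remove=()):
    """Change a role's direct access and rebuild the table so the two stay
    consistent. Returns (new_roles, new_table); the input model is left untouched."""
    new_roles = copy.deepcopy(roles)
    new_roles[role]["access"] = (new_roles[role]["access"] | set(add)) - set(remove)
    return new_roles, build_association_table(new_roles)


if __name__ == "__main__":
    table = build_association_table(ROLES)
    print("Effective access of Accounting Supervisor:",
          sorted(effective_access(ROLES, "Accounting Supervisor")))
    print("Roles granting AD Finance-Managers:",
          sorted(roles_granting(table, ("ActiveDirectory", "group:Finance-Managers"))))
    print("Roles affected if Accounting is retired:",
          sorted(roles_touching_application(table, "Accounting")))
    print("Access included in more than one role:", sorted(overlapping_access(table)))
```

Because the table is derived from the role profiles, every profile change must rebuild (or incrementally patch) it, which is the referential-integrity point the task above makes; in this toy model `update_role_profile` simply rebuilds the whole table.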

Examining Roles: What Access Do They Provide?

The Role Profiles Composition report lets you see which entitlements and permissions are included in specific roles. See Role Profiles Composition Report.

The Advanced Analytics Role search includes criteria to search for roles by access profile, for entitlements, permissions, or both. See Role Search Criteria.

The Role Viewer (Setup > Roles) lets you drill into Role Statistics details about individual entitlements; the detail view lists Associated Roles where relevant. See Role Viewer Tab.

Examining Entitlements and Permissions: Which Roles Include Them?

The Roles by Entitlement report lists all roles that grant particular entitlements or permissions. See Roles by Entitlement Report.

The Role Member report includes entitlement and permission criteria that let you see which users are members of roles that grant specific access. See Role Members Report.

The Advanced Analytics Role search includes criteria to search for roles by access profile, for entitlements, permissions, or both. See Role Search Criteria.

You can drill down to Role Association information for entitlements and permissions in these areas of IdentityIQ:

  • The Entitlement Catalog includes an Associated Roles tab listing the roles that provide direct access to the entitlement. See Entitlement Catalog.

  • In the Identity Warehouse, you can click on individual entitlements to see Associated Roles that provide direct access to the entitlement for this user. See the Identity Warehouse Page.

  • In the Application Definition, the Accounts tab for the application lists users with accounts on the application. You can click the arrow next to a user to see specific entitlements, then click on an entitlement to see details that include Associated Roles where applicable. See Configuring an Application.

  • Work items for access review challenges or decisions include an option to drill down into specific entitlements to see Associated Roles where applicable. See Work Items.

  • In Targeted Certifications, the What do you want to certify? section lets you enter criteria for selecting roles. Source Application, Source Attribute, and Source Value filtering attributes let you refine which roles are included in the certification by the entitlement access granted by the roles. See Targeted Certification: What to Certify.

  • When adding or removing access using the Manage User Access Quicklink, you can filter access based on the Role Source Application, Role Source Attribute, or Role Source Value. You can also click the Details button on access items and drill down into the Entitlement Profile to see Associated Roles for the item.

  • When approving access, you can click the information icon (?) for any access item, and drill down into the Role Hierarchy's Entitlement Profiles, to see Associated Roles for the access item.