
Workgroups

A Workgroup is a grouping of Identities that can be assigned activities within IdentityIQ as if the group were a single Identity. While a Role describes and manages activities and access outside of IdentityIQ, Workgroups specifically relate to activities and access within IdentityIQ.

Workgroups are primarily used in two ways: for allowing Identities to share responsibilities, and for managing IdentityIQ Access for groups of Identities as a unit.

Responsibility Sharing

IdentityIQ allows activities or responsibilities to be assigned to Workgroups just as they can be assigned to an Identity. Grouping Identities into Workgroups makes it possible for multiple people to share responsibility for certain functions, which can help with managing activities that must be performed by someone but do not necessarily need to be owned or performed by a specific person.

The following responsibilities are assignable to a workgroup:

  • Application Owner

  • Application Revoker

  • Certification Owner

  • Role Owner

  • Entitlement Owner

  • Account Group Owner

  • Policy Owner

  • Policy Violation Owner

  • Policy Violation Observers

Consider, for example, a large-application System Administration team made up of five people who share responsibility for managing access and permissions for many users. These shared responsibilities could be divided among the team members by setting different team members as the Application Owner, Revoker, Certification Owner, etc. If, however, all team members are qualified and empowered to address any of these requests, it could be substantially more efficient to create a Workgroup for this team and assign these activities to the Workgroup, rather than assigning ownership to any one of the team members. Access / Revocation / Certification requests can then be funneled to the group to be processed by the first available team member.

Managing IdentityIQ Access

System capabilities within IdentityIQ can also be managed for an entire population of Identities by assigning them to the same Workgroup. For example, if all members of a help desk team need the same IdentityIQ capabilities, they can be assigned to a Workgroup and their access can be managed through the Workgroup instead of on each individual Identity. Capabilities set on individual Identities remain in effect in addition to the capabilities assigned to the Workgroup. If one person in the group, such as the team lead, requires additional IdentityIQ capabilities, the unique permissions for that person can be managed on their Identity without affecting the other group members' access.
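The additive behaviour described above matters during an access review, because removing someone from a Workgroup does not remove capabilities that are also set on their Identity. The following is an added example, not IdentityIQ code or its API: a stand-alone Python model in which every identity, workgroup and capability name is constructed.

```python
# Added illustration: a stand-alone model, not IdentityIQ code or its API.
# All identity, workgroup and capability names below are constructed.

# Capabilities set directly on each Identity.
DIRECT = {
    "alice": {"ExampleReportViewer"},
    "bob": set(),
    "carol": {"ExamplePasswordReset", "ExampleTeamAdmin"},  # team lead
}

# Workgroups: members plus the capabilities set in the group's Rights section.
WORKGROUPS = {
    "HelpDesk-WG": {
        "members": {"alice", "bob", "carol"},
        "capabilities": {"ExamplePasswordReset", "ExampleAccountUnlock"},
    },
}


def effective_capabilities(identity, direct=DIRECT, workgroups=WORKGROUPS):
    """Map each effective capability to the sources that grant it."""
    sources = {}
    for cap in direct.get(identity, set()):
        sources.setdefault(cap, []).append("direct")
    for name, wg in sorted(workgroups.items()):
        if identity in wg["members"]:
            for cap in wg["capabilities"]:
                sources.setdefault(cap, []).append("workgroup:" + name)
    return {cap: sorted(src) for cap, src in sorted(sources.items())}


def lost_on_removal(identity, workgroup, direct=DIRECT, workgroups=WORKGROUPS):
    """Capabilities the identity holds only through the named workgroup."""
    tag = "workgroup:" + workgroup
    eff = effective_capabilities(identity, direct, workgroups)
    return sorted(cap for cap, src in eff.items() if src == [tag])


if __name__ == "__main__":
    for person in sorted(DIRECT):
        print(person, effective_capabilities(person))
        print("  loses if removed from HelpDesk-WG:",
              lost_on_removal(person, "HelpDesk-WG"))
```

In this model the team lead keeps the password-reset capability after leaving the workgroup because it is also set directly on the Identity, which is the case a reviewer needs to check separately.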

Creating Workgroups

Workgroups are created on the Setup > Groups > Workgroups tab by clicking Create Workgroup.

A Group Email address can be specified, and email can be configured to be sent to the group address, to the individual members, or to both. The group's common Capabilities and Scopes are specified in the Rights section, and Identities are added to the workgroup in the Members section at the bottom of the Edit Workgroups window.