Benefits of Roles
A major benefit of implementing roles is using them to translate entitlement data into terms that can be more clearly understood by business managers and other employees, as they request, assign, and review access. Through roles, entitlements can be grouped together and presented as a logical unit, such as a job function, rather than as a detailed and often difficult-to-interpret list of access rights.
In some cases, the way entitlements are named or described can make it difficult for a reviewer to understand what the entitlement means. For example, group names may use acronyms or numeric values that offer little contextual information to the layperson; even when names are more descriptive, the inclusion of distinguished name (DN) data in the group name may obscure the important values, at least at first glance. Roles can be used to simplify and clarify how the data is presented to the business user.
Sometimes a single job function may require multiple system entitlements, either all on the same application, or across multiple resources. Without roles, the reviewing manager needs to know about all of the required pieces – both to understand why an employee has access to each of these, and to ensure that employees have all the access they need to do the job. With roles, all of these permissions can be encapsulated in a single role and presented to the reviewer as a unit, both clarifying and simplifying the reviewing process.
Similarly, encapsulating entitlements into roles makes it possible for a manager to automatically provision the required entitlements for a new employee simply by assigning that person the appropriate role.
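The following added example (not code from the original page or from any product) shows both uses described above: collapsing a user's raw entitlements into roles for a reviewer, and computing what to provision when a role is assigned. The role names, applications, DNs and entitlement strings are constructed, and the role model (a role is a set of application/entitlement pairs) is an assumption.

```python
# Constructed role catalogue: role name -> set of (application, entitlement).
ROLES = {
    "Accounts Payable Clerk": {
        ("Active Directory", "CN=FIN-AP-0042,OU=Groups,DC=example,DC=com"),
        ("ERP", "AP_INVOICE_ENTRY"),
        ("ERP", "AP_VENDOR_VIEW"),
    },
    "Help Desk Analyst": {
        ("Active Directory", "CN=IT-HD-0007,OU=Groups,DC=example,DC=com"),
        ("Ticketing", "QUEUE_TIER1"),
    },
}

# Constructed sample: one user's raw entitlements as a reviewer would otherwise see them.
SAMPLE_HELD = [
    ("Active Directory", "CN=FIN-AP-0042,OU=Groups,DC=example,DC=com"),
    ("ERP", "AP_INVOICE_ENTRY"),
    ("ERP", "AP_VENDOR_VIEW"),
    ("Ticketing", "QUEUE_TIER1"),
]

def summarize_access(held, roles=ROLES):
    """Collapse raw entitlements into the role-based view for an access review."""
    held = set(held)
    complete, incomplete, explained = [], {}, set()
    for name, required in sorted(roles.items()):
        if required <= held:
            # Every entitlement of the role is present: show the role as one unit.
            complete.append(name)
            explained |= required
        elif required & held:
            # Some but not all pieces are present: record what is missing.
            incomplete[name] = sorted(required - held)
    # Entitlements not covered by a complete role still need individual review.
    return {"roles": complete, "incomplete": incomplete,
            "outside_roles": sorted(held - explained)}

def entitlements_to_provision(role, held=(), roles=ROLES):
    """Entitlements that assigning `role` would add to what the user already holds."""
    return sorted(roles[role] - set(held))

if __name__ == "__main__":
    print(summarize_access(SAMPLE_HELD))
    print(entitlements_to_provision("Accounts Payable Clerk"))
```

The `incomplete` and `outside_roles` results are the items a reviewer still has to judge one by one; everything under `roles` is presented as a single job function.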