Linking IT Roles to Business Roles: Required and Permitted Access

When IT roles are linked to business roles, IdentityIQ uses the IT role definitions to know what access it should provision for a user when they are assigned the business role. Business roles and IT roles are linked using two types of relationships: required and permitted.

IT roles are connected to business roles through the Required Roles and Permitted Roles lists.

  • Required roles refer to the set of access that someone with a given role must have. Someone with an Accounts Payable business role, for example, will always need to have read and write access to the accounting system.

  • Permitted roles mean the access is discretionary – these are permissions or entitlements a user may be allowed to have, but isn’t required to have. When permitted access is included with a business role, the entitlements are essentially “pre-screened” – we know that a user with this role is allowed to have the permitted access. For example, perhaps all employees are allowed to have VPN access but aren’t automatically given this access unless they or their manager requests it.

The required IT role connection is used as the driving force for provisioning entitlements based on role assignment. When a business role is assigned to an Identity, requiring entitlements the Identity does not have, the entitlements for the required IT roles will be provisioned for the Identity. Depending on how provisioning is configured, this process can range from entirely manual to fully automated.

These required and permitted connections also help identify missing entitlements during the certification process. When a user is missing required entitlements for the IT roles under business roles assigned to them, the access review can reflect this to bring it to the reviewer's attention. Correction of that state is not done in the certification process itself; that is left to the refresh process or some other out-of-band process.
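The two uses of the required and permitted links described above, provisioning the missing required entitlements on assignment and surfacing gaps in an access review, can be modelled as set operations over the role hierarchy. The following is an added illustration, not IdentityIQ code; the role names, entitlement strings and the sample identity are constructed for the example.

```python
# Added example (not IdentityIQ code): business roles link to IT roles through
# required and permitted lists; derive the provisioning plan and the review view.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ITRole:
    name: str
    entitlements: frozenset  # entitlements this IT role provisions

@dataclass
class BusinessRole:
    name: str
    required: list = field(default_factory=list)   # IT roles a holder must have
    permitted: list = field(default_factory=list)  # IT roles a holder may request

def required_entitlements(assigned):
    """Entitlements behind every required IT role of the assigned business roles."""
    return {e for br in assigned for it in br.required for e in it.entitlements}

def permitted_entitlements(assigned):
    """Entitlements behind every permitted IT role: pre-screened, not auto-provisioned."""
    return {e for br in assigned for it in br.permitted for e in it.entitlements}

def provisioning_plan(assigned, held):
    """What a role-assignment refresh provisions: required entitlements not yet held."""
    return sorted(required_entitlements(assigned) - held)

def classify_for_review(assigned, held):
    """Group held entitlements as a certification could present them, plus the
    missing required ones that the review can only surface, not correct."""
    req, perm = required_entitlements(assigned), permitted_entitlements(assigned)
    return {
        "missing_required": sorted(req - held),
        "required": sorted(held & req),
        "permitted": sorted((held & perm) - req),  # explained by a permitted IT role
        "unscreened": sorted(held - req - perm),   # no role explains these
    }

# Constructed sample data mirroring the Accounts Payable / VPN illustration above.
ACCOUNTING_RW = ITRole("Accounting-ReadWrite", frozenset({"acct:read", "acct:write"}))
VPN = ITRole("VPN-Access", frozenset({"vpn:connect"}))
ACCOUNTS_PAYABLE = BusinessRole("Accounts Payable", required=[ACCOUNTING_RW], permitted=[VPN])

if __name__ == "__main__":
    held = {"acct:read", "vpn:connect", "hr:admin"}  # constructed current entitlements
    print(provisioning_plan([ACCOUNTS_PAYABLE], held))   # acct:write gets provisioned
    print(classify_for_review([ACCOUNTS_PAYABLE], held))
```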