Introduction:

This process describes the application of a Role on a User in IDM

Role Requested

Use Case

Role Requested

Brief Description

The Access Policy feature, accessed from the System Administration Console, defines and manages the entitlements and policies assigned to roles in IDM and, where necessary, grants the permissions needed to fulfill the accounts/entitlements associated with the defined roles.

Each role is configured with entitlement rules and is assigned the connected resources to be granted or denied when the role is assigned, together with the process forms the role requires.

Actors

  • IDM

  • Manager/ Approver/ Task Performer

Trigger Events

  • Access policy is triggered and the accounts/entitlements associated with the role are fetched

Preconditions

  • Active user in IDM

Post-Conditions

Success

  • IDM grants or disables access on the associated target system
  • All associated accounts and entitlements were correctly modified

Fail

  • IDM could not grant or disable access on the associated target system
  • Some or all entitlements and accounts were not correctly modified

Basic Flow

The basic flow for the request failure process is explained as follows:

On Request:

  • User requests role assignment/ revoke
  • The request ID is generated
  • The request is approved by the approver

Job Scheduler:

  • IDM runs a scheduler job every 5 minutes to identify changes in user identities.
  • On role addition/removal, the access policy is triggered automatically and the accounts/entitlements associated with the role are fetched
  • A scheduler job for IDM triggers updates to the user accounts
  • IDM grants or disables access on the associated target system
  • IDM verifies the membership conditions and provisions/revokes entitlements or accounts on the user's profile

Role Assignment

Use Case

Role Assignment

Brief Description

IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record

Actors

  • IDM

  • HRMS

Trigger Events

  • New User is created in HRMS

Preconditions

  • Active user in IDM created with Create User Process

Post-Conditions

Success

  • Correct roles are assigned based on computer access flag

Fail

  • Incorrect roles are assigned based on computer access flag

Basic Flow

The process is as follows:

  • New user is created from HRMS data
  • IDM performs a check to identify roles for the new user
  • IDM assigns roles to the user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record:
    • IDM identifies Computer Access Flag = N, and the user ID receives the Physical Badge role only
    • IDM identifies a different user ID with Computer Access Flag = Y, and that user ID receives the Active Directory, Email, West Mainframe and Physical Badge roles
  • IDM triggers provisioning in Core-Connected Systems

Role Harvesting

Use Case

Role Harvesting

Brief Description

Role matching with entitlements

Actors

  • IDM

Trigger Events

  • Schedule job for Role Harvesting

Preconditions

  • Active user in IDM

Post-Conditions

Success

  • Correct or no mapping of Role and Entitlement found

Fail

  • Incorrect mapping of role with entitlement found

Basic Flow

The process is as follows:

  • IDM runs a scheduled job to match roles with entitlements
  • IDM evaluates requests and determines whether the requested or assigned entitlements match all entitlements of an existing role
  • If there is a match to a role, the role is automatically assigned to the requester
  • Metadata is added to specific roles, allowing them to be excluded from Role Harvesting


Reference

https://docs.oracle.com/cd/E27559_01/user.1112/e27151/req_mangmnt_user.htm#OMUSG3752