Introduction:
This process describes the application of a Role on a User in IDM
Use Case:
Role Requested
Use Case | Role Requested |
|---|
| Brief Description | The Access Policy feature manages and defines entitlements and policies assigned to roles in IDM, and where necessary, grants permissions for the fulfillment of the accounts/entitlements associated with defined roles and is accessed from the System Administration Console. Each role is configured with rules for entitlements and is assigned connected resources to be granted or denied upon assignment of the role and associated process forms required for the role. |
|---|
Actors | IDM - Manager/ Approver/ Task Performer
|
|---|
Trigger Events | |
|---|
Preconditions | |
|---|
Post-Conditions | Success - IDM grant or disable access to the associated target system
- All associated accounts and entitlements where rightly modified
Fail - IDM could not grant or disable access to the associated target system
- All/ some entitlements and accounts were not rightly modified
|
|---|
| Basic Flow | The basic flow for the request failure process is explained as follows: On Request: - User requests role assignment/ revoke
- The request ID is generated
- The request is approved by the approver
Job Scheduler: - IDM runs a job scheduler every 5 minutes to identify changes in user identities.
- For a role, addition/ removal access Policy is triggered automatically and accounts/ entitlements associated with the role is fetched
- A scheduler job for IDM triggers updates to the user accounts
- IDM grant or disable access on the associated target system
- IDM verifies membership conditions and provision/ revoke entitlements or accounts on the user's profile
|
|---|
Role Assignment
Use Case | Role Assignment |
|---|
| Brief Description | IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record |
|---|
Actors | |
|---|
Trigger Events | |
|---|
Preconditions | - Active user in IDM created with Create User Process
|
|---|
Post-Conditions | Success - Correct roles are assigned based on computer access flag
Fail - Incorrect roles are assigned based on computer access flag
|
|---|
| Basic Flow | The process is as follows: - New User-created by data from HRMS
- IDM performs check to identify roles for the new user
- IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record:
- IDM identifies Computer Access Flag = N, and user ID receives Physical Badge role only
- IDM identifies a different user ID with Computer Access Flag = Y, and user ID receives Active Directory, Email, West Mainframe, Physical Badge role
- IDM triggers provisioning in Core-Connected Systems
|
|---|
Role Harvesting
Use Case | Role Harvesting |
|---|
| Brief Description | Role matching with entitlements |
|---|
Actors | |
|---|
Trigger Events | |
|---|
Preconditions | |
|---|
Post-Conditions | Success - Correct or no mapping of Role and Entitlement found
Fail - Incorrect mapping of role with entitlement found
|
|---|
| Basic Flow | The process is as follows: - IDM runs schedule job to match roles with entitlements
- IDM evaluates requests and determines if the requested or assigned entitlements match all entitlements of an existing role
- If there is a match to a role, the role shall be automatically assigned to the requester.
- Metadata is added to specific roles, allowing them to be excluded from Role Harvesting
|
|---|
Reference
https://docs.oracle.com/cd/E27559_01/user.1112/e27151/req_mangmnt_user.htm#OMUSG3752