The Access Policy feature manages and defines entitlements and policies assigned to roles in IDM, and where necessary, grants permissions for the fulfillment of the accounts/entitlements associated with defined roles and is accessed from the System Administration Console.

Each role is configured with rules for entitlements and is assigned connected resources to be granted or denied upon assignment of the role and associated process forms required for the role.

• IDM

• Manager/ Approver/ Task Performer

• Access policy is triggered and accounts/ entitlements associated with the role is fetched

• Active user in IDM

Success

• IDM grant or disable access to the associated target system
• All associated accounts and entitlements where rightly modified

Fail

• IDM could not grant or disable access to the associated target system
• All/ some entitlements and accounts were not rightly modified

The basic flow for the request failure process is explained as follows:

On Request:

• User requests role assignment/ revoke
• The request ID is generated
• The request is approved by the approver

Job Scheduler:

• IDM runs a job scheduler every 5 minutes to identify changes in user identities.
• For a role, addition/ removal access Policy is triggered automatically and accounts/ entitlements associated with the role is fetched
• A scheduler job for IDM triggers updates to the user accounts
• IDM grant or disable access on the associated target system
• IDM verifies membership conditions and provision/ revoke entitlements or accounts on the user's profile

IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record

• IDM

• HRMS

• New User is created in HRMS

• Active user in IDM created with Create User Process

Success

• Correct roles are assigned based on computer access flag

Fail

• Incorrect roles are assigned based on computer access flag

The process is as follows:

• New User-created by data from HRMS
• IDM performs check to identify roles for the new user
• IDM assigns roles to user identity and provisions core target system accounts based on the user's organization and Computer Access Flag from the HRMS record:
  • IDM identifies Computer Access Flag = N, and  user ID receives Physical Badge role only
  • IDM identifies a different user ID with Computer Access Flag = Y, and user ID receives Active Directory, Email, West Mainframe, Physical Badge  role
• IDM triggers provisioning in Core-Connected Systems

Role matching with entitlements 

• IDM

• Schedule job for Role Harvesting

• Active user in IDM

Success

• Correct or no mapping of Role and Entitlement found

Fail

• Incorrect mapping of role with entitlement found

The process is as follows:

• IDM runs schedule job to match roles with entitlements 
• IDM evaluates requests and determines if the requested or assigned entitlements match all entitlements of an existing role
• If there is a match to a role, the role shall be automatically assigned to the requester. 
• Metadata is added to specific roles, allowing them to be excluded from Role Harvesting