Control access with Roles
Roles let security administrators control access at the functional level rather than per identity. Based on the functional role an identity holds in the organization, it is assigned a BR Role or an IT Role. A BR Role (Birthright Role) is provisioned to an Identity at onboarding; an IT Role is provisioned as needed. Either kind of Role can grant access to several corporate target systems at once.
The entitlements bundled into a Role are managed within the boundaries of each account created on a resource. By granting and/or revoking a Role, the IT Manager therefore manages both the entitlements and the accounts themselves across corporate resources.
In this section:
- Birthright Roles
- IT Role
Birthright Roles
With Birthright Role access control, entitlements are provisioned by the Onboarding or Reinstatement workflow, so by the time an Identity becomes Active it already holds all of its Accounts. A Birthright Role provisions access according to a condition defined by the IT Manager, which allows granular selection of the eligible Identities. From then on, for the lifetime of the Identity, its birthright access can be audited and adjusted to match its job duties, qualifications or responsibilities. Role Creation, Update and Deletion propagate the corresponding changes to all existing Identities and across all affected resources.
The tools that let IT Managers grant and/or revoke Birthright Roles are summarized in the table below and detailed hereinafter. Each cell lists the workflows that cause that effect on the Identity's accounts.
| | Account created | Account updated | Account deleted |
|---|---|---|---|
| Permissions bundled into the Role GRANTED on | Onboarding \ Reinstatement workflows; Role Creation workflow; Role Update workflow; Identities Update workflow | Role Creation workflow | n/a |
| Permissions bundled into the Role REVOKED on | n/a | Role Deletion workflow | Offboarding workflow |
| CHANGES performed on the Role assignment | n/a | Role Update workflow; Identities Update workflow | n/a |
IT Role
With IT Role access control, entitlements are provisioned ad hoc: whenever needed and to whomever needs them. It is the mechanism for role-based access provisioning to manually selected Identities. Once granted, an IT Role can undergo access updates that propagate to all affected Identities. Once created and Active, an Identity is eligible for an IT Role; if that Role changes, the entitlements within the Identity's accounts change accordingly.
The tools that let the IT Manager grant and/or revoke IT Roles are summarized in the table below and detailed hereinafter. Each cell lists the workflows that cause that effect on the Identity's accounts.
| | Account created | Account updated | Account deleted |
|---|---|---|---|
| Permissions bundled into the Role GRANTED on | PAR workflow; Role Update workflow | PAR workflow | n/a |
| Permissions bundled into the Role REVOKED on | n/a | Role Deletion workflow | Account Removal workflow; Offboarding workflow |
| CHANGES performed on the Role assignment | n/a | Manage Access workflow; Role Update workflow | n/a |
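The two tables above describe the same underlying mechanism: an Identity's accounts and entitlements are derived from the Roles that apply to it, and each workflow (Onboarding, PAR, Identities Update, Role Update, Role Deletion, Offboarding) is just a trigger to reconcile the accounts that exist against the accounts the Roles say should exist. The following Python model is an added example and not the product's code: the `Identity`, `Role`, `desired_accounts` and `reconcile` names, the constructed roles (`BR-AllStaff`, `BR-Finance`, `IT-DBA`) and target systems (`AD`, `Mail`, `ERP`, `DB`) are all hypothetical. It walks one constructed Identity through the Birthright Role and IT Role workflows and shows which account actions each one produces.

```python
"""Hypothetical model of Birthright/IT Role provisioning (added example, not the product's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Entitlements = Dict[str, FrozenSet[str]]   # target system -> entitlements the Role bundles on it
Accounts = Dict[str, Set[str]]             # target system -> entitlements the account currently holds
Action = Tuple[str, str, str, FrozenSet[str]]  # (create|update|delete, uid, system, entitlements after)


@dataclass
class Identity:
    uid: str
    status: str                              # "Active" or "Offboarded"
    attributes: Dict[str, str]               # evaluated by Birthright Role conditions
    it_roles: Set[str] = field(default_factory=set)  # IT Roles granted explicitly (PAR / Manage Access)


@dataclass
class Role:
    name: str
    kind: str                                # "birthright" or "it"
    entitlements: Entitlements
    condition: Optional[Callable[[Identity], bool]] = None  # eligibility rule, birthright only

    def applies_to(self, identity: Identity) -> bool:
        if self.kind == "birthright":        # condition-driven: nobody selects these by hand
            return self.condition is not None and self.condition(identity)
        return self.name in identity.it_roles   # IT Role: only if explicitly granted


def desired_accounts(identity: Identity, roles: Dict[str, Role]) -> Accounts:
    """Accounts an Active Identity should hold: the union of every applicable Role."""
    desired: Accounts = {}
    if identity.status != "Active":          # Offboarding: nothing is desired any more
        return desired
    for role in roles.values():
        if role.applies_to(identity):
            for system, ents in role.entitlements.items():
                desired.setdefault(system, set()).update(ents)
    return desired


def reconcile(identity: Identity, current: Accounts, roles: Dict[str, Role]) -> List[Action]:
    """Actions that move the current accounts to the desired state (idempotent once applied)."""
    desired = desired_accounts(identity, roles)
    actions: List[Action] = []
    for system in sorted(set(current) | set(desired)):
        have, want = current.get(system), desired.get(system, set())
        if identity.status != "Active":      # Offboarding deletes every account
            actions.append(("delete", identity.uid, system, frozenset()))
        elif have is None:                   # Onboarding / PAR / newly eligible: account created
            actions.append(("create", identity.uid, system, frozenset(want)))
        elif have != want:                   # Role Update / Role Deletion: account kept, entitlements changed
            actions.append(("update", identity.uid, system, frozenset(want)))
    return actions


def apply_actions(current: Accounts, actions: List[Action]) -> Accounts:
    updated = {system: set(ents) for system, ents in current.items()}
    for action, _uid, system, ents in actions:
        if action == "delete":
            updated.pop(system, None)
        else:
            updated[system] = set(ents)
    return updated


def run_scenario() -> Dict[str, List[Action]]:
    """Walk one constructed Identity through the workflows named in the tables."""
    roles: Dict[str, Role] = {
        "BR-AllStaff": Role("BR-AllStaff", "birthright",
                            {"AD": frozenset({"Domain Users"}), "Mail": frozenset({"Mailbox"})},
                            condition=lambda i: True),
        "BR-Finance": Role("BR-Finance", "birthright",
                           {"ERP": frozenset({"GL-Read"}), "AD": frozenset({"Finance-Share"})},
                           condition=lambda i: i.attributes.get("department") == "Finance"),
        "IT-DBA": Role("IT-DBA", "it", {"DB": frozenset({"sysadmin"})}),
    }
    alice = Identity("alice", "Active", {"department": "Sales"})   # constructed sample identity
    accounts: Accounts = {}
    log: Dict[str, List[Action]] = {}

    def step(name: str) -> None:
        nonlocal accounts
        log[name] = reconcile(alice, accounts, roles)
        accounts = apply_actions(accounts, log[name])

    step("onboarding")                                   # birthright accounts created
    alice.it_roles.add("IT-DBA"); step("par")            # IT Role granted by hand -> DB account created
    alice.attributes["department"] = "Finance"; step("identity_update")  # now eligible for BR-Finance
    roles["BR-Finance"].entitlements = {"ERP": frozenset({"GL-Read", "AP-Read"}),
                                        "AD": frozenset({"Finance-Share"})}
    step("role_update")                                  # existing ERP account updated
    del roles["IT-DBA"]; step("role_deletion")           # DB account kept, entitlements stripped
    alice.status = "Offboarded"; step("offboarding")     # every account deleted
    return log


if __name__ == "__main__":
    for workflow, actions in run_scenario().items():
        print(workflow, actions)
```

Two design points carry over to a real deployment. First, `reconcile` is a pure diff of current versus desired state, so running it twice produces nothing the second time; that is what lets a Role Update or Identities Update be re-run safely across every affected Identity. Second, Role Deletion strips entitlements but keeps the account (an "Account updated" outcome in the tables), while only Offboarding deletes accounts; the explicit Account Removal workflow for IT Roles is not modelled here and would be a separate delete action outside the Role-derived desired state.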
