Update access related to Roles already assigned
When an IT Manager updates the access related to roles, some entitlements are assigned and others are revoked. These entitlements make up the role access. If an Identity already has such a role assigned, any change affects what the Identity is actually able to do.
If the role itself is updated, the role access the Identity has is modified. If the Identity’s properties change, the role access the Identity has is likewise modified. And if the IT Manager directly changes the Identity’s role access, it is modified as well. Below is an overview of the tools that can be used to make changes in role assignments.
In this section:
- Birthright Roles
  - Role Update implements changes initiated in BR Role
  - Identities Update implements changes initiated in Identity Properties
- IT Roles
  - Role Update implements changes initiated in IT Role
  - Manage Access implements changes initiated by IT Manager
Birthright Roles
Two kinds of birthright-related changes eventually lead to granting or revoking entitlements: a change in a specific Birthright Role, or a change in a specific Identity.
In the first case, the Role is updated by the Role Update workflow, which results in a change to the birthright access of all affected Identities. In the second case, the access updates originate from changes in the Identity’s Additional Properties. If the properties of a specific Identity change, this can cause a corresponding change in its birthright access: the Birthright Roles are re-calculated for the Identity to determine what birthright access it is eligible for. Below is an overview of the tools that produce results of the first or the second kind.
Role Update implements changes initiated in BR Role
When the Role Update workflow is triggered for a BR Role, access is automatically updated for all Identities who have been assigned the Birthright Role. Every run of the Role Update workflow initiates access updates for all affected Identities by granting some entitlements and/or revoking other entitlements within the BR Role.
Identities Update implements changes initiated in Identity Properties
When the Identities Update workflow analyzes an Identity and detects inconsistencies in its Birthright Role access, the workflow resolves the issue by granting or removing the needed entitlements and adding the respective records about role assignments.
Each time the Integration Data coming from the HR Source integration updates the Additional Properties of Identities, the Identities' eligibility for birthright access needs to be re-calculated. This is performed by Identities Update. If, after analyzing the changes in the Identity properties, the workflow determines that changes are required in an Identity’s Birthright Roles, the respective assignments and/or removals are performed automatically for all detected Identities.
IT Roles
When entitlements are granted and/or revoked in association with an IT Role, the access changes are performed either automatically, based on changes to the IT Role, or manually, by the IT Manager’s direct actions. The tools to use for changing an Identity’s assigned role access are outlined below.
Role Update implements changes initiated in IT Role
When an IT Role is updated with the Role Update workflow, the access change is also propagated to every assignment of that IT Role. Every run of the Role Update workflow initiates access updates for all affected Identities by granting some entitlements and/or revoking other entitlements within the IT Role.
Manage Access implements changes initiated by IT Manager
When an IT Role assignment is added or removed with the Manage Access workflow, the role assignment is adjusted only for a specific Identity and within one integration. If an IT Role assigns Entitlements for more than one integration, such a Role cannot be granted or removed with the Manage Access workflow. Multiple-integration assignments are not supported by Manage Access.
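The three update paths described on this page, sketched as an added conceptual model. This is not the product's own code or API: all function names, the property-matching rule format, and the sample data are assumptions constructed for illustration.

```python
# Added conceptual model; every name here is hypothetical, not a product API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entitlement:
    integration: str
    name: str

def role_update_plan(old_ents, new_ents, assignments, role):
    """Role Update: one grant/revoke delta, applied to every Identity holding the role."""
    grant, revoke = new_ents - old_ents, old_ents - new_ents
    return {ident: (grant, revoke)
            for ident, roles in assignments.items() if role in roles}

def identities_update_plan(properties, rules, assigned):
    """Identities Update: recompute birthright eligibility from Identity properties.
    Assumption: a rule is a dict of property values that must all match."""
    eligible = {role for role, rule in rules.items()
                if all(properties.get(k) == v for k, v in rule.items())}
    return eligible - assigned, assigned - eligible  # (roles to assign, roles to remove)

def manage_access_allowed(role_ents):
    """Manage Access: only roles whose entitlements sit in a single integration."""
    return len({e.integration for e in role_ents}) == 1

# Constructed sample data.
OLD = {Entitlement("AD", "grp-finance"), Entitlement("AD", "grp-vpn")}
NEW = {Entitlement("AD", "grp-finance"), Entitlement("SAP", "fi-viewer")}
ASSIGNMENTS = {"alice": {"Finance"}, "bob": {"Sales"}, "carol": {"Finance", "Sales"}}
RULES = {"BR-Finance": {"department": "Finance"}, "BR-Sales": {"department": "Sales"}}

if __name__ == "__main__":
    plan = role_update_plan(OLD, NEW, ASSIGNMENTS, "Finance")
    for ident, (grant, revoke) in sorted(plan.items()):
        print(ident, "grant", sorted(e.name for e in grant),
              "revoke", sorted(e.name for e in revoke))
    # An Identity moved from Finance to Sales in the HR source.
    print(identities_update_plan({"department": "Sales"}, RULES, {"BR-Finance"}))
    # The updated role now spans two integrations, so Manage Access cannot handle it.
    print(manage_access_allowed(OLD), manage_access_allowed(NEW))
```

Reviewing the per-Identity plan before a Role Update run shows how many Identities a single role edit touches, which is the main difference from the single-Identity, single-integration scope of Manage Access.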
