Creating and Managing Business Roles

CyberRes


17 Creating and Managing Business Roles


Business roles are roles whose users have common access requirements within your organization.
The set of users is defined by the membership policy of each role.
• Section 17.1, “Overview of Roles,” on page 185
• Section 17.2, “Understanding Business Roles,” on page 186
• Section 17.3, “Creating and Defining Business Roles,” on page 193
• Section 17.4, “Adding a Business Role Approval Policy,” on page 200
• Section 17.5, “Publishing or Deactivating Business Roles,” on page 200
• Section 17.6, “Analyzing Business Roles,” on page 202
• Section 17.7, “Editing Business Roles,” on page 202
• Section 17.8, “Approving Business Roles,” on page 203
• Section 17.9, “Automated Access Provisioning and Deprovisioning,” on page 204
• Section 17.10, “Downloading and Importing Business Roles and Approval Policies,” on page 215

17.1 Overview of Roles


Identity Governance enables you to manage both the technical and business roles in your
organization. To enable easier management of these roles, Identity Governance assigns technical
role administrators and business role administrators with separate but overlapping responsibilities.
Business roles organize people by business function and use user-based attributes to determine what
users should have access to, or whether they can request that access without additional approval.
Business roles authorize resources (permissions, technical roles, and applications) for users who are
members of the business role. These authorizations also specify whether resources are to be
auto-granted to users, auto-revoked from users, or neither auto-granted nor auto-revoked.
Technical roles organize lower-level permissions into sets of permissions that offer enough business
value to be reviewed and assigned as a unit or requested as a unit. Technical roles are designed to
limit the number of review items and surface permissions in ways that can be presented to typical
non-administrator users.
Figure 17-1 illustrates how the different types of roles overlap. In this example, company policies
authorize all full-time employees to have access to the HR Tools, Exchange Mailboxes, Lync, and My
Meeting. Accounting clerks are authorized to have access to Document Control and Account
Administration, a technical role that the technical role administrator created in Identity Governance.
When you include a user as a member of both the Full-time Employee and Accounting Clerk business
roles, Identity Governance authorizes the user to have any of the mandatory or optional technical
roles or permissions listed for those roles. Identity Governance could automatically provision the
mandatory permissions, and could assign the optional permissions at a later time without further
approval, because the policy pre-approves them. This example illustrates how business roles save
time and effort, reduce errors, and enable controlled access. To understand how your entitlement
assignments conform to your business policies, you can view the Role Effectiveness widget on the
Governance Overview dashboard. For more information, see “Viewing Entitlement Assignments
Statistics to Leverage Roles” on page 330.
Figure 17-1 Detailed Example of the Overlap between Business Roles and Technical Roles

[Figure: two business roles and the resources each is authorized to have]

Business Role: Accounting Clerk (membership criterion: Job Code = 5400) is authorized to have the
technical roles:
  Document Control: View Documents, Manage Documents
  Account Administration: View Bank Accounts, Manage Bank Accounts, View Payment Terms,
  Manage Payment Terms

Business Role: Full-time Employee (membership criterion: Status = Full time) is authorized to have:
  Technical role HR Tools: View Bank Accounts, Manage Bank Accounts, View Payment Terms,
  Manage Payment Terms
  Permissions: Exchange Mailbox, Lync, My Meetings

NOTE: This chapter primarily discusses business role policy concepts and procedures. For
information about technical roles, see Chapter 16, “Creating and Managing Technical Roles,” on
page 171.

17.2 Understanding Business Roles


Business roles specify a set of applications, roles, and permissions that each member of a business
role is authorized to access. The set of authorized resources is defined by the authorization policy of
the business role. A business role authorizes resources and generates requests, but does not assign
resources.
Figure 17-2 shows the business role workflow in Identity Governance.



Figure 17-2 Business Role Workflow

• Section 17.2.1, “Understanding Business Role Access Authorizations,” on page 187
• Section 17.2.2, “Understanding Business Role Mining,” on page 188
• Section 17.2.3, “Understanding Role Hierarchy with Role Mining,” on page 190
• Section 17.2.4, “Understanding Business Role States,” on page 191

17.2.1 Understanding Business Role Access Authorizations


The Customer, Global, or Business Roles Administrator creates, modifies, and defines business roles,
and manages business role policies. They can delegate administrative actions by specifying a
Business Role Owner or a Business Role Manager for each business role. Business Role Owners can
view and approve business roles but cannot edit business roles. Business Role Managers can edit
business role membership and resource authorizations, submit business roles for approval, promote
role candidates, publish roles, and deactivate roles. If the administrator does not specify role owners
in the business role definition, Identity Governance automatically assigns the administrator who
created the role as the role owner. For more information about access authorizations, see
Section 2.1, “Understanding Authorizations in Identity Governance,” on page 19.



17.2.2 Understanding Business Role Mining
Identity Governance uses advanced analytics to mine business data and to identify role candidates.
Customer, Global, or Business Roles administrators can use role mining to reduce complexity in
defining roles, and easily select role candidates with authorized users, permissions, technical roles,
and applications to create business roles and technical roles with common permissions. Identity
Governance uses three approaches to business role mining to identify business role candidates.
Directed role mining
Enables administrators to direct the mining based on specified user attributes. If administrators
are not sure which attribute to select, they can search for recommended attributes, then select
an attribute from the recommended bar graph that displays the strength of attributes that have
data. Additionally, directed role mining enables administrators to specify a minimum
membership and coverage percentage to identify role candidates. For example, if an
administrator selects Department as the attribute to group candidates by, the mining results
display the list of items consisting of department name with the associated users, permissions,
roles, and applications as role candidates.
Automated role mining
Enables administrators to enhance business role mining in larger environments by specifying a
minimum number of attributes, a minimum number of occurrences, and the maximum number
of results. Administrators can also specify a coverage percentage to identify role candidates. In
this approach, Identity Governance uses the attributes specified in the role mining settings in
Configuration > Analytics and Role Mining Settings to calculate role candidates.

NOTE: Micro Focus recommends that you use this option if you have a large and complex
catalog, such as a catalog with a greater number of variations in extended attributes, with
multiple values of attributes, and a catalog size that slows role mining performance.

Visual role mining


Enables administrators to select role candidates from a visual representation of the user
attributes. The width of an attribute circle displays the strength of the recommendation, and
the width and darkness of the lines indicate the affinity of the attribute to other user attributes.
Administrators can customize the mining results by modifying the default maximum number of
results, the minimum potential members, and the number of automatic recommendations. In
this approach, Identity Governance uses the attributes specified in the role mining settings in
Configuration > Analytics and Role Mining Settings to calculate role candidates.

NOTE: Variations in the number of extended attributes, attributes with multiple values, or
overall catalog size may affect the performance of visual role mining. You might see invalid
results when mining larger or more complex data. You can disable this option by setting the
com.netiq.iac.analytics.role.mining.visual.hide global configuration property
to true. To optimize performance and to avoid invalid results, use the automated role mining
option to mine for roles.

Table 17-1 helps you determine the type of role mining to use.



Table 17-1 Determining Which Role Mining Approach to Use

If: You are not sure about where to start, have a small catalog, and want Identity Governance to mine
for roles based on attributes specified in the role mining settings in Configuration > Analytics and
Role Mining Settings, and automatically suggest role candidates.
Then:
• Select Visual Role Mining or Automated Role Mining.
• Modify the maximum number of results to display for recommended attributes and the required
  minimum number of members for each role candidate.
• Save the specified values to trigger the user catalog analysis.
• (Optionally) Click the gear icon to change the specified values to optimize results and save the
  values.
• (For Visual Role Mining) Click an attribute node (circle) to select a role candidate.
  WARNING: You might not see recommendations if the Settings > Minimum potential members
  value is set too high, or if the role mining settings in Configuration > Analytics and Role Mining
  Settings do not meet the required conditions. For more information, see “Configuring Analytics
  and Role Mining Settings” on page 319.
• Click the Mining Results tab.

If: You do not know where to start, have large and complex data to mine, want Identity Governance to
mine the data based on the attributes specified in the role mining settings in Configuration >
Analytics and Role Mining Settings, and want to include minimum occurrences of attributes as mining
criteria without specifying any user attributes.
Then:
• Select Automated Role Mining.
• Modify the minimum number of attributes, minimum number of occurrences, and maximum results.
• Modify the coverage criteria.
  NOTE: Identity Governance uses the permission, the technical role, and application coverage fields
  to determine which authorizations are automatically populated in the business role candidate. For
  example, if permission coverage is at 50%, then 50% of the members must hold the permission for
  Identity Governance to add it as an authorization in the candidate. If it is 100%, then all members
  must hold the permission for Identity Governance to add it as an authorization.
• Save the specified values to trigger the user catalog analysis.
• (Optional) Click the gear icon to change values to optimize results and save the values to refresh
  the candidate suggestions.

If: You want to direct the mining by specifying user attributes from the catalog.
NOTE: When using this role mining option, you are not limited to using only the attributes included in
the role mining settings in Configuration > Analytics and Role Mining Settings.
Then:
• Select Directed Role Mining.
• Specify the user attributes by entering the user attribute names or by searching for, and selecting,
  the attributes based on the strength of the recommendation.
• Specify a minimum number of times the attribute value must occur across users or the percentage
  of all users who must have the attribute value.
• Specify additional coverage criteria.
• Save the specified values to trigger the user catalog analysis.
• (Optional) Click the gear icon to adjust the values to optimize results, then save the values to
  refresh the candidate suggestions.

NOTE: Role recommendations are dependent on your data and role mining settings. To optimize
search results, administrators can modify default role mining settings in Configuration > Analytics and
Role Mining Settings. For more information, see “Configuring Analytics and Role Mining Settings” on
page 319.

After previewing users and their associated permissions, technical roles, and applications,
administrators can analyze specified potential role candidates to see if they duplicate existing roles
by matching on membership or authorizations. Existing roles that match the membership or
authorizations are displayed in the potential candidate list after performing the analysis.
Administrators can then choose not to create those candidates. Additionally, Identity Governance
could group common permissions under a technical role, and generate a technical role candidate for
each application.

NOTE: Identity Governance creates the mined business or technical roles in a candidate state.
Administrators can edit and save role candidates, but they must promote candidates before they can
activate them as roles. Administrators can also select multiple role candidates and submit them for
approval, publish them, or delete them using the options under Actions.

Identity Governance performs role mining as a background process. If you navigate from the role
mining page, role mining will continue. When you return to the role mining page, click Load Previous
Suggestions to list the mining suggestions, then create the business role candidates. The generated
role mining suggestions are available for 96 hours. You can adjust the mining retention interval by
selecting Configuration > Analytics and Role Mining Settings.
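The following is an added example, not code from Identity Governance or this guide: it models directed role mining over a constructed catalog, applying the minimum-membership and coverage criteria that Table 17-1 describes, plus an assumed membership-match percentage for the Find Matching Roles step.

```python
"""Directed role mining with minimum membership and coverage criteria.

Added illustration, not Identity Governance code. Users are grouped by one
chosen attribute, groups below a minimum membership are dropped, and a
permission becomes an authorization of the candidate only when at least the
coverage fraction of members hold it (50% -> half the members, 100% -> all).
The catalog rows, the attribute name and the match measure are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Candidate:
    name: str
    expression: str           # membership expression the candidate would carry
    members: Set[str]
    authorizations: Set[str]  # permissions that met the coverage threshold


# Constructed sample catalog: user id -> attribute values and held permissions.
CATALOG: Dict[str, dict] = {
    "u1": {"Department": "Finance",
           "permissions": {"View Bank Accounts", "Manage Bank Accounts", "Exchange Mailbox"}},
    "u2": {"Department": "Finance",
           "permissions": {"View Bank Accounts", "Exchange Mailbox"}},
    "u3": {"Department": "Finance",
           "permissions": {"View Bank Accounts", "View Payment Terms", "Exchange Mailbox"}},
    "u4": {"Department": "Finance",
           "permissions": {"View Bank Accounts", "Manage Bank Accounts", "Exchange Mailbox"}},
    "u5": {"Department": "Engineering",
           "permissions": {"Exchange Mailbox", "Manage Documents"}},
    "u6": {"Department": "Engineering",
           "permissions": {"Exchange Mailbox", "View Documents"}},
    "u7": {"Department": "",  # no value for the mining attribute: cannot be grouped
           "permissions": {"Exchange Mailbox"}},
}


def permission_coverage(members: Set[str], catalog: Dict[str, dict]) -> Dict[str, float]:
    """Fraction of the group's members that hold each permission seen in the group."""
    counts: Dict[str, int] = defaultdict(int)
    for uid in members:
        for perm in catalog[uid]["permissions"]:
            counts[perm] += 1
    return {perm: n / len(members) for perm, n in counts.items()}


def mine_by_attribute(catalog: Dict[str, dict], attribute: str,
                      min_members: int, coverage: float) -> List[Candidate]:
    """Group users by `attribute`; keep groups with at least `min_members` users.

    `coverage` is a fraction in [0, 1]: only permissions held by at least that
    share of a group's members are authorized in the resulting candidate.
    """
    groups: Dict[str, Set[str]] = defaultdict(set)
    for uid, row in catalog.items():
        value = row.get(attribute)
        if value:
            groups[value].add(uid)

    candidates: List[Candidate] = []
    for value in sorted(groups):
        members = groups[value]
        if len(members) < min_members:
            continue
        cov = permission_coverage(members, catalog)
        authorized = {perm for perm, frac in cov.items() if frac >= coverage}
        candidates.append(Candidate(
            name=f"{attribute} {value}",
            expression=f"{attribute} = '{value}'",
            members=members,
            authorizations=authorized,
        ))
    return candidates


def membership_match(candidate: Set[str], existing: Set[str]) -> float:
    """Assumed match measure for Find Matching Roles: percentage of the
    candidate's members who already belong to an existing role."""
    if not candidate:
        return 0.0
    return 100.0 * len(candidate & existing) / len(candidate)


if __name__ == "__main__":
    for cand in mine_by_attribute(CATALOG, "Department", min_members=3, coverage=0.5):
        print(cand.name, "|", cand.expression)
        print("  members:       ", sorted(cand.members))
        print("  authorizations:", sorted(cand.authorizations))
        print("  match vs an existing Finance role:",
              membership_match(cand.members, {"u1", "u2", "u9"}), "%")
```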

17.2.3 Understanding Role Hierarchy with Role Mining


Business role mining in Identity Governance creates business roles for each selected candidate, but
cannot group the created roles. Role hierarchy allows you to create a hierarchy of roles, based on the
mining attributes, that lets you assign resources either at the candidate level or by grouping the
candidates at a higher level.



NOTE: Role hierarchy is not available for visual role mining.

When you select Create business role hierarchy, you can select the attributes used in the role mining
as grouping attributes for the role hierarchy. For example, Figure 17-3 illustrates a company
organization chart in which each department includes job codes that represent positions. The
company wants to create departmental business roles for Engineering, Tours, Transportation and
Finance, as well as roles for each job code. Furthermore, they want an “All Department” role that
includes the Engineering department and all the other top-level departments. Selecting the
department attribute as the role hierarchy grouping attribute would create business roles that
mirror the organizational chart.
Figure 17-3 Company Organization with Department and Job Codes

[Figure: organization chart, shown here as department followed by its positions and job codes]

All Employees
  Engineering (ENG): Manager (ENG MAN), Engineer 3 (ENG E3), Engineer 2 (ENG E2),
    Engineer 1 (ENG E1), Engineer IT (ENG IT), Testing (ENG TST), Intern (ENG INT),
    Doc (ENG DOC), Training (ENG TRN)
  Tours (TRS): Prod Manager (TRS PM), Stage Manager (TRS SM), Publicist (TRS PUB),
    Promoter (TRS PRO), Dispatcher (TRS DS), Technician (TRS TEC), Intern (TRS INT),
    Tour Guide (TRS TG), Tour Driver (TRS DRV), Tour Crew (TRS CRW)
  Transportation (TRA): Dispatcher (TRA DS), Cleaner (TRA CLN), Coordinator (TRA COR),
    Driver (TRA DRV), Intern (TRA INT), Mechanic (TRA MCH)
  Finance (FIN): Accountant (FIN ACC), Analyst (FIN ANA), Manager (FIN MAN), Auditor (FIN AUD),
    Compliance (FIN COM), Intern (FIN INT), Controller (FIN CTL)

17.2.4 Understanding Business Role States


After you create, or after Identity Governance mines a business role, the role goes through many
states during its life cycle, as shown in Figure 17-4.



Figure 17-4 Business Role States

Business Role State: Description

CANDIDATES: The mining process created the business role, and the administrators must promote it
before they or others can approve it (depending on the approval policy) and publish it. This state
corresponds to the internal state called MINED.

DRAFT: The assigned approval policy requires approval and the administrator has not submitted the
changes for approval.

CHANGES REQUESTED: The approver denies approval of a business role. This state corresponds to the
internal state called REJECTED.

APPROVAL PENDING: Pending changes are ready for approval by the approver specified in the approval
policy. This state corresponds to the internal state called PENDING_APPROVAL.

APPROVED: The approver approved the business role, but the business role has not yet been published.

PUBLISHED: The business role is approved and the administrator has published the role.

ARCHIVED: An administrator deletes the policy or creates a new version. Identity Governance archives
the policy for history and reporting purposes. Identity Governance never displays archived business
roles in the application.



17.3 Creating and Defining Business Roles
To create a business role, you must define a membership policy and an authorization policy for the
business role based on your business needs. Identity Governance allows you to create business roles
using role mining or by creating the role manually.
• Section 17.3.1, “Creating Business Roles Using Role Mining,” on page 193
• Section 17.3.2, “Defining Business Roles Manually,” on page 194
• Section 17.3.3, “Configuring Business Role Membership,” on page 196
• Section 17.3.4, “Adding Authorizations to a Business Role,” on page 197

17.3.1 Creating Business Roles Using Role Mining


Identity Governance can use advanced analytics to mine business data and to identify role
candidates. Business role mining is the process of discovering and analyzing business data to group
multiple users and access rights under one business role candidate. Identity Governance allows you
to use one of three role mining methods to create business roles.

To create a business role using role mining:


1 Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.
2 Select Policy > Business Roles.
3 Click the Mining tab.
4 Select a role mining approach. (See Table 17-1 to determine which role mining approach to
use.)
5 Click Generate New Suggestions.

NOTE: If you already generated new suggestions, you can click Load Previous Suggestions, click
Load for the mining suggestion you want to use to load potential role candidates, then skip to
Step 9. Only saved suggestions still within the specified retention interval appear as Previous
Suggestions.

6 Provide the requested role mining options relevant to the business role you want to create.

TIP: To differentiate among mining suggestions you generate, provide a description that lists the
attributes you want to use for role mining, or that specifies the purpose for the role.

7 Click Start.
8 Click Load next to the mining suggestion you want to use to load potential role candidates.
9 Select one or more potential candidates.

IMPORTANT: If you selected visual role mining, you must select one or more criteria from the
visual representation before you can select potential candidates.

NOTE: You can click Change Authorizations to modify the authorizations used to create the
mining suggestions. Changing the authorizations can modify the values for Users, Permissions,
Roles, and Applications.



10 Click Actions > Find Matching Roles to determine if the specified potential candidates match
members or authorizations of existing roles.
11 (Optional) Exclude potential candidates identified in the previous step that would create a
duplicated role.

NOTE: If you choose to create a business role candidate with members and authorizations that
match those in existing roles, you can analyze the candidate to calculate the match percentage.
For more information, see Section 17.6, “Analyzing Business Roles,” on page 202.

12 Click Actions > Create Candidates.


13 Select Create separate candidates for each criteria or Create a single business role candidate. If
you select the latter, specify a name for the business role.
14 (Optional) Select Create associated technical roles for common permissions to generate the
technical roles with users who have the same permissions.
15 (Optional) Select Group permissions added to technical roles by application to create application-
specific technical roles.
16 (Optional) Select Create business role hierarchy, then select the attributes by which to group
values for each available level, to create role hierarchy when mining business roles.

NOTE: The number of available levels is one less than the number of attributes you selected in
Role Mining Options. For example, if you selected three attributes, you would be able to group
the roles for up to two levels.

17 On the Roles tab, select one or more newly generated inactive roles.

NOTE: Identity Governance creates role candidates in a pending state, and administrators must
promote them before anyone can either approve the role candidates or publish them as a role.
Click the role candidate to ensure that the membership criteria and authorizations are as you
want them to be before publishing. You can edit the role candidate to make necessary changes.

18 Select Actions > Promote.


19 Select the new role, then select Actions > Publish.

After you create the business role and assign owners and administrators, the business role is ready
for approval, depending on your approval policy. The approval policy allows people to review the
business role and either approve it or request changes to it. For more information, see Section 17.4,
“Adding a Business Role Approval Policy,” on page 200.
To detect users that meet the business role criteria in reviews or in the catalog, you must publish the
business role. For more information, see Section 17.5, “Publishing or Deactivating Business Roles,”
on page 200.

17.3.2 Defining Business Roles Manually


To create a business role manually, you must define a membership policy and an authorization policy
for the business role based on your business needs.

To define a business role manually:


1 Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.



2 Select Policy > Business Roles.
3 Click the Roles tab, then click the plus sign (+).
4 Specify the following information to create the business role:
• Name of the business role
• Business role description
• Grace period

NOTE: A grace period specifies the number of days that you want Identity Governance to
consider the user as a member of the role when it detects that the member no longer
meets the membership policy requirements.

• Risk level
5 Select the Membership tab, if not already selected, and provide information for one or more
membership configuration items. For detailed information, see Section 17.3.3, “Configuring
Business Role Membership,” on page 196.
6 Select the Authorizations tab, then provide configuration information for one or more of the
authorization configuration items.

NOTE: Applications must have an account collector to allow you to specify automatic grant or
revoke.

For detailed information about authorizing permissions, technical roles, and applications, see
Section 17.3.4, “Adding Authorizations to a Business Role,” on page 197.
7 Select the Owners and Administration tab to assign ownership for the following:
• Role owner
• Role manager
• Fulfiller
• Categories
• Approval Policy

NOTE: If you do not make selections on this tab, Identity Governance makes default
assignments for the owner and fulfiller and assigns a default approval policy to the business
role.

8 (Optional) On the Membership tab, click View Membership to view the list of business role
members.

NOTE: During migration or upgrades, you must always run publication to refresh the list of
business role members. For more information about publishing data sources, see Chapter 8,
“Publishing the Collected Data,” on page 99.

9 Under What-if Scenarios, click:
• Estimate Publish Impact to estimate changes that would occur if the role were published,
such as the users who would be added to or deleted from the business role, the resource
authorizations that would be added or deleted, and the change requests that would be
made.
• Estimate Deactivate Impact to estimate changes that would occur if the business role is
deactivated or deleted, such as the resource authorizations that would be deleted, and the
change requests that would be made.
• Analyze SoD Violations to analyze the SoD violations that would occur if users held the
permissions and technical roles authorized by this business role.
10 (Conditional) Resolve SoD violations or edit the business role definition to resolve any issues.
For more information about SoD violations, see “Approving and Resolving an SoD Violation” on
page 229.
11 Click Save to save your modifications to the business role.
12 Select the saved role, then select Actions > Publish.

NOTE: When editing an existing business role, the Owners and Administration tab has a
separate Save button, which allows you to change these items independent of other items that
refer to the business role.

17.3.3 Configuring Business Role Membership


A membership policy determines which users are members of a business role. The membership
policy can include membership expressions, membership policy from other business roles, user or
group inclusion lists, and user or group exclusion lists. Regardless of how users become members of
a role, they are authorized to have the resources specified in the business role for as long as they are
members of the business role.

NOTE: Business role authorization of a resource (permission, technical role, or application) for a user
is independent of assigning the resource to the user. For example, the business role might authorize
a user to have a permission, but Identity Governance might not have assigned the permission.
Similarly, Identity Governance might have assigned a permission, but the business role might not
authorize the permission.

Included Membership
Optionally, specify business roles whose membership criteria, users, and groups you want to
include in the new business role. When combining the included roles, Identity Governance
includes only membership of published roles and eliminates duplicates. For example, you can
include BR1 and BR2 in the membership of BR3. Then, role BR3 becomes the union of BR1 and
BR2 along with any membership criteria specified for BR3.

NOTE: Excluded members of the including role take precedence over the inclusion of included
business role members. For example, when BR3 includes BR1, BR1 has a member User A,
and BR3 excludes User A, then Identity Governance also excludes User A from BR3.
Also, note that Identity Governance does not allow circular inclusions. For example, you:
• Cannot include BR1 in BR1 (self inclusion)
• Cannot include BR2 in BR1 then include BR1 in BR2
• Cannot include BR2 in BR1 and BR3 in BR2 and then include BR1 in BR3



Membership expressions
Membership expressions are criteria that specify a set of users that are considered members of
the business role. Identity Governance converts your specified criteria to create SQL SELECT
statements to find the users that match the criteria. When you use the role mining feature,
Identity Governance provides recommendations for role candidates based on your data and
auto-generates the membership expressions when you create a role candidate. To optimize
specific SELECT statements, follow query optimization principles such as creating indexes for
attributes you are going to query. To optimize specific SELECT statements that might not be
performing as expected, contact your database administrator. To set effective dates for
authorizations, click the calendar icon at the top of the Membership Expression menu section.

TIP: When adding date attributes such as start date to membership expression, you can specify
a date using the calendar date picker or use the date formula. For example, if you want to
automatically make new employees a member of a business role two days before their start
date, use the date formula.

Include and Exclude Users and Groups


Optionally, define specific users and groups that you want to include in the business role that
might not match any membership expression. You can also specify users and groups to exclude
from the business role who would otherwise match membership expressions. For example, you
can have a membership expression that matches all managers in engineering, but you do not
want John Smith or managers in the CTO group to be members even if they match those criteria.
You can also define a time period for when these inclusions or exclusions are valid.

NOTE: Excluding a user or group takes precedence over including them. For example, suppose
you include the Sales group and exclude the Contractors group. Then, Identity Governance
would exclude a user who belongs to both of those groups because exclusion takes precedence
over inclusion.

You can click View Membership to view the list of business role members.

NOTE: During migration or upgrades, you must always run publication to refresh the list of business
role members. For more information about publishing data sources, see Chapter 8, “Publishing the
Collected Data,” on page 99.
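As an added example (not part of this guide or the product), the membership rules described in this section modeled in Python over constructed users and roles named BR1 through BR4: expression matches, inclusion of published roles only, exclusion taking precedence, and rejection of circular inclusions.

```python
"""Business role membership resolution.

Added illustration, not Identity Governance code. Models the rules from this
section: membership expressions, included roles (published only, union with
duplicates removed), explicit user/group include and exclude lists, exclusion
taking precedence over every inclusion, and rejection of circular inclusions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


class CircularInclusionError(ValueError):
    """The included-role graph contains a cycle (self inclusion counts)."""


@dataclass
class BusinessRole:
    name: str
    published: bool = True
    expression: Callable[[dict], bool] = lambda user: False  # membership expression
    included_roles: Set[str] = field(default_factory=set)
    include_users: Set[str] = field(default_factory=set)
    include_groups: Set[str] = field(default_factory=set)
    exclude_users: Set[str] = field(default_factory=set)
    exclude_groups: Set[str] = field(default_factory=set)


def check_no_circular_inclusions(roles: Dict[str, BusinessRole]) -> None:
    """Depth-first walk of the inclusion graph; raises on the first cycle found."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in roles}

    def visit(name: str, path: list) -> None:
        colour[name] = GREY
        for inc in roles[name].included_roles:
            if inc not in roles:
                continue
            if colour[inc] == GREY:  # back edge: inc is already on the current path
                raise CircularInclusionError(" -> ".join(path + [inc]))
            if colour[inc] == WHITE:
                visit(inc, path + [inc])
        colour[name] = BLACK

    for name in roles:
        if colour[name] == WHITE:
            visit(name, [name])


def resolve_members(role_name: str, roles: Dict[str, BusinessRole],
                    users: Dict[str, dict]) -> Set[str]:
    """Effective members of one business role, after validating the inclusion graph."""
    check_no_circular_inclusions(roles)
    return _resolve(role_name, roles, users)


def _resolve(role_name: str, roles: Dict[str, BusinessRole],
             users: Dict[str, dict]) -> Set[str]:
    role = roles[role_name]

    def in_any(u: dict, groups: Set[str]) -> bool:
        return bool(u.get("groups", set()) & groups)

    # 1. Users matching the role's own membership expression.
    members = {uid for uid, u in users.items() if role.expression(u)}
    # 2. Union of included roles; unpublished roles contribute nothing.
    for inc in role.included_roles:
        if inc in roles and roles[inc].published:
            members |= _resolve(inc, roles, users)
    # 3. Explicit user and group inclusions.
    members |= role.include_users & set(users)
    members |= {uid for uid, u in users.items() if in_any(u, role.include_groups)}
    # 4. Exclusions win over every inclusion, including members that arrived
    #    through an included role.
    members -= role.exclude_users
    members -= {uid for uid, u in users.items() if in_any(u, role.exclude_groups)}
    return members


# Constructed sample data.
USERS: Dict[str, dict] = {
    "alice":  {"department": "Engineering", "title": "Manager", "groups": set()},
    "jsmith": {"department": "Engineering", "title": "Manager", "groups": set()},
    "dave":   {"department": "Engineering", "title": "Manager", "groups": {"CTO"}},
    "bob":    {"department": "Sales", "title": "Rep", "groups": {"Sales"}},
    "carol":  {"department": "Sales", "title": "Rep", "groups": {"Sales", "Contractors"}},
    "erin":   {"department": "Finance", "title": "Analyst", "groups": set()},
}

ROLES: Dict[str, BusinessRole] = {
    # BR1: all managers in engineering, by expression.
    "BR1": BusinessRole("BR1", expression=lambda u: u["department"] == "Engineering"
                        and u["title"] == "Manager"),
    # BR2: the Sales group minus the Contractors group (exclusion wins for carol).
    "BR2": BusinessRole("BR2", include_groups={"Sales"}, exclude_groups={"Contractors"}),
    # BR4: unpublished, so including it adds nobody.
    "BR4": BusinessRole("BR4", published=False,
                        expression=lambda u: u["department"] == "Finance"),
    # BR3 = BR1 + BR2 + BR4, minus John Smith and managers in the CTO group.
    "BR3": BusinessRole("BR3", included_roles={"BR1", "BR2", "BR4"},
                        exclude_users={"jsmith"}, exclude_groups={"CTO"}),
}

if __name__ == "__main__":
    for name in ("BR1", "BR2", "BR3"):
        print(name, sorted(resolve_members(name, ROLES, USERS)))
```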

17.3.4 Adding Authorizations to a Business Role


A business role authorization policy defines the permissions, technical roles, and applications
authorized by the business role. Users are not automatically assigned the permissions of a business
role, nor are business role permissions removed if users no longer meet the criteria for a business
role. The business role authorization policy defines only whether the user is authorized the access
but does not assign the resource.
A business role can authorize technical roles, so the business role authorizes all business role users
and groups for all of the permissions included in each technical role. For more information, see
Chapter 16, “Creating and Managing Technical Roles,” on page 171.
You add an authorization policy to the business role on the Authorizations tab when you create or
edit the business role.



There are many different components to an authorization policy. The following information explains
the different components.
Authorized Permissions
Identity Governance might preauthorize permissions when you mine for roles or you might
need to define them. Select permissions from the entire catalog or from a list of permissions
held by the business role members. Specify whether the permission is mandatory or optional.
Specify whether Identity Governance should automatically grant or revoke permissions. If
needed, select the calendar control to set an authorization period for when Identity
Governance authorizes these permissions for users in the business role. The authorization
policy can authorize a user in the business role for all of the permissions included in the
authorization policy.
If an authorized permission comes from an Identity Manager application and is an Identity
Manager role (parent) that contains other Identity Manager roles and Identity Manager
resources (children), there will be an option to also authorize the contained permissions (the
default is to not authorize contained permissions). You can view the hierarchy of contained
permissions by clicking show.

NOTE: If you specify auto-grant or auto-revoke on this kind of permission, the selected option
does not apply to any of the contained permissions. This is because if you grant or revoke a
permission that is an Identity Manager role that contains other contained Identity Manager
roles and Identity Manager resources, the Identity Manager system automatically grants or
revokes any contained Identity Manager roles and resources.

Authorized Technical Roles


Identity Governance might preauthorize technical roles when you mine for roles or you might
need to define them. The technical role acts as a grouping for the permissions. If all of the
appropriate permissions are included in a technical role, you can add the technical role instead
of the individual permissions. If needed, select technical roles from the entire catalog or from a
list of technical roles held by the business role members. Determine whether the technical role
is mandatory or optional. Specify whether Identity Governance should automatically grant or
revoke the technical role authorization. If needed, select the calendar control to set an
authorization period for when the permissions in the technical role are valid for the business
role. The authorization policy can authorize a user in the business role for technical roles
included in the authorization policy. If an authorized technical role comes from an Identity
Manager application and is an Identity Manager role that contains other Identity Manager roles
and Identity Manager resources, the authorization policy can authorize the member of the
business role for both the explicitly specified and contained permissions (direct permissions)
and permissions contained within the contained permissions (indirect permissions).
Permissions contained in a technical role might come from an Identity Manager application and
might be an Identity Manager role that contains other Identity Manager roles and Identity
Manager resources. For this reason, technical roles have two options for authorizing contained
permissions. You can opt to only authorize the permissions that are explicitly specified in the
technical role, or you can opt to authorize the permissions contained in the technical role and
any permissions that are contained in those permissions. The second option applies only to
permissions that are Identity Manager roles that contain other Identity Manager roles or
Identity Manager resources. You can view the hierarchy of all contained permissions that
Identity Governance authorizes by clicking show.

NOTE: If you select Auto-grant or Auto-revoke on a technical role, the selected option applies
only to the permissions explicitly specified in the technical role. It does not apply to any of the
permissions that those permissions might contain.

Authorized Applications
Identity Governance might preauthorize applications when you mine for roles or you might
need to define them. If needed, define which applications the members of the business role are
authorized to hold. This means Identity Governance can create accounts for the members of the
business role in the listed applications. Select applications from the entire catalog or from a list
of applications held by the business role members. Specify whether Identity Governance should
or should not automatically grant or revoke the application authorization. If needed, select the
calendar control to set an authorization period for when the members of the business role have
access to the application. The authorization policy can authorize a user in the business role to
have accounts in the applications included in the authorization policy.

NOTE: Applications must have an account collector to allow you to specify automatic grant or
revoke.

Mandatory versus Optional


When an authorization policy specifies Mandatory on a permission, technical role, or
application, it means that a user is expected to have it if the user is a member of the business
role. However, there is no enforcement of having the mandatory item. Optional means the
authorization policy allows a user to have a resource, but the authorization policy does not
require it.
Automatic Grant or Revoke Settings
You can select whether to automatically grant or revoke each permission, technical role, and
application. Applications must have an account collector to allow you to specify automatic grant
or revoke. When the authorization policy applies the auto-grant or the auto-revoke policies in
the business roles, Identity Governance might issue grant requests if the user does not have a
resource, and revoke requests if the user has a resource. Under certain conditions, Identity
Governance might issue grant requests even if a user has a resource, and revoke requests even
if a user does not have a resource.
If you specify auto request on a technical role, the auto request applies only to the permissions
explicitly specified in the technical role. It does not apply to any of the permissions that those
permissions might contain. For example, for Identity Manager roles that contain children
permissions, Identity Governance issues auto requests only for the top-level role and then
Identity Manager rules apply for all children authorizations. For more information, see
Section 17.9, “Automated Access Provisioning and Deprovisioning,” on page 204.
Authorization Period
The authorization policy can authorize a user in the business role for a set period of time
defined in the authorization policy. Typically, you might need to set the authorization period
only during transitions like mergers or changes related to compliance. Avoid setting an
authorization period for business roles to change a specific role authorization, as you handle it
more efficiently using periodic business role membership reviews.

17.4 Adding a Business Role Approval Policy
The approval policy for the business role governs all business role life cycle events. Identity
Governance contains a default approval policy that it assigns to each business role that you create.
The approval policy for the business role specifies all approval requirements for each business role
defined, including whether the business role requires approval when you create or modify that
business role.
Micro Focus recommends that your organization’s default policy require approval. A default policy
that does not require approval enables Identity Governance to approve roles automatically. When
your policy requires approval, you can submit each role for approval or select multiple draft roles
and then select Actions > Submit for Approval to submit multiple roles for approval.
Identity Governance applies the default approval policy, which specifies that business roles do not
require approval, to all business roles that you create. To change this, change the default approval
policy to require approval by owners or to specify a list of approvers.
Identity Governance provides two additional policies for your convenience. One policy requires
approval by the business owner (recommended) and the other policy does not require approval. A
Customer, Global, or Business Role Administrator can change or delete these sample policies.
You can create additional approval policies and apply them to existing business roles after you have
created business roles. To change the default approval policy, select Default approval policy on the
Approval Policies tab.

To create a new approval policy:


1 Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.
2 Select Policy > Business Roles.
3 Click the Approval Policies tab.
4 Select Add approval policy (+).
5 Specify a name and description for the approval policy, then determine whether it is required or
not.
6 Save the policy.

You can change the approval policy for a group of business roles at the same time by using the bulk
action on the business role list. You can also download business role approval policies as JSON files
using the bulk action menu. After editing, you can import the policies on the page that lists all
approval policies.

17.5 Publishing or Deactivating Business Roles


Two possible versions of a business role can exist:
 Published: Before you can publish a business role, it must go through the approval process and
be approved, if it requires approval. A published business role is available for the governance
process and in the general catalog.
 Deactivated: You can edit published, approved, and deactivated roles. When you edit a
published business role, Identity Governance creates a draft of the business role that appears
on the Draft tab that you can send for approval if required, publish, or discard. However,
deactivated roles are not available for the governance process or in the general catalog.
The edit and approve cycle is a single cycle that is independent of the publication cycle. When you
edit the published business role, Identity Governance creates a draft version of the business role.
The approval cycle is not independent of the draft. If no approval is required, Identity Governance
automatically approves the draft but does not publish the draft. If an administrator publishes the
draft, it replaces the currently published version.
When the business role administrator deactivates a published role, Identity Governance takes one of
the following actions:
 If there is an approved draft, Identity Governance archives the active version and the approved
draft replaces it.
 If there is not an approved draft when the published role is deactivated, Identity Governance
prompts the administrator to keep the published version or the unapproved draft version of the
business role.
 If there is no draft, Identity Governance moves the published business role to the approved
state.

To publish or deactivate a business role:


1 Log in to Identity Governance as a Customer, Global, or Business Role Administrator.
2 Select Policy > Business Roles.
3 Select the business role to change, then select Edit.
4 If you have one version of the business role, select Publish or Deactivate the business role.

NOTE: Deactivating a business role disables the role from being a part of the review process and
removes resource authorizations from its members for its resources. However, deactivation
does not issue auto-revoke requests for resources that specify auto-revoke, and does not
change or retract any current or pending auto-grant or auto-revoke request.

or
If you have multiple versions of the business role, select the Draft or Published tab, then select
Publish or Deactivate.

NOTE: You must have two versions of the business role to have the Draft and Publish tabs
appear.

If you have many business roles that need to be published, Identity Governance provides a way to
publish all of the roles at the same time. On the Business Roles page, select the business roles to
publish, then select Actions > Publish.

17.6 Analyzing Business Roles
Identity Governance allows you to improve role quality and effectiveness by providing you with
various analytical tools. To maintain an effective role model, it is important that organizations are
able to understand the quality of the roles that have been implemented. For example, you might
create a business role that has all or almost all of the members as another business role. This might
indicate that these roles are redundant and are not actually needed. Using role analysis, you can
analyze selected business roles, all business roles, or membership expression of existing roles to find:
 Similarity in memberships and authorizations
 Effectiveness of the selected business roles based on the percentage of users that hold the role
authorizations
 Members and authorizations in common
 Members without mandatory authorizations
 Members without auto-grant authorizations

To analyze business roles:


1 Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.
2 Select Policy > Business Roles.
3 Click the Analysis tab.
4 Select an Analyze option and configure related parameters. For example, when selecting the
similarity analysis, you can modify the default similarity threshold. If you specify 60%, the
results display business roles that have 60% similarity with any authorization or membership.

NOTE: You can perform Business role similarity and Common authorizations analysis on
published or unpublished business roles, while you can perform Authorization effectiveness,
Mandatory authorizations, and Auto-grant authorization analysis only on published business
roles. If there are unpublished business roles in the list selected for Authorization effectiveness,
Mandatory authorization, and Auto-grant authorization analysis, Identity Governance highlights
them and skips them during analysis.

5 Select Start Analysis.


6 Click the links in the analysis results for additional information such as comparison tables of
memberships and authorizations in Business role similarity analysis, and lists of members in
Mandatory authorization.
7 (Optional) Select Download as CSV to download the results as a CSV file for further analysis.
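To make the analysis types listed above concrete, here is an added Python example (not Identity Governance product code) that computes three of them over constructed sample data: business role similarity against a threshold such as the 60% in step 4, authorization effectiveness as the percentage of members who actually hold each authorized resource, and members without mandatory authorizations. The role names, members, and holdings are constructed, and the similarity metric (Jaccard overlap of member sets and of authorization sets, with a pair reported when either score meets the threshold) is an assumption, since the chapter does not state the product's formula.

```python
"""Added example, not Identity Governance code: three of the Section 17.6 analyses
over constructed sample data. The similarity metric (Jaccard overlap) is an assumption."""

# Constructed sample roles: members and authorizations with their mandatory/optional setting.
ROLES = {
    "Finance Analyst": {
        "members": {"alice", "bob", "carol", "dave", "erin"},
        "authorizations": {"ERP-ReadLedger": "mandatory", "ERP-PostJournal": "optional"},
    },
    "Finance Reviewer": {
        "members": {"alice", "bob", "carol", "dave", "frank"},
        "authorizations": {"ERP-ReadLedger": "mandatory", "ERP-Approve": "mandatory"},
    },
    "HR Generalist": {
        "members": {"gina", "hank"},
        "authorizations": {"HRIS-Employee": "mandatory"},
    },
}

# Constructed sample of what each user actually holds (authorization is not assignment).
HOLDINGS = {
    "alice": {"ERP-ReadLedger", "ERP-PostJournal", "ERP-Approve"},
    "bob": {"ERP-ReadLedger", "ERP-Approve"},
    "carol": {"ERP-ReadLedger"},
    "dave": set(),
    "erin": {"ERP-ReadLedger"},
    "frank": {"ERP-Approve"},
    "gina": {"HRIS-Employee"},
    "hank": set(),
}


def jaccard(a, b):
    """Overlap of two sets as a fraction in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similar_roles(roles, threshold_percent):
    """Pairs of roles whose membership OR authorization similarity meets the threshold.
    Returns (role_a, role_b, membership_%, authorization_%) tuples."""
    names = sorted(roles)
    hits = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            m = jaccard(roles[x]["members"], roles[y]["members"])
            a = jaccard(set(roles[x]["authorizations"]), set(roles[y]["authorizations"]))
            if max(m, a) * 100 >= threshold_percent:
                hits.append((x, y, round(m * 100), round(a * 100)))
    return hits


def authorization_effectiveness(role, roles, holdings):
    """Percentage of the role's members that hold each authorized resource."""
    members = roles[role]["members"]
    return {
        res: round(100 * sum(1 for u in members if res in holdings.get(u, set())) / len(members))
        for res in roles[role]["authorizations"]
    }


def members_without_mandatory(role, roles, holdings):
    """Mandatory authorizations mapped to the members who do not hold them."""
    gaps = {}
    for res, kind in roles[role]["authorizations"].items():
        if kind != "mandatory":
            continue
        missing = sorted(u for u in roles[role]["members"] if res not in holdings.get(u, set()))
        if missing:
            gaps[res] = missing
    return gaps


if __name__ == "__main__":
    print("similar at 60%:", similar_roles(ROLES, 60))
    for name in ROLES:
        print(name, authorization_effectiveness(name, ROLES, HOLDINGS),
              members_without_mandatory(name, ROLES, HOLDINGS))
```

With this data the two Finance roles share four of six distinct members (67%) and so appear in the 60% similarity result even though their authorizations overlap only 33%, which is the kind of redundancy signal the section describes; lowering the threshold or comparing authorizations only would change the result.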

17.7 Editing Business Roles


Identity Governance allows you to edit business roles. If you edit and save an approved business
role, the state changes to DRAFT, and the role must be re-approved. To edit a published business
role, a new draft copy is made for editing, and the published role continues to be used in governance
processes until the new draft is approved and published. You can also use the bulk action menu to
download business roles as JSON files. After editing, you can import the roles on the page that lists
all business roles.

To edit a business role:
1 Log in to Identity Governance as a Business Role or Global Administrator.
2 Select Policy > Business Roles.
3 Select the business role you want to edit, then click Edit.
4 (Optional) If the business role is published, on the top of the page, click Edit.

NOTE: We recommend that you think through business role definitions and add all members
and authorizations before publishing. If you need to make changes after publishing, keep in
mind that business role detections compare your last published state with the current state and
automatically generate grants and revocations if auto-grants and auto-revoke settings are
enabled. Also, note that the membership policy of a business role can include members from
other published business roles, however, circular inclusions are not allowed.

Identity Governance creates a draft of the business role for you to edit on the Draft tab.
5 Make the appropriate changes to the business role.
6 Select Save to save the draft.
7 (Conditional) Click Compare with published to compare the draft version with the published
version of the business role to ensure that the changes are correct.
8 (Conditional) If the business role approval policy requires approval, when the draft is ready for
approval, click Submit for approval. If the business role approval policy does not require
approval, the draft is automatically approved whenever you save your edits.
9 After you approve a draft, select Publish to publish it.

When you delete a published business role, Identity Governance archives the business role for
reporting and auditing purposes.

17.8 Approving Business Roles


Identity Governance provides an approval process for users, groups, or business role owners to
approve the business roles they have been assigned to approve. The business role owners can
approve the business role if the role's approval policy specifies Business role owners. However, you
can also specify a list of users or members of a group to be approvers of the business role.

To approve a business role that is pending:


1 Log in to Identity Governance as a user assigned to approve the business role.
2 Select Policy > Business Roles.
3 Select the Pending Your Approval tab.
4 Select any of the pending approvals, then read and review the content of the business role.
5 Specify a comment in the Comment field as to whether you approve the business role or if you
want changes to the business role.
6 Select Approve to approve the role.
or
Select Request changes if you want the business role to be modified.
When you select the Request changes option, the creator of the business role receives
notification of the change request. After you or an administrator modifies the business role, the
approval workflow process starts again.

17.9 Automated Access Provisioning and Deprovisioning


You can set up business roles to automatically request provisioning and deprovisioning of authorized
resources for users in the business role by selecting the auto-grant or the auto-revoke setting for
each resource. Identity Governance performs business role detections and evaluates business role
membership changes to determine whether to issue the auto requests. During business role
detection, Identity Governance only evaluates whether auto requests should be issued. After all
business role detections including checking for pending requests, Identity Governance determines if
the auto requests including compensating requests should be issued. Identity Governance then
sends permission or application resource requests to the fulfillment system where the fulfillment
system handles them according to the rules specified in your system fulfillment configuration.

NOTE: During detection, Identity Governance monitors when a user gains or loses an authorization,
or when an authorization changes its auto-grant or auto-revoke policy. When Identity Governance
observes these kinds of changes, it triggers an evaluation of whether it needs to issue the auto
requests. However, detection does not monitor changes in user resource assignments. Authorization
for a resource is not the same thing as being assigned a resource. Since the detection process does
not monitor the assignment changes, assignment changes do not trigger an evaluation of whether to
issue the auto requests.

Figure 17-5 Business Role (Permissions and Applications) Automated Access Provisioning and Deprovisioning Process

When you specify auto-grant and/or auto-revoke for technical roles, Identity Governance performs
two different actions.
 Identity Governance auto-grants and/or auto-revokes the permissions that make up the
technical role, and follows the usual process for granting and revoking permissions.
By default, when technical roles are revoked, fulfillment requests are generated to remove
permissions regardless of the business role authorization settings. Administrators can configure
Identity Governance to honor business role authorizations, so that fulfillment requests are not
generated if the permission is authorized by business role membership, by setting the
com.netiq.iac.request.honorBRoleAuthorizations property to true using the
Configuration Utility console mode procedures. Administrators can also use the
com.netiq.iac.request.honorBRoleAutoGrantOnly property to control whether this applies to
both auto-grant and non-auto-grant authorizations or to auto-grant authorizations only.
 Identity Governance auto-grants (makes) and/or auto-revokes (removes) a technical role
assignment as needed. If Identity Governance determines that a technical role assignment
should be made or removed, it makes or removes the assignment during business role
detection itself and does not generate a fulfillment request. This is because technical role
assignments are not provisioned from external data sources, but are provisioned and
maintained by Identity Governance.
Figure 17-6 Business Role (Technical Roles) Automated Access Provisioning and Deprovisioning Process when Business

The events that trigger Identity Governance to perform business role detections do not necessarily
result in Identity Governance issuing auto-grant or auto-revoke requests. The rules that trigger a
detection are different from the rules that govern whether Identity Governance will issue the auto
requests. For example, deactivating a technical role that is an authorized resource of a business role
triggers a business role detection, but does not result in an auto-revoke request or changes to any
current auto-grant or auto-revoke request. Publication of application sources triggers detection but
does not necessarily result in Identity Governance issuing the auto requests.
 Section 17.9.1, “Understanding Business Role Detections,” on page 206
 Section 17.9.2, “Automatic Provisioning Requests,” on page 208
 Section 17.9.3, “Automatic Deprovisioning Requests,” on page 209
 Section 17.9.4, “Managing Compensating Requests,” on page 210
 Section 17.9.5, “Understanding Inconsistencies,” on page 211
 Section 17.9.6, “Detecting and Resolving Inconsistencies,” on page 214
 Section 17.9.7, “Monitoring Business Role Detections,” on page 214

17.9.1 Understanding Business Role Detections


Business role detection is a process where Identity Governance updates business role memberships
and business role authorizations. After business role memberships and authorizations are updated,
Identity Governance might also issue the auto-grant and auto-revoke requests.
There are currently three types of business role detection:
All business roles
Identity Governance processes all published business roles in this type of detection. The
following events trigger this type of detection:
 Publication of identities and applications
 Creation, deletion, or modification of technical roles
 Collection of identities after change events (also referred to as real time collection)

Business roles with expiring memberships or authorizations


Identity Governance processes business roles that have memberships or authorizations with an
expiration date. Identity Governance automatically runs this type of detection every 24 hours.
Single business role
Identity Governance processes exactly one business role in this type of detection. The following
events trigger this type of detection:
 Publication of a business role
 Deactivation or deletion of a published business role
 Curation (manual or bulk update) of users
During this type of event, Identity Governance determines which business roles have
membership expressions involving the attributes that were curated and schedules a
business role detection for each of those business roles so that their membership is
recalculated.
A business role detection, regardless of its type, has two phases. In phase one, it calculates business
role memberships and authorizations. It also keeps track of all of the following types of authorization
changes and uses this information in phase two:
 A user gains a new authorization for a resource that is auto-granted.
This might occur because a user became a member of a new business role, or a new
authorization was added to a business role that the user is already a member of.

NOTE: If a business role authorizes a technical role and a new permission is added to the
technical role, it ultimately results in a new authorization for that permission for all of the
business role members.

 An authorization that is auto-granted and was not previously in its validity period enters its
validity period.
 An authorization that is in its validity period changes from not auto-granted to auto-granted.
 A user loses an authorization for a resource that is auto-revoked.
This might occur because a user lost membership in a business role, an authorization was
removed from a business role that the user is a member of, the business role is deleted, or the
business role is deactivated.

NOTE: When evaluating whether to issue an auto-revoke request, Identity Governance ignores
the loss of authorizations that occurs because an administrator deactivated the business role.
If a business role authorizes a technical role and a permission is deleted from the technical role,
it ultimately results in the members of the business role losing their authorization for that
permission. If the technical role itself is deleted, it ultimately results in the members of the
business role losing authorization for all of the permissions that were contained in that
technical role. However, if a technical role is simply deactivated rather than being deleted,
business role authorizations stemming from that technical role are not lost.

 An authorization that is auto-revoked and was not previously in its validity period exits its
validity period.
 An authorization that is not in its validity period changes from not auto-revoked to auto-
revoked.
During phase one, after Identity Governance calculates a business role's membership and
authorizations, it determines what other business roles include the members of the business role
and schedules single-role detections for each of those business roles. This occurs whether Identity
Governance detects BR1 during an all business role detection or during a single-role detection for
just BR1 because changes to the membership of a business role affect the membership of any
business roles that include it. For example, if BR1 is included by BR2 and BR3, after calculating
membership and authorizations for BR1, Identity Governance schedules single-role detections for
BR2 and BR3.
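The phase-one behaviour described in this section, together with two rules stated earlier in the chapter (exclusion takes precedence over inclusion in a membership policy, and a membership policy may include other business roles but circular inclusions are not allowed), is modelled in the following added Python example. It is not Identity Governance product code. The MembershipPolicy fields are a constructed simplification of the product's membership expressions, and the group, user, and BR1 through BR4 names are constructed sample data chosen so that BR1 is included by BR2 and BR3, as in the paragraph above, and BR2 is in turn included by BR4.

```python
"""Added example, not Identity Governance product code: phase one of a business role
detection in miniature. Membership evaluation (exclusion wins over inclusion, included
roles contribute their members, circular inclusion is rejected) followed by scheduling of
single-role detections for every role that includes the detected role.
All names below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class MembershipPolicy:
    # Constructed simplification of a membership expression (assumption, not the product model).
    include_users: set = field(default_factory=set)
    include_groups: set = field(default_factory=set)
    include_roles: set = field(default_factory=set)   # other business roles whose members are included
    exclude_users: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)


class CircularInclusionError(ValueError):
    """Raised when a role includes itself through a chain of include_roles edges."""


def check_no_circular_inclusion(policies):
    """Depth-first search over include_roles edges; raises CircularInclusionError on a cycle."""
    state = {}                                   # role -> "visiting" | "done"

    def visit(role, path):
        state[role] = "visiting"
        for inc in policies[role].include_roles:
            if state.get(inc) == "visiting":
                raise CircularInclusionError(" -> ".join(path + [inc]))
            if inc not in state:
                visit(inc, path + [inc])
        state[role] = "done"

    for role in policies:
        if role not in state:
            visit(role, [role])


def has_circular_inclusion(policies) -> bool:
    try:
        check_no_circular_inclusion(policies)
    except CircularInclusionError:
        return True
    return False


def compute_membership(role, policies, group_members, cache=None):
    """Members of `role`: everything included (users, groups, included roles) minus everything excluded."""
    cache = {} if cache is None else cache
    if role not in cache:
        pol = policies[role]
        included = set(pol.include_users)
        for g in pol.include_groups:
            included |= group_members.get(g, set())
        for inc in pol.include_roles:
            included |= compute_membership(inc, policies, group_members, cache)
        excluded = set(pol.exclude_users)
        for g in pol.exclude_groups:
            excluded |= group_members.get(g, set())
        cache[role] = included - excluded        # exclusion takes precedence over inclusion
    return cache[role]


def dependent_roles(role, policies):
    """Roles whose membership policy includes `role`; each gets a single-role detection scheduled."""
    return sorted(name for name, pol in policies.items() if role in pol.include_roles)


def detection_chain(role, policies):
    """Order in which follow-up single-role detections get scheduled, given that each
    scheduled detection in turn schedules the roles that include it."""
    scheduled, queue = [], dependent_roles(role, policies)
    while queue:
        nxt = queue.pop(0)
        if nxt not in scheduled:
            scheduled.append(nxt)
            queue.extend(dependent_roles(nxt, policies))
    return scheduled


# Constructed sample data: carol is in both groups, so BR1's exclusion removes her.
GROUPS = {
    "Finance": {"alice", "bob", "carol"},
    "Contractors": {"carol", "dave"},
}
POLICIES = {
    "BR1": MembershipPolicy(include_groups={"Finance"}, exclude_groups={"Contractors"}),
    "BR2": MembershipPolicy(include_roles={"BR1"}, include_users={"erin"}),
    "BR3": MembershipPolicy(include_roles={"BR1"}, exclude_users={"alice"}),
    "BR4": MembershipPolicy(include_roles={"BR2"}),
}
CYCLIC_POLICIES = {                              # rejected: BR1 -> BR2 -> BR1
    "BR1": MembershipPolicy(include_roles={"BR2"}),
    "BR2": MembershipPolicy(include_roles={"BR1"}),
}

if __name__ == "__main__":
    check_no_circular_inclusion(POLICIES)
    for name in POLICIES:
        print(name, sorted(compute_membership(name, POLICIES, GROUPS)))
    print("detections scheduled after BR1:", detection_chain("BR1", POLICIES))
```

Running it shows BR1 as {alice, bob} (carol excluded despite being in Finance), the BR2 and BR3 memberships derived from BR1, and the detection chain BR2, BR3, BR4: BR4 is not scheduled directly by BR1's detection but by BR2's, which is why a membership change in one role can ripple through several detections.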
In phase two of detection, using the information collected in phase one, Identity Governance
determines what, if any, auto requests it should issue. For specific conditions that could result in
auto-grant requests being issued, see Section 17.9.2, “Automatic Provisioning Requests,” on
page 208. For specific conditions that could result in Identity Governance issuing auto-revoke
requests, see Section 17.9.3, “Automatic Deprovisioning Requests,” on page 209.
Some of the conditions that could result in Identity Governance issuing an auto-grant or an auto-
revoke request involve compensating for in-progress requests that would change whether a user has
a particular resource. An administrator can configure Identity Governance to compensate for in-
progress requests. For more information about compensating requests, see Section 17.9.4,
“Managing Compensating Requests,” on page 210.

Although Identity Governance might issue auto-grant requests and auto-revoke requests in phase
two of a business role detection, the requests might not ever be fulfilled for a variety of reasons. This
results in situations where there might be users whose assigned resources are inconsistent with the
auto-grant or the auto-revoke policies, or users that have pending grant or revocation requests for
resources that, if fulfilled, would cause them to be inconsistent with the auto-grant or the auto-
revoke policies. Identity Governance does not automatically check for such assignment
inconsistencies during normal business role detection because there would be additional overhead
to do so, thus slowing down the business role detection process. Instead, Identity Governance
enables administrators to manually check for such inconsistencies and fix them. For more
information, see Section 17.9.5, “Understanding Inconsistencies,” on page 211.
Depending on a variety of factors, business role detections can potentially take some time to
complete. Identity Governance allows administrators to monitor the progress of business role
detections and to see detailed information about in-progress and completed business role
detections. For more information, see Section 17.9.7, “Monitoring Business Role Detections,” on
page 214.

17.9.2 Automatic Provisioning Requests


During phase one of business role detection, Identity Governance gathers various types of
authorization change events which trigger an evaluation of whether to issue an auto-grant request.
The change events include a user gaining a new authorization for a resource that specifies auto-grant,
an auto-granted authorization entering its validity period, or an authorization in its validity period
changing from not auto-granted to auto-granted. In phase two of business role detection, Identity
Governance evaluates what, if any, auto-grant requests to issue.
Identity Governance issues an auto-grant request only if all of the following conditions are satisfied:
 The user + resource ends up being authorized after phase one business role detection.
 The user either is currently not assigned the resource (for applications assigned means the user
has an account in the application) or there is a pending request to revoke the resource from the
user and the request is one of the types that an administrator has specified as being
compensatable.

NOTE: Identity Governance considers a request as pending until it is in a final state. Final states
include the following states: rejected by fulfiller, fulfillment error, fulfillment timed out,
completed and verified, completed and not verified and verification ignored, or completed and
verification timed out.

 There is no previously issued auto-grant request from a business role detection for the user +
resource that is still in-progress. Auto-grant requests in a final state (see above) are obviously no
longer in progress. In addition, a request that has completed (marked as fulfilled) is not
considered to be in-progress, even though it might not yet be in verified, not verified and
verification ignored, or verification timed out state.

NOTE: When the auto-grant option is enabled for a technical role resource, Identity Governance
generates fulfillment requests for the permissions that make up the technical role, but does not
generate fulfillment requests for the technical role assignment itself. Instead, Identity
Governance makes a technical role assignment immediately if it determines that the user does
not currently have the technical role assignment. Because there is no fulfillment request for
making technical role assignments, the previous comments about Identity Governance checking
for completed and in-progress pending fulfillment requests do not apply in the case of making
technical role assignments.

17.9.3 Automatic Deprovisioning Requests


During phase one of business role detection, Identity Governance gathers various types of
authorization change events which trigger an evaluation of whether to issue an auto-revoke request.
The change events include a user losing an authorization for a resource that specifies auto-revoke,
an auto-revoked authorization exiting its validity period, or an authorization in its validity period
changing from not auto-revoked to auto-revoked. In phase two of business role detection, Identity
Governance evaluates what, if any, auto-revoke requests to issue.
Identity Governance issues an auto-revoke request only if all of the following conditions are
satisfied:
 The resource is not authorized for the user by any business role.
 The user either is currently assigned the resource (for applications, assigned means the user has
an account in the application), or there is a pending request to grant the resource to the user
and the request is one of the types that an administrator has specified as being compensatable.

NOTE: Identity Governance considers a request to be pending until it is in a final state, which
includes the following states: rejected by fulfiller, fulfillment error, fulfillment timed out,
completed and verified, completed and not verified and verification ignored, or completed and
verification timed out.

 There is no previously issued auto-revoke request from a business role detection for the user
and resource that is still in progress. Auto-revoke requests in a final state (see above) are
obviously no longer in progress. In addition, Identity Governance does not consider a request
that has been completed (marked as fulfilled) to be in-progress, even though it might not yet be
in verified, not verified and verification ignored, or verification timed out state.

NOTE: When the auto-revoke option is enabled for a technical role resource, Identity
Governance generates fulfillment requests for the permissions that make up the technical role,
but does not generate fulfillment requests for the technical role assignment itself. Instead,
Identity Governance removes a technical role assignment immediately if it determines that the
user currently has the technical role assignment. Because there is no fulfillment request for
removing technical role assignments, the previous comments about Identity Governance
checking for completed and in-progress pending fulfillment requests do not apply in the case of
removing technical role assignments.

The above conditions apply only to published business roles. Identity Governance ignores
deactivated business roles when determining if all conditions are met. The following scenario
provides an example of automatic deprovisioning.
Scenario 1: An authorized permission is removed from a business role
1. BR1 authorizes permission X and specifies auto-grant and auto-revoke on it.
2. User A is a member of BR1 and currently has permission X.
3. A business role administrator removes the permission X authorization from BR1 and
republishes BR1. This action triggers business role detection on BR1.
4. Identity Governance detects that Permission X is no longer authorized for BR1, which means
that all members who had authorizations for permission X from BR1 lose that
authorization. User A is one of those members who lose the authorization.
5. The loss of user A's authorization for permission X causes Identity Governance to evaluate
whether it should issue an auto-revoke request to remove permission X from user A.
6. Identity Governance issues an auto-revoke request to remove permission X from user A
because all conditions for automatic deprovisioning are met:
a. User A no longer has any authorization for permission X from any other business role,
b. User A currently has permission X, and
c. There is no in-progress auto-revoke request to remove permission X from user A.

17.9.4 Managing Compensating Requests


Identity Governance examines both the current state of the Identity Governance catalog and
pending requests that might alter that state to determine if a user has a resource when it evaluates
whether to issue an auto-grant or an auto-revoke request. Identity Governance compensates for
pending fulfillment requests that would change whether the user has a resource. Identity
Governance could grant a request to compensate for a pending revoke request, and it could issue a
revoke request to compensate for a pending grant request.

NOTE: Identity Governance rules for generating compensating requests are applicable to the
permissions that make up the technical role but are not applicable to technical role assignments.
The technical roles are managed and provisioned by Identity Governance itself. Auto-grant and
auto-revoke of technical role assignments do not involve generation of fulfillment requests because there
is no external data source for technical role assignments. Identity Governance makes or removes a
technical role assignment immediately and does not trigger fulfillment requests or compensating
requests.

Administrators can configure the types of requests for which Identity Governance might issue a
compensating request. The type of request indicates the Identity Governance process from which
the request originated. It might be an access request, a review, or a resolution of separation of duties
violations.

NOTE: Identity Governance always compensates for pending requests that originated from the
business role detection process.

To specify types of request that should generate compensating requests:


1 Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.
2 Select Policy > Business Roles > Manage Auto Requests.
3 Select the additional types of requests for which the system should automatically compensate.

The following scenarios provide a few examples of when Identity Governance would issue
compensating requests.

Scenario 1: User gains an auto request enabled permission that was lost but which Identity
Governance considers as still authorized
1. Business role BR1 and business role BR2 both authorize permission X and both specify
auto-grant and auto-revoke.
2. User A is a member of BR1 and currently has permission X.
3. An administrator or the system modifies user A's attributes so that the user is no longer a
member of BR1. Identity Governance’s real-time identity collection detects this change and
user A loses authorization for permission X.
4. Identity Governance issues a revoke request to remove permission X from user A.
5. The application containing permission X removes permission X from user A.
6. An administrator or the system modifies user A's attributes again so the user becomes a
member of BR2 and as such is authorized for permission X. The application containing
permission X has removed permission X from user A, but the Identity Governance catalog still
shows that user A has permission X because no one executed collection and publication of that
application since Identity Governance issued the revoke request. Therefore, Identity
Governance would not normally issue an auto-grant request for permission X.
However, because the revoke request for permission X still shows that it is pending verification,
and you configured Identity Governance to issue compensating grant requests for this type of
revoke request, Identity Governance issues a compensating grant request for user A to be given
permission X.
Scenario 2: User loses an auto request enabled permission that was granted but which Identity
Governance considers as not authorized
1. Business role BR1 authorizes permission X and specifies auto-grant and auto-revoke.
2. User A has no permissions but an administrator or the system changes the user’s attributes
making the user a member of BR1. Real-time identity collection in Identity Governance detects
this change and user A becomes a member of BR1 and gains an authorization for permission X.
3. Identity Governance issues a grant request for user A to have permission X.
4. The application that contains permission X assigns permission X to user A.
5. User A's attributes are changed again so that the user is no longer a member of BR1. User A's
authorization for permission X is lost. The application containing permission X has assigned
permission X to user A, but the Identity Governance catalog still shows that user A does not
have permission X because no one executed collection and publication of that application since
Identity Governance issued the grant request. Therefore, Identity Governance would not
normally issue an auto-revoke request for permission X.
However, because the grant request for permission X still shows that it is pending verification
and you configured Identity Governance to issue compensating revoke requests for this type of
grant request, Identity Governance issues a compensating revoke request to remove permission
X from User A.

17.9.5 Understanding Inconsistencies


Although Identity Governance might issue auto-grant requests and auto-revoke requests in phase
two of a business role detection, the requests might not ever be fulfilled for a variety of reasons. The
fulfillment system might handle the requests in a different order than they were issued, the
fulfillment system could reject the request, or there could be an error fulfilling the request. In
addition, external systems might change resource assignments without Identity Governance issuing
a request to do so. Identity Governance does not examine resource assignment changes when
determining whether to issue an auto-grant or auto-revoke request because there would be
additional overhead to do so, thus slowing down the business role detection process.
These kinds of scenarios can result in situations where there might be users whose assigned
resources are inconsistent with the auto-grant or the auto-revoke policies, or users who have
pending grant or revocation requests for resources that, if fulfilled, would cause them to be
inconsistent with the auto-grant or the auto-revoke policies.
Inconsistency checking for permissions and applications includes checking for pending requests that
might cause the permission or application to be held or not held in the future. A request is
considered to still be pending even if its status has been changed to completed by a fulfiller (manual
or automated provisioning process) and it is waiting for verification because the request might or
might not result in the permission or application being held or not held in the future. Verification
happens after a publication occurs. Once verification happens, the request will no longer be
considered to be pending. Its status will change to either not verified or verified. Although not a final
state, not verified is considered by inconsistency checking to no longer be a pending request and
such a request is not considered when determining whether the permission or application might be
held or not held in the future.
Administrators can manually initiate inconsistency detection for auto-grant and auto-revoke
inconsistencies. Identity Governance displays information about the most recent inconsistency
detection for six types of inconsistencies: Auto-grant Permissions, Auto-grant Technical Roles,
Auto-grant Applications, Auto-revoke Permissions, Auto-revoke Technical Roles, and Auto-revoke
Applications. Information includes status, start time, end time, count of inconsistencies detected,
who started the detection, who canceled the detection (if canceled), and so forth. If detection is
currently running, a spinner icon will be displayed next to a status of Running. The administrator can
click a refresh icon in the Action column to start detection if one is not currently running. Once
detection has completed, the status will be changed to Completed and the user will be able to click
the value in the inconsistency count column to see and optionally resolve the inconsistencies that
were detected. If no inconsistencies were detected, the count column will have a value of zero.
Auto-grant request inconsistencies occur under the following conditions:
 One or more business roles authorize a resource (permission, technical role, or application) and
specify that the resource is to be auto-granted to users.
 A user who is a member of one or more business roles either does not currently hold the
authorized resource or may not hold the resource in the future due to a pending revoke
request. In this context, Identity Governance considers only pending revoke requests that have
been configured as compensatable requests.
 There is no in-progress auto-grant request that would grant the resource to the user.

NOTE: There will never be pending revoke requests or in-progress auto-grant requests for technical
role assignments because Identity Governance always removes and fulfills technical role
assignments immediately.

Here is one scenario where an auto-grant request inconsistency could occur:


1. User A becomes a member of BR1 that authorizes permission X and specifies that X should be
auto-granted. Identity Governance does not issue an auto-grant request because user A already
has permission X.
2. The application that contains permission X removes permission X from user A without Identity
Governance issuing any request to do so. This can happen because external applications might
assign or unassign resources to or from users without receiving any request from Identity
Governance to do so.
3. Identity Governance collects and publishes the application that contains permission X and
updates its catalog to reflect that User A no longer has permission X. After the publication,
Identity Governance triggers business role detection. However, Identity Governance does not
issue an auto-grant for user A to have permission X, because detection did not see any
authorization changes (the fact that the business role authorizes the user to have permission X
did not change), and detection does not check to see if there were assignment changes.
This results in an inconsistency between the auto-grant policy and the assignment state with
respect to user A and permission X.
Auto-revoke request inconsistencies occur under the following conditions:
 A user either has a resource (permission, technical role, or application) or will have the resource
in the future due to a pending grant request that is not currently authorized by any business
role the user is a member of. In this context, Identity Governance considers only pending grant
requests that have been configured as compensatable.
 The user was at one time a member of a business role that auto-revokes the resource. When
checking for revoke inconsistencies, Identity Governance only considers the business roles the
user was a member of within the last N days. Memberships held earlier than the last N days are
not considered.
 There is no in-progress auto-revoke request that would revoke the resource from the user.

NOTE: There will never be pending grant requests or in-progress auto-revoke requests for technical
role assignments because Identity Governance always removes and fulfills technical role
assignments immediately.

Here is one scenario where an auto-revoke request inconsistency could occur:


1. User A is a member of BR1 that authorizes permission X and specifies that X should be
auto-revoked.
2. User A's attributes change in a way that causes the user to lose membership in BR1. The
real-time collection process in Identity Governance detects the change. After it processes the
change, Identity Governance triggers a business role detection. The detection causes Identity
Governance to issue an auto-revoke request to remove permission X from user A.
3. The application that contains permission X removes permission X from user A. Later, however,
the application restores permission X to user A. Again, remember that external applications
might assign or unassign resources to or from users without receiving any request from Identity
Governance to do so.
4. Identity Governance collects and publishes the application that contains permission X. After
publication, business role detection is triggered. However, Identity Governance does not issue
an auto-revoke request to remove permission X from user A, because detection did not see any
authorizations that were lost (user A is still not authorized by any role to have permission X) and
detection does not check to see if there were permission assignment changes.
This results in an inconsistency in the auto-revoke policy for permission X because user A at one
time was a member of BR1, and it specified that permission X should be auto-revoked.
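The following is an added, constructed model (not Identity Governance code) of the three auto-revoke conditions in Section 17.9.3, the compensating-request rule in Section 17.9.4, and the auto-revoke inconsistency conditions above, including the different meaning of "pending" that inconsistency checking uses. Every class, field and function name is an assumption made for illustration; the request states are the ones the text names.

```python
"""Toy model of the auto-revoke decision (17.9.3, 17.9.4) and auto-revoke
inconsistency detection (17.9.5). Constructed example, not Identity
Governance code; all names here are assumptions."""
from dataclasses import dataclass, field

# Request states named in the text. FINAL states end a request; "completed"
# (fulfilled, awaiting verification) and "not_verified" are not final.
FINAL_STATES = {"rejected", "fulfillment_error", "fulfillment_timed_out",
                "verified", "not_verified_ignored", "verification_timed_out"}
BRD = "business_role_detection"   # origin that is always compensatable

@dataclass
class Request:
    user: str
    resource: str
    action: str   # "grant" or "revoke"
    origin: str   # BRD, "access_request", "review" or "sod_resolution"
    state: str    # "in_progress", "completed", "not_verified" or a FINAL state

@dataclass
class BusinessRole:
    name: str
    published: bool
    members: set
    authorizes: set    # resources the role authorizes
    auto_revoke: set   # subset of authorizes flagged auto-revoke

@dataclass
class Catalog:
    roles: list
    held: set        # (user, resource) pairs the catalog shows as assigned
    requests: list
    compensatable: set = field(default_factory=set)  # admin-chosen origins
    # (user, role name) -> days since the user lost that membership
    lost_memberships: dict = field(default_factory=dict)

def is_pending(req, for_inconsistency=False):
    """Decision logic: pending means not final. Inconsistency checking
    treats 'not_verified' as no longer pending although it is not final."""
    if for_inconsistency:
        return req.state in {"in_progress", "completed"}
    return req.state not in FINAL_STATES

def is_in_progress(req):
    """A request the fulfiller has completed is not in progress, even if
    verification has not happened yet."""
    return req.state == "in_progress"

def authorized(cat, user, resource):
    """Only published roles count; deactivated roles are ignored."""
    return any(r.published and user in r.members and resource in r.authorizes
               for r in cat.roles)

def compensatable_grant_pending(cat, user, resource, for_inconsistency=False):
    return any(r.user == user and r.resource == resource and r.action == "grant"
               and (r.origin == BRD or r.origin in cat.compensatable)
               and is_pending(r, for_inconsistency) for r in cat.requests)

def auto_revoke_in_progress(cat, user, resource):
    return any(r.user == user and r.resource == resource and r.action == "revoke"
               and r.origin == BRD and is_in_progress(r) for r in cat.requests)

def should_issue_auto_revoke(cat, user, resource):
    """Phase-two evaluation after an authorization change event: all three
    conditions from 17.9.3 must hold, with the compensating rule of 17.9.4."""
    return (not authorized(cat, user, resource)
            and ((user, resource) in cat.held
                 or compensatable_grant_pending(cat, user, resource))
            and not auto_revoke_in_progress(cat, user, resource))

def auto_revoke_inconsistencies(cat, days):
    """(user, resource) pairs an administrator would see after running
    auto-revoke inconsistency detection with an N-day membership window."""
    found = set()
    for (user, role_name), days_ago in cat.lost_memberships.items():
        if days_ago > days:
            continue   # memberships lost earlier than N days are ignored
        role = next(r for r in cat.roles if r.name == role_name)
        for res in role.auto_revoke:
            holds = (user, res) in cat.held or compensatable_grant_pending(
                cat, user, res, for_inconsistency=True)
            if (holds and not authorized(cat, user, res)
                    and not auto_revoke_in_progress(cat, user, res)):
                found.add((user, res))
    return found
```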

17.9.6 Detecting and Resolving Inconsistencies
Identity Governance does not automatically check for inconsistencies during normal business role
detection because there would be additional overhead to do so, thus slowing down the business role
detection process. Instead, Identity Governance allows an administrator to find these
inconsistencies and issue new requests to resolve them if needed. It is not a given that you should
resolve all such inconsistencies, so Identity Governance does not do it automatically. This is
especially true of the auto-revoke inconsistencies. The fact that a user was at one time a member of
a business role that specifies that a permission the user holds should be auto-revoked might or
might not be sufficient reason to revoke the permission from the user.

To find and resolve inconsistencies:


1 Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.
2 Select Policy > Business Roles > Manage Inconsistencies.
3 (Optional) Click the gear icon to customize the column display. For example, to view who started
the inconsistency detection, select Started by in the Available Column list.
4 To start inconsistency detection, click the refresh icon in the Action column.
5 (Conditional) If there are auto-revoke types, specify the number of days to search for lost
business role memberships.
When searching for auto-revoke inconsistencies, Identity Governance searches for
authorizations that specify auto-revoke in business roles that users were previously members
of. It only looks for business role memberships that the user lost within the last N days. Identity
Governance ignores business role memberships that were lost before N days.
6 Click the number of detected inconsistencies to view the list of inconsistencies in a pop-up
window.
7 (Optional) In the pop-up window search bar, specify a user name, a permission, or a business
role name to search for related inconsistencies.
8 (Optional) Submit grant or revoke requests for some or all inconsistencies to resolve them.
9 (Optional) Click the refresh icon to recalculate and update the number of detected inconsistencies.

17.9.7 Monitoring Business Role Detections


Identity Governance enables administrators and support personnel to troubleshoot issues by looking
at the progress and results of business role detections.
During business role detection, in addition to various instance times, Identity Governance stores the
number of memberships, authorizations, and auto-requests. You can enable the collection of more
detailed information on the exact memberships, authorizations, and auto-requests that were
generated during detection by setting the following configuration properties using the Identity
Governance Configuration Utility. For more information about the utility procedures, see “Using the
Identity Governance Configuration Utility” in the Identity Governance 3.7 Installation and
Configuration Guide.

IMPORTANT: If you enable the collection of detailed information, business role detections slow
down and consume more space in the database to store the detailed information. Generally, you
should enable the collection of detailed information only if you are troubleshooting a problem and
need more information to determine what is happening.

 com.netiq.iac.brd.log.detected.members
When set to true, this configuration property causes business role detection to store the list of
users who were added to and removed from a business role during the detection.
 com.netiq.iac.brd.log.detected.auths
When set to true, this configuration property causes business role detection to store the list of
authorizations that were added and deleted during the detection.
 com.netiq.iac.brd.log.detected.autorequests
When set to true, this configuration property causes business role detection to store the list of
auto-grant and auto-revoke requests that Identity Governance issued during the detection.

To monitor business role detections:


1 Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.
2 Select Policy > Business Roles > Business Role Detections.
3 (Optional) Specify a business role name in the search bar to search for the detection status and
details such as the detection end time, the number of auto-revokes generated for a business
role, and so forth.
4 (Optional) Select the number of business roles completed to view additional details such as the
number of members that the system added or removed, the number of authorizations that the
system granted or revoked, and so forth.
5 (Optional) Select detections to delete. You should not delete a detection that is currently
running.
You can click the settings icon to customize the columns displayed on the Business Roles Detection
tab. For example, to add a column that displays the action that triggered each Business Role
detection, click the settings icon, and then select Detection Triggered By.

17.10 Downloading and Importing Business Roles and Approval Policies
You can download business roles, approval policies and other referenced objects and import them
later into an Identity Governance environment. The download will either generate a single JSON file
or a zip file depending on the options you select during download, such as associated applications
and assigned categories. In addition to downloading the business role or approval policy definitions,
you can download the list of objects as a CSV file.

To download or import business roles and business role definitions:


1 Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.
2 Select Policy > Business Roles.
3 To download:
 A list of business roles with description, owners, and managers as a CSV file, select Actions
> Download all as CSV on the Roles tab.
 All business role definitions, select Actions > Download Definitions.
 One or more business role definitions, select Actions > Download Definitions, and then:
  Select one or more roles on the Roles tab.
  Enter the business role name or a meaningful description.
  (Optional) Include references to business role owners, managers, and fulfillers; and
download included business roles, associated applications, technical roles, and
assigned categories and approval policies.
  Click Download.
4 Select the download icon on the top title bar to access the saved files and download the files.
5 (Optional) Delete the file from the download area in Identity Governance.
If you do not manually delete files, Identity Governance will automatically delete files based on
your default download retention day settings. For information about customizing download
settings, see Section 3.9, “Customizing Download Settings,” on page 54.
6 If you make changes or want to import previously downloaded business roles into another
environment, select Import Business Roles on the Roles tab.
7 Navigate to the business roles JSON or zip file, select the file to import, then click Open.
8 Identity Governance detects whether you are importing new or updated roles and whether the
updates would create any conflicts or have unresolved references.
9 Select how to continue based on what information the application user interface displays. For
example, under Updates, you can compare the imported values with current values for each
role by selecting the respective role before selecting the roles to import.
10 Select the roles you want to import, then click Import.

NOTE: Identity Governance does not automatically publish imported business roles. You must
publish them in order for them to take effect in the system. For more information, see
“Publishing or Deactivating Business Roles” on page 200.

11 (Conditional) If you import more than the preconfigured threshold for the number of roles that
can be displayed on the import page, Identity Governance will switch to bulk import mode.
When in bulk mode, instead of selecting whether to create, update, or handle conflicts for
specific roles, you can select to import all new roles and update all existing roles. For conflicts,
you can choose to either overwrite existing roles or create new roles.

NOTE: The default value for roles that can be displayed is 200 or the value specified in the
com.netiq.iac.importExport.maxImportsToDisplay property.

12 (Optional) Download the auto-generated import report from the download area. The import
report will identify what was imported as well as call out any unresolved references.

To download or import business role approval policies:


1 Log in to Identity Governance as a Customer, Global, or Business Roles Administrator.
2 Select Policy > Business Roles.
3 Select a policy or all the policies on the Approval Policies tab.
4 Select Actions > Download Definitions.
4a Enter the approval policy name or a meaningful description.
4b (Optional) Include references to the approval policy approver.
4c Select Download.
4d Select the download icon on the top title bar to access the saved file and download the file.
4e (Optional) Delete the file from the download area in Identity Governance.
If you do not manually delete files, Identity Governance will automatically delete files
based on your default download retention day settings. For information about customizing
download settings, see Section 3.9, “Customizing Download Settings,” on page 54.
5 If you make changes, or want to import previously downloaded approval policies into
another environment, select Import Approval Policies on the Approval Policies tab.
6 Navigate to the approval policy JSON or zip file, select the file to import, then click Open.
7 Identity Governance detects whether you are importing new or updated policies and whether
the updates would create any conflicts or have unresolved references.
8 Select how to continue based on what information the application user interface displays. For
example, under Updates, you can compare the imported values with current values for each
entity by selecting the respective policy before selecting the policies to import.
9 Select the policies you want to import, then click Import.
10 (Conditional) If you import more than the preconfigured threshold for the number of policies
that can be displayed in the import page, Identity Governance will switch to bulk import mode.
When in bulk mode, instead of selecting whether to create, update, or handle conflicts for
specific policies, you can select to import all new policies and update all existing policies. For
conflicts, you can choose to either overwrite existing policies or create new policies.

NOTE: The default value for policies that can be displayed is 200 or the value specified in the
com.netiq.iac.importExport.maxImportsToDisplay property.

11 (Optional) Download the auto-generated import report from the download area. The import
report will identify what was imported as well as call out any unresolved references.
