17.1 Overview of Roles

Identity Governance enables you to manage both the technical and business roles in your organization. To enable easier management of these roles, Identity Governance assigns technical role administrators and business role administrators with separate but overlapping responsibilities.

Business roles organize people by business function, and user-based attributes to determine what users should have access to, or if they can request that access without additional approval. Business roles authorize resources (permissions, technical roles, and applications) for users who are members of the business role. These authorizations also specify whether resources are to be auto-granted to users, auto-revoked from users, or should not be auto-granted and auto-revoked.

Technical roles organize lower-level permissions into sets of permissions that offer enough business value to be reviewed and assigned as a unit or requested as a unit. Technical roles are designed to limit the number of review items and surface permissions in ways that can be presented to typical non-administrator users.

Figure 17-1 illustrates how the different types of roles overlap. In this example, company policies authorize all full-time employees to have access to the HR Tools, Exchange Mailboxes, Lync, and My Meeting. Accounting clerks are authorized to have access to Document Control and Account Administration, a technical role that the technical role administrator created in Identity Governance. When you include a user as a member of a business role of Full-time Employee and Accounting Clerk, Identity Governance authorizes the user to have any of the mandatory or optional technical roles or permissions listed for the given role. Identity Governance could potentially automatically provision mandatory permissions, while it could assign optional permissions at a later time without further approval, because they are pre-approved by the policy. This example illustrates how you can save time, effort, and error, and enable controlled access through business roles. To understand how your entitlement assignments conform to your business policies, you can view the Role Effectiveness widget on the Governance Overview dashboard. For more information, see Viewing Entitlement Assignments Statistics to Leverage Roles.

Figure 17-1 Detailed Example of the Overlap between Business Roles and Technical Roles

NOTE:This chapter primarily discusses technical role policy concepts and procedures. For information about business roles, see Section 18.0, Creating and Managing Business Roles.