2.1 Understanding Authorizations in Identity Governance

Identity Governance relies on authorizations to define a fixed set of access permissions. After installation of Identity Governance on premises and after deployment of Identity Governance as a service, the bootstrap administrator collects and publishes the initial set of identities and assigns a user as a Global or Customer Administrator who then assigns other authorizations. In SaaS environment, the Customer Administrator will work with a SaaS Operations Administrator to configure services and plan maintenance tasks. The SaaS Operations Administrator is a member of the SaaS team responsible for customer tenancy operations including data center configurations.

Identity Governance authorizations can be global or runtime:

  • Global authorizations are constant within Identity Governance and assigned through the Identity Governance Configuration settings. Identity Governance maintains the set of privileges granted by the authorization. For more information, see Section 2.1.1, Global Authorizations

  • Runtime authorizations are those that users assume as needed to perform tasks specific to a governance area such as request, review, or fulfillment. For example, you assign a Review Owner as needed during an access review and validation cycle. You can reassign these authorizations with each review run. For more information, see Section 2.1.2, Runtime Authorizations.

If a user does not have the required authorization or does not have an assigned task, the user will be redirected to the Access Request interface. For more information about requesting access, see Section 23.0, Instructions for Access Requesters and Approvers.

2.1.1 Global Authorizations

After collecting and publishing an initial set of identities, assign the Global Administrator authorization in an on-premises environment and Customer Administrator in a SaaS environment to one of these identities. The Global or Customer Administrator can then assign the rest of the global authorizations. For more information, see Section 2.3, Assigning Authorizations to Identity Governance Users.

Customer Administrator (Identity Governance as a Service only authorization)

The Customer Administrator is the primary authorization for Identity Governance as a Service. This authorization is responsible for day-to-day business operations of the product and can:

  • Perform all Identity Governance actions

  • Assign all Identity Governance global and runtime authorizations for users in the enterprise

Global Administrator (Identity Governance on-premises only authorization)

The Global Administrator is the primary authorization for Identity Governance on-premises deployments. This authorization can:

  • Perform all Identity Governance actions

  • Assign all Identity Governance global and runtime authorizations

Access Request Administrator

The Access Request Administrator manages policies that define who can request access in your enterprise. This authorization can:

  • Create, modify, and delete Access Request Policies

  • Create, modify, and delete Access Request Approval Policies

  • Edit the default Access Request Approval Policy

  • Customize default request and approval forms

  • Create and customize approval workflows

  • Create custom request and approval forms for one or more permissions or applications

Auditor

The Auditor has read-only rights to the catalog, reviews, Separation of Duties (SoD) policies and violations, business roles, risk, certification policies, fulfillment statuses, and Governance Overview dashboard. However, this authorization can configure and run insight queries and an account assigned to the Auditor authorization might also be specified as a Review Auditor in a review definition. For more information, see Section 2.1.2, Runtime Authorizations.

Business Roles Administrator

The Business Roles Administrator performs all administrative functions for all business roles. A Business Roles Administrator can delegate administrative privileges. This authorization can:

  • Administer the business role schema under Data Administration

  • Configure role mining settings

  • Collect automated and business role mining metrics

  • Mine for business roles and promote role candidates

  • Create a business role

  • Modify a business role

    • Add or change role owners, role managers, fulfillers, and categories

    • Add or change the business role approval policy

    • Add users and groups to the business role

    • Exclude users and groups from the business role

  • Publish a business role

  • Delete a business role

  • Analyze business roles

  • Configure the business roles default approval policy

  • Create and modify business roles approval policies

Data Administrator

The Data Administrator manages the identity and application data sources. This authorization can:

  • Create, add, modify, and review data sources

  • Create custom metrics

  • Create scheduled collections

  • Execute data collection and publishing

  • Create and map attributes in the catalog

  • Review and edit data in the catalog

  • Create custom request and approval forms for one or more permissions or applications

  • Configure and run governance insight queries

  • Delegate responsibility by assigning application administrators, application owners, or manual fulfillers to applications in the catalog

  • Assign delegates for users

  • View data collection, data summary, and system trends on the Governance Overview dashboard

Governance Insights Administrator

The Governance Insights Administrator manages data queries. This authorization can:

  • Configure and run governance insight queries

  • Download and import insight queries

Fulfillment Administrator

The Fulfillment Administrator manages fulfillment and verification of requests that result from reviews. This authorization can access real time and historical data for provisioning activities, including fulfillment status and verification management.

Report Administrator

The Report Administrator can access Identity Reporting. This authorization can:

  • Create, view, and run reports for Identity Governance

  • Add, remove, and modify data sources on which you want to run reports

Review Administrator

The Review Administrator manages the review process but does not have access to data collection or fulfillment settings. This authorization can:

  • Create, schedule, and start reviews in preview mode or live mode

  • Modify a review schedule

  • Assign all the runtime authorizations as part of a review, thereby delegating certain rights pertaining to the review to those authorizations

  • View reviews in progress

  • View the name of the person who started the review on demand, on schedule, or by micro certification

  • View data summary and system trends on the Governance Overview dashboard

  • View the Catalog, but cannot modify it

Technical Roles Administrator

The Technical Roles Administrator mines for technical role candidates and manages technical roles. A Technical Roles Administrator can delegate administrative privileges. This authorization can:

  • Collect User to permission assignments metric

  • Mine for technical roles and promote role candidates

  • Create and delete technical roles

  • Add or remove permissions from a technical role

  • Add or remove categories

  • Promote, activate, or deactivate technical roles

  • Assign technical role owners

  • Assign access request and approval policies

  • Assign technical roles to users detected to have all the permissions included in a technical role

  • Download or import technical roles

Security Officer

The Security Officer has read-only rights to the catalog and can:

  • Assign authorizations for all functions in Identity Governance

  • View data summary on the Governance Overview dashboard

  • View the Catalog, but cannot modify it

NOTE:Ensure that the users assigned to the Security Officer authorization can also be trusted with global privileges in Identity Governance.

Separation of Duties Administrator

The Separation of Duties Administrator creates and manages SoD policies and violation cases.

Workflow Administrator

The Workflow Administrator creates and edits custom workflows. For additional information about their access rights in Workflow Administration Console, see the Workflow Administration Guide.

2.1.2 Runtime Authorizations

Assign runtime authorizations when you need them. For more information, see Section 2.3, Assigning Authorizations to Identity Governance Users.

Access Requester

Access Requesters request application access, permissions, and technical role assignment. Identity Governance Access Request Administrator, Customer Administrator, and Global Administrator define the Access Request policy that specifies who can request access, what can they request, and for whom can they make their requests.

Access Request Approver

Access Request Approvers confirm whether to approve or deny requested access in the Request application. Identity Governance assigns this authorization if an Access Request Approval policy specifies approvers. Access request approvers can also reassign their task to another approver.

Application Owner

The Application Owner manages all assigned applications. This authorization can:

  • View and manage the following information in the catalog:

    • The applications in the catalog for which they are an owner or administrator

    • The accounts associated with those applications

    • All identities in the system, but details of the identities are restricted to only the permissions and account for which they are an owner or administrator.

    • All groups

  • Create custom request and approval forms for assigned applications and permissions under the assigned applications

  • Perform data editing for assigned applications

  • Review data and access within the assigned applications if assigned as a reviewer

  • (Conditional) Review access entitlements or remediate access policy violations within the application if assigned this responsibility by the review definition

Application Administrator

The Application Administrator validates published data and performs data cleanup, or editing, for all assigned applications. This authorization can:

  • Edit data within the scope of the data source

  • Review data and access within the data source

  • View the catalog but edit only items related to the assigned data source

  • Create custom request and approval forms for assigned applications and permissions under the assigned applications

Business Role Owner

The Business Role Owner can review a business role and approve a business role depending on whether the assigned approval policy specifies Approved by owners. Business role owners cannot edit business roles, they can only view them. For more information about approval policies, see Section 18.0, Creating and Managing Business Roles.

Business Role Manager

A Business Role Manager is an optional participant in the business role process. This authorization can:

  • Edit assigned business roles

  • Submit business role for approval, if approval is required based on approval policy

  • Promote role candidates

  • Publish roles

  • Deactivate roles

    NOTE:Role Managers cannot delete a role. Only Global or Business Role Administrators can delete roles.

Escalation Reviewer

The Escalation Reviewer is an optional participant in a review. All tasks not completed on time are forwarded to the Escalation Reviewer for resolution. Otherwise, the tasks are forwarded to the Review Owner. This authorization can:

  • View user, permission, application, and account details in the context of the review

  • Decide whether to keep, modify, or remove access privileges for a user under review

  • Edit review decisions before submitting those items

Fulfiller

The Fulfiller performs manual provisioning for access changes. This authorization can:

  • View the changeset, identity, permission, and application details for each fulfillment request

  • View guidance from collected analytics data about the requested change

  • View the reason for the requested change and the source of the request, such as a review run, business role fulfillment, or SoD policy

  • Fulfill, decline to fulfill, or reassign requests

Review Auditor

The Review Auditor verifies a review campaign. Each review can have its own Review Auditor. This authorization can:

  • Accept or reject the review after the Review Owner marks the review complete

  • View the name of the person who started the review on demand, on schedule, or by micro certification

  • View the data related to the review, but cannot modify the data

Review Owner

The Review Owner manages all assigned review instances. The Review Owner can view the details of any user, permission, or application entity within the context of the review. This authorization does not have general access to the catalog.

The Review Administrator who initiates a review automatically assumes the authorization of Review Owner if no Review Owner is specified.

NOTE:If you assign a new owner to a review, both the previous and new owners can access the review. The previous owner continues to see review instances run before the ownership change. The new owner sees only the instances run after the ownership change.

For an active Review, the Review Owner can:

  • Start and monitor the review progress

  • Resolve access policy violations in the review

  • Reassign certification tasks within the review

  • Run reports against the review

  • Declare the review complete

  • View the review status on the Governance Overview dashboard

  • View Quick Info details about a catalog item

  • View the fulfillment status of a review item

  • View the run history

Reviewer

The Reviewer authorization reviews sets of access permissions or memberships as part of a review run. This authorization can:

  • Decide whether to keep, modify, or remove access privileges for a user under review

  • Decide whether to keep or remove the business role membership for a user under review

  • Change the reviewer for any assigned review items

  • View user, permission, application, and account details in the context of the review

  • View a history of review decisions in the context of the review

  • View guidance on how a permission is assigned, such as through a direct assignment or authorized by a role

  • View current assignment details by clicking the review item links, if an administrator selected the assignment attributes as default columns to display for user and account access review

  • Add a comment to a review item with the decision to keep or remove, individually or in a batch

  • Edit review decisions before submitting them

SoD Policy Owner

The SoD Policy Owner is responsible for managing assigned Separation of Duties policies. This authorization can:

  • Manage assigned policies

  • Manage violation cases for assigned policies

Technical Role Owner

The Technical Role Owner is responsible for managing technical roles for which they are the owner. Owners cannot import, create, promote, delete, or assign access request policies to a role. This authorization can:

  • Add or remove permissions from a technical role

  • Add or remove categories

  • Activate or deactivate technical roles

  • Assign technical role owners

  • Assign technical roles to users detected to have all the permissions included in a technical role

  • Download technical roles