OpenText Identity Governance enables you to manage both the technical and business roles in your organization. To make these roles easier to manage, OpenText Identity Governance assigns technical role administrators and business role administrators separate but overlapping responsibilities.
Business roles organize people by business function and user-based attributes to determine what users should have access to, or whether they can request that access without additional approval. Business roles authorize resources (permissions, technical roles, and applications) for users who are members of the business role. These authorizations also specify whether resources are to be auto-granted to users, auto-revoked from users, or neither auto-granted nor auto-revoked.
Technical roles organize lower-level permissions into sets of permissions that offer enough business value to be reviewed and assigned as a unit or requested as a unit. Technical roles are designed to limit the number of review items and surface permissions in ways that can be presented to typical non-administrator users.
Figure 15-1 illustrates how the different types of roles overlap. In this example, company policies authorize all full-time employees to have access to the HR Tools, Exchange Mailboxes, Lync, and My Meeting. Accounting clerks are authorized to have access to Document Control and Account Administration, a technical role that the technical role administrator created in OpenText Identity Governance. When you include a user as a member of the Full-time Employee and Accounting Clerk business roles, OpenText Identity Governance authorizes the user to have any of the mandatory or optional technical roles or permissions listed for the given role. OpenText Identity Governance could potentially provision mandatory permissions automatically, while it could assign optional permissions at a later time without further approval, because they are pre-approved by the policy. This example illustrates how business roles can save time and effort, reduce errors, and enable controlled access. To understand how your entitlement assignments conform to your business policies, you can view the Role Effectiveness widget on the Governance Overview dashboard. For more information, see Viewing Entitlement Assignments Statistics to Leverage Roles.
Both technical roles and business roles can be designated as authorization roles. If your environment has advanced authorization policy capabilities that limit access to applications based on predefined rules, then you can set one or more technical or business roles as authorization roles to make it easier to identify and monitor the roles that are used for authorization. Technical roles and business roles can be set or unset as an authorization role using the Actions menu.
Figure 15-1 Detailed Example of the Overlap between Business Roles and Technical Roles
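The overlap in this example can be modelled in a few lines to show how business role membership resolves to authorized permissions and where held access falls outside policy. The following Python sketch is an added illustration, not OpenText Identity Governance code or its API; the mandatory/optional split, the permissions inside Account Administration (Ledger Read, Ledger Post), and the Payroll Admin permission are assumptions constructed for the example.

```python
# Conceptual model only; names and data are constructed for illustration and are
# not OpenText Identity Governance APIs or the product's data schema.
from dataclasses import dataclass, field

# Technical role -> lower-level permissions (member permissions are assumed).
TECHNICAL_ROLES = {
    "Account Administration": {"Ledger Read", "Ledger Post"},
}

@dataclass
class BusinessRole:
    name: str
    mandatory: set = field(default_factory=set)  # assumed auto-granted
    optional: set = field(default_factory=set)   # pre-approved, granted on request

# Which resources are mandatory vs optional is an assumption; the page only
# lists what each role authorizes.
BUSINESS_ROLES = {
    "Full-time Employee": BusinessRole("Full-time Employee",
        mandatory={"HR Tools", "Exchange Mailboxes"}, optional={"Lync", "My Meeting"}),
    "Accounting Clerk": BusinessRole("Accounting Clerk",
        mandatory={"Document Control"}, optional={"Account Administration"}),
}

def expand(resources):
    """Replace technical roles with the permissions they bundle."""
    out = set()
    for r in resources:
        out |= TECHNICAL_ROLES.get(r, {r})
    return out

def authorizations(memberships):
    """Return (mandatory, optional) permissions across all business roles held."""
    mandatory, optional = set(), set()
    for name in memberships:
        role = BUSINESS_ROLES[name]
        mandatory |= expand(role.mandatory)
        optional |= expand(role.optional)
    return mandatory, optional - mandatory  # mandatory wins on overlap

def evaluate(memberships, held):
    """Compare held permissions with what the user's business roles authorize."""
    mandatory, optional = authorizations(memberships)
    return {
        "to_provision": sorted(mandatory - held),            # authorized, missing
        "requestable": sorted(optional - held),              # no further approval
        "unauthorized": sorted(held - mandatory - optional), # outside policy
    }

# Constructed sample user: a full-time accounting clerk.
SAMPLE = evaluate(["Full-time Employee", "Accounting Clerk"],
                  {"HR Tools", "Lync", "Ledger Read", "Payroll Admin"})
```

The "unauthorized" list is the kind of out-of-policy assignment that an access review would need to justify or revoke.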
NOTE: This chapter primarily discusses technical role policy concepts and procedures. For information about business roles, see Section 16.0, Creating and Managing Business Roles.