Identity Governance relies on authorizations to define a fixed set of access permissions. After installation of Identity Governance on premises and after deployment of Identity Governance as a service, the bootstrap administrator collects and publishes the initial set of identities and assigns a user as a Global or Customer Administrator who then assigns other authorizations. In SaaS environment, the Customer Administrator will work with a SaaS Operations Administrator to configure services and plan maintenance tasks. The SaaS Operations Administrator is a member of the SaaS team responsible for customer tenancy operations including data center configurations.
Identity Governance authorizations can be global or runtime:
Global authorizations are constant within Identity Governance and assigned through the Identity Governance Configuration settings. Identity Governance maintains the set of privileges granted by the authorization. For more information, see Section 2.1.1, Global Authorizations
Runtime authorizations are those that users assume as needed to perform tasks specific to a governance area such as request, review, or fulfillment. For example, you assign a Review Owner as needed during an access review and validation cycle. You can reassign these authorizations with each review run. For more information, see Section 2.1.2, Runtime Authorizations.
If a user does not have the required authorization or does not have an assigned task, the user will be redirected to the Access Request interface. For more information about requesting access, see Section 24.0, Instructions for Access Requesters and Approvers. For more information about the bootstrap administrator, see Understanding the Bootstrap Administrator for Identity Governance
in the Identity Governance 4.3.1 Installation and Configuration Guide.
After collecting and publishing an initial set of identities, assign the Global Administrator authorization in an on-premises environment and Customer Administrator in a SaaS environment to one of these identities. The Global or Customer Administrator can then assign the rest of the global authorizations. For more information, see Section 2.3, Assigning Authorizations to Identity Governance Users.
The Customer Administrator is the primary authorization for Identity Governance as a Service. This authorization is responsible for day-to-day business operations of the product and can:
Perform all Identity Governance actions
Assign all Identity Governance global and runtime authorizations for users in the enterprise
The Global Administrator is the primary authorization for Identity Governance on-premises deployments. This authorization can:
Perform all Identity Governance actions
Assign all Identity Governance global and runtime authorizations
The Access Request Administrator manages policies that define who can request access in your enterprise. This authorization can:
Create, modify, and delete Access Request Policies
Create, modify, and delete Access Request Approval Policies
Edit the default Access Request Approval Policy
Customize default request and approval forms
Create and customize approval workflows
Create custom request and approval forms for one or more permissions or applications
The Auditor has read-only rights to the catalog, reviews, Separation of Duties (SoD) policies and violations, business roles, risk, certification policies, fulfillment statuses, and Governance Overview dashboard. However, this authorization can configure and run insight queries and an account assigned to the Auditor authorization might also be specified as a Review Auditor in a review definition. For more information, see Section 2.1.2, Runtime Authorizations.
The Business Roles Administrator performs all administrative functions for all business roles. A Business Roles Administrator can delegate administrative privileges. This authorization can:
Administer the business role schema under Data Administration
Configure role mining settings
Collect automated and business role mining metrics
Mine for business roles and promote role candidates
Create a business role
Modify a business role
Add or change role owners, role managers, fulfillers, and categories
Add or change the business role approval policy
Add users and groups to the business role
Exclude users and groups from the business role
Publish a business role
Delete a business role
Analyze business roles
Configure the business roles default approval policy
Create and modify business roles approval policies
The Data Administrator manages the identity and application data sources. This authorization can:
Create, add, modify, and review data sources
Create custom metrics
Create scheduled collections
Execute data collection and publishing
Create and map attributes in the catalog
Review and edit data in the catalog
Create custom request and approval forms for one or more permissions or applications
Configure and run governance insight queries
Delegate responsibility by assigning application administrators, application owners, or manual fulfillers to applications in the catalog
Assign delegates for users
View data collection, data summary, and system trends on the Governance Overview dashboard
Perform data maintenance tasks including archiving and data cleanup
The Maintenance Administrator configures and performs data maintenance tasks such as archiving and data cleanup.
The Governance Insights Administrator manages data queries. This authorization can:
Configure and run governance insight queries
Download and import insight queries
The Fulfillment Administrator manages fulfillment and verification of requests that result from reviews. This authorization can access real time and historical data for provisioning activities, including fulfillment status and verification management.
The Report Administrator can access Identity Reporting. This authorization can:
Create, view, and run reports for Identity Governance
Add, remove, and modify data sources on which you want to run reports
The Review Administrator manages the review process but does not have access to data collection or fulfillment settings. This authorization can:
Create, schedule, and start reviews in preview mode or live mode
Modify a review schedule
Assign all the runtime authorizations as part of a review, thereby delegating certain rights pertaining to the review to those authorizations
View reviews in progress
View the name of the person who started the review on demand, on schedule, or by micro certification
View data summary and system trends on the Governance Overview dashboard
View the Catalog, but cannot modify it
The Technical Roles Administrator mines for technical role candidates and manages technical roles. A Technical Roles Administrator can delegate administrative privileges. This authorization can:
Collect User to permission assignments metric
Mine for technical roles and promote role candidates
Create and delete technical roles
Add or remove permissions from a technical role
Add or remove categories
Promote, activate, or deactivate technical roles
Assign technical role owners
Assign access request and approval policies
Assign technical roles to users detected to have all the permissions included in a technical role
Download or import technical roles
The Security Officer has read-only rights to the catalog and can:
Assign authorizations for all functions in Identity Governance
View data summary on the Governance Overview dashboard
View the Catalog, but cannot modify it
NOTE:Ensure that the users assigned to the Security Officer authorization can also be trusted with global privileges in Identity Governance.
The Separation of Duties Administrator creates and manages SoD policies and violation cases.
The Workflow Administrator creates and edits custom workflows. For additional information about their access rights in Workflow Administration Console, see the Workflow Administration Guide.
Assign runtime authorizations when you need them. For more information, see Section 2.3, Assigning Authorizations to Identity Governance Users.
Access Requesters request application access, permissions, and technical role assignment. Identity Governance Access Request Administrator, Customer Administrator, and Global Administrator define the Access Request policy that specifies who can request access, what can they request, and for whom can they make their requests.
Access Request Approvers confirm whether to approve or deny requested access in the Request application. Identity Governance assigns this authorization if an Access Request Approval policy specifies approvers. Access request approvers can also reassign their task to another approver.
The Application Owner manages all assigned applications. This authorization can:
View and manage the following information in the catalog:
The applications in the catalog for which they are an owner or administrator
The accounts associated with those applications
All identities in the system, but details of the identities are restricted to only the permissions and account for which they are an owner or administrator.
All groups
Create custom request and approval forms for assigned applications and permissions under the assigned applications
Perform data editing for assigned applications
Review data and access within the assigned applications if assigned as a reviewer
(Conditional) Review access entitlements or remediate access policy violations within the application if assigned this responsibility by the review definition
The Application Administrator validates published data and performs data cleanup, or editing, for all assigned applications. This authorization can:
Edit data within the scope of the data source
Review data and access within the data source
View the catalog but edit only items related to the assigned data source
Create custom request and approval forms for assigned applications and permissions under the assigned applications
The Business Role Owner can review a business role and approve a business role depending on whether the assigned approval policy specifies Approved by owners. Business role owners cannot edit business roles, they can only view them. For more information about approval policies, see Section 19.0, Creating and Managing Business Roles.
A Business Role Manager is an optional participant in the business role process. This authorization can:
Edit assigned business roles
Submit business role for approval, if approval is required based on approval policy
Promote role candidates
Publish roles
Deactivate roles
NOTE:Role Managers cannot delete a role. Only Global or Business Role Administrators can delete roles.
The Escalation Reviewer is an optional participant in a review. All tasks not completed on time are forwarded to the Escalation Reviewer for resolution. Otherwise, the tasks are forwarded to the Review Owner. This authorization can:
View user, permission, application, and account details in the context of the review
Decide whether to keep, modify, or remove access privileges for a user under review
Edit review decisions before submitting those items
The Fulfiller performs manual provisioning for access changes. This authorization can:
View the changeset, identity, permission, and application details for each fulfillment request
View guidance from collected analytics data about the requested change
View the reason for the requested change and the source of the request, such as a review run, business role fulfillment, or SoD policy
Fulfill, decline to fulfill, or reassign requests
The Review Auditor verifies a review campaign. Each review can have its own Review Auditor. This authorization can:
Accept or reject the review after the Review Owner marks the review complete
View the name of the person who started the review on demand, on schedule, or by micro certification
View the data related to the review, but cannot modify the data
The Review Owner manages all assigned review instances. The Review Owner can view the details of any user, permission, or application entity within the context of the review. This authorization does not have general access to the catalog.
The Review Administrator who initiates a review automatically assumes the authorization of Review Owner if no Review Owner is specified.
NOTE:If you assign a new owner to a review, both the previous and new owners can access the review. The previous owner continues to see review instances run before the ownership change. The new owner sees only the instances run after the ownership change.
For an active Review, the Review Owner can:
Start and monitor the review progress
Resolve access policy violations in the review
Reassign certification tasks within the review
Run reports against the review
Declare the review complete
View the review status on the Governance Overview dashboard
View Quick Info details about a catalog item
View the fulfillment status of a review item
View the run history
The Reviewer authorization reviews sets of access permissions or memberships as part of a review run. This authorization can:
Decide whether to keep, modify, or remove access privileges for a user under review
Decide whether to keep or remove the business role membership for a user under review
Change the reviewer for any assigned review items
View user, permission, application, and account details in the context of the review
View a history of review decisions in the context of the review
View guidance on how a permission is assigned, such as through a direct assignment or authorized by a role
View current assignment details by clicking the review item links, if an administrator selected the assignment attributes as default columns to display for user and account access review
Add a comment to a review item with the decision to keep or remove, individually or in a batch
Edit review decisions before submitting them
The SoD Policy Owner is responsible for managing assigned Separation of Duties policies. This authorization can:
Manage assigned policies
Manage violation cases for assigned policies
The Technical Role Owner is responsible for managing technical roles for which they are the owner. Owners cannot import, create, promote, delete, or assign access request policies to a role. This authorization can:
Add or remove permissions from a technical role
Add or remove categories
Activate or deactivate technical roles
Assign technical role owners
Assign technical roles to users detected to have all the permissions included in a technical role
Download technical roles