Role Management

Role Management allows you to manage roles from multiple systems with a single unified role repository. The roles can be documented, designed, analyzed for control violations, approved, and then automatically generated. It enables standardized practices to ensure that role definitions, development, testing, and maintenance are consistent across the entire enterprise.

Implementation Considerations

  • Designing a logical role naming convention

  • Creating a well-thought-out integration of role management into ongoing role development, testing, and change management processes

  • Identifying users when defining roles, such as role owners, security administrators, and user administrators

  • Defining goals, such as role optimization or consolidation, user access optimization, and risk and change request reduction

  • Identifying custom reports

Features

The application allows role owners and security administrators to:

  • Track progress during role implementation

  • Monitor the overall quality of the implementation

  • Perform risk analysis at role design time

  • Set up a workflow for role approval

  • Provide an audit trail for all role modifications

  • Maintain roles after they are generated to keep role information current

Roles and Role Assignment

A role is a predefined set of access permissions. In this model, access is not granted to individual users, but rather to roles.

Example

To provision access to a financial application for a user, you must assign to that user a role that has access to the application. If the user is assigned to the requisite role, the user automatically has access to the application.


Different users need to access the same module or application, yet require different levels of access. Typically, for any given application, multiple roles exist that include some form of access. Therefore, role assignment defines both the application to which the user has access, and the level of access the user is granted within the application.

Risk Analysis and Mitigation

One key element of provisioning in the access control application is the identification and mitigation of risk. Here, a risk is identified as a conflict within a single role.

Example

In most organizations, the roles Receiving, Inventory, and Accounts Payable are mutually exclusive. To prevent fraud, a person responsible for cataloging deliveries must not also be able to catalog inventory or to authorize payment for a delivery.

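The design-time risk analysis described above, as an added illustration that is not SAP code: a constructed rule set marks the page's three functions as mutually exclusive, a role is flagged when it alone grants a conflicting set, a user is flagged when the combination of assigned roles does, and risks with an approved mitigating control are filtered out. Rule IDs, role names and the mitigation table are constructed placeholders.

```python
"""Design-time segregation-of-duties (SoD) check for roles and role assignments.

Added illustration, not SAP code: rule IDs, role names and controls are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Constructed SoD rule set following the page's example: holding every function
# listed in a rule, whether through one role or several, violates that rule.
SOD_RULES: Dict[str, FrozenSet[str]] = {
    "SOD-01": frozenset({"Receiving", "Inventory"}),
    "SOD-02": frozenset({"Receiving", "Accounts Payable"}),
    "SOD-03": frozenset({"Inventory", "Accounts Payable"}),
}


@dataclass(frozen=True)
class Role:
    name: str
    functions: FrozenSet[str]  # business functions the role's permissions grant


def violated_rules(functions: FrozenSet[str]) -> List[str]:
    """Return the IDs of every rule whose conflicting functions are all present."""
    return sorted(rid for rid, conflict in SOD_RULES.items() if conflict <= functions)


def role_risks(role: Role) -> List[str]:
    """Risk within a single role: the role by itself grants a conflicting set."""
    return violated_rules(role.functions)


def user_risks(assigned: Iterable[Role]) -> List[str]:
    """Risk created by the combination of roles assigned to one user."""
    combined = frozenset().union(*(r.functions for r in assigned))
    return violated_rules(combined)


def unmitigated(risks: Iterable[str], mitigations: Dict[str, str]) -> List[str]:
    """Drop risks that already have an approved mitigating control on record."""
    return [rid for rid in risks if rid not in mitigations]


# Constructed sample roles (placeholder names, not from a real system).
RECEIVING_CLERK = Role("Z_RECEIVING_CLERK", frozenset({"Receiving"}))
AP_CLERK = Role("Z_AP_CLERK", frozenset({"Accounts Payable"}))
WAREHOUSE_ALL = Role("Z_WAREHOUSE_ALL", frozenset({"Receiving", "Inventory"}))

if __name__ == "__main__":
    print("Z_WAREHOUSE_ALL:", role_risks(WAREHOUSE_ALL))                     # ['SOD-01']
    print("clerk holding both roles:", user_risks([RECEIVING_CLERK, AP_CLERK]))  # ['SOD-02']
```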

Recommendation

To facilitate role planning and role maintenance, see the reports in the Reports and Analytics work center, which include reports for:

  • Facilitating overall role quality management

  • Providing valuable information for creating precise role definitions

  • Minimizing ongoing role maintenance

More Information

Role Maintenance