Role Management allows you to manage roles from multiple systems with a single unified role repository. The roles can be documented, designed, analyzed for control violations, approved, and then automatically generated. It enables standardized practices to ensure that role definitions, development, testing, and maintenance are consistent across the entire enterprise.
Designing a logical role naming convention
Creating a well-thought-out integration of role management into ongoing role development, testing, and change management processes
Identifying users when defining roles, such as role owners, security administrators, and user administrators
Defining goals, such as role optimization or consolidation, user access optimization, and risk and change request reduction
Identifying custom reports
The application allows role owners and security administrators to:
Track progress during role implementation
Monitor the overall quality of the implementation
Perform risk analysis at role design time
Set up a workflow for role approval
Provide an audit trail for all role modifications
Maintain roles after they are generated to keep role information current
Roles and Role Assignment
A role is a predefined set of access permissions. In this model, access is not granted to individual users, but rather to roles.
Example
To provision access to a financial application for a user, you must assign to that user a role that has access to the application. If the user is assigned to the requisite role, the user automatically has access to the application.
Different users need to access the same module or application, yet require different levels of access. Typically, for any given application, multiple roles exist that include some form of access. Therefore, role assignment defines both the application to which the user has access, and the level of access the user is granted within the application.
Risk Analysis and Mitigation
One key element of provisioning in the access control application is the identification and mitigation of risk. Here, a risk is identified as a conflict within a single role.
Example
In most organizations, the roles Receiving, Inventory, and Accounts Payable are mutually exclusive. To prevent the risk of fraud, a person responsible for cataloging deliveries must not also have the ability to catalog inventory or to authorize payment for a delivery.
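The role model above (access granted only through roles, with a user's effective access being the union of the assigned roles) and the design-time risk check (a conflict contained within a single role) can both be shown in a few functions. The following is an added example, not code from the application documented on this page; the role names, actions and risk identifiers are constructed sample data, and the rule format is a simplification of how a real access control product stores risks.

```python
"""Added example: a minimal role model with a segregation-of-duties (SoD) risk check.

Roles grant actions; users receive roles, never actions directly. Risk analysis runs
at role design time (conflicts inside one role) and at assignment time (conflicts
that only appear when a user's roles are combined).
All role names, actions and rules below are constructed sample data.
"""

# Constructed sample roles: role name -> actions the role grants.
ROLES = {
    "Receiving Clerk": {"catalog_deliveries"},
    "Inventory Clerk": {"catalog_inventory"},
    "AP Clerk": {"authorize_payment"},
    # Deliberately over-broad role that bundles all three mutually exclusive duties.
    "Warehouse Supervisor": {"catalog_deliveries", "catalog_inventory", "authorize_payment"},
}

# Constructed SoD rules: (action_a, action_b, risk id). One person must not hold both.
SOD_RULES = [
    ("catalog_deliveries", "catalog_inventory", "RISK-RCV-INV"),
    ("catalog_deliveries", "authorize_payment", "RISK-RCV-AP"),
    ("catalog_inventory", "authorize_payment", "RISK-INV-AP"),
]


def violated_rules(actions, rules=SOD_RULES):
    """Return the risk ids of every rule whose two actions are both present in `actions`."""
    return [risk for a, b, risk in rules if a in actions and b in actions]


def analyze_role(role_name, roles=ROLES, rules=SOD_RULES):
    """Design-time check: conflicts contained entirely within one role definition."""
    return violated_rules(roles[role_name], rules)


def approve_role(role_name, roles=ROLES, rules=SOD_RULES):
    """Gate for an approval workflow: a role with an internal conflict is not generated.

    Returns (approved, list of risk ids) so the reviewer sees why a role was rejected.
    """
    risks = analyze_role(role_name, roles, rules)
    return (len(risks) == 0, risks)


def effective_actions(assigned_roles, roles=ROLES):
    """A user's access is the union of the actions of every role assigned to them."""
    actions = set()
    for name in assigned_roles:
        actions |= roles[name]
    return actions


def has_access(assigned_roles, action, roles=ROLES):
    """Access decisions are made purely through roles, never per user."""
    return action in effective_actions(assigned_roles, roles)


def analyze_user(assigned_roles, roles=ROLES, rules=SOD_RULES):
    """Assignment-time check: conflicts that arise only from combining roles.

    Returns a sorted list of (risk id, (role_x, role_y)) so an administrator can see
    which pair of assignments to split, cover with a mitigating control, or revoke.
    Conflicts inside a single role are left to analyze_role().
    """
    findings = set()
    for a, b, risk in rules:
        holders_a = [r for r in assigned_roles if a in roles[r]]
        holders_b = [r for r in assigned_roles if b in roles[r]]
        for ra in holders_a:
            for rb in holders_b:
                if ra != rb:
                    findings.add((risk, tuple(sorted((ra, rb)))))
    return sorted(findings)


if __name__ == "__main__":
    for name in ROLES:
        ok, risks = approve_role(name)
        print(f"{name}: {'approved' if ok else 'rejected'} {risks}")
    print("Receiving + AP:", analyze_user(["Receiving Clerk", "AP Clerk"]))
```

Note that the over-broad "Warehouse Supervisor" role passes `analyze_user` when assigned alone but fails `approve_role`: the two checks answer different questions, and a deployment that only runs assignment-time analysis will never see a conflict that was built into a role definition. That is the reason the page recommends risk analysis at role design time, before the role is generated.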
Recommendation
To facilitate role planning and role maintenance, see the reports in the Reports and Analytics work center, which include reports for:
Facilitating overall role quality management
Providing valuable information for creating precise role definitions
Minimizing ongoing role maintenance