21.3 Provisioning security

When a user logs into the Identity Manager user application, the Security system authenticates that user and sets access controls to protect provisioning and workflow objects from unauthorized use. This ensures that the user sees only those provisioning request definitions to which he or she has been granted access. In addition to performing authentication and authorization services for the user application, the Security system manages proxy and delegate assignments.

If logging is enabled, any actions taken by a proxy or delegate are logged along with actions taken by other users. When an action is taken by a proxy or delegate, the log message clearly indicates that the action was performed by a proxy or delegate for another user. In addition, each time a new proxy or delegate assignment is defined, this event is logged as well.

If a provisioning request definition is configured to generate e-mail notifications, proxies as well as addressees are notified by e-mail. Delegates are not included in e-mail notifications.

Workflow security roles

The Security system recognizes the following security roles:

User Application Administrator

Description: Locksmith user with full administrative rights.

Rights: The User Application Administrator is permitted to perform these tasks in iManager:

  • Configure provisioning requests

  • Manage workflows already in process

The User Application Administrator is permitted to perform these tasks within the user application:

  • View and edit all tasks in all workflow queues.

  • Define proxy and delegate assignments for any user in the system.

  • View hidden information (hidden attributes) for any user in the system.

  • Create Task Group Managers and assign them to groups. The User Application Administrator is the only user who can create and assign Task Group Managers.

NOTE: The Administration tab of the Identity Manager user application provides tools for assigning rights to administer the user application. To use this tab, you must first log on as the user who was specified as the User Application Administrator at installation time.

For details on using the security features of the user application, see Section 11.0, Security Configuration.

Organizational Manager

Description: Direct report supervisor for an employee. Each user has only one Organizational Manager.

HINT: The Organizational Manager can also be thought of as an administrative manager.

Rights: The Organizational Manager is permitted to:

  • View all tasks that are in his/her team’s workflow queues. This capability applies to a single level in the management hierarchy; therefore, an Organizational Manager’s supervisor cannot see the tasks of the Organizational Manager’s direct reports.

  • Edit tasks for direct reports, except in the case where a direct report has a task assigned to a group whose Task Group Manager is someone other than the Organizational Manager. In this case, the Organizational Manager can view the task, but not perform any edits. Upon escalation, the task moves to the Task Group Manager, not the Organizational Manager.

  • Claim tasks and unclaim tasks, and reassign tasks to members of his/her team.

  • Define proxy and delegate relationships for himself or herself and for members of his/her team.

  • View hidden attributes for members of his/her team.

Task Group Manager

Description: User given responsibility for a set of tasks associated with a task group. A task group is an extension of the LDAP Group object. Each task group can have only one Task Group Manager.

Task Group Managers are assigned by the User Application Administrator.

When a task is assigned to a group, the srvprvTaskManager attribute for the group contains the DN for the user who is the designated Task Group Manager. For improved performance, Task Group Managers are also identified by an attribute on the user object: the srvprvIsTaskManager attribute is set to true for a user who is a designated Task Group Manager.

Rights: The Task Group Manager is permitted to:

  • View and edit all tasks that are assigned to a group for which he/she is the designated leader.

The Task Group Manager is not permitted to:

  • Create resources or retract requests.

  • Define proxy or delegate relationships.

  • View hidden attributes for members of his/her team.

NOTE: Any user can view hidden attributes associated with his/her own identity.
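The role rules above, together with the group and user attributes that identify Task Group Managers, can be written down as an explicit authorization model. The following Python is an added example, not code from Novell or from the user application; it models the rights described on this page over a few constructed directory entries. The attribute names srvprvTaskManager and srvprvIsTaskManager are the ones the page names; the `manager` attribute used for the Organizational Manager link, the DNs, and the fallback escalation target for a task that has no task group are assumptions of the example.

```python
# Added example (not Novell's code): a model of the workflow security roles
# described on this page, evaluated over constructed LDAP-style entries.
from dataclasses import dataclass
from typing import Optional

# Constructed sample entries (not taken from the page).
# "manager" as the Organizational Manager link is an assumption of this example.
USERS = {
    "cn=admin,o=acme": {"srvprvIsTaskManager": False, "manager": None},
    "cn=mgr,o=acme":   {"srvprvIsTaskManager": False, "manager": None},
    "cn=alice,o=acme": {"srvprvIsTaskManager": False, "manager": "cn=mgr,o=acme"},
    "cn=bob,o=acme":   {"srvprvIsTaskManager": True,  "manager": "cn=mgr,o=acme"},
    # carol carries the performance flag but no group designates her (stale flag)
    "cn=carol,o=acme": {"srvprvIsTaskManager": True,  "manager": None},
}
GROUPS = {
    # The task group's srvprvTaskManager holds the DN of its single Task Group Manager.
    "cn=finance,o=acme": {"srvprvTaskManager": "cn=bob,o=acme"},
}
USER_APP_ADMIN = "cn=admin,o=acme"  # assumed DN of the User Application Administrator


@dataclass
class Task:
    addressee: str                # user the task is assigned to
    group: Optional[str] = None   # task group the task is assigned to, if any


def is_direct_report(manager_dn: str, user_dn: str) -> bool:
    """Single level only: a manager's manager does not see the reports' tasks."""
    return USERS[user_dn]["manager"] == manager_dn


def task_group_manager(task: Task) -> Optional[str]:
    """DN in the group's srvprvTaskManager attribute, or None if no task group."""
    if task.group is None:
        return None
    return GROUPS[task.group].get("srvprvTaskManager")


def can_view(actor: str, task: Task) -> bool:
    if actor == USER_APP_ADMIN:                       # all tasks in all queues
        return True
    if is_direct_report(actor, task.addressee):       # Organizational Manager
        return True
    return task_group_manager(task) == actor          # Task Group Manager


def can_edit(actor: str, task: Task) -> bool:
    if actor == USER_APP_ADMIN:
        return True
    tgm = task_group_manager(task)
    if tgm == actor:                                  # designated leader of the group
        return True
    if is_direct_report(actor, task.addressee):
        # The Organizational Manager may edit, unless the task belongs to a group
        # whose Task Group Manager is someone else (then view only).
        return tgm is None
    return False


def escalation_target(task: Task) -> Optional[str]:
    """Escalation goes to the Task Group Manager when the group has one.
    Falling back to the addressee's Organizational Manager otherwise is an
    assumption of this example, not a statement from the page."""
    tgm = task_group_manager(task)
    return tgm if tgm is not None else USERS[task.addressee]["manager"]


def can_define_proxy_or_delegate(actor: str, subject: str) -> bool:
    """Admin: anyone. Organizational Manager: self and team. Task Group Manager: no."""
    if actor == USER_APP_ADMIN:
        return True
    return actor == subject or is_direct_report(actor, subject)


def can_view_hidden_attributes(actor: str, subject: str) -> bool:
    """Any user sees their own hidden attributes; admin sees all; managers see their team."""
    if actor == subject or actor == USER_APP_ADMIN:
        return True
    return is_direct_report(actor, subject)


def stale_task_manager_flags() -> list:
    """Audit check: users flagged srvprvIsTaskManager=true that no group's
    srvprvTaskManager points at. The flag is a denormalised copy, so a stale
    value is a least-privilege drift worth reconciling."""
    designated = {g.get("srvprvTaskManager") for g in GROUPS.values()}
    return sorted(dn for dn, u in USERS.items()
                  if u["srvprvIsTaskManager"] and dn not in designated)


if __name__ == "__main__":
    t = Task("cn=alice,o=acme", group="cn=finance,o=acme")
    print("mgr can view:", can_view("cn=mgr,o=acme", t), "edit:", can_edit("cn=mgr,o=acme", t))
    print("escalates to:", escalation_target(t))
    print("stale flags:", stale_task_manager_flags())
```

The audit function is the part a defender would actually schedule: because srvprvIsTaskManager is kept on the user object purely for performance, it can drift from the group's srvprvTaskManager after a group is deleted or its manager changes, and the page's rule that only the User Application Administrator assigns Task Group Managers is easiest to verify by reconciling the two attributes.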

Defining proxy and delegate relationships

To define a proxy assignment for a user, you use the Team Proxy Assignments page on the Requests & Approvals tab of the Identity Manager user interface. To define a delegate assignment for a user, you use the Team Delegate Assignments page, which is also available on the Requests & Approvals tab.

Creating Task Group Managers

To define a Task Group Manager for a task group, you use the Create User or Group page on the Identity Self-Service tab of the Identity Manager user interface.

For complete details on defining Task Group Managers, proxies, and delegates, see the Identity Manager User Application: User Guide.