When a user logs into the Identity Manager user application, the Security system authenticates that user and sets access controls to protect provisioning and workflow objects from unauthorized use. This ensures that the user sees only those provisioning request definitions to which he or she has been granted access. In addition to performing authentication and authorization services for the user application, the Security system manages proxy and delegate assignments.
A delegate is a user authorized to perform work for another user. A delegate assignment applies to a particular provisioning request definition.
A proxy is a user authorized to perform any and all work for one or more users, groups, or containers. Unlike delegate assignments, proxy assignments are independent of provisioning request definitions, and therefore apply to all work and settings.
If logging is enabled, any actions taken by a proxy or delegate are logged along with actions taken by other users. When an action is taken by a proxy or delegate, the log message clearly indicates that the action was performed by a proxy or delegate for another user. In addition, each time a new proxy or delegate assignment is defined, this event is logged as well.
If a provisioning request definition is configured to generate e-mail notifications, proxies as well as addressees are notified by e-mail. Delegates are not included in e-mail notifications.
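The scope, logging and notification rules described above, modelled as an added example (constructed code, not the product's own API; the class, attribute and user names are assumptions):

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecuritySystem:
    """Hypothetical model of proxy and delegate authorization (constructed example)."""
    # proxy actor -> users the proxy may act for (all work, any request definition)
    proxies: dict[str, set[str]] = field(default_factory=dict)
    # (delegate actor, provisioning request definition) -> users the delegate acts for
    delegates: dict[tuple[str, str], set[str]] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def add_proxy(self, actor: str, for_user: str) -> None:
        self.proxies.setdefault(actor, set()).add(for_user)
        self.log.append(f"ASSIGN proxy {actor} for {for_user}")  # assignments are logged

    def add_delegate(self, actor: str, for_user: str, prd: str) -> None:
        self.delegates.setdefault((actor, prd), set()).add(for_user)
        self.log.append(f"ASSIGN delegate {actor} for {for_user} on {prd}")

    def authorize(self, actor: str, addressee: str, prd: str) -> Optional[str]:
        """Capacity in which actor may work addressee's task for request definition prd:
        'self', 'proxy' or 'delegate'; None if denied. Every decision is logged."""
        if actor == addressee:
            capacity = "self"
        elif addressee in self.proxies.get(actor, set()):
            capacity = "proxy"        # proxy assignments cover every request definition
        elif addressee in self.delegates.get((actor, prd), set()):
            capacity = "delegate"     # delegate assignments cover only this definition
        else:
            self.log.append(f"DENY {actor} on {prd} for {addressee}")
            return None
        acting_for = "" if capacity == "self" else f" as {capacity} for {addressee}"
        self.log.append(f"ACTION {actor} on {prd}{acting_for}")  # states who acted for whom
        return capacity

    def notify_list(self, addressee: str, prd: str) -> set[str]:
        """E-mail recipients for a task: the addressee plus all proxies of the addressee.
        Delegates are deliberately excluded, as the notification rule states."""
        return {addressee} | {p for p, users in self.proxies.items() if addressee in users}
```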
Workflow security roles

The Security system recognizes the following security roles:

| Role | Description | Rights |
|---|---|---|
| User Application Administrator | Locksmith user with full administrative rights. | The User Application Administrator is permitted to perform these tasks in iManager: The User Application Administrator is permitted to perform these tasks within the user application: NOTE: The Administration tab of the Identity Manager user application provides tools for assigning rights to administer the user application. To use this tab, you must first log on as the user who was specified as the User Application Administrator at installation time. For details on using the security features of the user application, see Section 11.0, Security Configuration. |
| Organizational Manager | Direct report supervisor for an employee. Each user has only one Organizational Manager. HINT: The Organizational Manager can also be thought of as an administrative manager. | The Organizational Manager is permitted to: |
| Task Group Manager | User given responsibility for a set of tasks associated with a task group. A task group is an extension of the LDAP Group object. Each task group can have only one Task Group Manager. Task Group Managers are assigned by the User Application Administrator. When a task is assigned to a group, the srvrprvTaskManager attribute for the group contains the DN for the user who is the designated Task Group Manager. For improved performance, Task Group Managers are also identified by an attribute on the user object. The srvprvIsTaskManager attribute is set to true for a user who is a designated Task Group Manager. | The Task Group Manager is permitted to: The Task Group Manager is not permitted to: |

NOTE: Any user can view hidden attributes associated with his/her own identity.
Defining proxy and delegate relationships

To define a proxy assignment for a user, you use the Team Proxy Assignments page on the Requests & Approvals tab of the Identity Manager user interface. To define a delegate assignment for a user, you use the Team Delegate Assignments page, which is also available on the Requests & Approvals tab.

Creating Task Group Managers

To define a Task Group Manager for a task group, you use the Create User or Group page on the Identity Self-Service tab of the Identity Manager user interface.
For complete details on defining Task Group Managers, proxies, and delegates, see the Identity Manager User Application: User Guide.