9. Provisioning: What's New


1. Support for Roles Based Provisioning

The Identity Manager User Application's Roles Based Provisioning Module provides an easy way to grant people privileges in target systems through their role membership. The module allows you to ensure that employees have access to the resources they need to perform their jobs, but no more.

This milestone contains support for the Roles Based Provisioning Module.

1.1. Role Editor

The Role editor allows you to create and configure the roles you want to assign and manipulate in the Roles tab of the User Application. You use the editor to define the role details such as:

  1. Role name
  2. Role level
  3. Role category
  4. Role owners
  5. Role trustees
  6. Role relationships
  7. Entitlements granted as a result of membership in this role
  8. Approval details

1.2. Separation of Duties Editor

It is now possible to create Separation of Duties (SoD) constraints to manage potential conflicts between role assignments for the Roles Based Provisioning Module. You can define:

  1. The roles in conflict
  2. The type of approval that is required when a user requests an exception to the constraint.
  3. The users, groups, or containers that can approve an exception request.

1.3. Role Configuration Editor

It is now possible to configure the Role Subsystem for the Roles Based Provisioning Module in Designer. You can use the Role Configuration editor to define:

  1. Grace Period for Role Assignment Removal
  2. Localizable Role Level Display Names and Descriptions
  3. Approval Details for SoD constraint exceptions

1.4. Provisioning View: Role Catalog

The Provisioning view now supports the Role Catalog used by the Roles Based Provisioning Module. This includes support for the following editors:

The Provisioning view also supports dynamic sub-containers for roles. A dynamic sub-container is a custom container created by the user. It can contain roles and other sub-containers. An example dynamic sub-container, called System, is shown in the screen shot above.

Dynamic sub-containers make it easier to define trustees for roles. You can define trustees on the sub-container instead of defining them on each role. In this release, you must use iManager to set the trustees on the sub-containers.

1.5. Document Generation - Provisioning Style

The Provisioning Style has been updated to include sections for roles, separation of duties and the role configuration.

2. General

2.1. Temporary localized labels provided for category list items

All the category lists (Provisioning, Roles and Resource) now contain the string "Not translated - [CN]" in their list item labels when the user has not provided a value. This string is used when users open the Localize dialog for the list items and when users deploy the lists. Validation generates a warning that it is using a temporary "Not translated" string and that users should provide values.

2.2. New Workflow Process Type

The Provisioning Request Definition editor includes two workflows that support role approval and SoD constraint exception approval requests. To differentiate these workflows from standard workflows and from each other, the Process Type property has been added. Values are Normal, Role Approval and SoD Approval.

2.3. Activities: New Role Binding Activity

A new Role Binding activity has been added. This activity is used to grant or deny a Role or SoD approval request.

2.4. Provisioning View: Paste of Objects

The Provisioning view now allows you to specify the name and display name of an object when pasting the object (into the same location).
