Manage business roles
The Manage business roles use case is part of the access right management process and can relate to other use cases, for example:
1. Business roles can be requested or removed from Self-Service by using the same services as when requesting or removing access rights (entitlements); in that case the manage request catalog use case is also needed
2. Business roles have the same approval and owner levels available as access rights (entitlements)
3. Business roles can be granted automatically by using automated rules***
4. Business roles can be re-certified**
5. If expanded access right management use cases are implemented, business roles can also contain physical**** and/or privileged access****
The IGA solution contains capabilities for role management, including flexible reporting and a Visual Analyzer tool to help IGA admins with role mining.
What is a business role?
A business role is a combination of single access rights or sub-roles. It is a kind of basket that gathers several different accesses into one, and it can be granted to users in different ways. Business role content is always granted to or removed from users as it is defined at that moment, meaning that end users are not able to break up the business role content.

Use case description
This use case can be expanded with other processes, which are marked as follows:
* User lifecycle management
** Governance
*** Automation & provisioning
**** Expanded access right management
| | Description |
| Overview | A business role is a collection of entitlements or sub-roles, and it is always managed as an entire collection, meaning that it is granted and removed as it is defined at that moment. Users and managers can request business roles in the same way as other access rights, but they cannot break up a business role: they cannot request or remove an individual access right from it (to be requested on its own, a single access right needs to be published to the request catalog). The same applies to approvers when they approve or decline business role requests. Business roles can also be granted automatically to users based on their title, organizational unit or cost center when the automated rule*** use case is taken into use. |
| Operators | IGA solution |
| Prerequisites | The manage entitlements and manage request catalog use cases are implemented and, if users are able to request business roles from Self-Service, the request and remove access right use cases also need to be implemented. The customer has assigned the IGA admin role to at least one person, preferably to two persons (see the manage IGA solution users use case). |
| Result | The IGA admin can create new business roles and publish them to Self-Service. When updating or inactivating an existing business role, the IGA admin can also simulate the changes and set the time at which the changes are provisioned to users (in some cases it is recommended to schedule large provisioning volumes outside the busiest hours). Users and/or managers can request and remove business roles, and approvers can approve or decline requests from Self-Service. |
| Operating chain for creating new business roles | |
| Operating chain for updating business roles | |
| Self-Service reporting | Users, managers and approvers can see the same reports for business role requests, removals and approvals as are listed in the request access rights use case. |
| IGA admin reporting | The IGA admin can create new views, dashboards and reports, or use ready-made ones, for auditing business role related information. |
| IGA admin actions | |
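The two properties described above, that a business role is always granted as its full current definition (including sub-roles) and that a change can be simulated before it is provisioned, can be modelled as follows. This is an added Python example, not Matrix42 code; the data model, role names, users and the functions `expand_role` and `simulate_change` are assumptions made for illustration.

```python
# Added illustration; role names, entitlements and users are constructed.
CURRENT = {
    "BR-Staff-Base": {"entitlements": {"Email", "Intranet"}, "sub_roles": set()},
    "BR-Nurse": {"entitlements": {"EHR-Read", "Ward-Calendar"},
                 "sub_roles": {"BR-Staff-Base"}},
    "BR-Ward-Admin": {"entitlements": {"Ward-Calendar", "Shift-Planner"},
                      "sub_roles": set()},
}
# Proposed update: BR-Nurse loses Ward-Calendar and gains Medication-Log.
PROPOSED = {**CURRENT, "BR-Nurse": {"entitlements": {"EHR-Read", "Medication-Log"},
                                    "sub_roles": {"BR-Staff-Base"}}}
ASSIGNMENTS = {"alice": {"BR-Nurse"},
               "bob": {"BR-Nurse", "BR-Ward-Admin"},
               "carol": {"BR-Ward-Admin"}}


def expand_role(role, roles, _path=()):
    """Flatten a business role into its entitlement set, following sub-roles."""
    if role in _path:
        raise ValueError("sub-role cycle: " + " -> ".join(_path + (role,)))
    if role not in roles:
        raise KeyError(f"unknown business role: {role}")
    granted = set(roles[role]["entitlements"])
    for sub in roles[role]["sub_roles"]:
        granted |= expand_role(sub, roles, _path + (role,))
    return granted


def effective_entitlements(user_roles, roles):
    """Union of everything a user's business roles grant."""
    granted = set()
    for role in user_roles:
        granted |= expand_role(role, roles)
    return granted


def simulate_change(current, proposed, assignments):
    """Per-user provisioning delta if `proposed` replaced `current`."""
    report = {}
    for user, user_roles in sorted(assignments.items()):
        before = effective_entitlements(user_roles, current)
        after = effective_entitlements(user_roles, proposed)
        if before != after:
            # An entitlement still covered by another role is not removed.
            report[user] = {"add": sorted(after - before),
                            "remove": sorted(before - after)}
    return report


if __name__ == "__main__":
    for user, delta in simulate_change(CURRENT, PROPOSED, ASSIGNMENTS).items():
        print(user, delta)
```

In the constructed data, bob keeps Ward-Calendar because BR-Ward-Admin still grants it, which is the kind of overlap a simulation should surface before a role update is scheduled.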
Tools for role mining
The Matrix42 IGA solution contains several helpful tools that let IGA admins practice role mining, which is needed when the customer is defining role content.
1. The IGA admin can use the reporting tool for complex data validation. Here are a couple of examples:
- Users with the same title and their entitlements (and business roles)
- Users in the same organizational unit and their entitlements (and business roles)
- Users with the same cost center and their entitlements (and business roles)
- Users with a combination of the information above
- Entitlements and users with the title "nurse"
- Entitlements and users with organizational unit "IT-department"
- Entitlements and users with cost center "1234"
2. Visual Analyzer tool
- With Visual Analyzer it is possible to see relations between IGA business roles, users, automated rules, entitlements, titles, organizational units etc.
- The tool is available to IGA admins in real time and can be used for validating any data card relations. For example, by choosing a title, it is possible to validate its relations to persons and entitlements.
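The report-based role mining listed above (users sharing a title, organizational unit, cost center or a combination, together with their entitlements) can be reproduced outside the product on an exported user list. This is an added Python example, not part of the Matrix42 tooling; the record layout, the sample users, the thresholds and the function `mine_role_candidates` are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample export, one record per user (not real data).
USERS = [
    {"user": "u1", "title": "nurse", "org_unit": "Ward-3", "cost_center": "1234",
     "entitlements": {"EHR-Read", "Ward-Calendar", "Email"}},
    {"user": "u2", "title": "nurse", "org_unit": "Ward-3", "cost_center": "1234",
     "entitlements": {"EHR-Read", "Ward-Calendar", "Email"}},
    {"user": "u3", "title": "nurse", "org_unit": "Ward-3", "cost_center": "1234",
     "entitlements": {"EHR-Read", "Ward-Calendar", "Email", "Pharmacy-Admin"}},
    {"user": "u4", "title": "nurse", "org_unit": "Ward-5", "cost_center": "5678",
     "entitlements": {"EHR-Read", "Email"}},
    {"user": "u5", "title": "developer", "org_unit": "IT-department",
     "cost_center": "9000", "entitlements": {"Email", "Git", "Prod-DB-Admin"}},
]


def mine_role_candidates(users, attributes, min_share=0.75, min_group=3):
    """Group users by the given attributes and propose role content per group.

    An entitlement becomes a candidate when at least `min_share` of the group
    holds it. Anything a member holds beyond that core is listed as an outlier
    to review, not folded into the role.
    """
    groups = defaultdict(list)
    for user in users:
        groups[tuple(user[a] for a in attributes)].append(user)

    candidates = {}
    for key, members in groups.items():
        if len(members) < min_group:
            continue  # too few users to generalise from
        counts = Counter(e for m in members for e in m["entitlements"])
        core = {e for e, n in counts.items() if n >= min_share * len(members)}
        outliers = {m["user"]: sorted(m["entitlements"] - core)
                    for m in members if m["entitlements"] - core}
        candidates[key] = {"members": len(members), "core": sorted(core),
                           "outliers": outliers}
    return candidates


if __name__ == "__main__":
    for attrs in (("title",), ("title", "cost_center")):
        print(attrs, mine_role_candidates(USERS, attrs))
```

Keeping outliers separate from the proposed core means a single user's unusual entitlement (here the constructed Pharmacy-Admin on u3) is surfaced for review instead of being granted to everyone with the same title.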

Expansion possibilities
Expansion possibilities are divided into three categories, but it is always important to validate whether a requested change affects the delivery schedule or work estimations.
Note that the IGA admin can change role-related content at any time; the changes listed here are changes to workflows, provisioning and so on.
| Category | Description |
| Small (less than an hour) | Small changes do not usually affect the delivery schedule or work estimations, and these changes can also be done by IGA admins, |
| Medium (0,5 - 2 work days) | Medium changes can be for example, |
| Large (more than 2 work days) | Large changes usually take longer, since they require more detailed definition and testing work. For managing entitlements, larger changes are usually new use cases which are expansions to the customer's existing IGA solution |
Relations & configuration instructions
Relations to other use cases:
Manage entitlements - business role content requires entitlements
Manage request catalog - if business roles can be requested from Self-Service, request catalog categories need to be in place
Request / remove access rights - if business roles can be requested/removed from Self-Service, the same services are used as when requesting / removing entitlements (single access rights)
Approval - if business roles can be requested/removed from Self-Service, an approval level is required to be set
Delegate approval responsibilities - managers and approvers can delegate business role related approval requests to other users
Manage automated rules - this use case is required when business roles are granted automatically to users, based on their title, organizational unit or cost center
Manage organizational information - if business roles are granted automatically by using automated rules, this use case is also recommended to be implemented, since it can alert the IGA admin if/when organizational information is changed or removed or new information is added
Relations to other data cards:
IGA Business Role
IGA Entitlement
IGA Automated Rules
IGA Import Task
Configuration instructions:
- Configure the EPEtask called "[Directory] IGA Access Right Record: Remove Group"
  - Configure the connection settings and after that run Test connection from the EPEtask
  - Define user and group filters and settings
  - No need to change user identity mappings
- Go to IGA Access Right Record and the workflow called "2.0 Add user to group"
  - Check the workflow nodes
  - Publish the workflow
- Go to IGA Business role and the workflow called "IGA Business Role"
  - Check the workflow nodes
  - Publish the workflow
Unit testing instructions:
- Test the IGA Business role management
  - The test user must be a Matrix42 ESM admin. Admins are usually managed by the Efecte_IGA_Admins Directory Group.
  - Before testing, ESM must contain:
    - Entitlements whose provisioning type is automatic
  - Create a new Business role
  - Test that the Business role is applied to users (ESM and Directory)
  - Test that the Business role can be inactivated
System and user approval testing instructions
This chapter describes the system and user approval testing instructions.
Testing instructions for testing IGA admin actions:
1. Login as IGA admin to IGA solution
2. Create new business roles containing only automatic provisioning type of entitlements
3. Create new business roles containing only manual provisioning type of entitlements
4. Create relations between business roles and sub-roles
5. Update existing business role content by adding new sub-roles and entitlements
6. Update existing business role content by removing sub-roles and entitlements
7. Inactivate business role by changing status
8. Validate that views, dashboards and reports are displayed correctly, after user, manager and approver actions have been tested
9. Validate that IGA access right records are created
Testing instructions for testing end-user, manager and approver actions:
1. Login as user to Self-Service
  - Request a business role for yourself (both with manual and with automatic provisioning type entitlements as content)
  - Request business role removal from yourself
  - Validate that the status changes correctly on the front page
  - Validate that the request history is shown correctly
  - Validate that MyThings shows active business roles correctly
2. Login as manager to Self-Service
  - Request business roles for your internal and external subordinates
  - Remove business roles from your internal and external subordinates
  - Approve business role requests / removal requests made by your subordinates
  - Validate that the status changes correctly on the front page
  - Validate that the request and approval history is shown correctly
  - Validate that MyEmployee shows active business roles correctly for your subordinates
3. Login as approver to Self-Service
  - Approve business role requests and removal requests according to defined approval levels
  - Validate that the status changes correctly on the front page
  - Validate that the approval history is shown correctly