What is the actual use case for business and system roles in One Identity Manager (difference).

Hello,

Could someone explain to me the difference between a "business role" and a "system role" in One Identity Manager?

In the Identity Manager 8.0 - Business Roles Administration Guide I read:

...
Various company resources can be assigned to business roles, for example, authorizations in different SAP systems or applications....

In the Identity Manager 8.0 - System Roles Administration Guide I read:

System roles make it easier to assign company resources that are frequently required or rather that are always assigned together...

So it seems that both business roles and system roles can be used to assign company resources. But it is not clear what the actual distinction is, and in which situations business or system roles should be used.

Let me give an example of an important use case we are trying to accomplish:

A user has one or more business roles; here a business role represents an actor in a business process. The business role requires multiple entitlements for the business work to be performed. These entitlements can be, for example, one or more technical roles in applications (modeled as AD groups) and one or more memberships of AD groups for file share access. I suppose the AD groups in this case could be considered company resources.

Using One Identity we could:

1
===============
- Create a system role per AD group (in our company the AD groups already implicitly consolidate access to one or more company resources)
- Create a business role
- Assign the system role to the business role
- Assign the employee to the business role

Advantage: Clean separation between business and IT concepts
Disadvantage: Need to create a system role for each AD group (the added value of a one-to-one mapping is not clear). Could lead to a large number of system roles.

2
===============
- Create a business role
- Assign the AD group to the business role
- Assign the employee to the business role

Advantage: Simple model, less administrative overhead
Disadvantage: No actual separation between business and IT concepts

We are not sure which option to use in One Identity Manager. I suppose that internally the One Identity Manager processes clearly distinguish between business role and system role assignments and that the semantics of each of these roles are taken into consideration.

Can anyone give some feedback around this topic, maybe an example of how this is configured at your site?

Thank you in advance,

Kind regards,

Wilke

  • Personally, I would go for option 2 because of the minimized overhead. But it depends a little bit on the number of business roles that have the same company resources assigned, or on the change rate of these packages (of company resources).

    One of the reasons to use system roles is to create packages of (technical) company resources that are needed to get access to something or to perform a certain role in a technical target system. These packages can then be assigned to several business roles, departments, locations or cost centers to ease the administration of your role model and the lifecycle of those packages.

    And of course, as you have already mentioned, using system roles would allow a clear separation of IT and business concepts (and/or owners).
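The two models from the question, and the reply's point about shared packages, can be made concrete with a small resolver. The following is an added example, not code from the thread or from One Identity Manager; it is a toy model in which system roles are sets of AD groups, business roles hold either system roles (option 1) or AD groups directly (option 2), and all role, group and employee names are constructed. Besides resolving an employee's effective groups, it answers "who is granted this group and via what path" and finds identical direct-assignment packages copied into several business roles, which are exactly the cases where a single system role would make a later change one edit instead of one per business role.

```python
"""Toy role-model resolver illustrating option 1 (business role -> system role ->
AD group) next to option 2 (business role -> AD group). This is an added example,
not One Identity Manager code; all role, group and employee names are constructed."""
from collections import defaultdict

# Constructed sample data (hypothetical names).
# System roles bundle AD groups that are always granted together.
SYSTEM_ROLES = {
    "SR-FileShare-Finance": {"AD-FS-Finance-R", "AD-FS-Finance-RW"},
    "SR-ERP-Controller": {"AD-ERP-Controller", "AD-ERP-Reporting"},
}

# Business roles either reference system roles (option 1) or hold AD groups
# directly (option 2); a mix is possible.
BUSINESS_ROLES = {
    "BR-Controller": {
        "system_roles": {"SR-FileShare-Finance", "SR-ERP-Controller"},
        "groups": set(),
    },
    "BR-Finance-Clerk": {
        "system_roles": {"SR-FileShare-Finance"},
        "groups": {"AD-Printers-Finance"},
    },
    # Option 2 style: the finance file share package copied into two roles.
    "BR-Finance-Auditor": {
        "system_roles": set(),
        "groups": {"AD-FS-Finance-R", "AD-FS-Finance-RW"},
    },
    "BR-Finance-Intern": {
        "system_roles": set(),
        "groups": {"AD-FS-Finance-R", "AD-FS-Finance-RW"},
    },
}

# Employee -> business roles held.
EMPLOYEES = {"wilke": {"BR-Controller", "BR-Finance-Clerk"}}


def effective_groups(employee):
    """Resolve the AD groups an employee ends up with, through both paths."""
    groups = set()
    for br in EMPLOYEES[employee]:
        role = BUSINESS_ROLES[br]
        groups |= role["groups"]
        for sr in role["system_roles"]:
            groups |= SYSTEM_ROLES[sr]
    return groups


def grant_paths(group):
    """List (business role, via) pairs granting `group`; `via` is the system
    role name, or 'direct' for an option-2 style assignment. This is the
    'who gets this group and why' question asked during an access review."""
    paths = []
    for br, role in BUSINESS_ROLES.items():
        if group in role["groups"]:
            paths.append((br, "direct"))
        for sr in role["system_roles"]:
            if group in SYSTEM_ROLES[sr]:
                paths.append((br, sr))
    return sorted(paths)


def system_role_candidates(min_roles=2, min_groups=2):
    """Find identical direct-assignment packages shared by several business
    roles. These are the option-2 duplicates that the reply argues are better
    modelled once as a system role: adding or revoking a group in the package
    then becomes one edit instead of one edit per business role."""
    by_package = defaultdict(list)
    for br, role in BUSINESS_ROLES.items():
        if len(role["groups"]) >= min_groups:
            by_package[frozenset(role["groups"])].append(br)
    return {pkg: sorted(brs) for pkg, brs in by_package.items()
            if len(brs) >= min_roles}


if __name__ == "__main__":
    print(sorted(effective_groups("wilke")))
    print(grant_paths("AD-FS-Finance-R"))
    for pkg, brs in system_role_candidates().items():
        print(sorted(pkg), "->", brs)
```

With this data, `grant_paths("AD-FS-Finance-R")` shows the same group reaching four business roles by two different routes, and `system_role_candidates()` flags BR-Finance-Auditor and BR-Finance-Intern as carrying the same two-group package that SR-FileShare-Finance already defines. Which threshold (`min_roles`, `min_groups`) justifies a system role is a local decision, matching the reply's point that the number of business roles sharing a package and its change rate decide between the two options.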