A role is an Identity Manager object that allows resource access rights to be grouped and efficiently assigned to users. Roles are organized into four role types:
Business Roles group the access rights that people who perform similar tasks in an organization need to do their jobs. Typically, Business Roles represent user job functions.
IT Roles, Applications, and Assets organize resource entitlements (or access rights) into groups. To provide users with access to resources, IT Roles, Applications, and Assets are assigned to Business Roles so that users can access the resources they need to do their jobs.
IT Roles, Applications, and Assets can be required, conditional, or optional.
Required roles are always assigned to the user.
Conditional roles have conditions that must evaluate to true in order for the role to be assigned.
Optional roles can be requested separately, and, upon approval, assigned to the user.
Because roles can be conditional or optional, users with the same general job description can have the same Business Role but still have different access rights. This approach allows a Business Role designer to define coarse-grained access to roles in order to achieve regulatory compliance, while still allowing the user’s manager the flexibility to fine-tune the user’s access rights. It also removes the need to define a new Business Role for each permutation of access needs in the enterprise, a problem known as role explosion.
A user can be assigned one or more roles, or no role.
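The assignment rules above, modeled as an added Python example (this is not Identity Manager code or its API; the class names, field names, and sample roles are constructed for illustration). It resolves the contained roles that two users receive from the same Business Role.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class ContainedRole:
    name: str                  # an IT Role, Application, or Asset
    association: str           # "required", "conditional", or "optional"
    condition: Optional[Callable[[dict], bool]] = None  # conditional only

@dataclass(frozen=True)
class BusinessRole:
    name: str
    contained: tuple

def effective_roles(user_attrs, business_roles, approved=frozenset()):
    """Resolve which contained roles a user actually receives."""
    granted = set()
    for br in business_roles:
        for cr in br.contained:
            if cr.association == "required":
                granted.add(cr.name)
            elif cr.association == "conditional":
                # Fail closed: a missing condition never grants access.
                if cr.condition is not None and cr.condition(user_attrs):
                    granted.add(cr.name)
            elif cr.association == "optional":
                # Granted only if requested and approved for this user.
                if cr.name in approved:
                    granted.add(cr.name)
            else:
                raise ValueError(f"unknown association: {cr.association!r}")
    return granted

# Constructed sample data: one Business Role shared by two users.
ACCOUNTANT = BusinessRole("Accountant", (
    ContainedRole("General Ledger Application", "required"),
    ContainedRole("Payroll IT Role", "conditional",
                  lambda u: u.get("department") == "Payroll"),
    ContainedRole("Laptop Asset", "optional"),
))

alice = effective_roles({"department": "Payroll"}, [ACCOUNTANT])
bob = effective_roles({"department": "Accounts Payable"}, [ACCOUNTANT],
                      approved={"Laptop Asset"})

if __name__ == "__main__":
    print("alice:", sorted(alice))
    print("bob:  ", sorted(bob))
```

An approval for a role that the Business Role does not contain grants nothing in this model, so access stays bounded by what the role designer defined.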
For more information about roles, see Understanding and Managing Roles.