A role is an Identity Manager object that allows resource access rights to be grouped and efficiently assigned to users.
Roles are organized into four role types:
Business Roles organize into groups the access rights that people who do similar tasks in an organization need to do their job duties. Typically, Business Roles represent user job functions. In a financial institution, for example, Business Roles might correspond to job functions like bank teller, loan officer, branch manager, clerk, accountant, or administrative assistant.
IT Roles, Applications, and Assets organize resource entitlements into groups. In order to provide end-users with access to resources, IT Roles, Applications, and Assets are assigned to Business Roles so that users can access the resources they need to do their jobs. IT Roles contain a specific set of Applications, Assets, and/or Resources, including specific entitlements on those assigned Resources. IT Roles can also contain other IT Roles.
The concept of role types is new in Identity Manager version 8.0. If your organization upgraded to version 8.0 from an earlier version of Identity Manager, your legacy roles were imported as IT Roles. For more information, see Managing Roles Created In Versions Prior to Version 8.0.
IT Roles, Applications, and Assets can be required, conditional, or optional.
A required role will always be assigned to the end-user.
A conditional role has conditions that must evaluate to true in order for the role to be assigned.
An optional role can be requested separately, and, upon approval, assigned to the end-user.
Required, conditional, and optional containment lets a Business Role designer define coarse-grained access to the contained roles in order to meet regulatory compliance requirements, while still leaving an end-user’s manager the flexibility to fine-tune that end-user’s access rights. Two users assigned the same Business Role can therefore end up with different access rights, depending on which conditional or optional roles apply to them. With this approach, there is no need to define a new Business Role for each permutation of access requirements within an organization (a problem known as role explosion).
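The following is an added illustration of the containment model described above; it is not Identity Manager's own code, object model or API. The class names (ITRole, Containment, BusinessRole), the functions (flatten, resolve, effective_entitlements, nesting_is_acyclic), the entitlement strings and the sample Bank Teller role are all constructed assumptions. It goes slightly beyond the text in one respect: because IT Roles may contain other IT Roles, the flattening step also detects a nesting cycle rather than recursing forever.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed example: a toy model of Business Role / IT Role containment.
# Names, structures and sample data are assumptions for illustration, not
# Identity Manager's own object model or API.

Condition = Callable[[dict], bool]   # evaluated against the user's attributes


@dataclass
class ITRole:
    name: str
    entitlements: Set[str] = field(default_factory=set)   # e.g. "ad:group=Tellers"
    nested: List["ITRole"] = field(default_factory=list)  # IT Roles may contain IT Roles


@dataclass
class Containment:
    """How a Business Role contains an IT Role: required, conditional or optional."""
    role: ITRole
    kind: str                              # "required" | "conditional" | "optional"
    condition: Optional[Condition] = None  # used only when kind == "conditional"


@dataclass
class BusinessRole:
    name: str
    contains: List[Containment]


def flatten(role: ITRole, path: Tuple[str, ...] = ()) -> Set[str]:
    """Entitlements of an IT Role plus everything nested under it.

    `path` holds the role names on the current descent, so a nesting cycle
    (A contains B contains A) is reported instead of recursing forever;
    the same role reached twice by different paths is fine.
    """
    if role.name in path:
        raise ValueError(f"cyclic IT Role nesting: {' -> '.join(path + (role.name,))}")
    ents = set(role.entitlements)
    for child in role.nested:
        ents |= flatten(child, path + (role.name,))
    return ents


def nesting_is_acyclic(role: ITRole) -> bool:
    try:
        flatten(role)
        return True
    except ValueError:
        return False


def resolve(business_role: BusinessRole, user: dict,
            approved_optional: Set[str]) -> Dict[str, Set[str]]:
    """Map each IT Role the user actually receives to its flattened entitlements.

    required    -> always assigned
    conditional -> assigned only if the condition evaluates to true for this user
    optional    -> assigned only if an approved request for it exists
    """
    granted: Dict[str, Set[str]] = {}
    for c in business_role.contains:
        if c.kind == "required":
            assigned = True
        elif c.kind == "conditional":
            assigned = c.condition is not None and bool(c.condition(user))
        elif c.kind == "optional":
            assigned = c.role.name in approved_optional
        else:
            raise ValueError(f"unknown containment kind {c.kind!r}")
        if assigned:
            granted[c.role.name] = flatten(c.role)
    return granted


def effective_entitlements(business_role: BusinessRole, user: dict,
                           approved_optional: Set[str]) -> Set[str]:
    """Union of every entitlement the user ends up with through this Business Role."""
    return set().union(*resolve(business_role, user, approved_optional).values())


# --- constructed sample data (not from any real deployment) ------------------
CORE_BANKING_BASIC = ITRole("Core Banking Basic", {"corebank:read_accounts"})
TELLER_WORKSTATION = ITRole("Teller Workstation", {"ad:group=Tellers"},
                            nested=[CORE_BANKING_BASIC])
CASH_VAULT = ITRole("Cash Vault", {"vault:open"})
WIRE_TRANSFERS = ITRole("Wire Transfers", {"corebank:wire_initiate"})

BANK_TELLER = BusinessRole("Bank Teller", [
    Containment(TELLER_WORKSTATION, "required"),
    Containment(CASH_VAULT, "conditional", lambda u: u.get("branch_has_vault", False)),
    Containment(WIRE_TRANSFERS, "optional"),
])

ALICE = {"name": "alice", "branch_has_vault": True}    # vault branch, no optional request
BOB = {"name": "bob", "branch_has_vault": False}       # no vault, approved for wires

if __name__ == "__main__":
    for user, approved in ((ALICE, set()), (BOB, {"Wire Transfers"})):
        print(user["name"], sorted(resolve(BANK_TELLER, user, approved)))
```

Both sample users hold the single "Bank Teller" Business Role, yet resolve to different IT Role sets: one through the branch condition, the other through an approved optional request. That is the point of the model: the variation lives in the containment rules, not in a separate Business Role per combination.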