Sun Identity Manager 8.1 Business Administrator's Guide

Designating Role Owners and Role Approvers

Roles have designated owners and approvers. Only role owners can authorize changes to the parameters that define the role, and only role approvers can authorize the assignment of the role to end-users.

Note –

If you have Identity Manager integrated with Sun Role Manager, you should allow Role Manager to handle all role change approvals and notifications by manually disabling Identity Manager's ability to perform these actions.

You must edit the RoleConfiguration configuration object in Identity Manager as follows:

To be a role owner is to be the business owner responsible for the underlying resource account rights that are assigned through the role. If an administrator makes changes to a role, a role owner must approve the changes before they can be carried out. This feature guards against an administrator changing a role without the business owner's knowledge and approval. If change approvals have been disabled in the RoleConfiguration configuration object, however, a role owner's approval is not required for changes to be carried out.

In addition to approving role changes, role owners must approve enabling, disabling, or deleting a role; none of these actions can be carried out without a role owner's approval.

Owners and approvers can either be added directly to a role, or added dynamically using a role-assignment rule. In Identity Manager it is possible (but not recommended) to create roles without owners and approvers; a role with no owner has nobody to approve changes to it.

Note –

Role-assignment rules have a RoleUserRule authType.

If you need to create a custom role-assignment rule, refer to the three default role-assignment rule objects and use them as an example:

Owners and approvers are notified by email if a work item requires their approval. Change-approval work items and approval work items are discussed in the Initiating Change-Approval and Approval Work Items section.

Owners and approvers are added to roles on the Security tab in the Create Role form.

The following figure shows the Create Role form's Security tab. For help using this form, see the online help.

Figure: the Security portion of the Create Role tabbed form.