Sun Identity Manager 8.1 Business Administrator's Guide

Defining User Access to Resources

Users in your extended enterprise can be anyone with a relationship to your company, including employees, customers, partners, suppliers, or acquisitions. In the Identity Manager system, users are represented by user accounts.

Depending on their relationships with your business and other entities, users need access to different things, such as computer systems, data stored in databases, or specific computer applications. In Identity Manager terms, these things are resources.

Because users often have one or more identities on each of the resources they access, Identity Manager creates a single, virtual identity that maps to disparate resources. This allows you to manage users as a single entity. See Figure 1–1.

Figure 1–1 Identity Manager User Account Resource Relationship

Figure illustrating how a single Identity Manager virtual identity maps to several resources.

To effectively manage large numbers of users, you need logical ways to group them. In most companies, users are grouped into functional departments or geographical divisions. Each of these departments typically requires access to different resources. In Identity Manager terms, this type of group is called an organization.

Another way to group users is by similar characteristics, such as company relationships or job functions. Identity Manager recognizes these groupings as roles.

Within the Identity Manager system, you assign roles to user accounts to facilitate efficient enabling and disabling of access to resources. Assigning accounts to organizations enables efficient delegation of administrative responsibilities.

Identity Manager users are also managed, directly or indirectly, through the application of policies, which set up rules as well as password and user authentication options.