Sun Identity Manager 8.1 Business Administrator's Guide


access review

An audited process that enables managers or other responsible parties to review and certify user access privileges. User entitlement records can be automatically approved or rejected, or they can be manually attested. Also see attestation.

account attribute

Account attributes provide a way for Identity Manager administrators to create a standard set of names that map to attributes on managed resources. For example, an Identity Manager attribute named fullname might map to the displayName attribute on Active Directory resources, and the cn attribute on LDAP resources. Any change to the user’s fullname attribute in Identity Manager is then passed to the user’s displayName and cn attributes on the user’s remote resource accounts.

admin role

Unique set of capabilities for each set of organizations assigned to an administrative user.


Person who configures Identity Manager or is responsible for operational tasks, such as creating users and managing access to resources.

administrator interface

User interface used by administrators to configure and manage Identity Manager.

Application (Role)

One of the four role types in Identity Manager, the Application role-type is a collection of resources, and/or resource groups, and/or specific applications on resources, that users need in order to do their jobs. Application roles cannot be assigned directly to users, but can be assigned to IT Roles and Business Roles.


The process of granting or denying a user access request to a role, a resource, or an organization. An Identity Manager administrator with permission to view and respond to an approval work item is called an approver.


User with administrative capabilities responsible for approving or rejecting access requests.

Asset (Role)

One of the four role types in Identity Manager, the Asset role-type is (typically) reserved for non-connected and/or non-digital resources that require manual provisioning, such as mobile phones and portable computers. Asset roles cannot be assigned directly to users, but can be assigned to IT Roles and Business Roles.


An action performed by an attestor during an access review to confirm that a user entitlement is appropriate.


The process of certifying that a specific user has the appropriate privileges on the appropriate resources at a specific point in time. An Identity Manager user with permission to view and respond to an attestation work item is called an attestor. Identity Manager rules determine whether a user entitlement record needs to be manually attested, or if it can be automatically approved or rejected.

attestation task

A logical collection of user entitlement reviews requiring attestation. User entitlements are grouped into a single attestation task if they are assigned to the same attestor and produced from the same access review instance.


User who accepts responsibility for certifying (attesting) that a user entitlement is appropriate. An attestor has extended privileges in Identity Manager that are necessary to manage user entitlements requiring attestation.

business process editor (BPE)

Graphical view of Identity Manager forms, rules, and workflow provided with Identity Manager versions prior to 7.0. The BPE has been replaced by the Identity Manager IDE in the current versions of Identity Manager. See Glossary.

Business Role

One of the four role types in Identity Manager, Business Roles group the access rights needed by people who do similar tasks in an organization. The Business Role role-type is made up of one or more Asset roles, Application roles, and/or IT Roles. Business Roles are meant to be directly assigned to users.


A group of access rights for user accounts that governs actions performed in Identity Manager; a low-level access control within Identity Manager.


The process of temporarily assigning future work items to one or more other users for a specified period of time.

directory junction

Hierarchically related set of organizations that mirrors a directory resource’s actual set of hierarchical containers. Each organization in a directory junction is a virtual organization.


See user entitlement.

escalation timeout

A time range specified for a work item request in which the assigned work item owner has to respond before the Identity Manager process sends it to the next assigned responder.


Object associated with a Web page that contains rules about how a browser should display user view attributes on that page. Forms can incorporate business logic, and are often used to manipulate view data before it is presented to the user.

Identity Manager IDE

The Identity Manager Integrated Development Environment (Identity Manager IDE) is an application that enables you to view, customize, and debug Identity Manager objects in your deployment. The Identity Manager IDE is available as a NetBeans plug-in.

identity template

Defines the user’s resource account name.

IT Role

One of the four role types in Identity Manager, the IT Role role-type is a collection of roles (Assets, Applications, and/or other nested IT Roles), as well as resources, and/or resource groups. In some configurations, IT Roles can be directly assigned to users, but usually IT Roles are assigned to Business Roles, which are assigned to users.


Identity Manager container used to enable administrative delegation.

Organizations define the scope of entities (such as user accounts, resources, and administrator accounts) an administrator controls or manages. Organizations provide a “where” context, primarily for Identity Manager administrative purposes.

periodic access review

An access review that is performed at periodic intervals, for example, every calendar quarter.


Establishes limitations for Identity Manager accounts.

Identity Manager policies establish user, password, and authentication options, and are tied to organizations or users. Resource password and account ID policies set rules, allowed words, and attribute values, and are tied to individual resources.


An Identity Manager feature that periodically compares resource accounts in Identity Manager with accounts that reside on the resources themselves. Reconciliation correlates account data and highlights differences.


The process of correcting compliance violations discovered by Identity Manager’s auditing feature. Identity Manager audits data across the enterprise to ensure compliance with internal and external policies and regulations. An administrator with permission to view and respond to policy violations is called a remediator.


An Identity Manager user specified as the assigned remediator for an audit policy.

When Identity Manager detects a compliance violation that requires remediation, it creates a remediation work item and sends the work item to the remediator’s work item list.


In Identity Manager, a resource stores information about how to connect to a remote resource or system on which accounts are created. Remote resources to which Identity Manager provides access include mainframe security managers, databases, directory services, applications, operating systems, ERP systems, messaging platforms, and more.

resource adapter

Identity Manager component that provides a link between the Identity Manager engine and the resource.

This component enables Identity Manager to manage user accounts on a given resource (including create, update, delete, authenticate, and scan capabilities) as well as utilize that resource for pass-through authentication.

resource adapter account

Credentials used by an Identity Manager resource adapter to access a managed resource.

resource group

Collection of resources used to order the creation, deletion, and update of user resource accounts.

resource wizard

Identity Manager tool that steps through the resource creation and modification process, including setup and configuration of resource parameters, account attributes, identity template, and Identity Manager parameters.


A role is an Identity Manager object that allows resource access rights to be grouped and efficiently assigned to users. Roles are organized into four role types: Business Roles, IT Roles, Application Roles, and Assets. IT Roles, Applications, and Assets organize resource entitlements into groups. These three groups are then assigned to Business Roles so that users can access the resources they need to do their jobs.


Object in the Identity Manager repository that contains a function written in XPRESS, XML Object, or JavaScript languages. Rules provide a mechanism for storing frequently used logic or static variables for reuse within forms, workflows, and roles.


List of user account attributes for a resource.

schema map

Map of resource account attributes to Identity Manager account attributes for a resource.

Identity Manager account attributes create a common link to multiple resources and are referenced by forms.

service provider users

Extranet users, or customers of a service provider that are distinguished separately from the service provider company’s personnel or intranet users.


Person who holds an Identity Manager system account. Users can hold a range of capabilities in Identity Manager. Those with extended capabilities are Identity Manager administrators.

user account

Account created using Identity Manager.

Can refer to either an Identity Manager account, or an account on a remote resource managed by Identity Manager. The user account setup process is dynamic. Information or fields to be completed depend on the resources provided to the user directly or indirectly through role assignment.

user entitlement

In Identity Manager, an auditable access privilege granted to a user on a resource or system that enforces access restrictions.

user interface

In Identity Manager, the user interface allows users without administrative capabilities to perform a range of self-service tasks such as changing passwords, setting answers to authentication questions, and managing delegated assignments. Also known as the end-user interface.

virtual organization

Organization defined within a directory junction. See directory junction.

work items

An action request generated by an Identity Manager workflow, form, or procedure. Approvals, change-approvals, attestations, and remediations are four kinds of work item.


A logical, repeatable process during which documents, information, or tasks are passed from one participant to another. Identity Manager workflows comprise multiple processes that control creation, update, enabling, disabling, and deletion of user accounts.