SailPoint IdentityIQ Role Model
SailPoint IIQ maintains a hierarchical role model which consists of Business Roles, IT Roles, and Entitlements:
- Business Roles identify affiliations or job functions by which users can be grouped.
- IT Roles encapsulate sets of system entitlements.
- Entitlements represent individual system permissions.
Roles can be requested manually, or they can be configured to be assigned automatically via an assignment rule. To allow for more flexibility, roles can be related via required, inherited, or permitted relationships. Alternatively, entitlements may be assigned directly to an identity rather than being mapped to a role.
Figure 2 above represents a new hire staff member at the School of Journalism in the Moody College of Communication. The diagram illustrates how multiple roles or entitlements can be automatically assigned to the identity based on business rules or via an access request.
- The assignment of a Current Staff affiliation to the identity (handled automatically based on information from the HR system) automatically grants an equivalent Current Staff business role. The Current Staff business role automatically grants a more general Current Employee business role by virtue of inheritance. The Current Employee role in turn grants an IT role for Office 365 (O365) mailbox access eligibility that resolves to membership in a specific Austin Active Directory (AD) group.
- Because the identity is a current staff member in the School of Journalism, it is automatically granted another IT role that is used to control access to an application specific to the Moody College of Communication, called USHER. The IT role grants access to resources applicable to all staff members belonging to the School of Journalism within USHER. It assigns two entitlements representing group memberships in Austin AD and TED.
- Additional access to TSC Tools is manually requested and goes through the necessary approvals before being granted.
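The Figure 2 walk-through above, as an added toy model that is not SailPoint's code or API: it encodes the business roles, IT roles, entitlements and the inherited/required/permitted relationships, then resolves a new hire's attributes to the roles and entitlements they would hold. The role and group names are constructed placeholders, and the rule that an approved request is honoured only when a held role permits it is a simplifying assumption of this model.

```python
# Added toy model of an IIQ-style role hierarchy (not SailPoint's API); all names are constructed.
from dataclasses import dataclass, field
Entitlement = tuple[str, str]  # (application, value), e.g. ("Austin AD", group name)

@dataclass
class Role:
    name: str
    kind: str                                                    # "business" or "it"
    entitlements: set[Entitlement] = field(default_factory=set)  # IT roles only
    inherits: list[str] = field(default_factory=list)  # parents granted by inheritance
    requires: list[str] = field(default_factory=list)  # roles granted together with this one
    permits: list[str] = field(default_factory=list)   # may be requested, never automatic
    rule: object = None                                # assignment rule: identity attrs -> bool

# Catalog mirroring Figure 2; the AD/TED group values are placeholders, not real groups.
ROLES: dict[str, Role] = {r.name: r for r in [
    Role("Current Staff", "business", inherits=["Current Employee"],
         rule=lambda a: "Current Staff" in a.get("affiliations", ())),
    Role("Current Employee", "business",
         requires=["O365 Mailbox Eligibility"], permits=["TSC Tools"]),
    Role("O365 Mailbox Eligibility", "it",
         entitlements={("Austin AD", "GRP-O365-MAILBOX-PLACEHOLDER")}),
    Role("USHER Journalism Staff", "it",
         entitlements={("Austin AD", "GRP-USHER-JOUR-STAFF-PLACEHOLDER"),
                       ("TED", "usher-jour-staff-placeholder")},
         rule=lambda a: "Current Staff" in a.get("affiliations", ())
         and a.get("department") == "School of Journalism"),
    Role("TSC Tools", "it", entitlements={("TSC", "tools-user-placeholder")}),
]}

def _close(names) -> set[str]:
    # Transitive closure over inherits + requires (the automatic relationships).
    held, todo = set(), list(names)
    while todo:
        n = todo.pop()
        if n not in held:
            held.add(n)
            todo += ROLES[n].inherits + ROLES[n].requires
    return held

def effective_roles(attrs: dict, approved=frozenset()) -> set[str]:
    # Assignment rules fire first; an approved request counts only if a held role permits it.
    auto = _close(n for n, r in ROLES.items() if r.rule and r.rule(attrs))
    permitted = {p for n in auto for p in ROLES[n].permits}
    return auto | _close(set(approved) & permitted)

def effective_entitlements(attrs, approved=frozenset(), direct=frozenset()) -> set[Entitlement]:
    # Role-derived entitlements plus any assigned directly to the identity.
    return set(direct) | {e for n in effective_roles(attrs, approved) for e in ROLES[n].entitlements}

def unexplained_direct(attrs, approved, direct) -> set[Entitlement]:
    # Direct entitlements no held role accounts for: the ones to surface in an access review.
    return set(direct) - effective_entitlements(attrs, approved)
```

`unexplained_direct` is the check an access reviewer wants: it separates entitlements justified by the role model from ones that were granted directly and would otherwise go unnoticed.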