- 15 May 2024
- 1 Minute to read
- Print
- DarkLight
- PDF
Overview
- Updated on 15 May 2024
- 1 Minute to read
- Print
- DarkLight
- PDF
In simple terms, Roles are 'groups' of users. Each role contains a list of users assigned manually or dynamically. When you authorize a Role for an application, you can grant access to all users of that respective role.
With Cross Identity, you can
Import existing groups from an Active Directory – AD Roles
Create Roles (groups) in Cross Identity – Cross Identity Roles
Cross-identity supports three types of roles:
Static Role – The IAM admin or authorized personnel have the ability to manually create a static role according to the organization's requirements. The admin can configure entitlement mappings to the static role within the IGA application's configuration page to enable Role-Based Access Control (RBAC) during birthright provisioning. The admin must add users to the static role manually. These roles can be associated with any application to grant user access.
When an end-user requests a static role linked to one of the IGA applications, Cross Identity sends the request to the target applications through CI's IGA connector. This facilitates the provisioning of respective account entitlements mapped to the role. By establishing roles, RBAC can be effectively implemented. The solution also supports defining segregation of duty (SOD) checks on the static role, which is evaluated during the access request process.
Dynamic Role - Users are automatically added to a role with the help of certain conditions like location, Employee Type (Full Time/Contractor) etc. Promotions and Transfer use cases can also be performed through the dynamic role. With the Roles in place, we can achieve RBAC.
For example, the admin creates a rule that if the user's job title = is Security Architect and the Job location is in the United States, he will get the «Security Architect Role». So, all users whose job title and Location match the rule will get the role automatically. It can be used for birthright provisioning.
Built-in/System Defined – The Cross Identity utilizes two default roles All Users Role and Helpdesk, among others.