Role Engineering and Maintenance Process Details

Last modified 14 Jul 2022 15:17 +02:00
WORK IN PROGRESS

1. The role engineering and maintenance lifecycle

This chapter describes details of the role engineering and maintenance process by listing its actors, displaying the process schema, and describing each stage of the process and each step that can be performed. The process is designed to handle exceptions manually by IGA administrator.

The process description and schema are simplified to be easily adopted by people.

iga schemas role engineering
Figure 1. Schema of the role engineering and maintenance process
Table 1. Stages of the role engineering and maintenance process
Stage Description Action needed by Note

Preparation

Role is being designed. Created by author, but not pushed anywhere yet. e.g - waiting for some information, waiting for devel team with configuration of objects.

Author of the role

The role is in the author’s playground, no action required from anybody else yet.

Admin-review

IGA administrator / Role administrator reviews role definition in this stage.
Verifies that the role is consistent with the Role model document, all components are well defined and all related technical components (e.g. groups ) are created. If specific IDM components - like new resources are being prepared, the IDM administrator acts together with IDM engineer to prepare IDM environment.

IGA administrator

Quite common, this is the stage when the role is designed in detail, IDM admininistrators are checking overall processing of the role and often they are redesigning some details to help the new system engineers.

Approval

Role prepared for approval by Role manager. He decides whether to move the role into production.

Role manager

Primary place for role manager action. Modifications may be made in this stage, but only by Role manager. The modifications are logged.

Active

Basic operational state of the role. Such role may be assigned.

 — 

 — 

Active-updated

Additional operational state of the role. This active role has some definition updates pending approval. Role may be assigned, the assignments are using the actual role configuration.

Role manager

There is no difference between Active and Active-updated state for in access request process. The updates are transparent to users.

Deprecated

Intermediate stage for roles being removed. Role can’t be assigned. Existing assignments are not affected.

 — 

The role still may be assigned if it is included in some other role.

Archived

Final stage of the role lifecycle. All assignments are removed. Role is kept here just for track of it’s history.

 — 

 — 

Table 2. Operation steps of the role request process
Actual stage Operation Target stage Who can perform What happens Notification

1.

 — 

Create role

Preparation

System engineer,
Application owner,
IGA administrator,
Role manager

Object of the role is created. Anything in the object may be edited and modified in this stage. The role in this stage can’t be assigned nor included in other roles.

 — 

2.

Preparation

Send for admin review

Admin review

Author of the role,
Role owner,
IGA administrator,
Role manager

The status of the role changes. Operation is sent to IDM administrator who can check the role definition and finalize the deails.

Role owner,
Role author

3.

Preparation

Delete

 — 

Author of the role,
Role owner,
IGA administrator,
Role manager

 — 

Role owner,
Role author

4.

Admin review

Send for approval

Approval

IGA administrator,
Role manager

When the role details are verified, this step moves the role to Proposed stage.

Role owner,
Role author

5.

Admin review

Return to requestor

Preparation

IGA administrator,
Role manager

 — 

Role owner,
Role author

6.

Approval

Approve

Active

Role manager

 — 

Role owner,
Role author

7.

Approval

Return for review

Admin review

Role manager

The role does not have any assignments yet. No need to recompute them.

Role owner,
Role author

8.

Approval

Return to requestor

Preparation

Role manager

 — 

Role owner,
Role author

9.

Active

Update

Active-updated

Author of the role,
Role owner,
IGA administrator,
Role manager

Any of the 4 actors can update the role. Update is applied only when approved by Role manager.

Role owner

10.

Active

Deprecate

Deprecated

Author of the role,
Role owner,
IGA administrator,
Role manager

Any of the 4 actors can deactivate the role. This is not a big deal. No assignments are removed, just role can’t be requested.

Role owner

11.

Active

Archive

Archived

Role manager

 — 

Role owner

12.

Active-updated

Approve changes

Active

Role manager

Assignments recompute is necessary in this case. See: Recompute of assignments

Role owner

13.

Active-updated

Reject changes

Active

Role manager

 — 

Role owner

14.

Deprecated

Archive

Archived

Role manager

 — 

Role owner

15.

Deprecated

Reactivate

Active

Role manager

 — 

Role owner