Role Engineering and Maintenance Process Details
WORK IN PROGRESS
1. The role engineering and maintenance lifecycle
This chapter describes the role engineering and maintenance process in detail: it lists the actors, shows the process schema, and describes each stage of the lifecycle and each operation that can be performed in it. Exceptions are handled manually by the IGA administrator rather than automated.
The process description and schema are deliberately simplified so that they are easy to adopt.
| Stage | Description | Action needed by | Note |
|---|---|---|---|
| Preparation | The role is being designed. It has been created by its author but not pushed anywhere yet, e.g. the author is waiting for some information or for the development team to configure the objects. | Author of the role | The role is in the author's playground; no action is required from anybody else yet. |
| Admin review | The IGA administrator / role administrator reviews the role definition. | IGA administrator | Quite common: this is the stage where the role is designed in detail. IGA administrators check the overall processing of the role and often redesign some details to help new system engineers. |
| Approval | The role is prepared for approval by the Role manager, who decides whether to move it into production. | Role manager | Primary place for Role manager action. Modifications may be made in this stage, but only by the Role manager, and they are logged. |
| Active | Basic operational state of the role. Such a role may be assigned. | — | — |
| Active-updated | Additional operational state: the active role has definition updates pending approval. The role may still be assigned; assignments use the current (approved) configuration, not the pending one. | Role manager | There is no difference between Active and Active-updated in the access request process; the pending updates are transparent to users. |
| Deprecated | Intermediate stage for roles being removed. The role can't be requested; existing assignments are not affected. | — | The role may still be assigned if it is included in some other role. |
| Archived | Final stage of the role lifecycle. All assignments are removed; the role is kept only to preserve its history. | — | — |
| # | Actual stage | Operation | Target stage | Who can perform | What happens | Notification |
|---|---|---|---|---|---|---|
| 1 | — | Create role | Preparation | System engineer | The role object is created. Anything in the object may be edited and modified in this stage. The role can't be assigned nor included in other roles. | — |
| 2 | Preparation | Send for admin review | Admin review | Author of the role | The status of the role changes and the role is passed to the IGA administrator, who checks the role definition and finalizes the details. | Role owner |
| 3 | Preparation | Delete | — | Author of the role | The role object is deleted. | Role owner |
| 4 | Admin review | Send for approval | Approval | IGA administrator | When the role details are verified, this step moves the role to the Approval stage. | Role owner |
| 5 | Admin review | Return to requestor | Preparation | IGA administrator | — | Role owner |
| 6 | Approval | Approve | Active | Role manager | — | Role owner |
| 7 | Approval | Return for review | Admin review | Role manager | The role has no assignments yet, so there is nothing to recompute. | Role owner |
| 8 | Approval | Return to requestor | Preparation | Role manager | — | Role owner |
| 9 | Active | Update | Active-updated | Author of the role | Any of the 4 actors can update the role. The update is applied only when approved by the Role manager. | Role owner |
| 10 | Active | Deprecate | Deprecated | Author of the role | Any of the 4 actors can deprecate the role. This is not a big deal: no assignments are removed, the role just can't be requested any more. | Role owner |
| 11 | Active | Archive | Archived | Role manager | — | Role owner |
| 12 | Active-updated | Approve changes | Active | Role manager | Assignments must be recomputed in this case. See: Recompute of assignments | Role owner |
| 13 | Active-updated | Reject changes | Active | Role manager | — | Role owner |
| 14 | Deprecated | Archive | Archived | Role manager | — | Role owner |
| 15 | Deprecated | Reactivate | Active | Role manager | — | Role owner |
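The two tables above define a small state machine with an actor check on every edge, plus three rules that are easy to get wrong in an implementation: an update of an Active role is staged and never touches existing assignments until the Role manager approves it, a Deprecated role is assignable only through an including role, and archiving drops all assignments. The Python below is an added illustration of exactly those rules; it is not midPoint's code. The stage names, operations and actors come from the tables; the `Role` class and its fields, the recompute hook, the editable-stage map, the sample role `payroll-reader` and the users are assumptions of this example. Where the table's "Who can perform" cell names a single actor, only that actor is encoded.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Actors exactly as the tables above name them.
AUTHOR, OWNER, ADMIN = "author of the role", "role owner", "IGA administrator"
MANAGER, ENGINEER = "role manager", "system engineer"
ANY_OF_4 = {AUTHOR, OWNER, ADMIN, MANAGER}  # "any of the 4 actors" (rows 9 and 10)

# Rows 2-15 of the operation table: (current stage, operation) -> (target stage, who may perform).
TRANSITIONS = {
    ("preparation", "send for admin review"): ("admin review", {AUTHOR}),
    ("preparation", "delete"): (None, {AUTHOR}),
    ("admin review", "send for approval"): ("approval", {ADMIN}),
    ("admin review", "return to requestor"): ("preparation", {ADMIN}),
    ("approval", "approve"): ("active", {MANAGER}),
    ("approval", "return for review"): ("admin review", {MANAGER}),
    ("approval", "return to requestor"): ("preparation", {MANAGER}),
    ("active", "update"): ("active-updated", ANY_OF_4),
    ("active", "deprecate"): ("deprecated", ANY_OF_4),
    ("active", "archive"): ("archived", {MANAGER}),
    ("active-updated", "approve changes"): ("active", {MANAGER}),
    ("active-updated", "reject changes"): ("active", {MANAGER}),
    ("deprecated", "archive"): ("archived", {MANAGER}),
    ("deprecated", "reactivate"): ("active", {MANAGER}),
}
# Stages in which the definition may still be edited in place, and by whom (assumed from the stage notes).
EDITABLE_BY = {"preparation": {AUTHOR}, "admin review": {ADMIN}, "approval": {MANAGER}}


@dataclass
class Role:  # assumed shape for this example, not midPoint's RoleType
    name: str
    stage: str = "preparation"
    definition: dict = field(default_factory=dict)   # approved, effective definition
    pending: dict | None = None                        # update waiting for Role manager approval
    assignments: dict = field(default_factory=dict)   # user -> definition the assignment was computed with
    log: list = field(default_factory=list)           # (stage, actor, action, detail)


def create_role(name: str, actor: str) -> Role:
    """Row 1: the system engineer creates the object; it starts in Preparation."""
    if actor != ENGINEER:
        raise PermissionError(f"{actor} cannot create roles")
    return Role(name)


def edit(role: Role, actor: str, **changes) -> None:
    """In-place edits before activation; every edit is logged (the table requires this in Approval)."""
    if actor not in EDITABLE_BY.get(role.stage, set()):
        raise PermissionError(f"{actor} cannot edit a role in stage '{role.stage}'")
    role.definition.update(changes)
    role.log.append((role.stage, actor, "edit", dict(changes)))


def available_operations(role: Role, actor: str) -> set[str]:
    """Operations the table allows this actor to perform from the current stage."""
    return {op for (stage, op), (_, who) in TRANSITIONS.items() if stage == role.stage and actor in who}


def transition(role: Role, operation: str, actor: str, new_definition: dict | None = None) -> str | None:
    """Apply one row of the operation table; returns the target stage (None after delete)."""
    if (role.stage, operation) not in TRANSITIONS:
        raise ValueError(f"'{operation}' is not defined for stage '{role.stage}'")
    target, who = TRANSITIONS[(role.stage, operation)]
    if actor not in who:
        raise PermissionError(f"{actor} may not '{operation}' a role in stage '{role.stage}'")
    if operation == "update":                  # row 9: the change is only staged
        role.pending = dict(new_definition or {})
    elif operation == "approve changes":       # row 12: apply, then recompute assignments
        role.definition, role.pending = role.pending or {}, None
        recompute_assignments(role)
    elif operation == "reject changes":        # row 13: the pending change is discarded
        role.pending = None
    elif operation == "archive":               # Archived: all assignments are removed
        role.assignments.clear()
    role.log.append((role.stage, actor, operation, target))
    role.stage = target
    return target


def recompute_assignments(role: Role) -> int:
    """Re-evaluate every existing assignment against the newly approved definition."""
    for user in role.assignments:
        role.assignments[user] = dict(role.definition)
    return len(role.assignments)


def assignable(role: Role, via_included_role: bool = False) -> bool:
    """Active and Active-updated can be requested; Deprecated only through an including role."""
    return role.stage in ("active", "active-updated") or (role.stage == "deprecated" and via_included_role)


def assign(role: Role, user: str, via_included_role: bool = False) -> None:
    """Assignments always use the effective definition, never the pending one."""
    if not assignable(role, via_included_role):
        raise ValueError(f"a role in stage '{role.stage}' cannot be assigned")
    role.assignments[user] = dict(role.definition)


def walk_through() -> Role:
    """Rows 1, 2, 4, 6, 9 and 12 applied to a constructed sample role and users."""
    r = create_role("payroll-reader", ENGINEER)
    edit(r, AUTHOR, inducement="payroll:read")
    transition(r, "send for admin review", AUTHOR)
    transition(r, "send for approval", ADMIN)
    transition(r, "approve", MANAGER)
    assign(r, "alice")
    transition(r, "update", OWNER, new_definition={"inducement": "payroll:read", "also": "audit:read"})
    assign(r, "bob")                           # Active-updated: assignable, still gets the old definition
    transition(r, "approve changes", MANAGER)  # now both assignments carry the new definition
    return r
```

Calling `walk_through()` leaves the role Active with no pending change and both assignments recomputed; `available_operations` is what a UI would use to offer only the buttons the current actor may press, and `assignable` is the single check an access request path should consult so that a Deprecated role cannot be requested directly but can still be carried by an including role.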