Role Engineering and Maintenance Process Details

Preparation

Role is being designed. Created by author, but not pushed anywhere yet. e.g - waiting for some information, waiting for devel team with configuration of objects.

Author of the role

The role is in the author’s playground, no action required from anybody else yet.

Admin-review

IGA administrator / Role administrator reviews role definition in this stage.
Verifies that the role is consistent with the Role model document, all components are well defined and all related technical components (e.g. groups ) are created. If specific IDM components - like new resources are being prepared, the IDM administrator acts together with IDM engineer to prepare IDM environment.

IGA administrator

Quite common, this is the stage when the role is designed in detail, IDM admininistrators are checking overall processing of the role and often they are redesigning some details to help the new system engineers.

Approval

Role prepared for approval by Role manager. He decides whether to move the role into production.

Role manager

Primary place for role manager action. Modifications may be made in this stage, but only by Role manager. The modifications are logged.

Active

Basic operational state of the role. Such role may be assigned.

 — 

 — 

Active-updated

Additional operational state of the role. This active role has some definition updates pending approval. Role may be assigned, the assignments are using the actual role configuration.

Role manager

There is no difference between Active and Active-updated state for in access request process. The updates are transparent to users.

Deprecated

Intermediate stage for roles being removed. Role can’t be assigned. Existing assignments are not affected.

 — 

The role still may be assigned if it is included in some other role.

Archived

Final stage of the role lifecycle. All assignments are removed. Role is kept here just for track of it’s history.

 — 

 — 

1.

 — 

Create role

Preparation

Object of the role is created. Anything in the object may be edited and modified in this stage. The role in this stage can’t be assigned nor included in other roles.

 — 

2.

Preparation

Send for admin review

Admin review

The status of the role changes. Operation is sent to IDM administrator who can check the role definition and finalize the deails.

3.

Preparation

Delete

 — 

 — 

4.

Admin review

Send for approval

Approval

When the role details are verified, this step moves the role to Proposed stage.

5.

Admin review

Return to requestor

Preparation

 — 

6.

Approval

Approve

Active

Role manager

 — 

7.

Approval

Return for review

Admin review

Role manager

The role does not have any assignments yet. No need to recompute them.

8.

Approval

Return to requestor

Preparation

Role manager

 — 

9.

Active

Update

Active-updated

Any of the 4 actors can update the role. Update is applied only when approved by Role manager.

Role owner

10.

Active

Deprecate

Deprecated

Any of the 4 actors can deactivate the role. This is not a big deal. No assignments are removed, just role can’t be requested.

Role owner

11.

Active

Archive

Archived

 — 

Role owner

12.

Active-updated

Approve changes

Active

Role manager

Assignments recompute is necessary in this case. See: Recompute of assignments

Role owner

13.

Active-updated

Reject changes

Active

Role manager

 — 

Role owner

14.

Deprecated

Archive

Archived

Role manager

 — 

Role owner

15.

Deprecated

Reactivate

Active

Role manager

 — 

Role owner