Hi All
So we have around 440 IT Roles. And In each role we have profile from multiple applications.
For example:
Role A has role owner as Owner A consist of 5 entitlements:
Ent1 and Ent2 where entitlement owner is Owner1
Ent3 and Ent4 where entitlement owner is Owner2
Ent5 where entitlement owner is Owner3
Now the major issue what client is facing is with role composition certification is when certification is launched for RoleA it is going to Role OwnerA. But as owner of each ent is different and Owner A is not aware about them they are not able to certify.
Now the client want to segregate these roles based on same owner and launch Role composition certification.But as these contains 60+ ent for few roles.We are not thinking this is a feasible approach.Is there any suggestion how can they certify roles.
I think you can try with the “Role Composition Certification,” in which you can try and tackle your requirements with Certification Rule where you have Predelegation and Sign off approver rules.
So, you need to certify your IT Roles definition, which you can perform using Role Composition Certification.
Role owner is responsible for entitlements the Role has, not the owners of the same entitlements. If a user gets this Role, Role owner should approve along with or without manager or some other user(s).
Role owner is accountable for Identities having that Role access as he/she agreed to have all those entitlements while building RBAC.
When you certify the entitlements in these IT Roles, Role owner should certify not the Entitlement owner.
Role owner and Entitlement Owner(s) should have an understanding here, you are asking here as
Dear Entitlement Owners,
Do you agree your entitlement(s) to be part of this IT Role ?
I don’t think, you can split the certification items like you do in Access Requests.
Suggestion #1
Copy all the Entitlement Owners in Initial, Reminders and Escalation notifications. Mention in email that
Role Name: IT Role 1
Entitlements: Display a table here with Entitlement name and Owner name
If you think your entitlement should not be part of the same access (IT Role), Please inform Role owner.
Suggestion #2
Build a Quicklink
Owners of IT Roles which you want to certify and respective Entitlement Owners will be able to view the quicklink.
You can build the forms and workflow as per your requirement.
First Entitlement Owners should certify if their entitlements should part of the respective IT Roles or not
Finally, Role owner will complete the certification for each IT Role they have ownership with.
Workflow will automatically revoke respective entitlements, send email notifications and do the auditing as well.
In IIQ, there is nothing impossible. Sky is the limit.
