IdentityNow – How are you structuring Entitlements, Access Profiles, and Roles?

Hi All,

We’re currently working on designing the proper architecture for Entitlements, Access Profiles, and Roles in IdentityNow. We keep getting stuck on the best way to structure Roles vs Access Profiles and would love some feedback.

How are you structuring the relationship between Entitlements, Access Profiles, and Roles?

How are you preventing role/access profile sprawl?

Appreciate any insights.

Thank you all

Hi Rey

Some recommendations:

Try not to duplicate Roles or Access Profiles (i.e. don't have multiple Access Profiles granting the exact same set of Entitlements).

I know there were issues in the past when Roles granted Entitlements directly (and not through Access Profiles): when the role was removed, the entitlement was not.

I don't know if this is still an issue, but IMO best practice would be to use Access Profiles.

Hello,

My 2 cents:

  • Entitlement: Not requestable
  • Access Profiles (AP): Represent a capability in an app
    • e.g. “App X - Read access” / “App Y - Edit Invoice”
    • Can’t be auto-assigned
    • Self-request
  • Roles: Represent a business function
    • Contain APs across multiple applications
    • Can be auto-assigned and/or requestable

Warning:

  • As Jason said, try as much as possible not to have overlapping Access Profiles
    • APs are auto-detected, so it can lead to confusing AP assignments
    • If a user has 2 APs with overlapping entitlements, removing one AP will lead to the removal of the entitlements, even if they were also in the second AP
  • Only APs can be assigned to an application, Roles cannot

That’s in theory; in my org we are also struggling to maintain a proper role model, as a lot of app owners want auto-assignment for access to their app
→ We are ending up with roles that represent a capability in a single app, so that it can be auto-assigned.

Happy to hear what the best practices on this topic are.
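A small audit of the overlap problem both replies warn about, added here as an example and not code from the thread or from SailPoint: it flags Access Profiles that grant identical or overlapping entitlement sets, and models the removal behaviour the second reply describes (an entitlement dropped with one AP even though another assigned AP still grants it). Profile names and entitlement identifiers are constructed; the dict shape is an assumption, not the IdentityNow API format.

```python
from itertools import combinations

# Constructed sample: each Access Profile mapped to the entitlements it grants.
# Names and entitlement ids are made up for this example.
ACCESS_PROFILES = {
    "App X - Read access": {"appx:reader"},
    "App X - Edit Invoice": {"appx:reader", "appx:invoice_edit"},
    "App X - Reader (legacy)": {"appx:reader"},          # exact duplicate of "Read access"
    "App Y - Edit Invoice": {"appy:reader", "appy:invoice_edit"},
}


def find_duplicates(profiles):
    """Groups of Access Profiles granting exactly the same entitlement set (Jason's point)."""
    by_set = {}
    for name, ents in profiles.items():
        by_set.setdefault(frozenset(ents), []).append(name)
    return sorted(sorted(names) for names in by_set.values() if len(names) > 1)


def find_overlaps(profiles):
    """Every pair of Access Profiles sharing at least one entitlement, with the shared ids."""
    overlaps = []
    for a, b in combinations(sorted(profiles), 2):
        shared = profiles[a] & profiles[b]
        if shared:
            overlaps.append((a, b, sorted(shared)))
    return overlaps


def entitlements_at_risk(profiles, assigned, removed):
    """Model of the behaviour the reply warns about: entitlements in `removed` that another
    still-assigned AP also grants, and which the reply says would nevertheless be removed."""
    remaining = [ap for ap in assigned if ap != removed]
    still_granted = set()
    for ap in remaining:
        still_granted |= profiles[ap]
    return sorted(profiles[removed] & still_granted)


if __name__ == "__main__":
    print("duplicates:", find_duplicates(ACCESS_PROFILES))
    for a, b, shared in find_overlaps(ACCESS_PROFILES):
        print(f"overlap: {a!r} / {b!r} share {shared}")
    user_aps = ["App X - Read access", "App X - Edit Invoice"]
    print("at risk when removing 'App X - Read access':",
          entitlements_at_risk(ACCESS_PROFILES, user_aps, "App X - Read access"))
```

Run against a real export, an empty result from both `find_duplicates` and `find_overlaps` is the state the two replies recommend aiming for.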