Authorization
Who is this guide for?
The Permission Reference of RAC/M Profiles guide describes the different permissions and the objects they act upon. In addition, it describes the default profiles that come with the solution and their purpose.
Note
The access profiles in the solution are fully configurable. The default profiles are examples only and are usually adapted to the particular context of the organization.
List of default profiles
Note
The default profiles have an English name, as they are preconfigured content elements in the solution. The metadata of content elements are unilingual, as they are normally configured by the organization in its own language. Preconfigured content elements are an exception to this rule and are in English.
The names can, however, be changed to reflect the translation during the initial integration project.
Special profiles
Special profiles cannot be deleted, as they are used in some automatic assignment rules when no profile has been explicitly assigned. However, they can be renamed like other profiles.
These profiles can also be assigned explicitly if necessary, but they are usually used in an automatic assignment mode.
Note
Automatic assignment is only done if the identity has no explicitly assigned profile.
Profile | Automatic assignment | Description | Welcome page |
---|---|---|---|
RAC/M Admin | No automatic assignment, but it is assigned to the initial administrator account. | Gives all access in the administrative console. Has limited access in the Self-Service area, where it cannot make requests. | Dashboard |
Manager | When the identity owns a delegation group | Gives access to Self-Service functions and to the read rights required for these functions. It can also cancel provisioning requests. | Self-Service |
User | If the identity is not "Manager" and has no other profile | Allows the identity to make access requests and to see the tasks assigned to it in the Self-Service. | Self-Service |
Important
At the start of a campaign, the solution identifies all the reviewers who will participate in the campaign and checks their delegation groups. If a reviewer does not have a delegation group, the solution will automatically create one. The created group does not contain any delegates.
This mechanism ensures that a reviewer in a campaign has the "Manager" profile if it does not have another profile explicitly assigned.
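The resolution order above (explicit profile first, then Manager if the identity owns a delegation group, otherwise User) and the campaign-start step that creates an empty delegation group for each reviewer can be expressed as a small model. The following Python is an added illustration, not code from RAC/M Identity; the `Identity` class, its attributes and the sample identities are constructed for the example, and only the profile names come from the page.

```python
from dataclasses import dataclass, field

# Hypothetical identity record; only the two attributes the assignment
# rules depend on are modelled. Profile names come from the reference above.
@dataclass
class Identity:
    name: str
    explicit_profiles: set = field(default_factory=set)  # assigned by an administrator
    owns_delegation_group: bool = False


def effective_profiles(identity: Identity) -> set:
    """Profiles the identity ends up with.

    Automatic assignment is considered only when no profile was explicitly
    assigned; an explicit assignment therefore always wins.
    """
    if identity.explicit_profiles:
        return set(identity.explicit_profiles)
    if identity.owns_delegation_group:
        return {"Manager"}
    return {"User"}


def prepare_campaign_reviewers(reviewers: list) -> list:
    """Campaign-start step: every reviewer without a delegation group gets one.

    The created group holds no delegates; its only effect here is that the
    fallback rule now resolves the reviewer to "Manager" unless another
    profile was explicitly assigned. Returns the names of reviewers for whom
    a group was created, which is what an operator would want to audit.
    """
    created = []
    for reviewer in reviewers:
        if not reviewer.owns_delegation_group:
            reviewer.owns_delegation_group = True
            created.append(reviewer.name)
    return created


if __name__ == "__main__":
    # Constructed sample reviewers for a campaign.
    reviewers = [
        Identity("r1"),                                   # nothing assigned, no group
        Identity("r2", {"Account Management"}),           # explicit profile, no group
        Identity("r3", owns_delegation_group=True),       # already a group owner
    ]
    print("groups created for:", prepare_campaign_reviewers(reviewers))
    for r in reviewers:
        print(r.name, "->", sorted(effective_profiles(r)))
```

Running the sample shows that only r1 changes behaviour: r2 keeps Account Management because explicit assignment takes precedence, and r3 was already a Manager through its existing group.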
General profiles
Profile | Description | Welcome page |
---|---|---|
Account Management | Used to manage accounts in assets. It can view assets and make provisioning requests. It is also able to view, create, modify and delete application accounts. | Dashboard |
Auditers | Used by auditors responsible for collecting compliance evidence in the solution, but does not allow changes to be made. Provides read-only access to all elements of the administrative console. | Dashboard |
Operator | Provides read access to logs and configuration files, read and write access to groups and requests, and read and write access to mapping configurations. | Dashboard |
Super Operator | Used by the solution's drivers. It allows to | Dashboard |
Web Services | By default, the "Web Services" profile has no rights. | |
List of permissions
The following is a list of the permissions that can be assigned to a profile from the REQUEST / RAC/M Profiles screen. A permission is the combination of a scope and an action.
Actions
The following actions are defined. For the exact meaning of an action in a given scope, refer to the Scopes section.
Action | Description |
---|---|
Read | Represents a read right without any modification of the object. This action is often required for other actions. |
Save | Represents the creation or modification of an object. |
Delete | Represents the deletion of an object. In some contexts, it is useful to separate the modification from the deletion. |
Execute | This action varies greatly depending on the scope. |
Match | Represents the right to match elements together or unmatch them. |
Approve | This action is not currently used in the solution. |
Reject | This action is not currently used in the solution. |
Type of permission
In the following sections and subsections, any permission types (e.g., Read, Execute, etc.) that are not identified for an element have no impact on it.
Scopes
The following scopes are defined in the solution.
Manage
- (Main Element)
  - Allows you to view (Read) and execute (Execute) sequences.
  - Allows you to view (Read) the execution history of the sequences.
- Log files
  - Allows you to view (Read) the RAC/M Identity logs.
- Data Files
  - Allows you to view (Read), create/edit (Save) and delete (Delete) RAC/M Identity data files.
- RAC/M Users
  - Allows you to view (Read), create/modify (Save) and delete (Delete) users.
- RAC/M Profiles
  - Allows you to view (Read), create/edit (Save) and delete (Delete) RAC/M Identity profiles.
- Audits
  - Allows you to view (Read) the audits.
People
- (Main Element)
  - Provides access to the RAC/M Identity administrative interface.
  - Allows you to make (Read and Save) account matches.
  - Allows you to perform (Read and Save) approvals of account matches.
  - Allows you to perform (Read and Save) merges of persons.
- Person
  - Allows you to view (Read), create/modify (Save) and delete (Delete) persons.
  - Allows you to display (Read) extended attributes related to persons.
  - Allows you to display (Read) information about persons in the identity screen.
  - Allows you to perform matching (Read).
  - Allows you to use search lists (Read) of persons.
- Identity
  - Allows you to view (Read), create/modify (Save) and delete (Delete) identities.
  - Allows you to view (Read) the list of identities associated with a person.
  - Allows you to view (Read) contextual information about identities in different screens.
  - Allows you to view (Read) the list of job types.
  - Allows you to match identities to accounts or people (Read and Match).
  - Allows you to use (Read) the identity search lists.
Assets
- (Main Element)
  - Allows you to view (Read), create/modify (Save) and delete (Delete) asset groupings, assets, groups and permissions.
  - Allows you to view (Read) the list of segregation of duties.
  - Allows you to view (Read) information or lists of assets and asset groupings in different screens.
  - Allows you to view (Read) the extended attributes of assets and asset groupings.
- Items
  - Allows you to view (Read) the extended attributes related to the items.
  - Allows you to view (Read), create/modify (Save) and delete (Delete) items.
  - Allows you to view (Read), create/modify (Save) and delete (Delete) operations.
- Accounts
  - Allows you to view (Read), create/modify (Save) and delete (Delete) accounts.
  - Allows you to view (Read) the list of accounts in the account matching screens.
  - Allows you to view (Read) extended attributes related to accounts.
  - Allows you to view (Read) information about accounts in audits.
  - Allows you to transfer (Save) identity accounts to the identity detail screen.
- Group
  - Allows you to view (Read), create/modify (Save) and delete (Delete) groups.
  - Allows you to view (Read), create/modify (Save) and delete (Delete) delegation groups.
  - Allows you to view (Read) information about groups in entitlements review campaigns.
  - Allows you to view (Read) information about groups in audits.
Access
- (Main Element)
  - Allows you to view (Read) the access section.
- Campaign
  - Allows you to view (Read), create/modify (Save) and delete (Delete) review campaigns.
  - Allows you to start and end (Execute) a campaign.
  - Allows you to perform certain tasks in a review campaign:
    - Transfer (Execute) approvals.
    - Send (Execute) reminder notifications to reviewers.
    - Load and view (Execute) email templates.
    - Change (Save) the end date of campaigns.
    - Generate (Execute) campaign reports.
  - Allows you to view (Read) information about review campaigns in the Queries screen if they are related to campaigns.
  - Allows you to view (Read) campaign reports.
  - Allows you to view (Read) previous campaign executions in the Incremental Campaigns list.
  - Allows you to open (Read) the detail modal window of a role in a campaign.
- All campaign content
  - Allows reviewers to perform their approval tasks (Read and Save).
- Roles
  - Allows you to view (Read), create/modify (Save) and delete (Delete) roles and role versions.
  - Allows you to view (Read) contextual information about roles in different screens.
  - Allows you to unlink (Delete) roles from the identities they are associated with in the identity screen.
  - Allows you to view (Read) the extended attributes of roles.
  - Allows you to activate (Execute) a role version.
  - Allows you to view (Read) the list of job types.
- Role modeling session
  - Allows you to view (Read), create/modify (Save) and delete (Delete) role modeling sessions.
  - Allows you to enable or disable (Execute) roles in the modeling session.
  - Allows you to mine down or multi-mine (Execute) roles in a modeling session.
- Policies
  - Allows you to use the segregation of duties menu option (Read).
- Functions
  - Allows you to view (Read), create/modify (Save) and delete (Delete) additional functions.
Provisioning
- (Main Element)
  - Allows you to cancel (Delete) provisioning requests.
- Tasks
  - Allows you to view (Read) the tasks of individuals.
  - Allows you to view (Read) the tree of entitlements requested and currently possessed in approval requests in Self-Service.
- Identities Requests
  - Allows you to view (Read), modify or cancel (Save) and restart (Execute) access requests in the Self-Service or administrative interface.
  - Identities
    - Allows you to view (Read) or cancel (Save) entitlement requests for identities.
  - Roles
    - Allows you to view (Read) or cancel (Save) entitlement requests for roles.
  - Account
    - Allows you to view (Read) or cancel (Save) rights requests for accounts.
    - Allows you to view (Read) account management indicators in the dashboard.
    - Allows you to view (Read) email templates and scripts related to manual provisioning configurations.
  - Groups
    - Allows you to view (Read) or cancel (Save) entitlement requests for groups.
  - Written Requests
    - Allows you to view (Read) or cancel (Save) written requests.
- Role Requests
  - Allows you to view (Read), cancel (Save) and restart (Execute) role requests in the administrative interface.
  - Groups for role
    - Allows you to view (Read) group requests for roles.
  - Members for role
    - Allows you to view (Read) member requests for roles.
  - Role modifications
    - Allows you to view (Read) modification requests for roles.
  - Role included in other roles
    - Allows you to view (Read) included role requests for roles.
Organization
- (Main Element)
  - Allows you to view (Read), modify (Save) or delete (Delete) businesses, organizations and departments.
Reports
- (Main Element)
  - Allows you to view (Read), generate (Execute) or delete (Delete) reports.
Configurations
- (Main Element)
  - Allows access to (Read) the configuration screens.
  - Allows you to run (Execute) individual modules and test configurations.
- Mappings
  - Allows you to view (Read), modify (Save) and delete (Delete) the following mapping configurations:
    - Jobs
    - Job Type
    - Labels
    - Sources
- Extended Attributes
  - Allows you to view (Read), modify (Save) and delete (Delete) the Extended Attributes mapping configurations.
- Status
  - Allows you to view (Read), modify (Save) and delete (Delete) the Status mapping configurations.
- Processing
  - Allows you to create/modify (Save) and delete (Delete) the following types of configuration:
    - Sequences
    - Blocks
    - Modules
    - Formatters
    - Collectors
    - Extractors
    - File managers
- Manual provisioning
  - Allows you to create/modify (Save) and delete (Delete) the following types of configuration:
    - Configuration Files
      - Allows you to view (Read), create/modify (Save) and delete (Delete) configuration files.
    - Script Files
      - Allows you to view (Read), create/modify (Save) and delete (Delete) script files.
Policies
- Policy
  - Allows you to view (Read), create/modify (Save) and delete (Delete) account policies.
- Policy Password
  - Allows you to view (Read), create/modify (Save) and delete (Delete) password policies.
- Policy Username
  - Allows you to view (Read), create/edit (Save) and delete (Delete) username policies.
- Policy collision
  - Allows you to record (Save) name collisions in the username policy screen.
Dashboard
- (Main Element)
  - Allows you to view (Read) the dashboard.
Self-Service
Note
In Self-Service, permissions are contextual to identities based on delegation groups. For example, in order to approve an entitlement request for an identity, one must have the appropriate permission in the profile and be a member of the delegation group configured to approve access for that identity.
There are two exceptions to this rule:
- Requesting entitlements for an identity. Once the profile has the right permission, a person can make an entitlement request for any identity but the solution will ask for approvals from the appropriate persons.
- Full access permission. This permission overrides the usual rule and makes the permissions applicable to all identities.
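The contextual rule and its two exceptions are easiest to see as a single authorization decision: the requester must hold the (scope, action) permission in its profile, and, unless the action is an access request for an identity or the requester holds All Access, it must also be a member of the delegation group that approves access for the target identity. The Python below is an added illustration and is not RAC/M Identity code; the `Requester` and `TargetIdentity` classes, the scope labels written as `"Self-Service/<element>"`, the delegation group names and the sample people are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed scope labels for the Self-Service elements named on the page.
SELF_SERVICE = "Self-Service"
ALL_ACCESS = "Self-Service/All Access"
ACCESS_REQUEST = "Self-Service/Access Request"


@dataclass
class Requester:
    """A person using the Self-Service portal (hypothetical model)."""
    name: str
    permissions: set          # set of (scope, action) pairs granted by the profile
    delegation_groups: set    # names of the delegation groups the person belongs to


@dataclass
class TargetIdentity:
    """The identity the action is about (hypothetical model)."""
    name: str
    approving_group: str      # delegation group configured to approve its access


def may_act(requester: Requester, target: TargetIdentity, scope: str, action: str) -> bool:
    """Decide whether `requester` may perform `action` in `scope` for `target`.

    Order of checks mirrors the rule stated in the note: the profile must grant
    the permission at all; then the two exceptions are applied; otherwise the
    requester must sit in the delegation group that approves the target's access.
    """
    if (scope, action) not in requester.permissions:
        return False                       # the profile does not grant it anywhere
    if scope == ACCESS_REQUEST and action == "Execute":
        return True                        # exception 1: any identity may be requested for;
                                           # the solution routes approvals to the right people
    if (ALL_ACCESS, "Execute") in requester.permissions:
        return True                        # exception 2: All Access applies to all identities
    return target.approving_group in requester.delegation_groups


if __name__ == "__main__":
    # Constructed sample: a manager of the finance delegation group.
    alice = Requester(
        "alice",
        {(SELF_SERVICE, "Read"), ("Self-Service/Task", "Read"), (ACCESS_REQUEST, "Execute")},
        {"grp-finance"},
    )
    bob = TargetIdentity("bob", "grp-finance")
    carol = TargetIdentity("carol", "grp-it")
    for target in (bob, carol):
        print(f"alice views tasks of {target.name}:",
              may_act(alice, target, "Self-Service/Task", "Read"))
        print(f"alice requests access for {target.name}:",
              may_act(alice, target, ACCESS_REQUEST, "Execute"))
```

With the sample data, alice can view bob's tasks but not carol's, yet can file an access request for either of them; giving alice the All Access permission would make the task check succeed for carol as well, which is why that permission deserves the same scrutiny as an administrative profile.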
- (Main Element)
  - Allows you to access (Read) the Self-Service portal.
- All Access
  - Allows (Execute) requests and (Execute) searches for all identities in the Self-Service portal.
- Task
  - Allows you to view (Read) the identity tasks in the Self-Service.
- Identity Request Details
  - Allows you to view (Read) in the Self-Service the provisioning requests linked to an identity.
- Role Request Details
  - Allows you to view (Read) in the Self-Service the requests linked to a role.
- Access Request
  - Allows you to make requests (Execute) to add and remove entitlements for identities.
- Request External Identity
  - Allows you to make (Execute) requests to add and remove rights for external identities.
- Employment Termination - Employee
  - Allows you to make (Execute) termination requests for identities.
- Employment Termination - External Contractor
  - Allows you to make (Execute) termination requests for external identities.
- Account Activation Requests
  - Allows you to make (Execute) account activation requests.
- Role Creation Requests
  - Allows you to make (Execute) role creation requests.
- Role Modification Requests
  - Allows you to make (Execute) role modification requests.
- Review Campaign
  - Allows you to view (Read) and make (Save) approvals in review campaigns in a Self-Service context.
  - Allows you to view (Read) review campaign reports in a Self-Service context.
  - Allows you to view (Read) review campaign indicators in a Self-Service context.