Create Target Permissions
Target permissions are the cornerstones on which the CA Identity Portal permission model is constructed. A target permission is the technical permission that the user requests, overlaid and simplified by the CA Identity Portal permission model.
A Target Permission is the entitlement representation in the systems (i.e. IM, IG) that are connected to CA Identity Portal. Use a target permission either to fetch the entitlements the user currently has or to grant new entitlements to the user. The supported entitlements are:
- Provisioning Role (IM)
- Group Membership (IM)
- Attribute (IM)
- Role (IG)
- Resource (IG)
When designing a CA Identity Portal setup and implementation, one needs to plan and configure the relevant target permissions as detailed below.
Note: For target permission scoping, see Permission Scoping.
Target permissions can be assigned in two ways:
- Directly through the native implementation of the connector:
  - IG – Through the API native method.
  - IM – Triggering the corresponding event (similar to assigning a provisioning role in the Provisioning Roles tab).
- Indirectly through a dedicated API:
  - IM – Through executing a task which will be responsible for assigning that task.
Follow these steps:
- Navigate to the Admin UI.
- Click Elements, Target Permissions, Create.
- In the Details tab, select the Connector which is associated with the target permission. The relevant target permissions for that connection are made available in Select target permission name.
- Select a target permission from the dropdown list. The Tag value is populated automatically.
- Select the Mod Type as ADD.
- Click the Execution Plan tab.
- Select an execution plan from the list of plans created earlier.
- (Optional) Set the required compliance settings. See Compliance for more information.
- Click Create. The target permission is created.
Compliance
The compliance configuration indicates which target permission should be used when evaluating compliance for the subject target permission. In some cases the target permission itself does not reside in the system which evaluates the compliance check, but a representation of it exists and should be used instead. For example, the target permission may be a provisioning role in Identity Manager, and we would like to perform a compliance check when that provisioning role (the permission that is linked to that provisioning role) is requested, using the IG role that was created by the Identity Manager and Identity Governance integration.
To perform that configuration we need a connector to IM and a connector to IG. We then configure a target permission from the IM connector and another target permission (with the same name) that exists in IG. Then we configure the compliance on the IM connector to point to the IG target permission.
For the compliance evaluation to be executed, we need to define an external condition in a risk.
Refer to Risks for more information.