Create Target Permissions
Target permissions are the cornerstones on which the Identity Portal permission model is constructed. A target permission is the technical permission that the user actually requests; the Identity Portal permission model layers over it and simplifies it.
A Target Permission is the representation of an entitlement in the systems connected to Identity Portal (that is, Identity Manager or Identity Governance). Use a target permission either to fetch the entitlements the user currently has, or to grant new entitlements to the user. The supported entitlements are:
- Provisioning Role, Admin Role, Access Role (Identity Manager)
- Group Membership (Identity Manager)
- Attribute (Identity Manager)
- Role (Identity Governance)
- Resource (Identity Governance)
When designing an Identity Portal setup and implementation, one must plan and configure the relevant target permissions as detailed below.
Note: For target permission scoping, see Permission Scoping.
Target permissions can be assigned in two ways:
- Directly, through the native implementation of the connector:
  - Identity Governance – through the native API method.
  - Identity Manager – by triggering the corresponding event (similar to assigning a provisioning role in the Provisioning Roles tab).
- Indirectly, through a dedicated API:
  - Identity Manager – by executing a task that is responsible for assigning the permission.
Follow these steps:
- Navigate to the Admin UI.
- Click Elements, Target Permissions, Create.
- In the Details tab, select the Connector which is associated with the target permission. The relevant target permissions for that connection are made available in Select target permission name.
- Select a target permission from the dropdown list. The Tag value is populated automatically.
- Select the Mod Type as ADD or REPLACE. If the entitlement is an "Attribute", use REPLACE for a single-value attribute and ADD for a multi-value attribute.
- Click the Execution Plan tab.
- Select an execution plan from the list of plans created earlier.
- (Optional) Set the required compliance settings. See Compliance for more information.
- Click Create. The target permission is created.
Compliance
We use the compliance configuration to indicate which target permission should be used when evaluating compliance for the subject target permission. In some cases the target permission itself does not reside in the system that evaluates the compliance check, but a representation of it exists there and should be used instead. For example: the target permission is a provisioning role in Identity Manager, but we want a compliance check to run when that provisioning role (the permission linked to it) is requested, using the Identity Governance role that was created through the Identity Manager and Identity Governance integration.
To perform that configuration, you need a connector to Identity Manager and a connector to Identity Governance. You then configure a target permission from the Identity Manager connector and another target permission (with the same name) that exists in Identity Governance. Finally, configure the compliance setting on the Identity Manager target permission to point to the Identity Governance target permission.
For the compliance evaluation to be executed, you must define an external condition in a risk. Refer to Risks for more information.
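The constraints above (supported entitlement per system, Mod Type for single- versus multi-value attributes, an execution plan on every permission, and a compliance reference that must resolve to a same-name Identity Governance target permission) can be checked before anyone clicks through the Admin UI. The following is an added example, not Identity Portal's own code or API: it validates a planned set of target permissions written as plain Python records, and the `TargetPermission` fields and `validate` function are hypothetical names chosen for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Entitlement types each connected system supports, as listed on this page.
SUPPORTED = {
    "Identity Manager": {"Provisioning Role", "Admin Role", "Access Role",
                         "Group Membership", "Attribute"},
    "Identity Governance": {"Role", "Resource"},
}

@dataclass
class TargetPermission:
    name: str                 # target permission name in the connected system
    system: str               # system the connector points at
    entitlement: str          # one of the entitlement types in SUPPORTED
    execution_plan: str       # execution plan created earlier (must not be empty)
    mod_type: str = "ADD"     # ADD or REPLACE
    multi_value: bool = True  # only meaningful for Attribute entitlements
    compliance_ref: Optional[str] = None  # name of the IG permission used for compliance

def validate(perms):
    """Return a list of problems found in a planned set of target permissions (hypothetical helper)."""
    problems = []
    index = {(p.name, p.system): p for p in perms}
    for p in perms:
        if p.entitlement not in SUPPORTED.get(p.system, set()):
            problems.append(f"{p.name}: {p.entitlement!r} is not supported for {p.system}")
        if p.mod_type not in ("ADD", "REPLACE"):
            problems.append(f"{p.name}: mod type must be ADD or REPLACE")
        elif p.entitlement == "Attribute":
            # Page rule: REPLACE for single-value attributes, ADD for multi-value ones.
            expected = "ADD" if p.multi_value else "REPLACE"
            if p.mod_type != expected:
                problems.append(f"{p.name}: attribute mod type should be {expected}")
        if not p.execution_plan:
            problems.append(f"{p.name}: no execution plan selected")
        if p.compliance_ref is not None and \
                (p.compliance_ref, "Identity Governance") not in index:
            problems.append(f"{p.name}: compliance reference {p.compliance_ref!r} "
                            "has no Identity Governance target permission with that name")
    return problems

# Constructed sample plan: an IM provisioning role whose compliance is evaluated
# through the same-name IG role, plus a single-value IM attribute.
SAMPLE_PLAN = [
    TargetPermission("Finance Approver", "Identity Manager", "Provisioning Role",
                     "plan-im-default", compliance_ref="Finance Approver"),
    TargetPermission("Finance Approver", "Identity Governance", "Role", "plan-ig-default"),
    TargetPermission("Cost Center", "Identity Manager", "Attribute",
                     "plan-im-default", mod_type="REPLACE", multi_value=False),
]
```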