How to delegate tasks in Identity Manager when an employee with user management entitlements goes on vacation?
Generally you assign entitlements as roles to groups, so it is an organizational matter to put enough people in the group assigned to the management roles that there is always someone who can carry on the identity management tasks. But let's not avoid the question and try to address it as described: I am going on vacation and I would like to appoint someone to be able to carry on with my identity management tasks while I am away.
The question seems aligned with the default functionality documented here: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-5/administrating/workflow/work-lists-and-work-items/delegating-work-items.html , but it goes beyond the delegation of approvals in workflows.
The Identity Manager delegation model is very flexible and allows tasks to be delegated in a potentially non-finite cycle: for example, it lets us delegate the addition of members of a role to the members of that same role, and similar schemes.
This is an example of how to achieve the desired functionality: "a user A wants to delegate the management of his tasks assigned in Identity Manager to a user B". Later we could refine the example by adding an end date.
To do this, the proposed solution is to use a user attribute, let's call it String009.
1st We will modify the value of the String009 attribute of user B, so that it contains the userID of the first user (A).
2nd We will modify the definition of "members" of the Identity Manager administrative role to include everyone as a member, limiting the scope to those users whose administrator has delegated the tasks to .
For the first step we can use a delegation task "delegate my work" and a Policy Xpress (PX). The task will allow us to choose the user to whom we want to delegate our functions. And the PX will modify the String009 attribute of this user (B). For better understanding, example screens follow:


In the second step we modify all the roles that contain the tasks we want to be able to delegate, so that the membership rules add to the scope the users of (or managed by) the user who has delegated the tasks. Below is an example screen of a new "delegable user manager" role for a better understanding:

For example, user "Employee4" delegates his user management tasks (view user, modify user) to Employee2:
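An added Python sketch, not part of the original article or of Identity Manager itself, that models the scope rule from the second step and reviews which delegations are currently set in String009. The directory export, the `manager` attribute name and the finding labels are assumptions made for illustration; only String009 and the Employee4 to Employee2 delegation come from the text.

```python
# Constructed directory export: userID -> attributes. "manager" is an assumed
# attribute name; String009 holds the userID of whoever delegated to this user.
USERS = {
    "Employee1": {"manager": "Employee4", "String009": ""},
    "Employee2": {"manager": "Employee5", "String009": "Employee4"},  # example from the text
    "Employee3": {"manager": "Employee4", "String009": ""},
    "Employee4": {"manager": "Employee5", "String009": ""},
    "Employee5": {"manager": "", "String009": "Employee2"},
    "Employee6": {"manager": "Employee2", "String009": "Employee9"},
    "Employee7": {"manager": "Employee5", "String009": "Employee5"},
}


def delegated_scope(admin_id, users=USERS):
    """Users that admin_id can manage through the delegation rule alone:
    those whose manager equals the userID stored in admin_id's String009."""
    delegator = users[admin_id]["String009"]
    if not delegator:
        return set()
    return {uid for uid, attrs in users.items() if attrs["manager"] == delegator}


def audit_delegations(users=USERS):
    """Return (delegatee, delegator, finding) tuples for every String009 in use."""
    findings = []
    for uid, attrs in sorted(users.items()):
        delegator = attrs["String009"]
        if not delegator:
            continue
        if delegator not in users:
            finding = "unknown delegator"          # stale or mistyped userID
        elif delegator == uid:
            finding = "self delegation"
        elif uid in delegated_scope(uid, users):
            finding = "delegatee manages own account"
        elif users[delegator]["String009"]:
            finding = "chained delegation"         # delegator is itself a delegatee
        else:
            finding = "active"
        findings.append((uid, delegator, finding))
    return findings


if __name__ == "__main__":
    for delegatee, delegator, finding in audit_delegations():
        scope = sorted(delegated_scope(delegatee))
        print(f"{delegatee} <- {delegator}: {finding}; scope={scope}")
```

Because every user is a member of the role under this scheme, the scope rule is the only control left, so a periodic review of this kind is what catches delegations that were never cleared after the vacation ended.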