IBM Security Identity Governance and Intelligence, Version 5.2.1

Personas and use cases

Persona is a user archetype based on role and other characteristics that influence how a user interacts with the offering. A Persona has a related set of responsibilities. In Identity Governance and Intelligence, you can represent those responsibilities by implementing Roles, and assigning them to Users. Any Role can be associated with any set of tasks, dashboards, reports, campaigns, and other resources. This topic provides examples of tasks that a certain Role can perform.

The main personas are:

Administrators
Business users

Administrators

In Identity Governance and Intelligence, there are:

Virtual appliance administrators
Identity Governance and Intelligence administrators

Business users

Business users are defined in the Regular Users schema and can perform tasks in the Service Center.

Examples of Business users:

Application Managers
User Managers
Role Managers
Risk Managers
Help Desks
Employees

Virtual appliance administrators

The Virtual appliance administrator is responsible for the setup and activation of the Identity Governance and Intelligence virtual appliance and for its day-to-day administration. See the following tables for the Virtual appliance administrators deployment and maintenance tasks.

Table 1. Virtual appliance administrators deployment tasks
Tasks	Subtasks and references
Install and configure the database server.	For Oracle: Installing the Oracle server Configuring the Oracle server For DB2®: Installing the DB2 server Configuring the DB2 server
(Optional) Install and configure the directory server to use the Identity Brokerage Providers module.	Installing and configuring the directory server
Prepare the virtual machine.	Setting up the virtual machine
Install and set up the virtual appliance.	Installing the IBM Security Identity Governance and Intelligence virtual appliance Setting up the initial virtual appliance
For high availability, set up a virtual appliance cluster.	Setting up a virtual appliance cluster Setting up a member node for IBM Security Governance and Intelligence by using the initial configuration wizard Changing a member node to a primary node Removing a node from the cluster Reconnecting a node into the cluster Synchronizing a member node with a primary node
Configure the virtual appliance settings.	Enabling Identity Brokerage Providers Managing directory server configuration Managing the database server configuration Managing OpenID connect configuration Managing the mail server configuration Managing application interfaces

Table 2. Virtual appliance administrators maintenance tasks
Tasks	Subtasks and references
Prepare for disaster recovery. Set up a secondary virtual appliance for an active-passive configuration.	Setting up a primary virtual appliance Backing up the virtual appliance Reverting the virtual appliance to its backup Creating a snapshot of the virtual appliance Setting up a secondary virtual appliance
Monitor event logs, memory, CPU, storage, and cluster status.	Viewing the event logs Viewing the memory usage Viewing the CPU usage Viewing the storage usage Viewing the cluster status
Configure SNMP monitoring.	Managing the SNMP monitoring
Configure external entities such as database servers, and OpenID connect providers.	Managing directory server configuration Managing the database server configuration Managing OpenID connect configuration
Configure mail servers, custom files, and certificate stores.	Managing the mail server configuration Managing custom files Managing certificates
Manage the virtual appliance update history, and license, firmware settings, and fix packs.	Viewing the update history Viewing the licensing Managing the firmware settings Installing a fix pack
Manage log retrieval and configuration, core dumps, Identity Brokerage Providers configuration, and build information.	Managing the log configuration Managing the core dump files Enabling Identity Brokerage Providers Viewing the About page information
Manage network settings such as application interfaces, hosts files, routes.	Managing application interfaces Managing hosts file Configuring static routes
Manage the Export/Import settings	Exporting or importing the configuration settings
Manage the virtual appliance system settings	Configuring the date and time settings Configuring the administrator settings Managing the snapshots Managing the support files Configuring system audit events Restarting or shutting down the appliance
Manage the virtual appliance by using the command line interface.	Cleaning core dump files Tailing logs and archiving logs Enabling trace for the virtual appliance services Adding a JVM property Management SSL certificate Getting and setting the SIB schema names Getting and setting the reconciliation failure threshold

Identity Governance and Intelligence administrators

An Identity Governance and Intelligence administrator, also called Super Administrator is predefined. This Super Administrator is responsible for defining other Identity Governance and Intelligence administrator profiles in the Administration Console by using a free configuration of N base permissions.

The Super Administrator can define an Identity Governance and Intelligence administrator as:

An administrator of a single module or of all the Identity Governance and Intelligence modules.
An administrator who is authorized to perform a selected set of tasks on module A, B, and others.

See Super Administrator for examples of tasks that a Super Administrator can perform.

See the following references for examples of tasks that an Identity Governance and Intelligence administrator can perform, when granted access to any of these modules.

Access Risk Controls
Process Designer
Access Optimizer
Report Designer
Task Planner

Examples of Identity Governance and Intelligence administrators that can be defined and used in the system:

Application Managers
User Managers
Role Managers
Risk Managers

Super Administrator

A Super Administrator can perform the following tasks in the Administration Console:

Table 3. Super Administrator tasks
Tasks	Subtasks and references
For target integration, configure the target system.	Import the target type, also known as the adapter profile. See Importing target types (adapter profiles). Create an instance of the target from the target type. Specify the target identity and other information to connect to the server where the target resides. See Creating targets.
Configure the initial entities.	Create realms. See Concept of Realm and Managing the Administration Realm. Create resources. See Resources. Create entitlements. See Hierarchy of entitlements. Create applications. See Applications. Create accounts. See Accounts.
Configure organizational units.	Create organization units. See Organization units. Assign the organization unit to an entitlement. See Org Units. Assign resources to an organization unit. See Group Resources.
Configure groups.	Create groups. See Groups. Assign entitlements to the group. See Entitlements. Assign resources to the group. See Group Resources.
Configure roles.	Create and publish roles. See Roles. Define the entitlements. See Management.
On-board administrators.	Create the Administrator role. See Admin Roles. Assign organization units to the Administrator role. See Org Units. Assign users to the Administrator role. See Users.
On-board users. For example, a new employee UserA, joined the organization.	Create the user profile. See Users. Assign user to a role. See Users. Assign an entitlement to the user. See Entitlements. Assign resources to the user. See User Resources. Create and manage the accounts for the registered user. See Accounts. Assign rights. See Rights. Set a mitigation action if the user is assigned with a risk level. See Mitigations.
Add entitlements to the on-boarded user, such as an external role. For example, assign UserA with the external role Senior Developer on the Data Manager application.	View the permissions that are defined for the application. Search for the external role you want to assign. Check whether the external role configuration is set for user assignment on the target system. See Application Access. Add the entitlement. Assign the external role to the on-boarded user. See Entitlements. Check whether the assignment event Add Permission is generated for the external role. See Events.
Enable a custom Segregation of Duties policy.	Enable the external Segregation of Duties feature. Set up the external service, which can be a REST WEB Service or an implementation of a JAVA interface. See General
Define a certification campaign.	Certification Campaigns
Change account passwords for users.	Changing user passwords
Force users to change their Service Center password on their next login.	Forcing a password change
Configure the password service.	Configuring the password service in Access Governance Core
Configure the Access Requests workflows for change password, forgot password, or password reset functionalities.	Configuring the password service in Process Designer
Configure and assign dashboards.	Dashboards for Service Center

Access Risk Controls module

Administrators, who are granted access to the Access Risk Controls module, can perform the following tasks:

Table 4. Sample tasks in the Access Risk Controls module
Tasks	Subtasks and references
Model a business activity tree structure.	Business activities
Associate the permissions to one or more activities.	Business activity mapping
Set mitigation controls.	Mitigation controls
Define risks.	Risk definition
Define domains.	Domains
Evaluate risk violations.	Risk violations
Compare configurations.	Configuration comparison
Request or download report.	Report

Process Designer module

Administrators, who are granted access to the Process Designer module, can perform the following tasks:

Table 5. Sample tasks in the Process Designer module
Tasks	Subtasks and references
Define activities that can be associated to a process.	Activity
Design a process.	Process
Assign one or more administrative roles to each activity defined in the process.	Assign
Configure the Access Requests workflows for change password, forgot password, or password reset functionalities.	Password administration

Access Optimizer module

Administrators, who are granted access to the Access Optimizer module, can perform the following tasks:

Table 6. Sample tasks in the Access Optimizer module
Tasks	Subtasks and references
Configure and compare data snapshots.	Data snapshot
Define access data sets.	Access data sets
Configure relevance criteria.	Relevance criteria
Create and manage a data exploration analysis.	Data Exploration analysis and details
Create a role mining request.	Role mining

Report Designer module

Administrators, who are granted access to the Report Designer module, can perform the following tasks:

Table 7. Sample tasks in the Report Designer module
Tasks	Subtasks and references
Create and customize report queries.	Query
Create and customize reports.	Report
Create and customize dashboard items.	Dashboard
Assign the product report to a user or an entitlement.	Report assignment
Organize the product reports.	Menu

Task Planner module

Administrators, who are granted access to the Task Planner module, can perform the following tasks:

Table 8. Sample tasks in the Task Planner module
Tasks	Subtasks and references
Add jobs and configure job class attributes.	Jobs
Create and configure tasks, define job class parameters, and configure scheduling.	Tasks
Synchronize tasks to the selected scheduler.	Scheduler
Group tasks by context.	Context

Application Managers

Application Managers, with administrative rights, can perform any of the following tasks in the Administration Console.

Table 9. Application Managers tasks in the Administration Console
Tasks	Subtasks and references
For target integration, configure the target system.	Import the target type, also known as the adapter profile. See Importing target types (adapter profiles). Create an instance of the target from the target type. Specify the target identity and other information to connect to the server where the target resides. See Creating targets.
On-board users. For example, a new employee UserA, joined the organization.	Create the user profile. See Users. Assign user to a role. See Users. Assign an entitlement to the user. See Entitlements. Assign resources to the user. See User Resources. Create and manage the accounts for the registered user. See Accounts. Assign rights. See Rights. Set a mitigation action if the user is assigned with a risk level. See Mitigations.
Add entitlements to the on-boarded user, such as an external role. For example, assign UserA with the external role Senior Developer on the Data Manager application.	View the permissions that are defined for the application. Search for the external role you want to assign. Check whether the external role configuration is set for user assignment on the target system. See Application Access. Add the entitlement. Assign the external role to the on-boarded user. See Entitlements. Check whether the assignment event Add Permission is generated for the external role. See Events.
Enable a custom Segregation of Duties policy.	Enable the external Segregation of Duties feature. Set up the external service, which can be a REST WEB Service or an implementation of a JAVA interface. See General

User Managers

User Managers, with administrative rights, can perform any of the following tasks in the Administration Console.

Table 10. User Managers tasks in the Administration Console
Tasks	Subtasks and references
On-board users. For example, a new employee UserA, joined the organization.	Create the user profile. See Users. Assign user to a role. See Users. Assign an entitlement to the user. See Entitlements. Assign resources to the user. See User Resources. Create and manage the accounts for the registered user. See Accounts. Assign rights. See Rights. Set a mitigation action if the user is assigned with a risk level. See Mitigations.
Add entitlements to the on-boarded user, such as an external role. For example, assign UserA with the external role Senior Developer on the Data Manager application.	View the permissions that are defined for the application. Search for the external role you want to assign. Check whether the external role configuration is set for user assignment on the target system. See Application Access. Add the entitlement. Assign the external role to the on-boarded user. See Entitlements. Check whether the assignment event Add Permission is generated for the external role. See Events.
Enable a custom Segregation of Duties policy.	Enable the external Segregation of Duties feature. Set up the external service, which can be a REST WEB Service or an implementation of a JAVA interface. See General

Role Managers

Role Managers, with administrative rights, can perform any of the following tasks in the Administration Console, including tasks in the Process Designer module.

Table 11. Role Managers tasks in the Administration Console
Tasks	Subtasks and references
Configure roles.	Create and publish roles. See Roles. Define the entitlements. See Management.
On-board users. For example, a new employee UserA, joined the organization.	Create the user profile. See Users. Assign user to a role. See Users. Assign an entitlement to the user. See Entitlements. Assign resources to the user. See User Resources. Create and manage the accounts for the registered user. See Accounts. Assign rights. See Rights. Set a mitigation action if the user is assigned with a risk level. See Mitigations.

Risk Managers

Risk Managers, with administrative rights, can perform any of the following tasks in the Administration Console, including tasks in the Access Risk Controls module.

Table 12. Risk Managers tasks in the Administration Console
Tasks	Subtasks and references
Add entitlements to the on-boarded user, such as an external role. For example, assign UserA with the external role Senior Developer on the Data Manager application.	View the permissions that are defined for the application. Search for the external role you want to assign. Check whether the external role configuration is set for user assignment on the target system. See Application Access. Add the entitlement. Assign the external role to the on-boarded user. See Entitlements. Check whether the assignment event Add Permission is generated for the external role. See Events.
Enable a custom Segregation of Duties policy.	Enable the external Segregation of Duties feature. Set up the external service, which can be a REST WEB Service or an implementation of a JAVA interface. See General

Business users: Managers

The following list provides examples of tasks Managers can perform in the Service Center, depending on their configuration.

Table 13. Managers tasks in the Service Center
Tasks	Subtasks and references
Approve or revoke campaign requests.	Campaign Management
Manage orphan accounts.	User-account matching
Manage access requests.	Account change requests Selecting the user Answering security questions Selecting the accounts Entering the new password Authorizing the request Executing the request Delegating requests Generating a request Processing a request Creating entitlements Generating a request Processing a request Executing a request Modifying entitlements Generating a request Processing a request Executing a request Request user access Generating a request Processing a request Executing a request Creating users Generating a request Processing a request Executing a request
Reset the account password for other users.	Resetting account passwords for other users
Reset own Service Center password.	Resetting my forgotten password
Map permissions and activities.	Dashboard Permission Perspective Activity Perspective
Configure, run, and download the report.	Request Download

Note: User Managers and Application Managers have customized Service Center dashboards from which they can view and manage their activities. For more information, see:

Business users: Help Desks

The following list provides examples of tasks that Help Desks can perform in the Service Center, depending on their configuration.

Table 14. Help Desks tasks in the Service Center
Tasks	Subtasks and references
Reset the account password for other users.	Resetting account passwords for other users

Business users: Employees

The following list provides examples of tasks that Employees can perform in the Service Center, depending on their configuration.

Table 15. Employees tasks in the Service Center
Tasks	Subtasks and references
Reset own Service Center password.	Resetting my forgotten password
Change the account password for active accounts.	Changing my account password
View Self Care requests status	Viewing my requests in the Self Care application
Update the security questions for account recovery	Updating my security questions

Note: Employees have customized Service Center dashboards from which they can view and manage their activities. For more information, see Employee dashboard.