| Applies To | RSA Product Set: RSA Identity Governance & Lifecycle |
|---|---|
| Issue | This article defines various terms used in RSA Identity Governance & Lifecycle. New users commonly confuse terms such as User / Account and Group / Role / Rule and how they interrelate. |
An account provides a user (a real person) with access to an application used in your organization through entitlements and application roles. The entitlements and application roles associated with accounts are collected by Entitlement Data Collectors (EDC). Accounts are not identities or users, but an account may be matched to an identity through the user ID attribute collected for that identity.
Entitlements define the access privileges granted to one or more users in an organization to a specific application and the data within the application.
A group is a container that includes accounts and sub-groups of accounts collected from account data sources by Account Data Collectors (ADC). You view them under the Users tab in the User Interface (UI). Collecting groups at the Identity level was deprecated in version 6.5 and completely removed in 7.0. Entitlement Data Collectors (EDC) resolve references to groups with accounts and entitlements but do not create groups.
A user gains membership in a group indirectly, through accounts that are members of that group, whereas users are added to a role directly as members. Adding an entitlement to a group results in its users automatically receiving that entitlement indirectly. Adding an entitlement to a role only means that the user should have that entitlement; it is not granted automatically unless you configure the workflow to generate indirect entitlements automatically.
An identity defines a user in an organization who has access privileges to a quantifiable portion of the organization's data and applications. It corresponds to a real person, who may have more than one account across various systems and applications.
Note: This is applicable only if the Role module is implemented for your installation. If you have system administrator privileges, you can enable the module in Admin > System Settings. In addition, enabling Business Role Manager will help you develop new roles and evaluate changes to existing roles.
A role represents an aggregation of users (included individually or within an included group or role) and entitlements (granular entitlements, application roles, other roles). RSA G&L enables you to view all the roles in the system, collect roles, and organize roles into role sets. A role set is simply a collection of roles.
Note: This is applicable only if the Rules module is implemented for your installation. If you have system administrator privileges, you can enable the module in Admin > System Settings.
RSA Identity G&L enables you (a business manager or an IT security officer, for example) to create and process business rules that detect and notify you about various conditions reflected in collected data that you want to monitor, and possibly rectify, so that you can maintain compliance with your organization's security and regulatory policies. For example, you can configure a rule to detect whether users in a particular location, business unit, or department lack access to a particular application resource to which they should have access.
Rules can also provide decision support in user access request and role modeling processes. For example, RSA G&L uses a rule to evaluate an entitlement access request for a user and determine whether granting the request would violate a business rule.
A rule violation occurs when a user entitlement matching a rule’s condition is detected in the RSA G&L data store.
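The relationships described above (accounts matched to an identity, group entitlements inherited automatically, role entitlements that are only expected, and a rule whose condition selects users and flags a violation) are easy to get confused without something concrete to trace. The following is an added example, not code from RSA or from the product; it is a deliberately small model with constructed sample data and hypothetical names. It resolves a user's actual entitlements through accounts and nested groups, compares them with what the user's roles say they should hold, and evaluates a rule over identities in scope. It generalizes the article's "lacks access but should" example to also cover "holds access but should not" conditions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy model of the vocabulary (not RSA IGL's real data model).


@dataclass(frozen=True)
class Identity:               # a real person; may own several accounts
    user_id: str
    department: str
    location: str


@dataclass
class Account:                # access to one application; matched to an identity by user ID
    account_id: str
    application: str
    user_id: Optional[str]    # None when no identity matched (an orphan account)
    entitlements: set = field(default_factory=set)
    groups: set = field(default_factory=set)


@dataclass
class Group:                  # container of accounts and sub-groups; grants entitlements
    name: str
    entitlements: set = field(default_factory=set)
    sub_groups: set = field(default_factory=set)


@dataclass
class Role:                   # users are members directly; entitlements are "should have"
    name: str
    members: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)


@dataclass
class Rule:                   # scope selects identities by attribute; conditions to check
    name: str
    scope: dict
    must_have: set = field(default_factory=set)
    must_not_have: set = field(default_factory=set)


def group_entitlements(name, groups, seen=None):
    """Entitlements a group grants, including those inherited from nested sub-groups.
    `seen` stops infinite recursion if the group graph contains a cycle."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    result = set(groups[name].entitlements)
    for sub in groups[name].sub_groups:
        result |= group_entitlements(sub, groups, seen)
    return result


def actual_entitlements(user_id, accounts, groups):
    """What the user really holds: entitlements on each matched account plus
    those the account receives automatically through group membership."""
    held = set()
    for acct in accounts:
        if acct.user_id == user_id:
            held |= acct.entitlements
            for g in acct.groups:
                held |= group_entitlements(g, groups)
    return held


def expected_entitlements(user_id, roles):
    """What the user should hold per role membership; a target, not reality."""
    return set().union(*(r.entitlements for r in roles if user_id in r.members))


def role_gaps(user_id, accounts, groups, roles):
    """Role entitlements the user is expected to hold but does not actually have."""
    return expected_entitlements(user_id, roles) - actual_entitlements(user_id, accounts, groups)


def evaluate_rule(rule, identities, accounts, groups):
    """Violations as (user_id, entitlement, reason) for identities in the rule's scope."""
    violations = []
    for ident in identities:
        if any(getattr(ident, attr) != value for attr, value in rule.scope.items()):
            continue
        held = actual_entitlements(ident.user_id, accounts, groups)
        violations += [(ident.user_id, e, "missing") for e in sorted(rule.must_have - held)]
        violations += [(ident.user_id, e, "prohibited") for e in sorted(rule.must_not_have & held)]
    return violations


def orphan_accounts(accounts):
    """Accounts that matched no identity; they are access without an owner."""
    return [a.account_id for a in accounts if a.user_id is None]


# --- constructed sample data (hypothetical names) ---
IDENTITIES = [Identity("jdoe", "Finance", "London"), Identity("asmith", "Finance", "Paris")]
GROUPS = {"FIN_ALL": Group("FIN_ALL", {"ERP:FI_DISPLAY"}, {"FIN_AP"}),
          "FIN_AP": Group("FIN_AP", {"ERP:AP_POST"})}
ACCOUNTS = [Account("jdoe@erp", "ERP", "jdoe", {"ERP:LOGIN"}, {"FIN_ALL"}),
            Account("asmith@erp", "ERP", "asmith", {"ERP:LOGIN", "ERP:VENDOR_MAINT"}),
            Account("svc_batch@erp", "ERP", None, {"ERP:AP_POST"})]
ROLES = [Role("AP Clerk", {"jdoe", "asmith"}, {"ERP:LOGIN", "ERP:FI_DISPLAY", "ERP:AP_POST"})]
RULES = [Rule("Paris finance needs FI display", {"department": "Finance", "location": "Paris"},
              must_have={"ERP:FI_DISPLAY"}),
         Rule("London may not post AP", {"location": "London"}, must_not_have={"ERP:AP_POST"})]

if __name__ == "__main__":
    for ident in IDENTITIES:
        print(ident.user_id, "gaps vs roles:", sorted(role_gaps(ident.user_id, ACCOUNTS, GROUPS, ROLES)))
    for rule in RULES:
        print(rule.name, "->", evaluate_rule(rule, IDENTITIES, ACCOUNTS, GROUPS))
    print("orphan accounts:", orphan_accounts(ACCOUNTS))
```

Note how jdoe's `ERP:AP_POST` comes only through the nested group `FIN_AP`, so it is real access and triggers the prohibitive rule, whereas asmith's missing `ERP:FI_DISPLAY` and `ERP:AP_POST` appear as role gaps because role entitlements are never granted on their own.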
Conditions you can detect with rules include:
Entitlements in the context of a business rule include:
Reports can be generated on rules, rule violations, and rule violation exceptions.
A user corresponds to an identity, a real person who has access, through accounts, to one or more applications used in your organization.