Best Practices to be followed during Role Creation/Modification
Roles are used to bundle multiple types of access from one or more endpoints and grant them to a user in a single request.
During role creation, determine the entitlements that will be mapped to the role and ensure that the correct role type is defined. An enterprise role encompasses entitlements that span across multiple endpoints, whereas an application role encompasses entitlements from a single endpoint.
Workflows for Enterprise and Emergency role requests are defined under Global Configurations. Workflows for Application Roles are defined at the security system level.
To enforce governance over changes to role composition, it is strongly recommended to define a Role Modification Workflow under Global Configurations. This ensures that any change to a role's composition is approved before the modified role becomes requestable.
If a Role Modification Workflow is defined under Global Configurations, a modified role stays in the Composing state until all approvals are complete. If the ‘Role modification Auto Approve’ option is selected instead, the role moves directly to the Active state.
During Role creation, validate the following configurations to ensure that the role is requestable:
Ensure that the status of the role is active.
Requestable is set to True.
Ensure that you have assigned a role owner to the role. The role owner is responsible for managing the role and can be used in workflows for approval.
Role admins must add at least one entitlement to the role during the role creation request.
Account Required in All Endpoints (Global Config): When enabled, a user can request an Enterprise role only if they have an active account in each endpoint covered by the role's entitlements; when disabled, the request is allowed regardless.
Roles Add Workflow (Global Config): Workflow triggered when a user requests a role. Ensure that a workflow is selected to handle Add Role requests.
Roles Remove Workflow (Global Config): Workflow triggered when a role is removed from a user. Ensure that a workflow is selected to handle Remove Role requests.
Role Modification Workflow (Global Config): Workflow triggered when a role's composition is modified.
Request Roles Query (Global Config): Use this filter to restrict which roles users can request.
Request Comments (Global Config): To enforce comments during Enterprise/Emergency Role Request, make sure that this configuration is enabled.
If roles are not listed under ADMIN > ROLES for users of a particular SavRole, make sure that ‘Show Roles’ is enabled for that SavRole.
Use the role repair/role retrofit feature to fix role mappings. Repairing role mappings or retrofitting roles re-maps each user's access according to the current composition of the roles assigned to that user. Refer to Repairing Role Mappings for more details. (Applicable versions: EIC v23.1, v5.5 SP 3.15 and above)
Use the RoleAccessMismatchJob to discover violations/mismatches between the entitlements a user actually holds and the entitlements that make up each role assigned to that user. It is recommended to run this job at least once a week during off-peak hours. It can be run daily if the number of roles and associated accounts is small. Refer to Discovering Role Access Mismatches for more details.
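The comparison that the mismatch job and the repair/retrofit feature perform, shown as an added worked example. This is illustration code written for this page, not Saviynt's job or API: the role compositions, role assignments and per-user entitlement sets are constructed sample data, the function names are hypothetical, and the "unmapped access" check (entitlements a user holds that no assigned role explains) is an extra check a practitioner would want rather than something the page attributes to the job.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical tenant; not from any real system).
# Role composition: role name -> entitlements the role grants ("endpoint:entitlement").
ROLES = {
    "ENT_FINANCE_ANALYST": {"SAP:FI_DISPLAY", "SAP:FI_POST", "AD:grp-finance"},  # enterprise role, 2 endpoints
    "APP_AD_HELPDESK": {"AD:grp-helpdesk"},                                      # application role, 1 endpoint
}
# Role assignments: user -> roles currently assigned.
ROLE_ASSIGNMENTS = {
    "alice": {"ENT_FINANCE_ANALYST"},
    "bob": {"ENT_FINANCE_ANALYST", "APP_AD_HELPDESK"},
    "carol": {"APP_AD_HELPDESK"},
}
# Actual access: user -> entitlements the user holds on the endpoints today.
USER_ENTITLEMENTS = {
    "alice": {"SAP:FI_DISPLAY", "SAP:FI_POST", "AD:grp-finance"},            # fully consistent
    "bob": {"SAP:FI_DISPLAY", "AD:grp-helpdesk", "AD:grp-domain-admins"},    # missing two, one direct grant
    "carol": set(),                                                          # role assigned, nothing provisioned
}


@dataclass(frozen=True)
class Mismatch:
    user: str
    role: str
    missing: frozenset  # entitlements the role grants that the user does not hold


def find_mismatches(roles, assignments, user_entitlements):
    """For every user/role assignment, report role entitlements the user lacks.

    Result is sorted by user then role so reports are stable between runs.
    """
    found = []
    for user, assigned in sorted(assignments.items()):
        held = user_entitlements.get(user, set())
        for role in sorted(assigned):
            if role not in roles:
                # An assignment to a role that no longer exists is itself a finding worth failing on.
                raise KeyError(f"{user} is assigned unknown role {role}")
            missing = roles[role] - held
            if missing:
                found.append(Mismatch(user, role, frozenset(missing)))
    return found


def find_unmapped_access(roles, assignments, user_entitlements):
    """Entitlements a user holds that none of their assigned roles grants.

    Assumed extension: these are direct grants outside the role model and
    usually deserve review, even though they are not role violations.
    """
    unmapped = {}
    for user, held in sorted(user_entitlements.items()):
        covered = set().union(*(roles[r] for r in assignments.get(user, ())))
        extra = held - covered
        if extra:
            unmapped[user] = frozenset(extra)
    return unmapped


def plan_repair(mismatches):
    """Retrofit plan: one (user, entitlement) grant per missing entitlement."""
    return sorted({(m.user, ent) for m in mismatches for ent in m.missing})


if __name__ == "__main__":
    mismatches = find_mismatches(ROLES, ROLE_ASSIGNMENTS, USER_ENTITLEMENTS)
    for m in mismatches:
        print(f"MISMATCH user={m.user} role={m.role} missing={sorted(m.missing)}")
    for user, extra in find_unmapped_access(ROLES, ROLE_ASSIGNMENTS, USER_ENTITLEMENTS).items():
        print(f"UNMAPPED user={user} direct={sorted(extra)}")
    for user, ent in plan_repair(mismatches):
        print(f"REPAIR grant {ent} to {user}")
```

Running the block against the constructed data reports bob missing two of the three finance entitlements and carol missing the helpdesk group, flags bob's domain-admins membership as access no role explains, and emits the three grants a retrofit would apply.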