In one of our previous videos, we show how to order something in IT Shop. For example, to get an account, and Safeguard, and some permissions. Another approach to assign permissions and resources to users is to use roles. And in this short example, I'd like to show you how that will work with roles.
This is my first target. My second target is to show you how to use the Identity Manager Provisioning Engine just to do a lot of things around Safeguard user and group provisioning. As you can see on the screen, there is the Delora Blanchart. The Delora Blanchart is a standard employee. You can see that just here. Not too many resources assigned.
There are some application roles. There are some IT Shop assignments. And there is just one Active Directory account, which is her Delora Blanchart account. This is the person I like to deal with.
Additionally to that, I'd like to show you, as well, a role. Therefore, I just step into my business roles. There is a business role Tree, Technical roles. And one of these Technical roles is Privileged Account Management. The idea is to add the Delora Blanchart later on to that specific role, but I'd like to show the role first.
Here is my role. As you can see, this role shows a lot of different assigned items. On the one hand side, there is just one person part of the role right now. On the other hand side, you will see an Assigned Active Directory Group. There is an Assigned Privileged Account Management Group.
There is, as well, a resource assigned. That means people who are members of this role get the company cell phone allowance. Now there is, additional to that then, the Safeguard user, which you automatically get if you become a member of this role. And not on the screen, but you can have it in mind, it is possible merely to assign everything to these roles to make people and the administration as easy as possible.
Remember, roles are, at the end, a container which can contain a lot of different resources from a lot of different target systems. And all of these resources get assigned, then, to these identities assigned to the role. So this is my role. Perfect. And now, try exactly what I do. And I want to show you the power of the Identity Manager.
And so I don't [INAUDIBLE] just an [INAUDIBLE] you to this role. I can do that. But I want to do that on the property basis of the employee itself. And therefore, I'm just looking for the Delora Blanchart. Here she is. I stepped into the master data of the Delora Blanchart. I stepped to the user defined button. And here it's a main advisory property, which is one of our custom properties in the Identity Manager. This is customized here.
I just click that down. And you can see my main advisory could be for PAM, for LDAP or SAP, just in this system. I will do that now for PAM. And I will save that. And what happens now is the following. Because of that property change, this person gets auto-assigned to that specific role.
In the background, there is the engine of the Identity Manager running, and it's doing something. And on the basis of this assignment, this person will get automatically a member of the roles. So I step back to my business role. And as you can see, now Delora is just part of the role. That means she is assigned, and additionally to that, because she is part of the role, here, in the process role of the Identity Manager, there are now some provisioning steps done.
For example, they've got a Safeguard account created, and so on. This happens here all in the background. And as you can see, there is a process called Privileged Account Governance, User Insert. That sounds like that this is our Safeguard account.
And that has happened all in the background. This is the Rich Provisioning Engine of the Identity Manager. And this is what the system is doing in the background. If this is done, and I step back, for example, to my person, which is Delora. Here we are. Then you can see that Delora is now fully equipped with a lot more resources than she had before. There is a technical role assignment that is what was done on the property basis.
Responsible for this is an automation process that just checks that I set this main advisory. And on the basis of that, the person gets assigned to the role. Here's the role. Then, additionally, because the role itself was equipped with a Safeguard user, automatically, a Safeguard user was assigned to Delora. This is the Safeguard user allowance.
This is the Safeguard user that was, at the end, assigned to the person. That was a resource assigned, which is the company's cell phone allowance. That means people having that role are now allowed to have a company cell phone. This is just to show you that this is possible.
And in the background, now, the following happened. All of that was auto-provisioned. For example, in Safeguard, and maybe as well in Active Directory. So the first thing I want to do here is, I want to figure out if this account is provisioned in Safeguard.
I just click on that account. You can see this is my Safeguard user. The Safeguard user is on that appliance provisioned. It is assigned to one IM group, which is a group where you can get your allowance to deal with assets, and it is assigned to that specific employee.
The same thing should now be in Safeguard. We know that from before. So we are just searching for Delora. And there is the account. We just look into that account. There is the data from Delora that's automatically provisioned. Getting the data from the person object, you see Delora is a standard Safeguard user with access to user and help desk.
And if we look at the group, then we will see that as a group assigned, it's one IM group as we expected this. Last but not least, of course, it was a role assignment. We have seen that there is the cell phone allowance assigned and the Active Directory account.
And then, I can see here as well the assigned group that was part of my role. Just to show you that this is the truth, I step back to my business role, and in business role, I just select my Privileged Account Governance role. And here you can see, this was the group we got assigned.
And the one or the other might now say, that's nice there is on an administrative basis. But how to enrich this process with big approval workflows so that the assignment to the role is then, at the end, something that happens on the basis of an approval workflow, like we saw that in previous videos before.
This is nothing you should be concerned about. In Identity Manager, you have only to activate that role to be used in IT Shop and then you can add as many highly sophisticated workflows as you like.