IBM Identity Governance and Intelligence (IGI) offers two approaches for role management: role definition and role mining.
In role definition, the IGI administrator defines the new role based on existing knowledge of what that role should contain. The second approach uses the advanced role mining features of IGI to assist the role engineer in discovering and then defining new roles, using the Access Optimizer application.
The IGI data model defines entitlements, permissions, IT roles, business roles, and external roles. An entitlement identifies a structured set of permissions. These permissions are assigned to a user to access the resources of an organization. Permissions, IT roles, business roles and external roles are collectively referred to as entitlements. Entitlements are structured in a hierarchy.
Permissions are the basic authorization object. Permissions are defined as a permitted action on a protected object, for example, reading and writing a local file.
IT roles are a collection of permissions and other IT roles defined within the context of a single system or application. Business roles are structured objects composed of any combination of simple permissions, IT roles, and other business roles from the same or different applications. Admin roles are business roles that are composed of IGI application permissions and are used to grant administrative access to the IGI application.
External roles are a special case. They are IT roles imported from target applications.
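The entitlement hierarchy described above (permissions nested in IT roles, IT roles and permissions nested in business roles, external roles as imported IT roles) can be modelled as a small tree walk. The following is an added illustration, not IGI's own code or data model API: the class names, the `validate_it_role` and `effective_permissions` helpers, and the HR and Finance sample entitlements are all assumptions made for this example. It shows two checks a role engineer typically wants before a role is published: that an IT role only contains objects from its own application, and what the flattened set of permissions a holder of a business role actually ends up with is (with a guard against cyclic role definitions).

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added example: a minimal model of the IGI entitlement hierarchy.
# Class names, fields and sample data are assumptions for illustration only.


@dataclass(frozen=True)
class Permission:
    """Basic authorization object: a permitted action on a protected object."""
    application: str
    action: str
    target: str


@dataclass
class ITRole:
    """Permissions and other IT roles, all scoped to a single application."""
    name: str
    application: str
    permissions: list = field(default_factory=list)
    it_roles: list = field(default_factory=list)
    external: bool = False  # True for IT roles imported from a target application


@dataclass
class BusinessRole:
    """Any mix of permissions, IT roles and business roles across applications."""
    name: str
    permissions: list = field(default_factory=list)
    it_roles: list = field(default_factory=list)
    business_roles: list = field(default_factory=list)


def validate_it_role(role: ITRole) -> list[str]:
    """Return violations of the rule that an IT role only contains permissions
    and IT roles from its own application."""
    problems = []
    for p in role.permissions:
        if p.application != role.application:
            problems.append(f"{role.name}: permission {p.action}@{p.target} belongs to {p.application}")
    for child in role.it_roles:
        if child.application != role.application:
            problems.append(f"{role.name}: nested IT role {child.name} belongs to {child.application}")
    return problems


def effective_permissions(entitlement, _seen=None) -> frozenset:
    """Flatten the hierarchy into the set of permissions a holder ends up with.
    _seen tracks the roles on the current path so a cycle raises instead of recursing forever."""
    if _seen is None:
        _seen = set()
    if isinstance(entitlement, Permission):
        return frozenset({entitlement})
    key = (type(entitlement).__name__, entitlement.name)
    if key in _seen:
        raise ValueError(f"cycle detected at {key}")
    _seen = _seen | {key}
    result = set(entitlement.permissions)
    children = list(entitlement.it_roles) + list(getattr(entitlement, "business_roles", []))
    for child in children:
        result |= effective_permissions(child, _seen)
    return frozenset(result)


def has_cycle(entitlement) -> bool:
    """True if the role definition refers back to itself somewhere in its tree."""
    try:
        effective_permissions(entitlement)
        return False
    except ValueError:
        return True


# Constructed sample entitlements (hypothetical HR and Finance applications).
read_hr = Permission("HR", "read", "employee_records")
write_hr = Permission("HR", "write", "employee_records")
approve_fin = Permission("Finance", "approve", "invoices")
view_fin = Permission("Finance", "read", "ledger")

hr_reader = ITRole("HR_Reader", "HR", [read_hr])
hr_editor = ITRole("HR_Editor", "HR", [write_hr], [hr_reader])
# External role: an IT role imported from the Finance target application.
fin_approver = ITRole("FI_APPROVER", "Finance", [approve_fin, view_fin], external=True)
payroll_manager = BusinessRole("Payroll_Manager", it_roles=[hr_editor, fin_approver])

# An IT role that wrongly mixes applications.
mixed_role = ITRole("Mixed", "HR", [read_hr, view_fin])

# A cyclic definition: A contains B, B contains A.
cyclic_a = ITRole("A", "HR")
cyclic_b = ITRole("B", "HR", it_roles=[cyclic_a])
cyclic_a.it_roles.append(cyclic_b)


def payroll_manager_permissions() -> frozenset:
    return effective_permissions(payroll_manager)


if __name__ == "__main__":
    for p in sorted(payroll_manager_permissions(), key=lambda p: (p.application, p.action)):
        print(f"{p.application}: {p.action} {p.target}")
    print(validate_it_role(mixed_role))
    print("cycle:", has_cycle(cyclic_a))
```

The flattening is what makes the difference between a business role's declared members and its real reach visible: `Payroll_Manager` declares two IT roles but grants four permissions across two applications, which is the view a reviewer needs when certifying the role.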