Administrator role delegation

Introduction

IBM® Security Verify provides ability to delegate administrator actions to other users for a certian period of time. The capability is specifically for the administrative roles that come into effect for managing access certification activities.

A certification campaign to certify users' and groups' access or accounts assigns the administrator role of Campaign Reviewer and / or Campaign Supervisor. If the initial user assigned to the certification campaign is on planned leave or unavailable, a "delegation" can be defined to assign the certification campaign to a delegated admin with the corresponding Campaign Reviewer and / or Campaign Supervisor designation.

Configure delegation

The three-step guide to delegate admin roles is as follows:

1. View my accesses
2. Delegate role
3. Manage delegated role

1. View my accesses

Login to Verify and navigate to My accesses to view current accesses. These are basically the accesses which are assigned, either directly OR via delegation from a peer employee:

Click a specific access, to view its details.

Here's are the typical details of Campaign Reviewer access:

Likewise, here are the typical details of Campaign Supervisor access:

The main point to note here is that the details view shows any existing delegation configuration for a specific admin role, along with details around the delegatees and the duration of the delegation. Any missing details around delegation would mean delegation is not set.

2. Delegate role

Once, the details have been inspected and delegation has been configured, configure any new delegation schedule as specified in this section. Click on the Delegate option to launch the configuration wizard, which will encompass the following steps:

• Select Roles for delegation
  Select one or more roles from the list that need to be delegated.

  

• Select delegatees (users that will be delegates)
  Select one or more users that will act as delegates.

  

• Specify the delegation schedule
  Select the start and end dates for this delegation.

  

• Specify justification
  Optionally, specify justification for the delegation.

  

• Review the selections before submission
  Preview the summary for delegation before scheduling it. It will have the details like schedule, justification, roles and users. Once selections are validated, click on the Schedule option.

  

3. Manage delegated role

Once delegation is scheduled, review and manage it by selecting the access.

Details of Campagin Reviewer admin role with delegation information:

Details of Campagin Supervisor admin role with delegation information:

In the event that fine-tuning delegation is needed, ex: change the delegatee:

• Navigate to `Manage users`. Here, remove the delegation from an user, by hitting on the cross against the user name.:
• Confirm the removal, the delegation schedule would be removed from the relevant role:
• Once delegation schedule is removed from a given role, delegate the same role again to a different user(s).

You can repeat the same process even for changing the delegation schedule. For example, the same "Campaign Reviewer" role has been delegated to Scott for a different time period:

💎

Aakash Prajapati, IBM Security

💎 Ramakrishna J Gorthi, IBM Security