Group and Role Management
Group and Role Management allows an organization to manage application authorizations more efficiently by treating a collection of users who need the same type of application access as a unit. One or more authorizations can be associated to the group or role and users can be assigned to that group or role either by request or automatically based on some attribute they possess (their department, job title, position, etc.).
Apollo is a mainframe based authorization system used by the administrative applications housed on the mainframe or within the UT Direct application framework.
For assistance, please send an email to apollo@utlists.utexas.edu.
- Define attributes for the type of authorization allowed
- Set up groups to manage authorizations more easily
- Define audits to enforce authorizations for people, such as employment status or entitlements
- Delegate authority to grant or revoke authorizations or group memberships to non-developers
- Secured module and web interfaces provide parallel functionality
Apollo is centrally funded and is available to developers at no cost.
Intended Users
Apollo provides mainframe developers with an authorization framework for use with the applications they maintain.
Technical support
Technical support is provided by the UT Service Desk during normal business hours.
UT Service Desk
512-475-9400
Create a Ticket
help@its.utexas.edu
Maintenance
ITS Campus Solutions will notify customers about both scheduled and unscheduled maintenance (including service delivery issues) using the Alerts & Outages page. Services may not be available during the maintenance periods.
Scheduled maintenance may occur on either Tuesday or Thursday at 7:00 A.M. Central Time, as needed. To the maximum extent possible, installation of service, application, and security updates will be performed during scheduled maintenance windows.
Unscheduled maintenance tasks that require service downtime will be announced as soon as possible on the Alerts & Outages page.
Change notification: ITS Campus Solutions will notify customers of service availability and service delivery issues using the Alerts & Outages page.
User responsibilities
Subscribers (users) of the service and identified owners/administrators agree to be aware of and adhere to the university's Information Resources Acceptable Use & Security Policy Agreement.
Enterprise Group Services (EGS) allows university departments to automate the management of application and system authorization groups. EGS group membership is managed using Attribute-Based Access Control (ABAC) rules with members being added and removed automatically.
Enterprise Group Services (EGS) is currently in soft launch and working with selected early adopters. While the team will field requests from other University departments, requests from early adopters will be prioritized.
- Automatic management of authorization groups based on directory attributes.
- Authorization groups can be consumed in the Austin Active Directory (Austin AD) or the uTexas Enterprise Directory (TED).
- Supports compliance with UT-IRUSP Standard 4: Access Management § 4.1.4 and 4.1.6.
- Meets Minimum Security Standards for Application Development and Administration § 4.1.6, 4.1.8, and 4.1.9.
Enterprise Group Services (EGS) is a common-good service available to University departments at no cost.
Service Level Agreement (SLA)
Overview
This document defines the service level agreement for EGS.
Service Description
EGS is a service that encompasses an identity administration and access governance system. One of its principal features is the ability to support group and role-based access management.
Intended Users
EGS can be used by University departments or organizations who wish to leverage group and role-based access controls.
Technical Support
Both Tier 1 and Tier 2 technical support are available during normal business hours. Requests will receive an initial response within one business day. The time to implement the customer's request will depend on the complexity of the request.
Tier 1
End users should contact the UT Service Desk.
UT Service Desk Phone: 512-475-9400
Create a Ticket: help@utexas.edu
Tier 2
Departmental support staff and the UT Service Desk may escalate issues to EGS Administrators. Customers referred to the EGS Administrators will be contacted within one business day.
Maintenance
ITS will notify customers of service availability and service delivery issues, including both scheduled and unscheduled maintenance, using the Alerts and Outages page. Services may not be available during the maintenance periods.
EGS consists of several technical components: midPoint, Grouper, and IGA Infrastructure. Maintenance for the service or its components will occur Wednesdays from 11:30 a.m. to 1:30 p.m. Please note that maintenance may not occur every Wednesday, and not all components will require maintenance on the same Wednesday. To the maximum extent possible, installation of service, application, and security updates will be performed during scheduled maintenance.
Unscheduled maintenance tasks that require service downtime will be announced as soon as possible on the Alerts and Outages page.
The OHS Contacts System is a tool used by departments to identify individuals who are authorized to perform specific roles for the department.
The University's hierarchy can be represented in different ways in real time.
Organizational Hierarchy System Contacts (OHSC) is a common-good service available to University departments at no cost.
Routine requests are typically addressed within one business day.
UT Service Desk staff may escalate requests as needed.
Technical Support
Technical support is available during normal business hours:
M-F 8:00 a.m. - 5:00 p.m.
UT Service Desk
512-475-9400
Create a Ticket
Direct Email: help@its.utexas.edu
SailPoint IIQ maintains a hierarchical role model which consists of Business Roles, IT Roles, and Entitlements:
- Business Roles identify affiliations or job functions by which users can be grouped
- IT Roles encapsulate sets of system entitlements
- Entitlements represent individual system authorizations
Roles can be used to:
- Grant various types and levels of access
- Restrict access to sensitive information assets by grouping entitlements in a form that is meaningful to the business
- Grant the minimum privileges required by an individual to perform his/her job
Roles can be requested manually, or they can be configured to be assigned automatically via an assignment rule. Entitlements can also be assigned directly to an identity rather than being mapped to a role.
Group and Role Management features include:
Managing Access via Identity Lifecycle Events is used to automatically assign a role or entitlement based on a change in a person’s status at the university:
- The “Joiner” event represents a new identity joining the University or an identity being reactivated (e.g., new hire, reinstated employee, etc.).
- The “Mover” event represents an identity moving between departments or job functions.
- The “Leaver” event represents an identity leaving the University (e.g., termination, retirement, etc.).
Managing Access via Requests is used when an individual, or a delegate, makes a request for assignment of a role or entitlement to his/her profile. Access requests may necessitate approvals by specific individuals, policy checks, and notifications to interested parties (depending on the access requested).
Administrative functionality required to support groups and roles:
- Role Maintenance is the ability to create, update, and delete a role and/or entitlement which corresponds to permission(s) in an application.
- Reconciliation is the correlation and refresh of identities within SailPoint IIQ based on current authorization information imported from an application. This functionality finds additional or modified entitlement assignments for an identity in the application that were made outside of SailPoint IIQ.
- Certification is the process of certifying the user accounts that exist for an application or certifying the roles and entitlements within the hierarchy of a role.
- Reporting is the ability to generate access reports on a scheduled or ad hoc basis.
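The following is an added example, not code from SailPoint, EGS or the university's own systems. It models in Python the concepts described above for both EGS and SailPoint IIQ: a three-level hierarchy (Business Roles contain IT Roles, which contain Entitlements), attribute-based assignment rules of the kind EGS uses for automatic group membership, the Joiner/Mover/Leaver lifecycle events that re-evaluate those rules, and a reconciliation step that flags entitlements granted outside the governance system. All role names, attributes and entitlement values are constructed for illustration.

```python
"""Toy model of a role hierarchy with ABAC assignment rules, lifecycle events
and reconciliation. Hypothetical example; not SailPoint IIQ or EGS code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Entitlement = Tuple[str, str]                   # (application, permission)


@dataclass
class Identity:
    uid: str
    attributes: Dict[str, str]                  # e.g. department, title, status
    direct_entitlements: Set[Entitlement] = field(default_factory=set)


@dataclass
class ITRole:
    name: str
    entitlements: Set[Entitlement]              # system authorizations it bundles


@dataclass
class BusinessRole:
    name: str
    it_roles: Set[str]                          # names of ITRole objects
    rule: Callable[[Identity], bool]            # attribute-based assignment rule


class RoleModel:
    def __init__(self, it_roles: List[ITRole], business_roles: List[BusinessRole]):
        self.it_roles = {r.name: r for r in it_roles}
        self.business_roles = {r.name: r for r in business_roles}
        self.assigned: Dict[str, Set[str]] = {}   # uid -> business-role names

    def matching_roles(self, ident: Identity) -> Set[str]:
        """Run every assignment rule; inactive identities match nothing."""
        if ident.attributes.get("status") != "active":
            return set()
        return {n for n, r in self.business_roles.items() if r.rule(ident)}

    def effective_entitlements(self, ident: Identity) -> Set[Entitlement]:
        """Entitlements reachable via assigned roles plus direct assignments."""
        ents = set(ident.direct_entitlements)
        for br in self.assigned.get(ident.uid, set()):
            for it_name in self.business_roles[br].it_roles:
                ents |= self.it_roles[it_name].entitlements
        return ents

    def apply_lifecycle_event(self, ident: Identity, event: str, **changes):
        """Joiner / Mover / Leaver: update attributes, re-run rules, report delta."""
        if event == "joiner":
            ident.attributes.update(changes, status="active")
        elif event == "mover":
            ident.attributes.update(changes)
        elif event == "leaver":
            ident.attributes["status"] = "inactive"
            ident.direct_entitlements.clear()   # assumption: leavers lose direct grants
        else:
            raise ValueError(f"unknown lifecycle event: {event}")
        before = self.assigned.get(ident.uid, set())
        after = self.matching_roles(ident)
        self.assigned[ident.uid] = after
        return {"granted": after - before, "revoked": before - after}

    def reconcile(self, ident: Identity, app: str, observed: Set[str]) -> Set[Entitlement]:
        """Permissions the application reports that the model does not explain,
        i.e. grants made outside the governance system."""
        expected = {p for (a, p) in self.effective_entitlements(ident) if a == app}
        return {(app, p) for p in observed - expected}


def build_model() -> RoleModel:
    # Constructed sample hierarchy (not real university roles).
    it_roles = [
        ITRole("ad-staff", {("AD", "staff-group")}),
        ITRole("payroll-viewer", {("payroll", "read")}),
        ITRole("payroll-editor", {("payroll", "read"), ("payroll", "write")}),
    ]
    business_roles = [
        BusinessRole("Staff", {"ad-staff"}, lambda i: True),
        BusinessRole("Payroll Clerk", {"payroll-viewer"},
                     lambda i: i.attributes.get("department") == "Payroll"),
        BusinessRole("Payroll Manager", {"payroll-editor"},
                     lambda i: i.attributes.get("department") == "Payroll"
                     and i.attributes.get("title") == "Manager"),
    ]
    return RoleModel(it_roles, business_roles)


def run_demo() -> dict:
    """Walk one constructed identity through joiner, mover, reconcile, leaver."""
    model = build_model()
    alice = Identity("alice", {})
    r = {}
    r["joined"] = model.apply_lifecycle_event(alice, "joiner", department="Payroll", title="Clerk")
    r["after_join"] = model.effective_entitlements(alice)
    r["moved"] = model.apply_lifecycle_event(alice, "mover", title="Manager")
    r["after_move"] = model.effective_entitlements(alice)
    # The application reports an "admin" permission nobody granted through a role.
    r["drift"] = model.reconcile(alice, "payroll", {"read", "write", "admin"})
    r["left"] = model.apply_lifecycle_event(alice, "leaver")
    r["after_leave"] = model.effective_entitlements(alice)
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The mover step shows why rules are re-evaluated rather than roles copied: a title change adds Payroll Manager without anyone requesting it, and the leaver step removes every role at once because the status check runs before any rule. The reconciliation result is the kind of finding the Reconciliation function above exists to surface: an entitlement present in the application that no role or direct assignment accounts for.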
SailPoint IdentityIQ (IIQ) is a common-good service available to University departments at no cost.
Service Level Objectives (SLOs)
| Metric | Target |
|---|---|
| Availability | 99.178% |
Please note that these SLOs are dependent on other campus SLOs and are adjusted as those change.
Service Level Indicators (SLIs)
Service Level Indicators (SLIs), i.e., whether or not the Service Level Objectives (SLOs) have been met, are published at https://iamservices.utexas.edu/resources/metrics/.
Service Level Agreement (SLA)
Overview
This document defines the service level agreement for SailPoint IdentityIQ (IIQ).
Service Description
SailPoint IIQ is an identity administration and access governance system. One of its principal features is the ability to support group and role-based access management.
Intended Users
SailPoint IIQ can be used by University departments or organizations who wish to leverage group and role-based access controls.
Technical Support
Both Tier 1 and Tier 2 technical support are available during normal business hours. Requests will receive an initial response within one business day. The time to implement the customer's request will depend on the complexity of the request.
Tier 1
End users should contact the UT Service Desk.
UT Service Desk Phone: 512-475-9400
Create a Ticket: help@its.utexas.edu
Tier 2
Departmental support staff and the UT Service Desk may escalate issues to SailPoint IIQ Administrators. Customers referred to the SailPoint IIQ Administrators will be contacted within one business day.
Maintenance
ITS will notify customers of service availability and service delivery issues, including both scheduled and unscheduled maintenance, using the Alerts and Outages page. Services may not be available during the maintenance periods.
Scheduled maintenance occurs on Wednesdays from 11:30 a.m. to 1:30 p.m. Please note that maintenance may not occur on every Wednesday. To the maximum extent possible, installation of service, application, and security updates will be performed during scheduled maintenance.
Unscheduled maintenance tasks that require service downtime will be announced as soon as possible on the Alerts and Outages page.
Change notification: ITS will notify customers of service availability and service delivery issues for SailPoint IIQ using the Alerts and Outages page.
User Responsibilities
Users and owners of SailPoint IIQ services agree to be aware of and adhere to the University of Texas at Austin Acceptable Use Policy.
Owners of applications integrated with SailPoint IIQ agree to:
- Be aware of and adhere to the SailPoint IIQ Acceptable Use Policy.
- Use SailPoint IIQ best practices when feasible.