IDM Roles & Access Assignments
IDM is the central management tool for the administration of IDM roles, clients, organisations, specialist applications, business and specialist application roles and the user data and profile. The IDM database contains the data required for authentication and authorisation of application access.
IDM link: ➞ User administration PRO
IDM link: ➞ User administration AB
IDM link: ➞ User administration RE
- IDM Roles Overview with Access Request Creation and Management
GKA/BVA training
Link to the GKA/BVA training documents: GKA/BVA Training (V4.0 in German only)
Instructions for application creation and administration of roles
GKD (Gesamtkoordinator Dienst)
The GKD has the technical and organisational responsibility for the authorisation assignment of the role GKA. The user with the role GKD can thus appoint different GKAs for different offices; written permission from the respective CISO is required (Remedy MAC order or signed mail). The GKD is responsible for granting the GKA the rights to perform his task in his office in the IDM tool provided for this purpose (REF/ABN/PROD), or for withdrawing them again.
GKD authorises GKA
In the eIAM environment, only three IDM specialists hold the role GKD, which is superior to the offices and responsible for GKA role applications and user profile administration. We therefore refrain from writing a short manual here.
GKA (Gesamtkoordinatoren Amt)
The GKA of an office has the organisational and technical responsibility to ensure that only the persons intended by the line can access the business and technical application roles. In other words, he is responsible for adding or removing the IDM user profile roles of the BVAs in the three IDM tool instances (REF/ABN/PROD) in his office (organisation).
BVA (Benutzerverwalter Applikation)
The BVA of one or more professional applications in an office has the task of granting or denying an application role to those users who have requested it.
- The BVA uses a user role concept per application. All access to applications must be in accordance with the "need to know" principle. It must be ensured that a user only receives the information, or is only allowed to execute the functions, that he really needs.
- The BVA determines and changes the scope of access by granting the application roles in the IDM tool provided for this purpose.
- The BVA withdraws the user's access to the specialised applications by deleting the roles from the IDM administration tool provided for this purpose.
- The BVA notifies the user of the changes to his authorisations.
IDM role requests
New BVA:
New GKA: