Symantec Access Management

  • 1.  IM Access Roles beyond SiteMinder?

    Posted Apr 23, 2015 11:05 AM

    Is anyone using Access Roles in Identity Manager for purposes other than SiteMinder?  If so, how and why?  I read in the documentation that they're intended for use with application tasks managed by (?) or coordinated with (?) SiteMinder, somehow.  But that doesn't mean anything to me, as our particular implementation doesn't include SiteMinder.  If I understand them correctly -- which I'm pretty sure I don't -- this makes them "Admin Roles without Admin Tasks", to a certain degree.


    It occurs to me that Access Roles may be useful as a "dynamic grouping" mechanism, or as a means to encapsulate scoping rules into a self-contained object that can be leveraged elsewhere in IM.  This may or may not have value, considering that Identity Policies can be used for the same kind of thing.  But I'm wondering about the costs versus benefits of Identity Policies versus Access Roles for the purposes of dynamic grouping.  I'm not sure I have a complete understanding of when objects are evaluated for inclusion in an Access Role, as compared to Identity Policy, which seem to be triggered by events related to user object modification.


    What do you think?  I appreciate any knowledge you may choose to share with me in these regards.  Thanks!



  • 2.  Re: IM Access Roles beyond SiteMinder?

    Posted Apr 23, 2015 12:58 PM

    What version of Identity Manager are you using?

    We've started an upgrade to R12.6 sp5 and will not be using SiteMinder.


    I have not used Access Roles, but I have wanted to see if they could be set up to allow the end user to request access to an application.

    We were only using SiteMinder for our AD so it sounds like we couldn't use it for other applications.



  • 3.  Re: IM Access Roles beyond SiteMinder?

    Posted Apr 24, 2015 03:15 PM

    We're using IM R12.6 SP5 in our Test environment, and SP4 in our Production environment.

    I'm thinking that requesting/providing access to applications is precisely the function of Access Roles; however, it appears that integration with SiteMinder apps is the only offering "out-of-the-box".  So like you, I'm hoping someone has some feedback about using Access Roles in a way that doesn't involve SiteMinder, just to see if it's possible or useful.



  • 4.  Re: IM Access Roles beyond SiteMinder?

    Posted Aug 02, 2017 09:52 AM

    Based on my experience, Access Roles are used only with SiteMinder integration.
    This kind of object is a simple "placeholder" to profile SiteMinder users for authorization purposes.



  • 5.  Re: IM Access Roles beyond SiteMinder?

    Broadcom Employee
    Posted Aug 03, 2017 04:43 AM

    I've never used access roles myself. But I have heard of a few projects where they are used as a placeholder for something else.


    An example. Let's say I have a multi-valued attribute in my user directory. An application uses the values in this attribute to make access/personalization decisions. And let's say that there are 100 allowed values. A multi-select field on the user's profile where any of these 100 values could be added or removed would not look particularly nice. And you have no easy control over which values are allowed for which different types of users (e.g. employees can have any values, contractors limited to the first 50 values).


    However, you could create 100 access roles with the same name as the 100 attribute values. The access roles can be scoped so that only the correct admins can assign them, and only the correct users can receive them. You then create a single PX policy that fires on access role assignment/removal and adds/removes the corresponding attribute value from the multi-valued attribute in the user store.


    Pearse
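The pattern in reply 5 (one access role per allowed attribute value, scoping by user type, and a policy that syncs the multi-valued attribute on assignment/removal) is easier to reason about when modelled in code. The following Python is an added illustration written for this thread; it is not CA/Broadcom code and does not use the Identity Manager or PX policy APIs. The attribute values, user types, and the 50-value contractor limit are constructed to match Pearse's example, and the `reconcile` check is an added defender's aid for spotting attribute values that no longer have a matching role.

```python
"""Toy model of the access-role-to-attribute pattern from reply 5.

Assumptions (constructed for this illustration, not from the product):
- 100 allowed values, named APP_VALUE_001 .. APP_VALUE_100
- an access role exists with exactly the same name as each value
- employees may hold any value, contractors only the first 50
"""
from dataclasses import dataclass, field

# Constructed list of the 100 allowed attribute values (also the role names).
ALLOWED_VALUES = [f"APP_VALUE_{i:03d}" for i in range(1, 101)]

# Scoping rule: which values each user type is permitted to receive.
SCOPE = {
    "employee": set(ALLOWED_VALUES),
    "contractor": set(ALLOWED_VALUES[:50]),
}


class ScopeError(Exception):
    """Raised when a role is assigned outside the user's permitted scope."""


@dataclass
class User:
    uid: str
    user_type: str
    roles: set = field(default_factory=set)      # access roles held
    app_attr: set = field(default_factory=set)   # the multi-valued attribute


def on_role_event(user: User, role_name: str, action: str) -> list:
    """Hypothetical stand-in for a policy that fires on role assign/remove.

    Keeps the multi-valued attribute in lock-step with the roles held and
    returns the attribute's current values, sorted.
    """
    if role_name not in ALLOWED_VALUES:
        raise KeyError(f"unknown access role: {role_name}")
    if action == "assign":
        # Enforce scoping before the attribute is touched.
        if role_name not in SCOPE[user.user_type]:
            raise ScopeError(f"{user.user_type} {user.uid} may not receive {role_name}")
        user.roles.add(role_name)
        user.app_attr.add(role_name)
    elif action == "remove":
        user.roles.discard(role_name)
        user.app_attr.discard(role_name)
    else:
        raise ValueError(f"unknown action: {action}")
    return sorted(user.app_attr)


def reconcile(user: User) -> dict:
    """Detect drift between roles and the attribute (e.g. a value written
    directly to the directory without a corresponding role)."""
    expected = set(user.roles)
    return {
        "orphan_values": sorted(user.app_attr - expected),
        "missing_values": sorted(expected - user.app_attr),
    }


if __name__ == "__main__":
    contractor = User("jdoe", "contractor")
    print(on_role_event(contractor, "APP_VALUE_010", "assign"))
    try:
        on_role_event(contractor, "APP_VALUE_075", "assign")
    except ScopeError as exc:
        print("blocked:", exc)
    contractor.app_attr.add("APP_VALUE_003")  # simulate an out-of-band write
    print(reconcile(contractor))
```

Running `reconcile` periodically against the directory is what turns this from a convenience into a control: because the role is the system of record, any attribute value without a matching role stands out as drift to be investigated and removed.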