If an identity management system also takes over the management of access rights, it is called "Identity and Access Management", IAM for short. For simplicity we will continue to speak of an identity management system in the following. Many advantages of an identity management system are only realised when access rights are managed in the same system. Access management is a prerequisite for the technical enforcement of security rules (see Compliance). Beyond that, it provides a company-wide overview of who holds which rights and a single point of control over them.
Access rights in the same system
Simple role assignment
Overview
Central control
Difference between roles and rights
Role Based Access Control (RBAC)
"Role Based Access Control" is a design pattern for managing access rights. Specific rights ("read data set XY") are not assigned directly to individual users but to a role ("processor for Z"). Users are then assigned roles according to their function in the company, and their access rights are derived from those roles. In the identity management system, usually only the roles are assigned; the mapping of roles to specific rights usually takes place in the applications. In the identity management system, user roles can be assigned globally or at application level.
Application admins can manage rights themselves
The assignment of roles does not necessarily have to be performed by a central IdM admin. Depending on the organisational structure, it can also make sense to delegate role assignment for an application to that application's admins.
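As an added illustration of the two points above (the IdM holds only user-to-role assignments, globally or per application, while each application maps roles to concrete rights; and role assignment can be delegated to application admins), the following Python sketch is example code written for this page. It is not code from the original page and not Keycloak's own implementation. The users, the roles "employee", "processor" and "auditor", the application id "crm", the permission strings and the GLOBAL scope marker are all constructed sample data.

```python
"""Added RBAC example: the identity management system (IdM) stores only users,
roles and who may assign them; each application maps roles to concrete rights.
All names (users, roles, 'crm', permission strings) are constructed sample data."""
from collections import defaultdict

GLOBAL = "*"  # scope marker for roles that apply in every application (assumption)


class IdentityStore:
    """Minimal stand-in for the role-management part of an IdM system."""

    def __init__(self, central_admins=(), app_admins=None):
        # user -> scope -> set of role names; scope is GLOBAL or an application id
        self._roles = defaultdict(lambda: defaultdict(set))
        self._central_admins = set(central_admins)
        self._app_admins = {a: set(u) for a, u in (app_admins or {}).items()}

    def can_administer(self, actor, application):
        """Central IdM admins may assign in any scope; an application admin may
        only assign roles scoped to their own application, never global ones."""
        if actor in self._central_admins:
            return True
        return application != GLOBAL and actor in self._app_admins.get(application, set())

    def assign_role(self, actor, user, role, application=GLOBAL):
        if not self.can_administer(actor, application):
            raise PermissionError(f"{actor} may not assign roles in scope {application!r}")
        self._roles[user][application].add(role)

    def revoke_role(self, actor, user, role, application=GLOBAL):
        if not self.can_administer(actor, application):
            raise PermissionError(f"{actor} may not revoke roles in scope {application!r}")
        self._roles[user][application].discard(role)

    def roles_for(self, user, application):
        """Effective roles of a user in one application: global roles plus the
        roles assigned specifically for that application."""
        scoped = self._roles.get(user, {})
        return set(scoped.get(GLOBAL, ())) | set(scoped.get(application, ()))


class Application:
    """An application owns the mapping from role to concrete rights."""

    def __init__(self, app_id, role_permissions):
        self.app_id = app_id
        self._role_permissions = {r: frozenset(p) for r, p in role_permissions.items()}

    def permissions_for(self, idm, user):
        perms = set()
        for role in idm.roles_for(user, self.app_id):
            # A role the application does not know grants nothing here.
            perms |= self._role_permissions.get(role, frozenset())
        return perms

    def is_allowed(self, idm, user, permission):
        return permission in self.permissions_for(idm, user)


def build_example():
    """Constructed sample deployment: one central admin, one CRM application admin."""
    idm = IdentityStore(central_admins={"root"}, app_admins={"crm": {"carol"}})
    idm.assign_role("root", "alice", "employee")                       # global role
    idm.assign_role("carol", "alice", "processor", application="crm")  # delegated, app-level
    idm.assign_role("root", "bob", "employee")
    idm.assign_role("root", "bob", "auditor")                          # global role
    crm = Application("crm", {
        "processor": {"customer:read", "customer:write"},
        "auditor": {"customer:read", "audit-log:read"},
        # 'employee' exists in the IdM but carries no rights in the CRM
    })
    return idm, crm


if __name__ == "__main__":
    idm, crm = build_example()
    for user in ("alice", "bob"):
        print(user, sorted(crm.permissions_for(idm, user)))
    idm.revoke_role("carol", "alice", "processor", application="crm")  # one change in the IdM...
    print("alice after revocation:", sorted(crm.permissions_for(idm, "alice")))  # ...rights gone
```

Two things worth noticing when running it: the global "auditor" role reaches the CRM without any CRM-specific assignment, while the global "employee" role grants nothing there because the CRM does not map it, and the delegated admin "carol" can change roles only inside the "crm" scope, so a single revocation in the IdM removes alice's CRM rights without touching the application's own configuration.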
Example view from Keycloak (Open Source IAM from Red Hat)