User Types

This feature is currently available only to customers participating in a Private Preview. If you'd like to participate and be among the first to try this feature, ask our support or account team for details.

A user type defines a grouping (often large) of similar users. It can be viewed as a category of users with much in common, even though they don’t all have the same business role.

Typical user types include the following:

  • Contractors

  • Full-Time Employees

  • Part-Time Employees

  • Terminated Employees

  • Customers

  • Students

User types are helpful not only for classifying users but also for provisioning access: one way is to assign items through birthright access at the user type level, so that every user of that type receives them automatically.

User types can also be used to group users by geography, such as US Staff and UK Staff. Because every user has exactly one user type, a geography-based scheme replaces, rather than supplements, the employment-based examples above; choose the grouping that best matches how access is actually provisioned.

About Birthright Access

Birthright access is the set of resources, roles, and other access that every member of a user type is automatically assigned when the user is first created.

Common birthright resources are email and Entra ID, since most organizations provision an identity provider account and an email address for every staff member, regardless of job function.

Birthright access applies only to systems and software applications, not to physical assets.

Access Types

  • Resource: A resource is a digital or physical asset to which a user can be granted access. This could be a physical asset such as a key card, or a digital application such as Ping Directory, Okta, or Entra ID.

  • Entitlement: An entitlement is an access level within a resource (a security role, responsibility, security group, permission set, and so forth).

  • Role: A role is a collection of resources and entitlements. A role can be assigned to more than one person, and roles are best organized around a specific purpose, such as a job function.

Access Model

Every user has exactly one user type, and this is the foundation of the IGA access model.

Within the user type, administrators configure an access level for each allowed role and resource (Birthright, Default Granted, or Default Not Granted). Together these settings define both the initial access a user receives and the access the user can potentially hold.

Only access defined in the user type can be granted. Anything not explicitly listed in the user type can never be granted to a user of that user type. Listed access falls into one of the following categories:

  • Birthright: Granted to every user of this user type and can never be removed.

    • Example: An email account for employees. All identities of the Employee user type are granted an email account, and they keep it for as long as they are employees.

  • Assigned (shown as Default Granted in the user type configuration): Granted to every user of the user type when the user is created as, or changed to, that user type. This access can be removed.

  • Assignable (shown as Default Not Granted): Not granted to new identities by default. This access can be added directly by administrators or managers, by policies attached to a role, or through a self-service request if the access is available in a catalog. It can be removed.
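The rules above (only listed access can be granted, Birthright can never be removed, Birthright and Assigned items are granted on creation and again when the user type changes) as a small Python model. This is an added example written for this page, not product code and not the product's API; the class and function names, the behaviour on a user type change, and the sample Employee and Contractor user types are all assumptions. Resources and roles are treated alike as named items.

```python
"""User-type-scoped access model (added example, not product code).

Assumed model: a user type lists every resource and role its users may hold,
each tagged with a category. Resources and roles are treated alike here as
named items. The user type and item names are made up for the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    BIRTHRIGHT = "birthright"   # granted on creation, can never be removed
    ASSIGNED = "assigned"       # "Default Granted": granted on creation, removable
    ASSIGNABLE = "assignable"   # "Default Not Granted": off by default, may be added


@dataclass
class UserType:
    name: str
    allowed: dict               # item name -> Category


@dataclass
class User:
    name: str
    user_type: UserType
    access: set = field(default_factory=set)


class AccessDenied(Exception):
    """Raised when a grant or revoke would violate the user type."""


def initial_access(user_type: UserType) -> set:
    """Items a newly created (or newly re-typed) user holds automatically."""
    return {item for item, cat in user_type.allowed.items()
            if cat in (Category.BIRTHRIGHT, Category.ASSIGNED)}


def create_user(name: str, user_type: UserType) -> User:
    return User(name, user_type, initial_access(user_type))


def grant(user: User, item: str) -> None:
    """Direct assignment: anything the user type does not list is refused."""
    if item not in user.user_type.allowed:
        raise AccessDenied(f"{item!r} is not allowed for user type {user.user_type.name!r}")
    user.access.add(item)


def revoke(user: User, item: str) -> None:
    """Birthright items are refused; Assigned and Assignable items are removed."""
    if user.user_type.allowed.get(item) is Category.BIRTHRIGHT:
        raise AccessDenied(f"{item!r} is birthright for {user.user_type.name!r}")
    user.access.discard(item)


def change_user_type(user: User, new_type: UserType) -> set:
    """Re-evaluate on a user type change: drop items the new type does not
    allow, then add the new type's Birthright and Assigned items. Keeping
    items that both types allow is an assumption of this example."""
    removed = {item for item in user.access if item not in new_type.allowed}
    user.access -= removed
    user.access |= initial_access(new_type)
    user.user_type = new_type
    return removed


# Sample user types, constructed for this example
EMPLOYEE = UserType("Employee", {
    "Email": Category.BIRTHRIGHT,
    "Entra ID": Category.BIRTHRIGHT,
    "Slack": Category.ASSIGNED,
    "GitHub": Category.ASSIGNABLE,
})
CONTRACTOR = UserType("Contractor", {
    "Entra ID": Category.BIRTHRIGHT,
    "Slack": Category.ASSIGNABLE,
})


def demo() -> dict:
    """Walk one user through creation, direct assignment and a type change."""
    out = {}
    u = create_user("jdoe", EMPLOYEE)
    out["initial"] = set(u.access)
    grant(u, "GitHub")                    # Assignable: allowed
    try:
        grant(u, "AWS Admin")             # not listed for Employee: refused
        out["denied_grant"] = False
    except AccessDenied:
        out["denied_grant"] = True
    try:
        revoke(u, "Email")                # Birthright: refused
        out["denied_revoke"] = False
    except AccessDenied:
        out["denied_revoke"] = True
    revoke(u, "Slack")                    # Assigned: may be removed
    out["before_change"] = set(u.access)
    out["removed_on_change"] = change_user_type(u, CONTRACTOR)
    out["after_change"] = set(u.access)
    return out
```

Running `demo()` shows the two refusals (a grant outside the user type, a revoke of a birthright item) and the re-evaluation on the change to Contractor, where Email and GitHub are dropped because the Contractor type does not list them.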

Ways Access is Granted

Users can obtain access in various ways based on the business processes and security requirements of their organization.

Birthright

Birthright access is the access that every user receives based on their user type. For example, if every Delinea employee gets an Entra ID (formerly Azure AD) account and a Slack account, those are birthright resources for the "Employee" user type.

Birthright access is granted when a user is created or updated, and it is re-evaluated if the user's user type is changed.

Direct Assignment

An administrator can assign access to a user directly; however, only access that the user's user type allows can be assigned.

Role Access by Dynamic Collections

Dynamic collections can automatically assign roles to users: the collection's role is assigned to every user who is a member of the collection. Dynamic collections are evaluated:

  • When a user is created

  • When a user is updated

  • On a schedule

  • When the collection definition is updated

  • When the user type is updated

To view or manage Dynamic Collections, navigate to the Collections page and select the Dynamic Collections tab.
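An added Python model of the dynamic-collection evaluation described above. It is not product code, and its names are assumptions: a collection is modelled as a rule over user attributes, and the same `evaluate` function serves every trigger (one user on create or update, all users on a schedule or when the definition changes). It also revokes the role when a user stops matching and no other collection still grants it; that is an assumption of the example, since the page only states that members are assigned the role.

```python
"""Dynamic-collection role assignment (added example, not product code).

Assumed model: a dynamic collection is a membership rule over user attributes
plus the role it grants. Re-evaluation adds the role to new members and drops
this collection as a source for users who no longer match; the role itself is
removed only when no collection still grants it. Names are made up.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class User:
    name: str
    attributes: dict
    roles: set = field(default_factory=set)
    granted_by: dict = field(default_factory=dict)  # role -> collection names


@dataclass
class DynamicCollection:
    name: str
    role: str
    rule: Callable[[dict], bool]


def attribute_rule(**required) -> Callable[[dict], bool]:
    """Membership rule: every listed attribute must equal the given value."""
    return lambda attrs: all(attrs.get(k) == v for k, v in required.items())


def evaluate(collection: DynamicCollection, users) -> tuple:
    """Reconcile one collection against the given users.

    Returns (added, removed): names of users who gained the role because they
    now match, and names of users who lost this collection as a source.
    """
    added, removed = [], []
    for u in users:
        sources = u.granted_by.setdefault(collection.role, set())
        member = collection.rule(u.attributes)
        if member and collection.name not in sources:
            sources.add(collection.name)
            u.roles.add(collection.role)
            added.append(u.name)
        elif not member and collection.name in sources:
            sources.discard(collection.name)
            if not sources:                 # no other collection grants it
                u.roles.discard(collection.role)
            removed.append(u.name)
    return added, removed


def on_user_changed(user: User, collections) -> dict:
    """Trigger for 'user created', 'user updated' and 'user type updated'."""
    return {c.name: evaluate(c, [user]) for c in collections}


def on_collection_changed(collection: DynamicCollection, users) -> tuple:
    """Trigger for 'collection definition updated' and the scheduled run."""
    return evaluate(collection, users)


def demo() -> dict:
    """Constructed users and collections walked through each trigger."""
    alice = User("alice", {"department": "Finance", "country": "US"})
    bob = User("bob", {"department": "Engineering", "country": "US"})
    carol = User("carol", {"department": "Finance", "country": "UK"})
    users = [alice, bob, carol]
    us_fin = DynamicCollection("us-finance", "Finance Reviewer",
                               attribute_rule(department="Finance", country="US"))
    uk_fin = DynamicCollection("uk-finance", "Finance Reviewer",
                               attribute_rule(department="Finance", country="UK"))
    cols = [us_fin, uk_fin]
    out = {}
    out["initial"] = {c.name: evaluate(c, users) for c in cols}   # scheduled run
    bob.attributes["department"] = "Finance"                       # user updated
    out["bob_update"] = on_user_changed(bob, cols)
    us_fin.rule = attribute_rule(department="Finance")             # definition updated
    out["definition_update"] = on_collection_changed(us_fin, users)
    carol.attributes["country"] = "US"                             # leaves uk-finance only
    out["carol_update"] = on_user_changed(carol, cols)
    alice.attributes["department"] = "Engineering"                 # leaves every source
    out["alice_update"] = on_user_changed(alice, cols)
    out["roles"] = {u.name: set(u.roles) for u in users}
    return out
```

Tracking which collection granted a role (`granted_by`) is what makes revocation safe: when carol stops matching uk-finance she keeps Finance Reviewer because the widened us-finance collection still grants it, whereas alice loses it as soon as her last source is gone.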

Working with User Types

Creating and configuring user types is the first step in setting up identity lifecycle management (ILM) and identity governance and administration (IGA). To create, update, or delete a user type, navigate to the Access page and select the User Types tab.

To create a user type, select Create and fill out all required fields, plus any optional ones you need. The table below summarizes each field, whether it is required, its data type, and any notes.

Field: Name
  Required / Optional: Required
  Data Type: Unique; Text

Field: Description
  Required / Optional: Required
  Data Type: Text

Field: Enable Email Notification
  Required / Optional: Optional
  Data Type: Boolean
  Note: Determines whether an email notification will be sent.

Field: Notify Email Address
  Required / Optional: Required if Enable Email Notification is true
  Data Type: Text
  Note: Email address to notify.

Field: Enable Termination Notification
  Required / Optional: Optional
  Data Type: Boolean
  Note: Determines whether a termination notification is sent.

Field: Days Before Termination To Notify
  Required / Optional: Minimum of one value required if Enable Termination Notification is true
  Data Type: Number
  Note: The number of days before termination at which to start the user termination notification workflow.

Field: Default Credential Policy
  Required / Optional: Required
  Data Type: Selection
  Note: The default credential policy for this user type.

Field: Default Duration
  Required / Optional: Optional
  Data Type: Number
  Note: The default duration, in days.
    • 0 (zero) indicates unlimited.
    • When both Default Duration and Maximum Duration are set to zero, this user type does not require an end date or duration to be specified.

Field: Maximum Duration
  Required / Optional: Optional
  Data Type: Number
  Note: The maximum duration allowed, in days.
    • 0 (zero) indicates unlimited.
    • When both Default Duration and Maximum Duration are set to zero, this user type does not require an end date or duration to be specified.

Field: Allowed Resources
  Required / Optional: Optional
  Data Type: Multi-Selection
  Note: A list of resources this user type can potentially have. Each resource is identified as one of:
    • Birthright: All users of this type are assigned the resource, and it cannot be removed.
    • Default Granted: All users of this type are assigned the resource by default, but it can be removed.
    • Default Not Granted: Users of this type are not assigned the resource by default, but it can be added.

Field: Allowed Roles
  Required / Optional: Optional
  Data Type: Multi-Selection
  Note: A list of roles this user type can potentially have. Each role is identified as one of:
    • Birthright: All users of this type are assigned the role, and it cannot be removed.
    • Default Granted: All users of this type are assigned the role by default, but it can be removed.
    • Default Not Granted: Users of this type are not assigned the role by default, but it can be added.
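An added Python example that encodes the conditional requirements in the field table (notify address needed only when email notification is enabled, at least one notification day when termination notification is enabled) and the duration semantics (0 means unlimited; both zero means no end date or duration is required). It is not product code: the snake_case field names follow the table's labels but are assumptions, Days Before Termination To Notify is modelled as a list of integers, and the rule that an explicit end date or duration is required when Default Duration is zero but Maximum Duration is not is an inference from the table, not something the page states.

```python
"""Validation and duration resolution for a user type definition
(added example, not product code). Field names are assumed from the table.
"""
from datetime import date, timedelta

REQUIRED_FIELDS = ("name", "description", "default_credential_policy")


def validate_user_type(ut: dict) -> list:
    """Return a list of problems; an empty list means the definition is valid."""
    errors = [f"{f} is required" for f in REQUIRED_FIELDS if not ut.get(f)]
    if ut.get("enable_email_notification") and not ut.get("notify_email_address"):
        errors.append("notify_email_address is required when enable_email_notification is true")
    if ut.get("enable_termination_notification"):
        days = ut.get("days_before_termination_to_notify") or []
        if not days or any(d < 1 for d in days):
            errors.append("days_before_termination_to_notify needs at least one positive "
                          "value when enable_termination_notification is true")
    default = ut.get("default_duration", 0)
    maximum = ut.get("maximum_duration", 0)
    if default < 0 or maximum < 0:
        errors.append("durations cannot be negative (0 means unlimited)")
    elif maximum and default > maximum:
        errors.append("default_duration exceeds maximum_duration")
    return errors


def resolve_end_date(ut: dict, start: date, requested_days=None):
    """Apply the user type's duration rules to a new grant.

    Returns the end date, or None for open-ended access. Raises ValueError
    when a duration is required but missing, or exceeds the maximum.
    """
    default = ut.get("default_duration", 0)
    maximum = ut.get("maximum_duration", 0)
    if requested_days is None:
        if default == 0 and maximum == 0:
            return None                    # neither end date nor duration required
        if default == 0:
            # Assumption: with no usable default and a finite maximum,
            # the requester must state an end date or duration.
            raise ValueError("an end date or duration must be specified")
        requested_days = default
    if maximum and (requested_days == 0 or requested_days > maximum):
        raise ValueError(f"duration exceeds the maximum of {maximum} days")
    return None if requested_days == 0 else start + timedelta(days=requested_days)


# Sample definitions, constructed for this example
CONTRACTOR = {
    "name": "Contractor",
    "description": "External staff on a fixed engagement",
    "default_credential_policy": "standard",
    "enable_termination_notification": True,
    "days_before_termination_to_notify": [14, 3],
    "default_duration": 90,
    "maximum_duration": 365,
}
EMPLOYEE = {
    "name": "Full-Time Employee",
    "description": "Permanent staff",
    "default_credential_policy": "standard",
    "default_duration": 0,
    "maximum_duration": 0,
}
INCOMPLETE = {
    "name": "Temp",
    "enable_email_notification": True,
    "default_duration": 400,
    "maximum_duration": 365,
}
SAMPLE_START = date(2024, 1, 1)


def contractor_default_end() -> str:
    """End date for a contractor grant with no duration given (uses the default)."""
    return resolve_end_date(CONTRACTOR, SAMPLE_START).isoformat()


def over_maximum_rejected(days: int) -> bool:
    """True if a contractor request for the given number of days is refused."""
    try:
        resolve_end_date(CONTRACTOR, SAMPLE_START, days)
        return False
    except ValueError:
        return True
```

`validate_user_type(INCOMPLETE)` reports four problems (missing description and credential policy, a missing notify address, and a default longer than the maximum), while `resolve_end_date(EMPLOYEE, SAMPLE_START)` returns None because both durations are zero.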