Internal entitlements

Administrator

Administrators are typically the identities who know the internals of the system. They have to configure the entitlements, target systems and organisations.

They are also responsible for configuring the multiple schedulers that steer important processes, such as notifications, birthrights, entitlement expiration and bulk uploads.

Tuning the internal system and troubleshooting problems is what they do.

In terms of security and governance, these are the most vulnerable profiles because of their extended privileges.

Close monitoring of these roles is required; see also the topic [conflicting_entitlements].

Organisation administrator

Organisation administrators (or sub-organisation administrators, if the organisation hierarchy is nested) are responsible for managing the relationship between identities and the organisation they are responsible for.

Identities tend to move within organisations: people come and go, change department, start a holiday job, and so on.

The only person(s) who can decide whether an identity is still working for an organisation is the organisation administrator.

If the system has a setup for workflows and approvals, this role would typically approve the creation and update of the organisation assignment.

Entitlement administrator

These administrators have the power to manage one or more specific entitlements in the system. This role is focused more on external entitlements.

For example: an HR department within a large organisation has created a web application to upload salary data. One person at HR can give or approve the entitlement to other identities.

The introduction of a temporal constraint on the relationship between the identity and the organisation (organisation assignment) and on the entitlement assignment is an important tool for the administrator. It increases governance and security by forcing organisation administrators to actively extend rights and permissions.
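
The temporal constraint described above can be checked mechanically. The following is an added example, not code from the product this page documents: the `Assignment` record, the status names and the rule that an entitlement only counts while the matching organisation assignment is active are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    """Hypothetical record: identity -> organisation, or identity -> entitlement."""
    identity: str
    organisation: str
    valid_from: date
    valid_until: Optional[date]          # None = no temporal constraint
    entitlement: Optional[str] = None    # None for an organisation assignment

    def active(self, on: date) -> bool:
        return self.valid_from <= on and (self.valid_until is None or on <= self.valid_until)


def review(assignments, today, warn_days=14):
    """Return {(identity, entitlement): status} for every entitlement assignment."""
    orgs = [a for a in assignments if a.entitlement is None]
    result = {}
    for e in (a for a in assignments if a.entitlement is not None):
        in_org = any(o.identity == e.identity and o.organisation == e.organisation
                     and o.active(today) for o in orgs)
        if not e.active(today):
            status = "inactive"          # outside its own validity window
        elif not in_org:
            status = "orphaned"          # outlived the organisation assignment
        elif e.valid_until is None:
            status = "unbounded"         # nobody is ever forced to re-confirm it
        elif e.valid_until - today <= timedelta(days=warn_days):
            status = "extend-or-lose"    # administrator must extend it soon
        else:
            status = "ok"
        result[(e.identity, e.entitlement)] = status
    return result


# Constructed sample data, not taken from any real system.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Assignment("alice", "HR", date(2024, 1, 1), date(2024, 12, 31)),
    Assignment("bob", "HR", date(2023, 1, 1), date(2024, 5, 15)),   # left HR
    Assignment("alice", "HR", date(2024, 1, 1), date(2024, 6, 10), "salary-upload"),
    Assignment("bob", "HR", date(2023, 1, 1), date(2024, 9, 30), "salary-upload"),
    Assignment("carol", "HR", date(2024, 1, 1), None),
    Assignment("carol", "HR", date(2024, 1, 1), None, "salary-upload"),
]
```

Calling `review(SAMPLE, TODAY)` separates the assignment that needs an extension from the two governance findings: an entitlement that survived its holder leaving the organisation, and one with no end date at all.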
