- A requester -- be it the user himself in a self-service request
or the user's manager -- may not know exactly what roles, groups
or attributes are needed to grant a recipient some required privileges.
- However, requesters often know someone else who already has the required
privileges. A model-after user interface allows a requester to compare
the profile attributes and entitlements of the recipient with a model
user and request just those items whose descriptions appear relevant
to the task at hand.
- A requester can assign a subset of a model user's rights to a recipient.
- Access controls limit what recipients and model user a given requester can access.
- Requests formulated in this way are user friendly -- the requester already
knows who has the required entitlements, just not what they are called.
- Selecting just key entitlements eliminates the problem of propagating
rights from one over-provisioned user to another.