• A requester -- be it the user himself in a self-service request or the user's manager -- may not know exactly what roles, groups or attributes are needed to grant a recipient some required privileges.
• However, requesters often know someone else who already has the required privileges. A model-after user interface allows a requester to compare the profile attributes and entitlements of the recipient with a model user and request just those items whose descriptions appear relevant to the task at hand.
Key concepts:
• A requester can assign a subset of a model user's rights to a recipient.
• Access controls limit what recipients and model user a given requester can access.
• Requests formulated in this way are user friendly -- the requester already knows who has the required entitlements, just not what they are called.
• Selecting just key entitlements eliminates the problem of propagating rights from one over-provisioned user to another.
See more at: