...

  • Account: see David’s contribution. Accounts can be split into personal and non-personal accounts.
    Non-personal accounts can be further divided into service accounts (machine to machine), robot accounts, test accounts, etc.

  • Personal accounts can be regular or special accounts (such as admin accounts).

  • We also see the following objects that need ownership:
    1. Relations between objects (e.g. the relation between an account and a role)
    2. Roles
    3. Target systems (that can be provisioned)
    4. Permissions / entitlements (in the target system and in the IAM system). In some target systems, permissions are already combined into a technical role. Permissions can be sensitive if, for example, they give access to sensitive information; this may lead to a higher frequency of recertification.
    The owner of the permissions should, in cooperation with a business manager, be able to identify sensitive or critical permissions. They should also be able to identify which permissions should never be allowed to be given to a single account.
    5. Organization (if you are using RBAC and automatic role assignment based on the organizational unit)
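As an added example (not part of the original page or any referenced contribution), the following Python sketch models the objects listed above with an explicit owner on each, resolves account → role → permission relations, derives a recertification interval from permission sensitivity, and flags permission combinations that should never be held by a single account. All system names, people, permissions, intervals and the toxic-combination rule are constructed assumptions for illustration.

```python
"""Added example: ownership-aware IAM object model with two governance checks.
All names, intervals and sample data are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    name: str
    target_system: str
    owner: str              # every permission needs an owner
    sensitive: bool = False  # sensitive permissions get recertified more often


@dataclass
class Role:
    name: str
    owner: str
    permissions: frozenset  # permission names bundled in this role


@dataclass
class Account:
    name: str
    kind: str   # "personal" | "admin" | "service" | "robot" | "test"
    owner: str
    roles: list = field(default_factory=list)  # relations account -> role


# Constructed sample data (hypothetical target systems and owners)
PERMISSIONS = {p.name: p for p in [
    Permission("hr.read_salaries", "HRIS", "hr-app-owner", sensitive=True),
    Permission("fin.create_vendor", "ERP", "erp-owner"),
    Permission("fin.approve_payment", "ERP", "erp-owner", sensitive=True),
    Permission("wiki.read", "Wiki", "wiki-owner"),
]}
ROLES = {r.name: r for r in [
    Role("hr-analyst", "hr-mgr", frozenset({"hr.read_salaries", "wiki.read"})),
    Role("ap-clerk", "fin-mgr", frozenset({"fin.create_vendor", "wiki.read"})),
    Role("ap-approver", "fin-mgr", frozenset({"fin.approve_payment"})),
]}

# Assumed separation-of-duties rule: these must never sit on one account
TOXIC_COMBINATIONS = [frozenset({"fin.create_vendor", "fin.approve_payment"})]

# Assumed policy: sensitive permissions quarterly, others yearly
RECERT_DAYS = {True: 90, False: 365}


def effective_permissions(acct: Account) -> set:
    """Resolve the account's roles into the set of permission names it holds."""
    perms = set()
    for role_name in acct.roles:
        perms |= ROLES[role_name].permissions
    return perms


def recert_interval_days(acct: Account) -> int:
    """Strictest (shortest) interval across the account's permissions."""
    perms = effective_permissions(acct)
    if not perms:
        return RECERT_DAYS[False]
    return min(RECERT_DAYS[PERMISSIONS[p].sensitive] for p in perms)


def sod_violations(acct: Account) -> list:
    """Toxic combinations fully contained in the account's permissions."""
    perms = effective_permissions(acct)
    return [combo for combo in TOXIC_COMBINATIONS if combo <= perms]


def missing_owners(*objects) -> list:
    """Names of accounts, roles or permissions that lack an owner."""
    return [o.name for o in objects if not o.owner]


if __name__ == "__main__":
    clerk = Account("jdoe", "personal", "line-mgr", ["ap-clerk", "ap-approver"])
    print("recert every", recert_interval_days(clerk), "days")
    print("SoD violations:", [sorted(c) for c in sod_violations(clerk)])
    print("unowned:", missing_owners(*PERMISSIONS.values(), *ROLES.values(), clerk))
```

The recertification interval is taken as the minimum over all effective permissions, so a single sensitive permission reached through any role tightens the whole account's cycle; the SoD check works on effective permissions rather than role names, so a toxic pair split across two roles is still caught.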

...