
Identity Manager 8.1.4 - Business Roles Administration Guide


Inheritance exclusion: Specifying conflicting roles

You can define conflicting roles to prevent employees, devices, or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through these roles. To do this, you specify which business roles are mutually exclusive. These roles may then not be assigned to one and the same employee (device, workdesk).

NOTE: Only roles that are defined directly as conflicting roles cannot be assigned to the same employee (device, workdesk). Definitions made on parent or child roles do not affect the assignment.
Example

The business role B has been entered as a conflicting role in business role A. Jenna Miller and Hans Peter are members of business role A. Louise Lotte is a member of business role B. Hans Peter cannot be assigned to business role B. Apart from that, One Identity Manager also prevents Jenna Miller from being assigned to business role B and Louise Lotte from being assigned to business role A.

Figure 12: Members in conflicting roles

To configure inheritance exclusion

  • In the Designer, set the QER | Structures | ExcludeStructures configuration parameter and compile the database.
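As an added illustration, not code from One Identity Manager or from this guide, the following Python model applies the two rules described above to the members from Figure 12: an exclusion entered on one role is enforced in both directions, and only directly defined exclusions count, so an exclusion on a parent role does not restrict assignments to its child roles. The role hierarchy (A1 as a child of A), the audit function, and all sample data are constructed assumptions.

```python
# Constructed sample data modelled on Figure 12 (not the product's data model).
# Business role A lists B as a conflicting role; B carries no entry of its own.
CONFLICTS = {
    "A": {"B"},
}

# Constructed hierarchy: child role -> parent role. A1 is a child of A and is
# used only to show that an exclusion defined on A does not apply to A1.
PARENT = {"A1": "A"}

MEMBERSHIPS = {
    "Jenna Miller": {"A"},
    "Hans Peter": {"A"},
    "Louise Lotte": {"B"},
}


def conflicts_with(role_x, role_y):
    """An exclusion entered on either role is enforced in both directions."""
    return (role_y in CONFLICTS.get(role_x, set())
            or role_x in CONFLICTS.get(role_y, set()))


def can_assign(employee, role, memberships=MEMBERSHIPS):
    """Return (allowed, blocking_role) for a proposed role assignment.

    Only direct exclusions are checked. The hierarchy in PARENT is deliberately
    not walked: a conflict defined on a parent or child role has no effect.
    """
    for held in sorted(memberships.get(employee, set())):
        if conflicts_with(held, role):
            return False, held
    return True, None


def find_violations(memberships):
    """Audit helper: list employees who already hold two conflicting roles,
    e.g. because the exclusion was defined after the memberships existed."""
    violations = []
    for employee, roles in sorted(memberships.items()):
        held = sorted(roles)
        for i, r1 in enumerate(held):
            for r2 in held[i + 1:]:
                if conflicts_with(r1, r2):
                    violations.append((employee, r1, r2))
    return violations
```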

Basic data for structuring business roles

The following basic information is relevant for building up hierarchical roles in One Identity Manager.

  • Configuration parameter

    Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.

    Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. In the Designer, you can find an overview of all configuration parameters in the Base data | General | Configuration parameters category.

  • Role classes

    Role classes form the basis of mapping hierarchical roles in One Identity Manager. Role classes are used to group similar roles together.

  • Role types

    Create role types in order to classify roles. Role types can be used to map roles in the user interface, for example.

  • Functional areas

    To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to roles. You can enter criteria that provide information about risks from rule violations for functional areas and roles.

  • Attestors

    In One Identity Manager, you can assign business roles to employees who can be brought in as attestors in attestation cases, provided that the approval workflow is set up accordingly. To do this, assign the business roles to application roles for attestors. A default application role for attestors is available in One Identity Manager. Assign employees that are authorized to attest permissions, requests, or other data stored in One Identity Manager to this application role. You may create other application roles as required. For detailed information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

  • Approvers and Approvers (IT)

    In One Identity Manager, you can assign business roles to employees who can be brought in as approvers in approval processes for IT Shop requests, provided that the approval workflow is set up accordingly. To do this, assign the business roles to application roles for approvers. Default application roles for approvers and approvers (IT) are available in One Identity Manager. Assign employees that are authorized to approve requests in the IT Shop to this application role. You may create other application roles as required. For detailed information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.


Role classes

Business roles are grouped by role class in the navigation view. Each business role is assigned to exactly one role class. You must define suitable role classes before you can add business roles.

To edit role classes

  1. Select the Business roles | Basic configuration data | Role classes category.
  2. Select a role class in the result list. Select the Change master data task.

    - OR -

    Click in the result list.

  3. Edit the role class's master data.
  4. Save the changes.

Enter the following master data for a role class.

Table 6: Role class properties

  • Role class

    Role class description. The role class is displayed under this name in the navigation view.

  • Attestors

    Application role whose members are authorized to approve attestation instances for all roles in this role class.

    To create a new application role, click . Enter the application role name and assign a parent application role.

    NOTE: This property is available if the Attestation Module is installed.

  • Description

    Text field for additional explanation.

  • Inherited top-down

    Specifies that the direction of inheritance is top-down.

  • Inherited bottom-up

    Specifies that the direction of inheritance is bottom-up.

  • Delegable

    Specifies whether memberships in roles of this role class can be delegated.

  • Assignments allowed

    Specifies whether assignments of the respective object types to roles of this role class are allowed in general.

  • Direct assignments allowed

    Specifies whether the respective object types can be assigned directly to roles of this role class.


Role types

Create role types in order to classify roles. Role types can be used to map roles in the user interface, for example.

To edit role types

  1. Select the Business roles | Basic configuration data | Role types category.
  2. Select the role type in the result list. Select the Change master data task.

    - OR -

    Click in the result list.

  3. Edit the role type's master data.
  4. Save the changes.

Enter the following master data for a role type:

Table 7: Role type properties
  • Role type

    Role type description.

  • Description

    Text field for additional explanation.