Identity Manager 8.1 - Business Roles Administration Guide


Discontinuing Inheritance

There are particular cases where you may not want inheritance to extend over several hierarchical levels. For this reason, inheritance can be discontinued within a hierarchy. The point at which inheritance is discontinued is specified by the Block inheritance option. The effects of this depend on the chosen direction of inheritance.

  • In top-down inheritance, a role marked with Block inheritance does not inherit any assignments from parent levels. It can, however, pass on its own directly assigned company resources to lower level structures.
  • In bottom-up inheritance, the role labeled with the option "Block inheritance" inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.

The Block inheritance option does not have any effect on the calculation of the manager responsible.

Example for Discontinuing Inheritance Top-Down

If the Block inheritance option is set for the department "Sales" in the top-down example, sales employees are assigned address administration, and employees in the retail department are assigned address administration and internet software, but neither group is assigned mail or text editing applications. Applications in the department "Overall organization" are not assigned to retail and dealers.

Figure 3: Discontinuing Inheritance Top-Down

Example for Discontinuing Inheritance Bottom-Up

An employee from the project group "Programming" receives applications from the project group as well as those from the project groups underneath, in this case the development environment, assembler tool and the prototyping tool. If the project group "Programming" is labeled with the Block inheritance option, it no longer passes its assignments on. As a result, only the CASE tool is assigned to employees in the project group "Project lead" along with the application project management. Applications from the project groups "Programming", "System programming" and "Interface design" are not distributed to the project lead.

Figure 4: Discontinuing Inheritance Bottom-Up
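
The two examples above can be checked with a small model of the inheritance calculation. This is an added illustration, not One Identity Manager code: the function and variable names are hypothetical, and because the figures are not reproduced here, the placement of "Dealers" under "Sales", the mapping of each tool to a project group, and the placeholder group that holds the CASE tool are assumptions.

```python
# Added illustration: simplified model of role inheritance with Block inheritance.
# Hierarchies are constructed from the text above; they are not product data.

def effective(role, parent, direct, blocked, direction):
    """Return the set of company resources a member of `role` receives."""
    children = {}
    for child, par in parent.items():
        children.setdefault(par, []).append(child)
    result = set(direct.get(role, ()))
    if direction == "top-down":
        # Walk towards the root; a blocked role takes nothing from above it.
        node = role
        while node not in blocked and parent.get(node) is not None:
            node = parent[node]
            result |= set(direct.get(node, ()))
    elif direction == "bottom-up":
        # Collect from lower levels; a blocked role passes nothing further up,
        # so its whole subtree is hidden from the roles above it.
        stack = [c for c in children.get(role, []) if c not in blocked]
        while stack:
            node = stack.pop()
            result |= set(direct.get(node, ()))
            stack += [c for c in children.get(node, []) if c not in blocked]
    else:
        raise ValueError("direction must be 'top-down' or 'bottom-up'")
    return result

# Top-down example (child -> parent); "Dealers" under "Sales" is assumed.
TD_PARENT = {"Sales": "Overall organization", "Retail": "Sales", "Dealers": "Sales"}
TD_DIRECT = {"Overall organization": {"mail", "text editing"},
             "Sales": {"address administration"},
             "Retail": {"internet software"}}

# Bottom-up example; tool-to-group mapping and the placeholder group are assumed.
BU_PARENT = {"Programming": "Project lead", "Other group (placeholder)": "Project lead",
             "System programming": "Programming", "Interface design": "Programming"}
BU_DIRECT = {"Project lead": {"project management"},
             "Other group (placeholder)": {"CASE tool"},
             "Programming": {"development environment"},
             "System programming": {"assembler tool"},
             "Interface design": {"prototyping tool"}}

if __name__ == "__main__":
    for role in ("Sales", "Retail"):
        print(role, sorted(effective(role, TD_PARENT, TD_DIRECT, {"Sales"}, "top-down")))
    for role in ("Programming", "Project lead"):
        print(role, sorted(effective(role, BU_PARENT, BU_DIRECT, {"Programming"}, "bottom-up")))
```

Running the same calls with an empty blocked set shows the full inherited entitlement set, which is useful when reviewing how much access a single Block inheritance flag removes.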

Basics for Assigning Company Resources

You can assign company resources to employees, devices, and workdesks in One Identity Manager. You can use different assignment types to assign company resources.

Assignment types are:

Direct Assignment

Direct assignment of company resources means assigning a company resource directly to, for example, an employee, device, or workdesk. Direct assignment of company resources makes it easier to react to special requirements.

Figure 5: Schema of a direct assignment based on the example of an employee

Indirect Assignment

In the case of indirect assignment of company resources, employees, devices and workdesks are arranged in departments, cost centers, locations, business roles or application roles. The total of assigned company resources for an employee, device or workdesk is calculated from the position within the hierarchies, the direction of inheritance (top-down or bottom-up) and the company resources assigned to these roles. Indirect assignment methods distinguish between primary and secondary assignment.

Figure 6: Schema of an indirect assignment based on the employee example

