Objects assigned through inheritance are calculated by the DBQueue Processor. Tasks are added to the DBQueue when assignments relevant to inheritance are made. These tasks are processed by the DBQueue Processor and result in follow-on tasks for the DBQueue or in processes for process component "HandleObjectComponent" in the Job queue. Resulting assignments of permissions to user accounts in the target system are inserted, modified or deleted during process handling.
Figure 10: Overview of Inheritance Calculation
Employees, devices and workdesks can only be members in roles that are extensions of the BaseTree table. These role are display in views, each of which represents a certain of the table BaseTree.
Graphical representation of business roles
|NOTE: Because the views are subsets of the table BaseTree, all the inheritance mechanisms described below also apply to the views.|
Inheritance comes from the table BaseTree. The BaseTree table can map any number of hierarchical role structures using the UID_Org - UID_ParentOrg relationship. These are stored in the table BaseTreeCollection. All the roles inherited from the given role are listed and, depending on their subset of the table BaseTree there is a corresponding, so-called *Collection table containing a subset of the role hierarchy.
The following relations apply in the table BaseTreeCollection:
This principle also applies to bottom-up trees that pass inheritance from bottom to top, even if the parent relationship from the BaseTree table appears to be reversed.
Each role inherits from itself.
Each role in a role hierarchy must be related to the table OrgRoot ("Role classes"). OrgRoot is the anchor for role hierarchies. A role hierarchy is always mapped for one role class only. Roles from different role classes may not be in one and the same role hierarchical or point to each other through a parent-child relationship.
Figure 11: Visual of a Hierarchical Role Structure based on an OrgCollection
A role inherits everything that is assigned to its parents in the role hierarchy including those it assigned to itself. If the number of roles from which the role has inherited something changes, the assigned objects are recalculated for all members of this role. If the number of assigned objects of one class changes, the objects assigned in this class are recalculated for all members of the role. If an application is assigned to a parent application, the members of the table BaseTreeHasApp are recalculated.
The members of a role inherit all assignments that belong to them according to the BaseTree and also previous structures according to BaseTreeCollection through primary and secondary role structures.
When inheritance is calculated, an entry is made for each assignment in the corresponding assignment table. Each table, in which assignments are mapped, has a column XOrigin. The origin of an assignment is stored in this column as a bit field. Each time an entry is made in the assignment table, the bit position is changed according to the assignment type. Each assignment type changes only its allocated bit position.
XIsInEffect shows whether an assignment is in effect. For example, if an employee is disabled, marked for deletion, or classified as a security risk, inheritance of company resources can be prohibited for this employee. The group assignment is maintained but the assignment has no effect.
DBQueue Processor monitors changes to the XOrigin column. The column XIsInEffect is recalculated when changes are made to the value in XOrigin.
|Value in XOrigin||Meaning|
|0||0||0||1||1||Only directly assigned.|
|0||0||1||0||2||Only indirectly assigned.|
|0||0||1||1||3||Directly and indirectly assigned.|
|0||1||0||0||4||Assigned through dynamic roles.|
|0||1||0||1||5||Assigned directly and through dynamic roles.|
|0||1||1||0||6||Assigned indirectly and through dynamic roles.|
|0||1||1||1||7||Assigned directly, indirectly and through dynamic roles.|
|1||0||0||1||9||Assignment request and direct assignment.|
|1||0||1||0||10||Assignment request and indirect assignment.|
|1||0||1||1||11||Assignment request, direct and indirect assignment.|
|1||1||0||0||12||Assignment request and through dynamic roles.|
|1||1||0||1||13||Assignment request, directly and through dynamic roles.|
|1||1||1||0||14||Assignment request, indirectly and through dynamic roles.|
|1||1||1||1||15||Assignment request, directly, indirectly and through dynamic roles.|
You should check the following settings and make adjustments as required:
You can specify whether inheritance of company resources can be limited for single employees, devices or workdesks.
You can prevent employees, devices or workdesks being added to roles which contain mutually excluding company resources by specifying "conflicting roles".
© 2020 One Identity LLC. ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz