Chat now with support
Chat mit Support

Identity Manager 8.1 - System Roles Administration Guide

Details of system role inheritance

System roles can be assigned to employees and workdesks in the following ways:

  • Direct assignment
  • IT Shop Request
  • Inheritance through hierarchical roles
  • Inheritance through dynamic roles

System role assignments are mapped in the ESetHasEntitlement table. Assignment of system roles to hierarchical roles are mapped in the BaseTreeHasESet table.

Employees can directly obtain system roles. Employees continue to inherit all (including inherited) the system roles belonging to all hierarchical roles of which they are members (table PersonInBasetree) as well as system roles of all hierarchical roles that are referenced through foreign key relations (table Person, column UID_BaseTree). Direct and indirect assignments of system roles to employees are mapped in the PersonHasESet table. This behavior applies in the same way for assignments of system roles to workdesks.

An employee (workdesk, hierarchical role) inherits everything that is assigned to the assigned system role. Child system roles are resolved in this case. Prerequisite is that each company resource can really be inherited.

  • The employee must own a user account in this target system in order to inherit a target system entitlement.

For more detailed information about editing role classes, see the One Identity Manager Identity Management Base Module Administration Guide and the One Identity Manager Business Roles Administration Guide.

Detailed information about this topic

Effectiveness of system roles

By assigning system roles to employees, workdesks or hierarchical roles, an employee may obtain company resources, which should not be assigned in this combination. To prevent this, you can declare mutually exclusive system roles. To do this you specify which system role of a pair of system roles, should be take effect if both are assigned. No company resources are inherited by the system role which is not effective.

  • The "QER\Structures\Inherite\ESetExclusion" configuration parameter is enabled.

It is possible, to assign employees, workdesks and company resources directly, indirectly or by IT Shop request to an excluded system role. This can be done at any time. One Identity Manager subsequently determines whether the assignment takes effect and the company resources are inherited.


  • You cannot define a pair of mutually exclusive system roles. That means, the definition "System role A excludes System role B" AND "System role B excludes System role A" is not permitted.

  • You must declare each system role to be excluded from a system role separately. Exclusion definitions cannot be inherited.

The effect of the assignments is mapped in the tables PersonHasESet, BaseTreeHasESet, and WorkdeskHasESet through the column XIsInEffect.

NOTE: If a company resource assigned to an excluded system role, is assigned directly or indirectly to an employee, or workdesk, the exclusion definition does not affect this company resource. The exclusion definition only applies to the system roles.

Example for the effectiveness of system roles
  • The system role "Marketing" contains all the applications and permissions for triggering requests.

  • The system role "Finance" contains all the applications and permissions for instructing payments.

  • The system role "Controlling" contains all the applications and permissions for verifying invoices.


Clara Harris directly assigns the system role "Marketing". She obtains the system role "Finance" and the system role "Controlling" through an IT Shop request. Clara Harris obtains all the system roles without an exclusion definition and therefore the associated permissions.

By using suitable controls, you want to prevent an employee from being able to trigger a request and also pay invoices. That means, the system roles "Finance" and "Marketing" are mutually exclusive. An employee that checks invoices may not be able to make invoice payments as well. That means, the system roles "Finance" and "Controlling" are mutually exclusive.

Table 2: Specifying mutually exclusive system roles (table ESetExcludesESet)
Effective business role Excluded System Role
Finance Marketing
Controlling Finance
Table 3: Effective Assignments
Employee Assigned system role Effective business role
Ben King Marketing Marketing
Jan Bloggs Marketing, finance Finance
Clara Harris Marketing, finance, controlling Controlling
Jenny Basset Marketing, Controlling Marketing, Controlling

Only the system role "Controlling" is in effect for Clara Harris. If the system role "Controlling" is removed from Clara, the "Finance" system role assignment is reinstated.

Jenny Basset retains the system roles "Marketing" and "Controlling" because there is no exclusion defined between the two system roles. That means that the employee is authorized to trigger request and to check invoices. If you want to prevent that as well, define further exclusion for the system role "Controlling".

Table 4: Excluded system roles and effective assignments
Employee Assigned system role Excluded System Role (UID_ESetExcluded) Effective business role

Jenny Basset









Detailed information about this topic
Related Topics

Disabled system roles

System roles can be disabled to temporarily to prevent, for example, employees and workdesks from inheriting their company resources. If a system role is disabled, the DBQueue Processor recalculates inheritance of its company resources. Existing assignments to employees and workdesks are removed. The disabled system role remains assigned, however, the assignment no longer has any effect (PersonHasEntitlement.XIsInEffect = 0). Once the system role is re-enabled, company resource inheritance is recalculated again. The company resources contained in the system role are assigned to employees and workdesks.

You cannot request a disabled system role in the Web Portal but you can assign it directly to employees, workdesks, hierarchical roles, dynamic roles, and IT Shop shelves.

Related Topics

System Role Types

System role types identify the type of company resources that the system role is used to grouped together. You can, for example, define system role types for system roles in which you group different target system groups.

To edit a system role type

  1. Select Entitlements | Basic configuration data | System role types.

  2. Select a system role type in the result list. Select Change master data.

    - OR -

    Click in the result list toolbar.

  3. Enter a name and description for the system role type.

  4. Save the changes.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen