
Identity Manager 8.1 - System Roles Administration Guide

Example of a system role hierarchy

The following tables show how assignments to system roles and the system role hierarchy are mapped in the One Identity Manager database.

Table 8: System roles: assignments (table ESetHasEntitlement)

| System role (UID_ESet) | Assignment System Role (Entitlement) | Origin (XOrigin) |
| --- | --- | --- |
| System role A | System role A1 | 1 |
| System role A | System role A2 | 1 |
| System role A | System role A11 | 2 |
| System role A | System role A12 | 2 |
| System role A1 | System role A11 | 1 |
| System role A1 | System role A12 | 1 |
| System role A1 | System entitlement | 1 |
| System role A2 | Application | 1 |
| System role A11 | Active Directory group | 1 |
| System role A12 | SAP role | 1 |
| System role B | Resource | 1 |

Table 9: System role hierarchy (table ESetCollection)

| System role (UID_ESet) | Child System Role (UID_ESetChild) |
| --- | --- |
| System role A | System role A |
| System role A | System role A1 |
| System role A | System role A2 |
| System role A | System role A11 |
| System role A | System role A12 |
| System role A1 | System role A1 |
| System role A1 | System role A11 |
| System role A1 | System role A12 |
| System role A11 | System role A11 |
| System role A12 | System role A12 |
| System role A2 | System role A2 |
| System role B | System role B |

Example of inheritance routes

Figure 2: Inheriting an Active Directory Group through a Directly Assigned System Role

Figure 3: Inheriting an Application through an IT Shop Request

Figure 4: Inheriting a Resource through an Indirectly Assigned System Role

Effect of exclusion definitions

The following images show how an exclusion definition between system roles affects the way inheritance is calculated. Excluded system roles can still be assigned to employees; the column XIsInEffect defines whether such an assignment is in effect. Assigning an excluded system role produces an entry with XIsInEffect = 0 if the other system role from the exclusion definition is assigned at the same time.

Table 10: Excluded system roles (table ESetExcludesESet)

| System role (UID_ESet) | Excluded System Role (UID_ESetExcluded) |
| --- | --- |
| System role A12 | System role A11 |
| System role B | System role B1 |
| System role B | System role A2 |

Table 11: System roles: inheritance (table ESetHasEntitlement)

| System role (UID_ESet) | Assignment System Role (Entitlement) | Assignment Applies (XIsInEffect) |
| --- | --- | --- |
| System role A | System role A1 | 1 |
| System role A | System role A2 | 1 |
| System role A | System role A11 | 0 |
| System role A | System role A12 | 1 |
| System role A1 | System role A11 | 0 |
| System role A1 | System role A12 | 1 |
| System role A2 | Application | 1 |
| System role A11 | Active Directory group | 1 |
| System role A12 | SAP role | 1 |
| System role B | Resource R1 | 1 |
| System role B1 | Resource R2 | 1 |
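As an added example that is not part of the guide, the following Python models Tables 8 to 11: it derives ESetCollection as the reflexive, transitive closure of the system-role assignments, marks rows reached only through the hierarchy with XOrigin = 2, and sets XIsInEffect = 0 on an excluded system role wherever the excluding role is assigned to the same parent. Role names are abbreviated (A, A1, ...), B1 is added to the set of system roles so the exclusions from Table 10 can be expressed, and the non-system-role entitlements (Application, SAP role, ...) are carried as plain strings.

```python
from collections import defaultdict

# Constructed sample data mirroring Tables 8 and 10 of this page (abbreviated names).
SYSTEM_ROLES = {"A", "A1", "A2", "A11", "A12", "B", "B1"}
DIRECT_ASSIGNMENTS = [  # (UID_ESet, entitlement), every row is a direct assignment
    ("A", "A1"), ("A", "A2"), ("A1", "A11"), ("A1", "A12"),
    ("A1", "System entitlement"), ("A2", "Application"),
    ("A11", "Active Directory group"), ("A12", "SAP role"), ("B", "Resource"),
]
EXCLUSIONS = [("A12", "A11"), ("B", "B1"), ("B", "A2")]  # (UID_ESet, UID_ESetExcluded)
XORIGIN_DIRECT, XORIGIN_INHERITED = 1, 2  # XOrigin values as shown in Table 8


def eset_collection(direct, system_roles):
    """ESetCollection: every (role, child) pair where child is the role itself
    or any system role reachable through nested system roles (Table 9)."""
    children = defaultdict(set)
    for parent, child in direct:
        if child in system_roles:  # only system roles take part in the hierarchy
            children[parent].add(child)
    rows = set()
    for role in system_roles:
        stack, seen = [role], set()
        while stack:  # depth-first walk; 'seen' guards against cycles
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(children[cur])
        rows.update((role, child) for child in seen)
    return rows


def eset_has_entitlement(direct, system_roles, exclusions):
    """ESetHasEntitlement rows as {(UID_ESet, entitlement): (XOrigin, XIsInEffect)}.
    Direct rows get XOrigin = 1, system roles reached only via the hierarchy get
    XOrigin = 2, and an excluded system role is switched off (XIsInEffect = 0)
    when the excluding role is assigned to the same parent (Tables 8 and 11)."""
    origin = {(p, e): XORIGIN_DIRECT for p, e in direct}
    for role, child in eset_collection(direct, system_roles):
        if child != role and (role, child) not in origin:
            origin[(role, child)] = XORIGIN_INHERITED
    result = {}
    for (parent, ent), xorigin in origin.items():
        assigned = {e for (p, e) in origin if p == parent}
        excluded = any(ent == victim and excluding in assigned
                       for excluding, victim in exclusions)
        result[(parent, ent)] = (xorigin, 0 if excluded else 1)
    return result
```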

Figure 5: Inheritance through Directly Assigned System Roles

Figure 6: Inheritance through an IT Shop Request

Special features of inheritance via hierarchical roles

Table 12: Configuration parameters for calculating assignments to hierarchical roles

Configuration parameter: QER\Structures\Inherite\NoESetSplitting

Effect when set: Specifies whether the components of a system role are already split in the hierarchical role. If this parameter is set, system roles are not broken down into their individual components until they reach the target of the inheritance.

If this configuration parameter is set, system roles that are assigned to hierarchical roles are not split when inheritance is calculated. This means that the assignments of company resources to hierarchical roles are not written to the corresponding assignment tables (<BaseTree>Has...). The system roles whose assignments are in effect (PersonHasESet.XIsInEffect = 1) are not split until user inheritance is calculated.

This configuration parameter is activated by default.

Figure 7: Inheritance via indirectly assigned system roles when the configuration parameter is activated

Figure 8: Inheritance via different hierarchical roles when the configuration parameter is activated

If the configuration parameter is not activated, the system roles whose assignments are in effect (BaseTreeHasESet.XIsInEffect = 1) are split when inheritance is calculated for the hierarchical roles. If the mutually exclusive system roles are assigned to different hierarchical roles, both assignments are effective, and so the resulting company resource assignments to the hierarchical roles are also effective. If an employee is a member of both hierarchical roles, the employee inherits the company resources of the excluded system role as well.

Figure 9: Inheritance via different hierarchical roles when the configuration parameter is deactivated

If the mutually exclusive system roles are assigned to the same hierarchical role, the exclusion definition takes effect when calculating BaseTreeHasESet.

Figure 10: Inheritance via the same hierarchical role when the configuration parameter is deactivated
