Figure 2: Inheriting an Active Directory group through a directly assigned system role
Figure 3: Inheriting software through an IT Shop request
Figure 4: Inheriting a resource through an indirectly assigned system role
Figure 2: Inheriting an Active Directory group through a directly assigned system role
Figure 3: Inheriting software through an IT Shop request
Figure 4: Inheriting a resource through an indirectly assigned system role
The following images show how excluding a system role affects how inheritance is calculated. Excluded system roles can still be assigned to identities. An option on the column XIsInEffect defines whether this assignment applies. Assigning an excluded system role leads to the entry XIsInEffect = 0, if the other system role from the exclusion definition is assigned at the same time.
System role (UID_ESet) | Excluded System Role (UID_ESetExcluded) |
---|---|
System role A12 | System role A11 |
System role B | System role B1 |
System role B | System role A2 |
System role (UID_ESet) | Assignment System Role (Entitlement) | Assignment Applies (XIsInEffect) |
---|---|---|
System role A | System role A1 | 1 |
System role A | System role A2 | 1 |
System role A | System role A11 | 0 |
System role A | System role A12 | 1 |
System role A1 | System role A11 | 0 |
System role A1 | System role A12 | 1 |
System role A2 | Software | 1 |
System role A11 | Active Directory group | 1 |
System role A12 | SAP role | 1 |
System role B | Resource R1 | 1 |
System role B1 | Resource R2 | 1 |
Figure 5: Inheritance through directly assigned system roles
Figure 6: Inheritance through an IT Shop request
Configuration parameter | Effect when set |
---|---|
QER | Structures | Inherite | NoESetSplitting |
Specifies whether or not the components of a system role are already split in the hierarchical role. If this parameter is set, the system roles are not broken down into their individual components until the target of the inheritance. |
If this configuration parameter is set, system roles that are assigned to hierarchical roles are not split in the calculation of inheritance. This means that the assignments of company resources to hierarchical roles are not written to the corresponding assignment tables (<BaseTree>Has...). The system roles whose assignments are in effect (PersonHasESet.XIsIneffect = 1) are not split until the calculation of user inheritance.
NOTE: A system role hierarchy is always split. This means the assignment of child system roles to hierarchical roles is always written in the assignment tables. This behavior is independent of the configuration parameter setting.
This configuration parameter is set by default.
Figure 7: Inheritance by indirectly assigned system roles when the configuration parameter is set
Figure 8: Inheritance by different hierarchical roles when the configuration parameter is set
If the configuration parameter is not set, the system roles whose assignments are in effect (BaseTreeHasESet.XIsIneffect = 1) are split in the inheritance calculation for the hierarchical roles. If the excluding system roles are assigned to different hierarchical roles, both assignments are effective. This makes the resulting company resource assignments to hierarchical roles also effective. If an identity is a member of both hierarchical roles, the company resources of the excluded system role are inherited by this identity.
Figure 9: Inheritance by different hierarchical roles when the configuration parameter is not set
If the mutually exclusive system roles are assigned to the same hierarchical role, the exclusion definition takes effect when calculating BaseTreeHasESet.
Figure 10: Inheritance through the same hierarchical role when the configuration parameter is not set
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Términos de uso Privacidad Cookie Preference Center