In the Manager, you can obtain an overview of all the dynamic roles with conflicting entries in the exclude list. This means that for at least one item in the list the following applies:
-
The dynamic role condition does not apply.
For example, this might occur if the dynamic role condition was changed after an identity was entered in the exclude list.
- OR -
-
The excluded identity is also assigned to the role in another way, such as through inheritance or direct assignment. In that case the exclusion has no effect on the membership.
Check these entries and correct the assignments.
To check conflicting entries of departments, locations, or cost centers in the exclusion list
-
In the Manager, select the Organizations > Troubleshooting > Dynamic roles with potentially incorrect excluded identities category.
-
Select the dynamic role in the result list.
-
Select the Exclude identities task.
The exclude list shows which identities are affected by the conditions above.
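The check behind this troubleshooting view can be reproduced outside the Manager. The following is an added example, not One Identity Manager code or schema: the dynamic role condition is modelled as a Python predicate and the "other assignment paths" as a plain mapping, both constructed here to show the two conflict conditions listed above (condition changed after the entry was made; identity also assigned directly).

```python
"""Check a dynamic role's exclude list for conflicting entries.

Added example, not One Identity Manager code or schema: the dynamic role
condition is modelled as a Python predicate and the other assignment paths
as a plain mapping, both constructed here to illustrate the two conditions
listed above.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Identity:
    name: str
    department: str
    location: str


@dataclass
class DynamicRole:
    name: str
    # The dynamic role condition, evaluated per identity.
    condition: Callable[[Identity], bool]
    # Identities entered in the exclude list of this dynamic role.
    exclude_list: Set[str] = field(default_factory=set)


def find_conflicting_exclusions(
    role: DynamicRole,
    identities: Dict[str, Identity],
    other_paths: Dict[str, Set[str]],
) -> List[Tuple[str, str]]:
    """Return (identity, reason) for every exclude-list entry that conflicts.

    An entry conflicts when the dynamic role condition no longer applies to
    the identity (the exclusion is pointless) or when the identity is also a
    member of the role by another path, e.g. direct assignment or inheritance
    (the exclusion is ineffective). `other_paths` maps an identity to the
    roles it holds by such paths.
    """
    conflicts: List[Tuple[str, str]] = []
    for name in sorted(role.exclude_list):
        ident = identities[name]
        if not role.condition(ident):
            conflicts.append((name, "dynamic role condition does not apply"))
        if role.name in other_paths.get(name, set()):
            conflicts.append((name, "also assigned by inheritance or direct assignment"))
    return conflicts


# Constructed sample data. The condition originally covered all of Sales;
# it was later narrowed to the EU location, after the exclude list was filled.
IDENTITIES = {
    "alice": Identity("alice", "Sales", "EU"),
    "bob": Identity("bob", "Sales", "US"),
    "carol": Identity("carol", "Sales", "EU"),
}
SALES_EU = DynamicRole(
    name="Sales-EU",
    condition=lambda i: i.department == "Sales" and i.location == "EU",
    exclude_list={"alice", "bob", "carol"},
)
# carol also holds Sales-EU directly, so excluding her from the dynamic role
# does not remove her membership.
OTHER_PATHS = {"carol": {"Sales-EU"}}


def check_sales_eu() -> List[Tuple[str, str]]:
    return find_conflicting_exclusions(SALES_EU, IDENTITIES, OTHER_PATHS)


if __name__ == "__main__":
    for ident, reason in check_sales_eu():
        print(f"{SALES_EU.name}: {ident}: {reason}")
```

Running it flags bob (the narrowed condition no longer matches him, so the entry is stale) and carol (she keeps the role through the direct assignment, so the entry is ineffective); alice is a clean exclusion.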
Use this task to map the relationships of a department, cost center, or location to other roles. This task has the same effect as assigning a department, cost center, or location on the role's main data form. The assignment is entered in the respective foreign key column of the base table.
To assign a cost center or location to departments
-
In the Manager, select the Organizations > Cost centers or the Organizations > Locations category.
-
Select the role in the result list.
-
Select the Assign organizations task.
-
Select the Departments tab.
-
In the Add assignments pane, assign departments.
The selected cost center or location becomes the primary cost center or location of each of these departments.
- Save the changes.
To assign a department or a location to cost centers
-
In the Manager, select the Organizations > Departments or the Organizations > Locations category.
-
Select the role in the result list.
-
Select the Assign organizations task.
-
Select the Cost centers tab.
-
In the Add assignments pane, assign cost centers.
The selected department or location becomes the primary department or location of each of these cost centers.
- Save the changes.
To assign a department or a cost center to locations
-
In the Manager, select the Organizations > Departments or the Organizations > Cost centers category.
-
Select the role in the result list.
-
Select the Assign organizations task.
-
Select the Locations tab.
-
In the Add assignments pane, assign locations.
The selected department or cost center becomes the primary department or cost center of each of these locations.
- Save the changes.
By assigning identities, devices, or workdesks to roles, and through the associated inheritance of company resources, an identity, device, or workdesk may obtain company resources that should not be assigned in this combination. To prevent this, you define an inheritance exclusion. To do this, you specify, for a pair of roles, which of the two inherits the company resources if an identity (device or workdesk) is a member of both. Inheritance through the excluded role does not occur.
NOTE: Identities, devices, or workdesks can still be assigned to an excluded role directly or by assignment request, at any time. One Identity Manager determines whether the assignment takes effect when it calculates the role memberships.
Example: Inheritance exclusion
Jo User1 has a user account in the target system. They belong to the "Marketing" department; the "Controlling" and "Finance" departments are assigned to them secondarily. Without inheritance exclusion, the user account would obtain all permissions of groups A, B, and C.
Using suitable controls, you want to prevent one identity from being able to both trigger a request and pay invoices. To achieve this, an inheritance exclusion is defined for the "Finance" department. In addition, an identity that checks invoices must not be able to make invoice payments as well; an inheritance exclusion is defined for the "Controlling" department for this.
Table 27: Definition of inheritance exclusion

Department | Excluded department | Assigned group
Marketing | (none) | Group A
Finance | Marketing | Group B
Controlling | Finance | Group C
Table 28: Resulting assignments for user accounts

Identity | Member in departments | Effective departments | Effective groups
Pat Identity1 | Marketing | Marketing | Group A
Jan User3 | Marketing, Finance | Finance | Group B
Jo User1 | Marketing, Finance, Controlling | Controlling | Group C
Chris User2 | Marketing, Controlling | Marketing, Controlling | Group A, Group C
Because of the inheritance exclusion, only the group C assignment is in effect for Jo User1. If Jo User1 leaves the "Controlling" department at a later date, their membership in the "Finance" department takes effect again and group B is reassigned to the user account.
NOTE: Only directly defined inheritance exclusions between the roles are taken into account.
For Chris User2, the group A and group C assignments remain in effect because no direct inheritance exclusion is defined between the "Marketing" and "Controlling" departments. That means the identity is authorized both to trigger requests and to check invoices. If this should not be allowed either, define a further inheritance exclusion for the "Controlling" department that excludes "Marketing".
Table 29: Resulting assignments for the user account

Identity | Member in department | Excluded departments | Group of the department | Effective department | Effective group
Chris User2 | Marketing | (none) | Group A | Controlling | Group C
 | Controlling | Finance, Marketing | Group C | |
You define conflicting roles to prevent identities, devices, or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through them. To do this, specify which departments, cost centers, and locations are mutually exclusive. These roles may then not be assigned to one and the same identity (device, workdesk).
NOTE: Only roles that are directly defined as conflicting roles cannot be assigned to the same identity (device, workdesk). Definitions on parent or child roles do not affect the assignment.
To configure inheritance exclusion
To define inheritance exclusion for a department
-
In the Manager, select the Organizations > Departments category.
-
Select the department in the result list.
-
Select Edit conflicting departments.
-
In the Add assignments pane, assign departments that are mutually exclusive to the selected department.
- OR -
In the Remove assignments pane, remove the departments that are no longer mutually exclusive.
- Save the changes.
To define inheritance exclusion for a cost center
-
In the Manager, select the Organizations > Cost centers category.
-
Select the cost center in the result list.
-
Select Edit conflicting cost centers.
-
In the Add assignments pane, assign cost centers that are mutually exclusive to the selected cost center.
- OR -
In the Remove assignments pane, remove the cost centers that are no longer mutually exclusive.
- Save the changes.
To define inheritance exclusion for a location
-
In the Manager, select the Organizations > Locations category.
-
Select the location in the result list.
-
Select Edit conflicting locations.
-
In the Add assignments pane, assign locations that are mutually exclusive to the selected location.
- OR -
In the Remove assignments pane, remove the locations that are no longer mutually exclusive.
- Save the changes.
You can assign extended properties to departments, cost centers, and locations. Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas, that cannot be mapped directly in One Identity Manager.
To set extended properties
-
In the Manager, select the Organizations > <role class> category.
-
Select the role in the result list.
-
Select Assign extended properties.
-
In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended properties.
- Save the changes.