
Identity Manager On Demand - Starling Edition Hosted - Business Roles Administration Guide

Managing business roles

Assigning departments, cost centers, and locations to business roles

Use this task to map which relations exist between business roles and departments, cost centers and locations. This task has the same effect as assigning a department, cost center, or location on the business role main data form. The assignment is entered in the respective foreign key column in the base table.

To assign a department, cost center, or location to business roles

  1. In the Manager, select the Organizations > Departments, Organizations > Cost centers, or Organizations > Locations category.

  2. Select the role in the result list.

  3. Select the Assign business roles task.

  4. In the Add assignments pane, assign business roles.

    The selected role is primarily assigned to all business roles as a department, cost center, or location.

  5. Save the changes.
Defining inheritance exclusion for business roles

By assigning identities, devices, or workdesks to roles and through the associated inheritance of company resources, an identity, device, or workdesk may obtain company resources that should not be assigned in this combination. To prevent this, you define inheritance exclusion. To do this, you specify which role of a pair of roles can inherit the company resources if an identity (device or workdesk) is a member of both. Inheritance through excluded roles cannot occur.

NOTE: It is possible to assign identities, devices, or workdesks to an excluded role directly or by assignment request. This can be done at any time. One Identity Manager determines whether the assignment takes effect when it calculates the role memberships.

Example: Inheritance exclusion
  • Group A is assigned through the business role "Marketing", group B through the business role "Finance", and group C through the business role "Controlling".

Jo User1 has a user account in this target system. They belong to the "Marketing" business role. The "Controlling" and "Finance" business roles are assigned to them secondarily. Without inheritance exclusion, the user account would obtain all permissions of groups A, B, and C.

By using suitable controls, you want to prevent an identity from being able to trigger a request and to pay invoices. Inheritance exclusion is defined for the "Finance" business role to do this. An identity that checks invoices may not be able to make invoice payments as well. Inheritance exclusion is defined for "Controlling" business role to do this.

Table 20: Definition of inheritance exclusion

Business role    Excluded business role (UID_OrgExcluded)    Assigned group
Marketing                                                    Group A
Finance          Marketing                                   Group B
Controlling      Finance                                     Group C

Table 21: Resulting assignments for user accounts

Identity         Member in business role           Effective business role    Effective group
Pat Identity1    Marketing                         Marketing                  Group A
Jan User3        Marketing, Finance                Finance                    Group B
Jo User1         Marketing, Finance, Controlling   Controlling                Group C
Chris User2      Marketing, Controlling            Marketing, Controlling     Group A, Group C

Only the group C assignment is in effect for Jo User1 due to inheritance exclusion. If Jo User1 leaves the "Controlling" business role at a later date, their membership in the "Finance" business role takes effect again and group B is reassigned to the user account.

NOTE: Only directly defined inheritance exclusions between the roles are taken into account.

For Chris User2, group assignments A and C remain because no direct inheritance exclusion was defined between the "Marketing" and "Controlling" business roles. That means that the identity is authorized to trigger a request and to check invoices. If this should not be allowed either, define a further inheritance exclusion for the "Controlling" business role.

Table 22: Resulting assignments for the user account

Identity       Member in business role   Excluded business role (UID_OrgExcluded)   Assigned group   Effective business role   Effective group
Chris User2    Marketing                                                            Group A          Controlling               Group C
               Controlling               Finance, Marketing                         Group C
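To make the rule behind Tables 20 to 22 concrete, the following is a constructed Python model, added here and not One Identity Manager code, that derives effective roles and groups from role memberships and the direct exclusion pairs. Role, group and identity names are taken from the tables above; the function names and the directional "role excludes role" interpretation of the UID_OrgExcluded column are assumptions that reproduce the page's examples.

```python
"""Effective business roles under inheritance exclusion (constructed example)."""
from typing import Dict, Set, Tuple

# Constructed data mirroring Table 20: business role -> assigned group.
ROLE_GROUPS: Dict[str, str] = {
    "Marketing": "Group A",
    "Finance": "Group B",
    "Controlling": "Group C",
}

# Table 20 as (business role, excluded business role) pairs, i.e. the
# UID_Org / UID_OrgExcluded relation: Finance excludes Marketing,
# Controlling excludes Finance.
EXCLUSIONS_TABLE_20: Set[Tuple[str, str]] = {
    ("Finance", "Marketing"),
    ("Controlling", "Finance"),
}

# Table 22: Controlling additionally excludes Marketing.
EXCLUSIONS_TABLE_22 = EXCLUSIONS_TABLE_20 | {("Controlling", "Marketing")}

# Memberships from Table 21 (constructed identities from the page).
MEMBERSHIPS: Dict[str, Set[str]] = {
    "Pat Identity1": {"Marketing"},
    "Jan User3": {"Marketing", "Finance"},
    "Jo User1": {"Marketing", "Finance", "Controlling"},
    "Chris User2": {"Marketing", "Controlling"},
}

def effective_roles(member_of: Set[str], exclusions: Set[Tuple[str, str]]) -> Set[str]:
    """Roles whose company resources are actually inherited.

    A role is suppressed when another role the identity also holds lists it
    directly as excluded. Only direct pairs count (no parent/child lookup).
    A suppressing role may itself be suppressed: Jo User1 loses Finance to
    Controlling, yet Marketing stays excluded by Finance (Table 21).
    """
    suppressed = {excluded for role, excluded in exclusions
                  if role in member_of and excluded in member_of}
    return member_of - suppressed

def effective_groups(member_of: Set[str], exclusions: Set[Tuple[str, str]]) -> Set[str]:
    """Groups reached through the effective roles only."""
    return {ROLE_GROUPS[r] for r in effective_roles(member_of, exclusions)}

def resulting_assignments(memberships, exclusions):
    """Rows of Table 21 / 22: identity -> (effective roles, effective groups)."""
    return {ident: (effective_roles(roles, exclusions), effective_groups(roles, exclusions))
            for ident, roles in memberships.items()}

if __name__ == "__main__":
    for ident, (roles, groups) in resulting_assignments(MEMBERSHIPS, EXCLUSIONS_TABLE_20).items():
        print(f"{ident:14} {', '.join(sorted(roles)):24} {', '.join(sorted(groups))}")
```

Running it with EXCLUSIONS_TABLE_22 instead shows Chris User2 dropping to Controlling / Group C, as in Table 22.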

You can define conflicting roles to prevent identities, devices, or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through these roles. In doing so, you specify which business roles are mutually exclusive; these roles may not be assigned to one and the same identity (device, workdesk).

NOTE: Only roles that are directly defined as conflicting roles cannot be assigned to the same identity (device, workdesk). Definitions made on parent or child roles do not affect the assignment.

To configure inheritance exclusion

  • In the Designer, set the QER | Structures | ExcludeStructures configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

To define inheritance exclusion for a business role

  1. In the Manager, select the Business roles > <role class> category.

  2. Select a business role in the result list.

  3. Select Edit conflicting business roles.

  4. In the Add assignments pane, assign business roles that are mutually exclusive to the selected business role.

    - OR -

    In the Remove assignments pane, remove the business roles that are no longer mutually exclusive.

  5. Save the changes.
Assigning extended properties to business roles

You can assign extended properties to business roles. Extended properties are meta objects, such as operating codes, cost codes, or cost accounting areas that cannot be mapped directly in One Identity Manager. For more information about extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

To specify extended properties for a business role

  1. In the Manager, select the Business roles > <role class> category.

  2. Select the business role in the result list.

  3. Select the Assign extended properties task.

  4. In the Add assignments pane, assign extended properties.

    TIP: In the Remove assignments pane, you can remove assigned extended properties.

    To remove an assignment

    • Select the extended property and double-click it.

  5. Save the changes.

Creating assignment resources for application roles

You may add assignment resources to single business roles. This means you can limit assignment resources to a certain business role in the Web Portal. When the assignment resource is requested, it is no longer necessary to request the business role as well. It is automatically a part of the assignment request. For more information, see the One Identity Manager IT Shop Administration Guide.

To limit an assignment resource to a business role

  1. In the Manager, select the Business roles > <role class> category.

  2. Select a business role in the result list.

  3. Select the Create assignment resource task.

    This starts a wizard that takes you through the steps for adding an assignment resource.

NOTE: Business roles associated with an assignment resource cannot be deleted until the associated assignment resource is deleted.
