サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.2 - System Roles Administration Guide

Examples of inheritance paths for system roles

Figure 2: Inheriting an Active Directory group through a directly assigned system role

Figure 3: Inheriting software through an IT Shop request

Figure 4: Inheriting a resource through an indirectly assigned system role

Effect of exclusion definitions for system roles

The following images show how excluding a system role affects how inheritance is calculated. Excluded system roles can still be assigned to identities. An option on the column XIsInEffect defines whether this assignment applies. Assigning an excluded system role leads to the entry XIsInEffect = 0, if the other system role from the exclusion definition is assigned at the same time.

Table 10: Excluded system roles (table ESetExcludesESet)
System role (UID_ESet) Excluded System Role (UID_ESetExcluded)
System role A12 System role A11
System role B System role B1
System role B System role A2
Table 11: System roles: inheritance (table ESetHasEntitlement)
System role (UID_ESet) Assignment System Role (Entitlement) Assignment Applies (XIsInEffect)
System role A System role A1 1
System role A System role A2 1
System role A System role A11 0
System role A System role A12 1
System role A1 System role A11 0
System role A1 System role A12 1
System role A2 Software 1
System role A11 Active Directory group 1
System role A12 SAP role 1
System role B Resource R1 1
System role B1 Resource R2 1

Figure 5: Inheritance through directly assigned system roles

Figure 6: Inheritance through an IT Shop request

Special features of inheritance system roles through hierarchical roles

Table 12: Configuration parameters for calculating assignments to hierarchical roles
Configuration parameter Effect when set

QER | Structures | Inherite | NoESetSplitting

Specifies whether or not the components of a system role are already split in the hierarchical role. If this parameter is set, the system roles are not broken down into their individual components until the target of the inheritance.

If this configuration parameter is set, system roles that are assigned to hierarchical roles are not split in the calculation of inheritance. This means that the assignments of company resources to hierarchical roles are not written to the corresponding assignment tables (<BaseTree>Has...). The system roles whose assignments are in effect (PersonHasESet.XIsIneffect = 1) are not split until the calculation of user inheritance.

NOTE: A system role hierarchy is always split. This means the assignment of child system roles to hierarchical roles is always written in the assignment tables. This behavior is independent of the configuration parameter setting.

This configuration parameter is set by default.

Figure 7: Inheritance by indirectly assigned system roles when the configuration parameter is set

Figure 8: Inheritance by different hierarchical roles when the configuration parameter is set

If the configuration parameter is not set, the system roles whose assignments are in effect (BaseTreeHasESet.XIsIneffect = 1) are split in the inheritance calculation for the hierarchical roles. If the excluding system roles are assigned to different hierarchical roles, both assignments are effective. This makes the resulting company resource assignments to hierarchical roles also effective. If an identity is a member of both hierarchical roles, the company resources of the excluded system role are inherited by this identity.

Figure 9: Inheritance by different hierarchical roles when the configuration parameter is not set

If the mutually exclusive system roles are assigned to the same hierarchical role, the exclusion definition takes effect when calculating BaseTreeHasESet.

Figure 10: Inheritance through the same hierarchical role when the configuration parameter is not set

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択