Assigning employees to application roles
Assigned employees obtain all the permissions of the permission group to which the application role (or a parent application role) is assigned. In addition, employees obtain the company resources assigned to the application role.
If there are no employees directly assigned to an application role, the employees of the parent application role inherit the permissions.
NOTE: The application roles Base roles | Everyone (Change), Base roles | Everyone (Lookup), Base roles | Employee Managers, and Base roles | Birthright Assignments are assigned to employees automatically. Do not make any manual assignments to these application roles.
To assign employees to an application role
- In the Manager, select an application role in the One Identity Manager Administration category.
- Select the Assign employees task.
- In the Add assignments pane, add employees.
TIP: To remove an assignment, remove the assigned employees in the Remove assignments pane.
- Save the changes.
Custom extension of application role permissions
For role-based login, application roles must be linked to a permissions group in which permissions for One Identity Manager are defined. The application role is given the permissions of the associated permissions group. If no permissions group is assigned, the application role obtains the permissions from the parent application role.
Some of the default application roles are already assigned permissions groups. These permissions groups have the permissions for the tables and columns and are equipped with menu items, forms, tasks, and program functions, which allow the application data to be edited in the Manager and in the Web Portal.
You can assign customized permissions groups to application roles so that the permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.
NOTE: You can simplify the grouping of permissions by linking permissions groups hierarchically. Permissions in hierarchical permissions groups are inherited from top to bottom. That means a permissions group contains all the permissions belonging to its parent permissions groups.
Proceed as follows:
- In the Designer, create a new permissions group.
NOTE: Set the Only use for role-based authentication option for the permissions group.
- In the Designer, make the new permissions group dependent on the default permissions group of the application role. Assign the default permissions group as a parent permissions group. This means the newly defined permissions group inherits the properties of the default permissions group.
- In the Designer, grant additional edit permissions for menu items, forms, tables, or columns.
- In the Manager, assign the new permissions group to the application role.
A user who logs in to the Manager or to the Web Portal with an application role changed in this way receives – in addition to the default privileges of this application role – the custom permissions.
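The following added example models the resolution rules stated in this section: permissions flow top-down through the permissions group hierarchy, an application role without its own permissions group takes the group of its nearest parent role, and a custom permissions group that is made dependent on the default group keeps every default permission. It is illustrative Python, not One Identity Manager code; the class names, the permission strings and the role and group names are all constructed for the example.

```python
"""Model of the permission-resolution rules for application roles.

Constructed example: the classes and all names used below are illustrative
and do not correspond to One Identity Manager's schema or API.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PermissionGroup:
    name: str
    permissions: Set[str] = field(default_factory=set)
    parent: Optional["PermissionGroup"] = None

    def effective_permissions(self) -> Set[str]:
        """Top-down inheritance: a group holds its own permissions plus
        everything granted anywhere in its parent chain."""
        result: Set[str] = set()
        seen: Set[str] = set()
        group: Optional[PermissionGroup] = self
        while group is not None:
            if group.name in seen:
                raise ValueError(f"cycle in permissions group hierarchy at {group.name}")
            seen.add(group.name)
            result |= group.permissions
            group = group.parent
        return result


@dataclass
class ApplicationRole:
    name: str
    permission_group: Optional[PermissionGroup] = None
    parent: Optional["ApplicationRole"] = None

    def resolved_group(self) -> Optional[PermissionGroup]:
        """A role without its own permissions group obtains the group of the
        nearest ancestor role that has one; None if no ancestor has a group."""
        role: Optional[ApplicationRole] = self
        while role is not None:
            if role.permission_group is not None:
                return role.permission_group
            role = role.parent
        return None

    def effective_permissions(self) -> Set[str]:
        group = self.resolved_group()
        return group.effective_permissions() if group is not None else set()


def missing_default_permissions(custom: PermissionGroup, default: PermissionGroup) -> Set[str]:
    """Default-group permissions that the custom group does NOT grant.

    An empty result means the custom group satisfies the requirement in the
    text: it contains all the permissions of the default permissions group."""
    return default.effective_permissions() - custom.effective_permissions()


def build_example() -> Dict[str, Set[str]]:
    """Assemble the constructed hierarchy and return effective permissions per role."""
    # Constructed default group, as shipped with a default application role.
    default = PermissionGroup("Default group", {"Person.read", "Person.write"})
    # Custom group made dependent on the default group (step 2 of the procedure).
    custom = PermissionGroup("Custom group", {"Extra.edit"}, parent=default)
    # Custom group created without the parent link: loses a default permission.
    standalone = PermissionGroup("Standalone group", {"Person.read"})

    top = ApplicationRole("Top role", permission_group=default)
    child = ApplicationRole("Child role", parent=top)              # inherits via parent role
    customized = ApplicationRole("Customized role", permission_group=custom, parent=top)
    orphan = ApplicationRole("Orphan role")                        # no group anywhere

    report = {r.name: r.effective_permissions() for r in (top, child, customized, orphan)}
    report["missing in Custom group"] = missing_default_permissions(custom, default)
    report["missing in Standalone group"] = missing_default_permissions(standalone, default)
    return report


if __name__ == "__main__":
    for key, perms in build_example().items():
        print(f"{key}: {sorted(perms)}")
```

Running the script shows that the child role without its own group receives the default permissions through its parent role, the customized role receives the default permissions plus the extra edit permission, and only the group that skipped the parent link is reported as missing a default permission.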
Creating and editing dynamic roles for application roles
Use this task to assign employees to an application role through dynamic roles. For detailed information about using dynamic roles, see the One Identity Manager Identity Management Base Module Administration Guide.
NOTE: The task Create dynamic role is only available for application roles that do not have the option Dynamic roles not allowed set.
To create a dynamic role for the application role
- In the Manager, in the One Identity Manager Administration category, select the application role.
- Select the Create dynamic role task.
- Enter the required main data. The following applies to dynamic roles for application roles:
- Object class: Select Employee.
- Application role: This data is preset with the selected application role. If these objects fulfill the dynamic role conditions, they become members in the application role.
- Dynamic role: By default, the dynamic role name is made up of the object class and the full name of the application role.
- Save the changes.
To edit a dynamic role
- In the Manager, in the One Identity Manager Administration category, select the application role.
- Select the Application role overview task.
- In the overview form, click the dynamic role name in the Dynamic roles form element.
- Select the Change main data task.
- Edit the dynamic role.
- Save the changes.
Specifying mutually exclusive application roles
It is possible that employees must not hold certain application roles at the same time. For example, exception approvers for rule violations may not be rule supervisors at the same time. To implement this behavior, you can specify mutually exclusive application roles. These application roles can then no longer be assigned to the same person.
NOTE: Only application roles that are defined directly as conflicting application roles cannot be assigned to the same employee. Definitions made on parent or child application roles do not affect the assignment.
To specify inheritance exclusion for application roles
- In the Manager, in the One Identity Manager Administration category, select the application role for which you want to define an inheritance exclusion.
- Select the Edit conflicting application roles task.
- In the Add assignments pane, assign application roles that are mutually exclusive to the selected application role.
- OR -
In the Remove assignments pane, remove the application roles that are no longer mutually exclusive.
- Save the changes.
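The following added example models the exclusion rule stated above: an exclusion blocks an assignment only when it was defined directly between the two application roles, so an exclusion on a parent role does not carry over to a child role, and it also audits existing memberships for pairs that violate a defined exclusion. It is illustrative Python, not One Identity Manager code; the role names (including the child role "Rule supervisors | Finance") and the sample memberships are constructed for the example.

```python
"""Model of mutually exclusive application roles.

Constructed example: exclusions are stored as unordered pairs of role names,
and the role names and memberships below are made up for illustration; none of
this corresponds to One Identity Manager's schema or API.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Exclusions = Set[FrozenSet[str]]


def define_exclusion(exclusions: Exclusions, role_a: str, role_b: str) -> None:
    """Record that role_a and role_b may not be held by the same employee."""
    if role_a == role_b:
        raise ValueError("a role cannot be mutually exclusive with itself")
    exclusions.add(frozenset({role_a, role_b}))


def are_exclusive(exclusions: Exclusions, role_a: str, role_b: str) -> bool:
    """True only if the exclusion was defined directly between these two roles.

    The role hierarchy is deliberately not consulted: per the note in the text,
    an exclusion defined on a parent or child role does not block the assignment."""
    return frozenset({role_a, role_b}) in exclusions


def blocking_roles(current_roles: Set[str], new_role: str, exclusions: Exclusions) -> List[str]:
    """Roles the employee already holds that prevent assigning new_role."""
    return sorted(r for r in current_roles if are_exclusive(exclusions, r, new_role))


def find_violations(assignments: Dict[str, Set[str]], exclusions: Exclusions) -> List[Tuple[str, str, str]]:
    """Audit existing memberships: list (employee, role_a, role_b) for every
    employee who holds both roles of a defined exclusion. Useful after an
    exclusion is added for roles that were already assigned."""
    violations: List[Tuple[str, str, str]] = []
    for employee, roles in sorted(assignments.items()):
        for pair in exclusions:
            if pair <= roles:
                role_a, role_b = sorted(pair)
                violations.append((employee, role_a, role_b))
    return violations


def build_example() -> Dict[str, object]:
    """Assemble the constructed scenario and return the checks' results."""
    exclusions: Exclusions = set()
    # Exclusion defined directly between the two top-level roles only.
    define_exclusion(exclusions, "Exception approvers", "Rule supervisors")

    # Constructed memberships; "Rule supervisors | Finance" is a child role of
    # "Rule supervisors" that carries no exclusion of its own.
    assignments: Dict[str, Set[str]] = {
        "alice": {"Exception approvers", "Rule supervisors"},
        "bob": {"Exception approvers", "Rule supervisors | Finance"},
        "carol": {"Rule supervisors"},
    }
    return {
        "carol -> Exception approvers": blocking_roles(assignments["carol"], "Exception approvers", exclusions),
        "bob -> Rule supervisors": blocking_roles(assignments["bob"], "Rule supervisors", exclusions),
        "bob -> Rule supervisors | Finance": blocking_roles({"Exception approvers"}, "Rule supervisors | Finance", exclusions),
        "violations": find_violations(assignments, exclusions),
    }


if __name__ == "__main__":
    for key, value in build_example().items():
        print(f"{key}: {value}")
```

In the constructed scenario, carol cannot receive Exception approvers because she is a Rule supervisor, bob is blocked from Rule supervisors but not from the child role, and the audit reports only alice, who directly holds both excluded roles.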