Effectiveness of membership in OneLogin roles
When roles are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive roles. To do this, you specify which of the two roles should apply to the user accounts if both are assigned.
It is possible to assign an excluded role at any time either directly, indirectly, or with an IT Shop request. One Identity Manager determines whether the assignment is effective.
NOTE:
-
You cannot define a pair of mutually exclusive roles. That means, the definition "Role A excludes role B" AND "Role B excludes role A" is not permitted.
-
Every role to be excluded from another role must be declared separately. Exclusion definitions cannot be inherited.
The effect of the assignments is mapped in the OLGUserInOLGRole table through the XIsInEffect column.
Prerequisites
-
The QER | Structures | Inherite | GroupExclusion configuration parameter is set.
In the Designer, set the configuration parameter and compile the database.
NOTE: If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
-
Mutually exclusive roles belong to the same domain
To exclude roles
-
In Manager, select the category OneLogin > Roles.
-
Select the role in the result list.
-
Select the Exclude roles task.
-
In the Add assignments pane, assign the roles that are mutually exclusive to the selected role.
- OR -
In the Remove assignments pane, remove the roles that are no longer mutually exclusive.
- Save the changes.
OneLogin role inheritance based on categories
In One Identity Manager, user accounts can selectively inherit roles. To do this, the roles and user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. In the other tables, enter your categories for the roles. Each table contains the category positions position 1 to position 63.
Each user account can be assigned to one or more categories. Each role can also be assigned to one or more categories. The role is inherited by the user account when at least one user account category items matches an assigned role . The role is also inherited by the user account if the role or the user account is not put into categories.
NOTE: Inheritance through categories is only taken into account when roles are assigned indirectly through hierarchical roles. Categories are not taken into account when roles are directly assigned to user accounts.
Table 12: Category examples
1 |
Default user |
Default permissions |
2 |
System users |
System user permissions |
3 |
System administrator |
System administrator permissions |
Figure 2: Example of inheriting through categories.
To use inheritance through categories
-
In the Manager, define the categories in the OneLogin domain.
-
Assign categories to user accounts through their main data.
-
Assign categories to roles through their main data.
Related topics
Overview of all assignments
The Overview of all assignments report is displayed for some objects, such as authorizations, compliance rules, or roles. The report finds all the roles, for example, departments, cost centers, locations, business roles, and IT Shop structures in which there are employees who own the selected base object. In this case, direct as well as indirect base object assignments are included.
Examples:
-
If the report is created for a resource, all roles are determined in which there are employees with this resource.
-
If the report is created for a group or another system entitlement, all roles are determined in which there are employees with this group or system entitlement.
-
If the report is created for a compliance rule, all roles are determined in which there are employees who violate this compliance rule.
-
If the report is created for a department, all roles are determined in which employees of the selected department are also members.
-
If the report is created for a business role, all roles are determined in which employees of the selected business role are also members.
To display detailed information about assignments
-
To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.
-
Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain employees with the selected base object.
All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the icon in the report's toolbar.
-
Double-click a control to show all child roles belonging to the selected role.
-
By clicking the button in a role's control, you display all employees in the role with the base object.
-
Use the small arrow next to to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.
Figure 3: Toolbar of the Overview of all assignments report.
Table 13: Meaning of icons in the report toolbar
|
Show the legend with the meaning of the report control elements |
|
Saves the current report view as a graphic. |
|
Selects the role class used to generate the report. |
|
Displays all roles or only the affected roles. |
Login information for OneLogin user accounts
When new user accounts are created in One Identity Manager, the passwords needed to log in to the target system are created immediately also. Various options are available for assigning the initial password. Predefined password policies are applied to the passwords, and you can adjust these policies to suit your individual requirements if necessary. You can set up email notifications to distribute the login information generated to users.
Detailed information about this topic