
Identity Manager 9.1.2 - System Roles Administration Guide

Effectiveness of system roles

When system roles are assigned to employees, workdesks, or hierarchical roles, an employee may obtain company resources that should not be assigned in that combination. To prevent this, you can declare system roles to be mutually exclusive. To do so, you specify which system role of a pair of system roles should take effect if both are assigned. No company resources are inherited from the system role that is not in effect.

Prerequisite
  • The QER | Structures | Inherite | ESetExclusion configuration parameter is set.

    In the Designer, set the configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

It is possible to assign employees, workdesks, and company resources to an excluded system role directly, indirectly, or by IT Shop request. This can be done at any time. One Identity Manager subsequently determines whether the assignment takes effect and the company resources are inherited.

NOTE:

  • You cannot define a reciprocal pair of exclusions. That means the definition "System role A excludes system role B" AND "System role B excludes system role A" is not permitted.

  • You must declare each system role to be excluded from a system role separately. Exclusion definitions cannot be inherited.

The effect of the assignments is mapped in the PersonHasESet, BaseTreeHasESet, and WorkdeskHasESet tables through the XIsInEffect column.

NOTE: If a company resource that is assigned to an excluded system role is also assigned directly or indirectly to an employee or workdesk, the exclusion definition does not affect this company resource. The exclusion definition only applies to the system roles themselves.

Example: Effectiveness of system roles
  • The "Marketing" system role contains all the software applications and permissions for triggering requests.

  • The "Finance" system role contains all the software applications and permissions for instructing payments.

  • The "Controlling" system role contains all the software applications and permissions for verifying invoices.

Jo User1 is directly assigned the "Marketing" system role and obtains the "Finance" and "Controlling" system roles through IT Shop requests. Without an exclusion definition, Jo User1 obtains all three system roles and therefore all the associated permissions.

By using suitable controls, you want to prevent an employee from being able to trigger a request and also pay invoices. That means the "Finance" and "Marketing" system roles are mutually exclusive. An employee who checks invoices must not be able to make invoice payments as well. That means the "Finance" and "Controlling" system roles are mutually exclusive.

Table 2: Specifying mutually exclusive system roles (table ESetExcludesESet)

Effective system role | Excluded system role
Finance               | Marketing
Controlling           | Finance

Table 3: Effective assignments

Employee      | Assigned system role            | Effective system role
Pat Identity1 | Marketing                       | Marketing
Jan User3     | Marketing, Finance              | Finance
Jo User1      | Marketing, Finance, Controlling | Controlling
Chris User2   | Marketing, Controlling          | Marketing, Controlling

Only the "Controlling" system role is in effect for Jo User1. If the "Controlling" system role is removed from Jo User1, the "Finance" system role assignment is reinstated.

Chris User2 retains the "Marketing" and "Controlling" system roles because there is no exclusion defined between the two system roles. That means the employee is authorized to trigger requests and to check invoices. If you want to prevent that as well, define a further exclusion for the "Controlling" system role.

Table 4: Excluded system roles and effective assignments

Employee    | Assigned system role | Excluded system role (UID_ESetExcluded) | Effective system role
Chris User2 | Marketing            |                                         | Controlling
            | Controlling          | Finance, Marketing                      |

Disabled system roles

System roles can be disabled temporarily, for example, to prevent employees and workdesks from inheriting their company resources. If a system role is disabled, the DBQueue Processor recalculates inheritance of its company resources and existing assignments to employees and workdesks are removed. The disabled system role remains assigned; however, the assignment no longer has any effect (PersonHasESet.XIsInEffect = 0). Once the system role is re-enabled, company resource inheritance is recalculated again and the company resources contained in the system role are assigned to employees and workdesks.

You cannot request a disabled system role in the Web Portal but you can assign a disabled system role directly to employees, workdesks, hierarchical roles, dynamic roles, and IT Shop shelves.


Creating and editing system roles

To create or edit a system role

  1. In the Manager, select the Entitlements > System roles category.

  2. Select the system role in the result list. Select the Change main data task.

    - OR -

    Click in the result list.

  3. Edit the system role's main data.

  4. Save the changes.

General main data of system roles

Enter the following data for a system role.

Table 5: System role main data

Property

Description

Display name

Name for displaying the system roles in One Identity Manager tools.

System role

Unique identifier for the system role.

Internal product name

An additional internal name for the system role.

System role type

Specifies the type of company resources, which comprise the system role.

Service item

In order to use the system role within the IT Shop, assign a service item to it or add a new service item. For more information about service items, see the One Identity Manager IT Shop Administration Guide.

System role manager

Manager responsible for the system role. Assign an employee. This employee can edit the system role's main data and can be used as an attestor for system role properties.

If the system role can be requested in the IT Shop, the manager will automatically be a member of the application role for product owners assigned the service item.

Share date

Specify a date for enabling the system role. If the date is in the future, the system role is considered to be disabled. If the date is reached, the system role is enabled. Employees inherit company resources that are assigned to the system role.

If the share date is exceeded or no date is entered, the system role is handled as an enabled system role. Company resource inheritance can be controlled with the Disabled option in these cases.

NOTE: Configure and enable the Share system roles schedule in the Designer to check the share date. For more information about schedules, see the One Identity Manager Operational Guide.

Risk index (calculated)

Maximum risk index values for all company resources. The property is only visible if the QER | CalculateRiskIndex configuration parameter is enabled. For more information about calculating the risk index, see the One Identity Manager Risk Assessment Administration Guide.

Comment

Text field for additional explanation.

Remarks

Text field for additional explanation.

Description

Text field for additional explanation.

Deactivated

Specifies whether employees and workdesks inherit the company resources contained in the system role.

If this option is set, the system role can still be assigned to employees, workdesks, hierarchical roles, and IT Shop shelves. However, they cannot inherit the company resources contained in the system role. The system role cannot be requested in the Web Portal.

If this option is not set, company resources assigned to the system role are inherited. If the option is enabled at a later date, existing assignments are removed.

IT Shop

Specifies whether the system role can be requested through the IT Shop. This system role can be requested by staff through the Web Portal and granted through a defined approval process. The system role can still be assigned directly to employees and hierarchical roles. For more information about IT Shop, see the One Identity Manager IT Shop Administration Guide.

Only for use in IT Shop

Specifies whether the system role can only be requested through the IT Shop. This system role can be requested by staff through the Web Portal and granted through a defined approval process. The system role may not be assigned directly to hierarchical roles.

Spare field no. 01 ... Spare field no. 10

Additional company-specific information. Use the Designer to customize display names, formats, and templates for the input fields.
