Chat now with support
Chat with Support

Identity Manager On Demand - Starling Edition Hosted - Business Roles Administration Guide

Managing business roles
One Identity Manager users for business roles Hierarchical role structure basic principles Basic principles for assigning company resources Basics of calculating inheritance Preparing business roles for company resource assignments Base data for business roles Creating and editing business roles Assigning identities, devices, and workdesks to business roles Assigning business roles to company resources Analyzing role memberships and identity assignments Setting up IT operational data for business roles Creating dynamic roles for business roles Assigning departments, cost centers, and locations to business roles Defining inheritance exclusion for business roles Assigning extended properties to business roles Creating assignment resources for application roles Dynamic roles for business roles with incorrectly excluded identities Certification of business roles Reports about business roles
Role mining in One Identity Manager

Possible assignments of company resources through business roles

Identities, devices, and workdesks can inherit company resources though indirect assignment. To do this, identities, devices, and workdesks may be members of as many roles as required. Identities, devices, and workdesks obtain the necessary company resources through defined rules.

To assign company resources to roles, apply the appropriate tasks to the roles.

The following table shows the possible assignments of company resources to identities, workdesks, and devices using roles.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.

Table 5: Possible assignments of company resources through roles
Assignable Company Resource Members in Roles
Identities Workdesks

Resources

Possible

-

Account definitions Possible  

Groups of custom target systems

Possible (assigns to all an identity's custom defined target systems user accounts, for which group inheritance is authorized)

-

System entitlements of custom target systems

Possible (assigns to all an identity's custom defined target systems user accounts, for which system entitlement inheritance is authorized)

-

Active Directory groups

Possible (assigns to all an identity's Active Directory user accounts and Active Directory contacts, for which Active Directory group inheritance is authorized)

-

SharePoint groups

Possible (assigns to all an identity's SharePoint user accounts for which SharePoint group inheritance is authorized)

-

SharePoint roles

Possible (assigns to all an identity's SharePoint user accounts for which SharePoint role inheritance is authorized)

-

LDAP groups

Possible (assigns to all an identity's LDAP user accounts for which LDAP group inheritance is authorized)

-

Notes groups

Possible (assigns to all an identity's Notes user accounts for which Notes group inheritance is authorized)

-

SAP groups

Possible (assigns to all an identity's SAP user accounts, in the same SAP system and for which SAP group inheritance is authorized)

-

SAP profiles

Possible (assigns to all an identity's SAP user accounts, in the same SAP system and for which SAP profile inheritance is authorized)

-

SAP roles

Possible (assigns to all an identity's SAP user accounts, in the same SAP system and for which SAP role inheritance is authorized)

-

SAP parameters

Possible (assigns to all an identity's SAP user accounts in the same SAP system)

-

Structural profiles

Possible (assigns to all an identity's SAP user accounts, in the same SAP system and for which structural profile inheritance is authorized)

-

BI analysis authorizations

Possible (assigns to all an identity's BI user accounts, in the same system and for which group inheritance is authorized)

-

Azure Active Directory groups

Possible (assigns to all an identity's Azure Active Directory user accounts for which Azure Active Directory group inheritance is authorized)

-

Azure Active Directory administrator roles

Possible (assigns to all an identity's Azure Active Directory user accounts for which Azure Active Directory administrator role inheritance is authorized)

-

Azure Active Directory subscriptions

Possible (assigns to all an identity's Azure Active Directory user accounts for which Azure Active Directory subscription inheritance is authorized)

-

Disabled Azure Active Directory service plans

Possible (assigns to all an identity's Azure Active Directory user accounts for which disabled Azure Active Directory service plans inheritance is authorized)

-

Cloud groups

Possible (assigns to all an identity's user accounts for which cloud group inheritance is authorized)

-

Cloud system entitlements

Possible (assigns to all an identity's user accounts for which cloud system entitlement inheritance is authorized)

-

Unix groups

Possible (assigns to all an identity's Unix user accounts for which Unix group inheritance is authorized)

-

E-Business Suite permissions

Possible (assigns to all an identity's E-Business Suite user accounts, in the same E-Business Suite system and for which E-Business Suite group inheritance is authorized)

-

PAM user groups

Possible (assigns to all an identity's PAM user accounts for which PAM group inheritance is authorized)

-

Google Workspace products and SKUs

Possible (assigns to all an identity's Google Workspace user accounts, in the same customer and for which Google Workspace products and SKU inheritance is authorized)

-

Google Workspace groups

Possible (assigns to all an identity's Google Workspace user accounts, in the same customer and for which Google Workspace group inheritance is authorized)

-

SharePoint Online groups

Possible (assigns to all an identity's SharePoint Online user accounts for which SharePoint Online group inheritance is authorized)

-

SharePoint Online roles

Possible (assigns to all an identity's SharePoint Online user accounts for which SharePoint Online role inheritance is authorized)

-

Office 365 groups

Possible (assigns to all an identity's Azure Active Directory user accounts for which Office 365 group inheritance is authorized)

-

Exchange Online mail-enabled distribution groups

Possible (assigns to all an identity's Exchange Online mailboxes, Exchange Online mail users and Exchange Online mail contacts for which Exchange Online mail-enabled distribution group inheritance is authorized)

-

OneLogin roles

Possible (assigns to all an identity's OneLogin user accounts for which OneLogin role inheritance is authorized)

 

System roles

Possible

Possible

Subscribable reports

Possible

-

Software

Possible

Possible

Related topics

Allowing assignments of identities, devices, workdesks, and company resources to business roles

The default method for assigning company resources is through secondary assignment. For this, identities, devices, and workdesks as well as company resources are added to roles through secondary assignment.

Secondary assignment of objects to role in a role class is defined by the following options:

  • Assignments allowed: This option specifies whether assignments of respective object types to roles of this role class are allowed in general.

  • Direct assignments allowed: Use this option to specify whether respective object types can be assigned directly to roles of this role class. Set this option if, for example, resources are assigned to departments, cost centers, or locations over the assignment form in the Manager.

    NOTE: If this option is not set, the assignment of each object type is only possible through requests in the IT Shop, dynamic roles, or system roles.

Example:

To assign identities directly to a business role in the Manager, enable the Assignment allowed and the Direct assignment allowed options on the Identities entry in the Business role role class.

If identities can only obtain membership in a business role through the IT Shop, enable the Assignment allowed option but not the Direct assignment allowed option on the Identities entry in the Business role role class. A corresponding assignment resource must be available in the IT Shop.

To configure assignments to roles of a role class

  1. In the Manager, select role classes in the Business roles > Basic configuration data > Role classes category.

  2. Select the Configure role assignments task.

  3. Use the Allow assignments column to specify whether assignment is generally allowed.

    NOTE: You can only reset the Assignment allowed option if there are no assignments of the respective objects to roles of this role class and none can arise through existing dynamic roles.

  4. Use the Allow direct assignments column to specify whether a direct assignment is allowed.

    NOTE: You can only reset the Direct assignment allowed option if there are no direct assignments of the respective objects to roles of this role class.

  5. Save the changes.

Specifying the direction of inheritance

The direction of inheritance decides the distribution of company resources within a role hierarchy. The direction of inheritance is defined by the role classes.

The direction of inheritance can only be specified when a role class is added.

  • Set Inherited top down to specify top-down inheritance.

  • Set Inherited bottom up to specify bottom-up inheritance.

Detailed information about this topic

Blocking inheritance using business roles

There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The effects of this depend on the chosen direction of inheritance.

  • Roles marked with the Block inheritance option do not inherit any assignments from parent levels in top-down inheritance. It can, however, pass on its own directly assigned company resources to lower level structures.

  • In bottom-up inheritance, the role labeled with the Block inheritance option inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.

To discontinue inheritance for business roles

  1. In the Manager, in the Organizations category, select a business role.

  2. Select the Change main data task.

  3. Set the Block inheritance option.

  4. Save the changes.
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating