Identity Manager 8.0.1 - Business Roles Administration Guide

Possible Company Resource Assignments

Employees, devices and workdesks can inherit company resources though indirect assignment. To do this, employees, devices and workdesks may be members of as many roles as required. Employees, devices and workdesks obtain the necessary company resources through defined rules.

To assign company resources to roles, apply the appropriate tasks to the roles.

The following table shows the possible assignments of company resources to employees, workdesks and devices using roles.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.
Table 5: Possible Assignments of Company Resources through Roles

| Assignable company resource | Members in roles: Employees | Members in roles: Workdesks |
|---|---|---|
| Resources | possible | - |
| Account definitions | possible | |
| Groups of custom target systems | possible (assigns to all an employee's custom defined target system user accounts for which group inheritance is authorized) | - |
| Active Directory groups | possible (assigns to all an employee's Active Directory user accounts and Active Directory contacts for which group inheritance is authorized) | - |
| SharePoint groups | possible (assigns to all an employee's SharePoint user accounts) | - |
| SharePoint roles | possible (assigns to all an employee's SharePoint user accounts) | - |
| LDAP groups | possible (assigns to all an employee's LDAP user accounts for which group inheritance is authorized) | - |
| Notes groups | possible (assigns to all an employee's Notes user accounts) | - |
| SAP groups | possible (assigns to all an employee's SAP user accounts in the same SAP client) | - |
| SAP profiles | possible (assigns to all an employee's SAP user accounts in the same SAP client) | - |
| SAP roles | possible (assigns to all an employee's SAP user accounts in the same SAP client) | - |
| Structural profiles | possible (assigns to all an employee's SAP user accounts in the same SAP client) | - |
| BI analysis authorizations | possible (assigns to all an employee's BI user accounts in the same system) | - |
| Azure Active Directory groups | possible (assigns to all an employee's Azure Active Directory user accounts for which group inheritance is authorized) | - |
| Azure Active Directory administrator roles | possible (assigns to all an employee's Azure Active Directory user accounts for which group inheritance is authorized) | - |
| Azure Active Directory subscriptions | possible (assigns to all an employee's Azure Active Directory user accounts for which group inheritance is authorized) | - |
| Disabled Azure Active Directory service plans | possible (assigns to all an employee's Azure Active Directory user accounts for which group inheritance is authorized) | - |
| Unix groups | possible (assigns to all an employee's Unix groups) | - |
| System roles | possible | possible |
| Subscribable reports | possible | - |
| Applications | possible | possible |


Permit Assignments of Employees, Devices, Workdesks and Company Resources

The default method for assigning company resources is through secondary assignment. For this, employees, devices and workdesks as well as company resources are added to roles through secondary assignment.

Secondary assignment of objects to the roles of a role class is controlled by the following options:

  • Assignments allowed

    This option specifies whether assignments of respective object types to roles of this role class are allowed in general.

  • Direct assignments allowed

    Use this option to specify whether the respective object types can be assigned directly to roles of this role class. Set this option if, for example, resources are to be assigned to departments, cost centers or locations via the assignment form in the Manager.

    NOTE: If this option is not set, the assignment of each object type is only possible through requests in the IT Shop or through dynamic roles.

Example

To assign employees in Manager directly to a business role, set the option Assignment allowed and the option Direct assignment allowed on the role class "business role" for the entry "employees".

If employees can only obtain membership in a business role through the IT Shop, set the option Assignment allowed but not the option Direct assignment allowed on the role class "business role" for the entry "employees". A corresponding assignment resource must be available in the IT Shop.

To configure secondary assignment to roles of a role class

  1. Select the role class under Basic configuration data | Role classes.
  2. Select the task Configure role assignments.
  3. Use the column Allow assignments to specify whether assignment is generally allowed.

    NOTE: You can only reset the option Assignment allowed if there are no assignments of the respective objects to roles of this role class and none can arise through existing dynamic roles.
  4. Use the column Allow direct assignments to specify whether a direct assignment is allowed.

    NOTE: You can only reset the option Direct assignment allowed if there are no direct assignments of the respective objects to roles of this role class.
  5. Save the changes.

Specifying the Direction of Inheritance

The direction of inheritance decides the distribution of company resources within a role hierarchy. The direction of inheritance is defined by the role classes.

The direction of inheritance can only be specified when a role class is added.

  • Set the option Inherited top down to specify top-down inheritance.
  • Set the option Inherited bottom up to specify bottom-up inheritance.

Using Business Roles to Limit Inheritance

There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The effects of this depend on the chosen direction of inheritance.

  • In top-down inheritance, roles marked with the option Block inheritance do not inherit any assignments from parent levels. They can, however, pass their own directly assigned company resources on to lower-level structures.
  • In bottom-up inheritance, a role marked with the option Block inheritance inherits all assignments from lower levels of the hierarchy. However, it does not pass any assignments further up the hierarchy.

To discontinue inheritance

  1. Open the role's master data form.

  2. Set the option Block inheritance.
  3. Save the changes.

Company resource inheritance can also be temporarily prevented for single roles. You can use this behavior, for example, to first assign all required company resources to a role. The company resources are not inherited until inheritance is permitted for the role again, for example, by running a defined approval process.

To prevent a role from inheriting

  1. Open the role's master data form.

  2. Set one of the following options:
    • Employees do not inherit
      - OR -
    • Devices do not inherit
      - OR -
    • Workdesks do not inherit
  3. Save the changes.

Inheritance of company resources can be prevented in the same way for single employees, devices or workdesks. You can use this behavior, for example, to correct data after importing employees and only then apply inheritance.

To prevent an employee from inheriting

  1. Open the employee's master data form.

  2. Set the option No inheritance.

    The employee does not inherit company resources through roles.

    NOTE: This option does not affect direct assignments! Company resource direct assignments remain assigned.
  3. Save the changes.

To prevent a device from inheriting

  1. Open the device's master data form.

  2. Set the option No inheritance.

    The device does not inherit company resources through roles.

    NOTE: This option does not affect direct assignments! Company resource direct assignments remain assigned.
  3. Save the changes.

To prevent a workdesk from inheriting

  1. Open the workdesk's master data form.

  2. Set the option No inheritance.

    The workdesk does not inherit company resources through roles.

    NOTE: This option does not affect direct assignments! Company resource direct assignments remain assigned.
  3. Save the changes.
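The following Python model is an added illustration of the inheritance rules described in this section (direction of inheritance, the Block inheritance option on a role, the "do not inherit" options on a role and the No inheritance option on an employee). It is not One Identity Manager code; the role hierarchy, resource names and the assumption that "Employees do not inherit" suppresses every resource a role would otherwise pass to its members are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass
class Role:
    parent: Optional[str] = None               # parent role in the hierarchy
    resources: FrozenSet[str] = frozenset()    # company resources assigned directly to the role
    block_inheritance: bool = False            # option "Block inheritance"
    employees_do_not_inherit: bool = False     # option "Employees do not inherit" (assumed semantics)

@dataclass
class Employee:
    roles: Tuple[str, ...] = ()                # secondary role memberships
    direct: FrozenSet[str] = frozenset()       # direct company resource assignments
    no_inheritance: bool = False               # option "No inheritance" on the employee

def role_resources(roles: Dict[str, Role], name: str, top_down: bool = True) -> FrozenSet[str]:
    """Effective resources of a role under the role class's direction of inheritance."""
    role = roles[name]
    acc = set(role.resources)
    if top_down:
        # Walk upwards: a blocked role still passes its own direct assignments down,
        # but nothing above the blocked role reaches this role.
        cur = role
        while not cur.block_inheritance and cur.parent is not None:
            cur = roles[cur.parent]
            acc |= cur.resources
    else:
        # Collect from the subtree: a blocked child inherits from below itself but
        # passes nothing further up, so its whole subtree is skipped here.
        for child_name, child in roles.items():
            if child.parent == name and not child.block_inheritance:
                acc |= role_resources(roles, child_name, top_down=False)
    return frozenset(acc)

def employee_resources(roles: Dict[str, Role], emp: Employee, top_down: bool = True) -> FrozenSet[str]:
    """Direct assignments always remain; inheritance via roles is subject to both flags."""
    acc = set(emp.direct)
    if not emp.no_inheritance:
        for r in emp.roles:
            if not roles[r].employees_do_not_inherit:
                acc |= role_resources(roles, r, top_down)
    return frozenset(acc)

def sample_hierarchy(block_department: bool = False) -> Dict[str, Role]:
    # Constructed three-level hierarchy: Company > Department > Team
    return {
        "Company": Role(resources=frozenset({"VPN"})),
        "Department": Role("Company", frozenset({"Mail"}), block_department),
        "Team": Role("Department", frozenset({"Wiki"})),
    }
```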