
Identity Manager 8.0.5 - System Roles Administration Guide

Managing System Roles

System roles make it easier to assign company resources that are frequently required or that are always assigned together. For example, new employees in the finance department should be provided, by default, with certain system entitlements for Active Directory and for SAP R/3. To avoid a lot of separate assignments, group these company resources into a package and assign the package to the new employee. These packages are referred to as system roles in One Identity Manager.

Using system roles, you can group together arbitrary company resources. You can assign these system roles to employees, workdesks or roles or you can request them through the IT Shop. Employees and workdesks inherit company resources assigned to the system roles. You can structure system roles by assigning other system roles to them.

One Identity Manager components for managing system roles are available if the configuration parameter "QER/ESet" is set.

  • Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.

One Identity Manager Users for Managing System Roles

The following users are used for managing system roles.

Table 1: Users

User: Employee responsible for individual company resources
Tasks:
The users are defined using different application roles for administrators and managers.
Users with these application roles:
  • Create and edit system roles.
  • Assign system roles to departments, cost centers, locations, business roles or the IT Shop.
  • Assign system roles to employees.
  • Assign system roles to workdesks.

User: One Identity Manager administrators
Tasks:
  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configure schedules, as required.
  • Create and configure password policies, as required.

Basics for Calculating Inheritance

Any number of company resources and other system roles can be assigned to system roles. This means you can structure system roles hierarchically. The assignments are mapped in the table ESetHasEntitlement. The system role hierarchy is mapped through the relation UID_ESet - Entitlement and is stored in the table ESetCollection, which lists all the system roles that a given system role inherits from. Each role also inherits from itself.

The following relations apply in the table ESetCollection:

  • UID_ESet is the system role that inherits.
  • It inherits from the system role UID_ESetChild.

The table ESetHasEntitlement contains the direct assignments (XOrigin = 1) and all system roles that are assigned to the child system roles (XOrigin = 2). The company resources that are assigned to a child system role are not resolved until inheritance for employees, workdesks and hierarchical roles is calculated.
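The following sketch models the two tables described above so that an access reviewer can see what a nested system role ultimately grants. It is an added example, not One Identity Manager code: the role and resource names, the "SR_" naming convention and the handling of a pair that is both direct and inherited are assumptions of the sketch.

```python
# Constructed sample: direct assignments only. Names starting with "SR_" are
# system roles (naming convention of this sketch); the rest are company resources.
DIRECT = {
    "SR_Finance": ["SR_SAP_Basic", "AD:Finance-Share"],
    "SR_SAP_Basic": ["SR_Base", "SAP:FI_DISPLAY"],
    "SR_Base": ["AD:All-Staff"],
}

def is_role(name):
    return name.startswith("SR_")

def eset_collection(direct):
    """(UID_ESet, UID_ESetChild) pairs: every role a role inherits from, itself included."""
    roles = set(direct) | {e for ents in direct.values() for e in ents if is_role(e)}
    rows = set()
    for role in roles:
        stack, seen = [role], set()
        while stack:  # iterative walk; 'seen' also makes a cyclic nesting terminate
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(e for e in direct.get(cur, []) if is_role(e))
        rows.update((role, child) for child in seen)
    return rows

def eset_has_entitlement(direct):
    """{(role, entitlement): XOrigin} with 1 = direct, 2 = system role held by a child role."""
    rows = {(role, e): 1 for role, ents in direct.items() for e in ents}
    for role, child in eset_collection(direct):
        if child != role:
            for e in direct.get(child, []):
                if is_role(e):  # a child's company resources are NOT copied up here
                    # Sketch's choice: a pair already recorded as direct stays 1.
                    rows.setdefault((role, e), 2)
    return rows

def effective_resources(role, direct):
    """Company resources resolved when inheritance is calculated for a holder of `role`."""
    return sorted({e for r, c in eset_collection(direct) if r == role
                   for e in direct.get(c, []) if not is_role(e)})

if __name__ == "__main__":
    for (role, ent), origin in sorted(eset_has_entitlement(DIRECT).items()):
        print(f"{role:13} {ent:17} XOrigin={origin}")
    print(effective_resources("SR_Finance", DIRECT))
```

Comparing the output of effective_resources with the direct rows for the same role shows how much access a single system role assignment carries through nesting.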

Technical Details of Calculating Inheritance

Objects assigned through inheritance are calculated by the DBQueue Processor. Tasks are added to the DBQueue when assignments relevant to inheritance are made. These tasks are processed by the DBQueue Processor and result in follow-on tasks for the DBQueue or in processes for the process component "HandleObjectComponent" in the Job queue. Resulting assignments of permissions to user accounts in the target system are inserted, modified or deleted during process handling.

Figure 1: Overview of Inheritance Calculation
