Installed Module: System Roles Module
You can define One Identity Manager products as a collection of different groups, roles or profiles in SAP. SAP products are system roles with the system role type "SAP product". Employees can obtain SAP products directly, inherit them through hierarchical roles or request them in the IT Shop.
The employee’s user account is assigned the groups, roles and profiles in the SAP product independent of the assignment method. If an SAP product changes by adding or removing a group, role or a profile in One Identity Manager, user account memberships are changed accordingly.
To edit SAP products
- OR -
Click in the result list toolbar.
This opens the master data form for a system role.
Configuration parameter | Active Meaning |
---|---|
QER\CalculateRiskIndex | Preprocessor relevant configuration parameter controlling system components for calculating an employee's risk index. Changes to the parameter require recompiling the database. If the parameter is set, values can be entered and calculated for the risk index. |
Enter the following data for a system role.
Property | Description |
---|---|
Display Name | Name for displaying the system roles in One Identity Manager tools. |
System role | Unique identifier for the system role. |
Internal product names | An additional internal name for the system role. |
System role type | Specifies the type of company resources that make up the system role. |
Service item | In order to use a service item within the IT Shop, assign a service item to it or add a new service item. For more information about service items, see the One Identity Manager IT Shop Administration Guide. |
System role manager | You can assign any employee to be a manager for the system role. This employee can edit system role master data. They can be used as attestors for system role properties. |
Share date | Specify a date for enabling the system role. If the date is in the future, the system role is considered to be disabled. If the date is reached, the system role is enabled. Employees inherit company resources that are assigned to the system role. If the share date is exceeded or no date is entered, the system role is handled as an enabled system role. Company resource inheritance can be controlled with the option Disabled in these cases. |
Risk index (calculated) | Maximum risk index values for all company resources. This property is only visible if the configuration parameter "QER\CalculateRiskIndex" is set. For more information about calculating risk indexes, see the One Identity Manager Risk Assessment Administration Guide. |
Comment | Spare text box for additional explanation. |
Remarks | Spare text box for additional explanation. |
Description | Spare text box for additional explanation. |
Disabled | Specifies whether employees inherit the company resources contained in the system role. If the option is set, the system role can be assigned to employees. However, they cannot inherit the company resources contained in the system role. If the option is not set, the employees that are assigned the system role immediately inherit company resources allocated to the system role. If the option is enabled at a later date, existing assignments are removed. |
IT Shop | Specifies whether the system role can be requested through the IT Shop. This system role can be requested by staff through the Web Portal and the request granted by a defined approval procedure. The system role can still be assigned directly to employees and hierarchical roles. For more information about the IT Shop, see the One Identity Manager IT Shop Administration Guide. |
Only for use in IT Shop | Specifies whether the system role can only be requested through the IT Shop. This system role can be requested by staff through the Web Portal and the request granted by a defined approval procedure. The system role may not be assigned directly to hierarchical roles. |
Spare field no. 01 ... Spare field no. 10 | Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields. |
For more detailed information about system roles, see the One Identity Manager System Roles Administration Guide.
SAP products can be assigned directly or indirectly to employees. In the case of indirect assignment, employees and SAP products are arranged in hierarchical roles. The number of SAP products assigned to an employee is calculated from the position in the hierarchy and the direction of inheritance.
If you add an employee to roles and that employee owns a user account, the user account is added to all groups, roles or profiles included in the SAP products owned by the employee. The groups, roles or profiles are not inherited if the SAP product is disabled or if the share date is still in the future.
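The inheritance rules described above, modelled as an added example (this is not One Identity Manager code): it computes the SAP memberships a user account should hold from the employee's SAP products, whatever the assignment method, and goes one step further by comparing them with the memberships actually present, as an access review would. All class, function and SAP object names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class SapProduct:
    name: str
    # SAP group, role or profile name -> risk index of that company resource
    entitlements: dict = field(default_factory=dict)
    disabled: bool = False             # the "Disabled" option
    share_date: Optional[date] = None  # "Share date"; None means no date entered


def is_inherited(product, today):
    """Resources are inherited unless the product is disabled or its share date is in the future."""
    if product.disabled:
        return False
    return product.share_date is None or product.share_date <= today


def risk_index(product):
    """Calculated risk index: the maximum over the contained company resources."""
    return max(product.entitlements.values(), default=0.0)


def expected_memberships(assignments, today):
    """assignments: (method, product) pairs; the method does not affect the result."""
    expected = set()
    for _method, product in assignments:
        if is_inherited(product, today):
            expected |= set(product.entitlements)
    return expected


def drift(expected, actual):
    """Memberships the account lacks, and memberships it holds without a basis."""
    return {"missing": sorted(expected - actual), "unexpected": sorted(actual - expected)}


# Constructed sample data (names and values are illustrative only).
TODAY = date(2023, 6, 1)
FINANCE = SapProduct("Finance reporting", {"Z_FI_DISPLAY": 0.2, "Z_FI_REPORT": 0.4})
PURCHASING = SapProduct("Purchasing", {"Z_MM_BUYER": 0.7}, disabled=True)
AUDIT = SapProduct("Audit", {"Z_AUDIT_ALL": 0.9}, share_date=date(2023, 9, 1))
ASSIGNMENTS = [("direct", FINANCE), ("hierarchical role", PURCHASING),
               ("IT Shop request", AUDIT), ("hierarchical role", FINANCE)]
ACTUAL = {"Z_FI_DISPLAY", "Z_MM_BUYER"}  # memberships read from the SAP user account

if __name__ == "__main__":
    print(drift(expected_memberships(ASSIGNMENTS, TODAY), ACTUAL))
```
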
Prerequisites for indirect assignment:
Furthermore, IT Shop products can be assigned to employees through SAP requests. SAP products can be assigned through IT Shop requests by adding employees to a shop as customers. All SAP products assigned to this shop can be requested by the customers. Requested SAP products are assigned to the employees after approval is granted.
Assign SAP products to departments, cost centers and locations in order to assign employees to them through these organizations.
To assign an SAP product to departments, cost centers or locations
- OR -
Remove the organizations in Remove assignments.
© 2023 One Identity LLC. ALL RIGHTS RESERVED.