Assigned employees obtain all the write permissions of the permissions group to which the application role (or a parent application role) is assigned. In addition, employees obtain the company resources assigned to the application role. If no employees are directly assigned to an application role, it inherits the employees of its parent application role.
|NOTE: The application roles Base roles | Everyone (Change), Base roles | Everyone (Lookup), Base roles | Employee Managers and Base roles | Birthright Assignments are assigned to employees automatically. Do not make any manual assignments to these application roles.|
To assign employees to an application role
- OR -
Remove employees from Remove assignments.
For role-based login, the application roles require a link to a permissions group in which write permissions for One Identity Manager are defined. The application role is given access permissions of the associated permissions group. If there is no permissions group assigned, the application role gets write permissions from the parent application role.
Different role-based authentication modules are available for role-based login to the One Identity Manager tools. During login with role-based authentication, the employee's memberships in application roles are determined first. The assignments of permissions groups to application roles are then used to determine which permissions groups apply to the employee. A dynamic system user is derived from these permissions groups and used for the employee's login.
Some of the default application roles are already assigned permissions groups. The permissions groups have write permissions to tables and columns and are equipped with menu items, forms, methods and program functions for editing application data with the Manager and the Web Portal.
You can assign customized permissions groups to application roles so that the write permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.
|NOTE: You can simplify grouping of permissions by using hierarchical linking of permissions groups. Permissions from hierarchical permissions groups are inherited from top to bottom. That means that a permissions group contains all the permissions belonging to its parent permissions groups.|
Proceed as follows:
|NOTE: Set the option Only use for role-based authentication.|
The default permissions group must be assigned as a subgroup. This means that the new permissions group inherits the properties.
If a user logs into the Manager or the Web Portal with an application role altered in this way, they get the custom-defined edit permissions in addition to the default permissions for this application role.
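The resolution rules described above (employees inherited from a parent application role, the permissions group taken from the parent application role when none is linked, and permissions inherited down a hierarchy of permissions groups) can be modelled in a few lines. The following is an added example and not One Identity Manager code; the class and object names are my own, and `missing_from_custom` implements the check that a custom permissions group still carries every write permission of the default group it replaces.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class PermissionsGroup:
    name: str
    permissions: set[str]                    # write permissions defined on the group itself
    parent: PermissionsGroup | None = None   # hierarchical link; permissions inherit top-down
    def effective_permissions(self) -> set[str]:
        perms = set(self.permissions)
        if self.parent is not None:
            perms |= self.parent.effective_permissions()
        return perms

@dataclass
class ApplicationRole:
    name: str
    parent: ApplicationRole | None = None
    permissions_group: PermissionsGroup | None = None  # link required for role-based login
    members: set[str] = field(default_factory=set)      # directly assigned employees
    def resolve_group(self) -> PermissionsGroup | None:
        role = self  # no group on this role: fall back to the parent application role's group
        while role is not None and role.permissions_group is None:
            role = role.parent
        return role.permissions_group if role is not None else None

    def effective_members(self) -> set[str]:
        # Members of the parent role are inherited only if nobody is assigned directly.
        if not self.members and self.parent is not None:
            return self.parent.effective_members()
        return set(self.members)

def write_permissions(employee: str, roles: list[ApplicationRole]) -> set[str]:
    """Union of the effective permissions of every group reached via the employee's roles."""
    perms: set[str] = set()
    for role in roles:
        group = role.resolve_group()
        if group is not None and employee in role.effective_members():
            perms |= group.effective_permissions()
    return perms

def missing_from_custom(custom: PermissionsGroup, default: PermissionsGroup) -> set[str]:
    """Default-group write permissions that a custom replacement group lacks (must be empty)."""
    return default.effective_permissions() - custom.effective_permissions()
# Constructed sample data; the names are illustrative, not default One Identity Manager objects.
PG_BASE = PermissionsGroup("PG_Base", {"Person.read"})
PG_IT_DEFAULT = PermissionsGroup("PG_IT_Default", {"Person.write", "Account.write"}, parent=PG_BASE)
PG_IT_CUSTOM = PermissionsGroup("PG_IT_Custom", {"Account.write"}, parent=PG_BASE)  # lacks Person.write
IT_ADMIN = ApplicationRole("IT Admin", permissions_group=PG_IT_DEFAULT, members={"alice"})
IT_HELPDESK = ApplicationRole("IT Helpdesk", parent=IT_ADMIN)  # no group and no direct members
```

With this data, `IT Helpdesk` resolves to `PG_IT_Default` and inherits `alice` from `IT Admin`, while `missing_from_custom(PG_IT_CUSTOM, PG_IT_DEFAULT)` reports the forgotten `Person.write`.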
For detailed information about creating permissions groups and editing entitlements, see the One Identity Manager Configuration Guide.
After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.
Use this task to assign employees to an application role through dynamic roles. For more detailed information about using dynamic roles, see the One Identity Manager Identity Management Base Module Administration Guide.
|NOTE: The task Create dynamic role is only available for application roles that do not have the Dynamic roles not allowed option set.|
To create a dynamic role
This is preset with the selected application role. If these objects fulfill the dynamic role conditions, they become members in the application role.
The dynamic role identifier is made up by default of the object class and the full name of the application role.
To edit a dynamic role
Application roles are grouped by category in the navigation. Only the application roles that you are allowed to edit are shown.