Managing Business Roles
Business roles map company structures with similar functionality that exist in addition to departments, cost centers, and locations. This might be projects groups, for example. Various company resources can be assigned to business roles, for example, authorizations in different SAP systems or applications. You can add employees to single business roles as members. Employees obtain their company resources through these assignments when the One Identity Manager is appropriately configured.
The One Identity Manager components for managing business roles are available if the configuration parameter "QER/Org" is set.
- Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.
One Identity Manager Users for Business Roles
One Identity Manager Users for Business Roles
The following users are used for managing business roles.
| User | Task | ||
|---|---|---|---|
|
Business roles administrators |
Administrators must be assigned to the application role Identity Management | Business roles | Administrators. Users with this application role:
| ||
|
One Identity Manager administrators
|
| ||
|
Business Role Attestors
|
Attestors must be assigned to the application role Identity Management | Business roles | Attestors or a child application role. Users with this application role:
|
Hierarchical Role Structure Basics
Hierarchical Role Structure Basics
Hierarchies can either be created following the top-down or the bottom-up model in the One Identity Manager. In the top-down model, roles are defined based on the area of activity and the company resources required to fulfill the activities are assigned to the roles. In the case of the bottom-up model, company resource assignments are analyzed and the roles result from this.
Direction of Inheritance within a Hierarchy
The direction of inheritance decides the distribution of company resources within a hierarchy. One Identity Manager knows basically two directions of inheritance:
- Top-down inheritance
The default structure within a company is realized through top-down inheritance in One Identity Manager. With its help, a company’s multilevel form can be represented with main departments and respective subdepartments.
- Bottom-up inheritance
Where as in "top-down" inheritance assignments are inherited in the direction of more detailed classifications, "bottom-up" inheritance operates in the other direction. This inheritance direction was introduced to map project groups in particular. The aim being, to provide someone coordinating several project groups with the company resources in use by each of the project groups.
The effect on the allocation of company resources is explained in the following example for assigning an application.
Example for Assigning Company Resources Top-Down
In the diagram above a section of a company’s structure is illustrated. Applications assigned to the respective departments are also entered. An employee in retail is assigned all the applications that are allocated to their department and all those on the full structure path. In this case that is internet software, address administration, mail, and text editing.
Figure 1: Assignment through Top-Down Inheritance
Example for Assigning Company Resources Bottom-Up
The next figure shows bottom-up inheritance based on a project framework. Applications assigned to the respective project groups are also entered. An employee from the project group "Project lead" receives applications from the project group as well as those from the projects groups below. In this case, it is project management, CASE tool, development environment, assembler tool and prototyping tool.
Figure 2: Assignment through Bottom-Up Inheritance
