Chat now with support
Chat with Support

Identity Manager 8.0 - Business Roles Administration Guide

Managing Business Roles Role Mining in One Identity Manager

Secondary Assignment

You make a secondary assignment by classifying an employee, a device or a workdesk within a role hierarchy. Secondary assignment is the default method for assigning and inheriting company resources through roles. Specify on the role classes whether a secondary assignment of company resources to employees, device and workdesk is possible.

Figure 7: Secondary Assignment Inheritance Schema

Related Topics

Primary Assignment

Primary Assignment

You make a primary assignment by referencing a business role through a foreign key to the employee, device and workdesk objects. To do this, you use input fields for roles on the employee, device and workdesk master data forms. Primary assignment inheritance can be enable through configuration parameters. Primary assignment is enabled by default for employee objects.

Figure 8: A Primary Assignment Schema

NOTE: Changes to the configuration parameter result in the inheritance data being recalculated! That means: if the primary assignment is disabled at a later date, the inheritance data created in this way will be removed from the database.
Table 2: Configuration Parameters for Primary Assignment

Configuration Parameter

Active Meaning

QER\Structures\Inherite\Person

Employees can inherit through primary assignments.

QER\Structures\Inherite\Person\FromOrg

Employees inherit assignments from their primary business role (Person.UID_Org).

QER\Structures\Inherite\Hardware

Devices can inherit through primary assignments.

QER\Structures\Inherite\Hardware\FromOrg

Devices inherit assignments from their primary business role (Hardware.UID_Org).

QER\Structures\Inherite\Workdesk

Workdesks can inherit though primary assignment.

QER\Structures\Inherite\Workdesk\FromOrg

Workdesks inherit assignments from their primary business role (Workdesk.UID_Org).

Assigning through Dynamic Roles

Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Employees, devices and workdesks are not permanently assigned to a role, just when they fulfill certain conditions. A check is performed regularly to assess which employees, devices or workdesks fulfill these conditions. The means the role memberships change dynamically. For example, company resources can be assigned dynamically to all employees in a business role in this way; if an employee leaves the business role they immediately lose the resources assigned to them.

Assigning through IT Shop Requests

Assigning through IT Shop Requests

Assignment through the IT Shop is a special case of indirect assignment. Add employees to a shop as customers so that company resources can be assigned through IT Shop requests. All company resources assigned as product to this shop can be requested by the customers. Requested company resources are assigned to the employees after approval is granted. Role memberships can be requested through the IT Shop as well as company resources.

Figure 9: Assignment Schema through Requests

Related Documents