Possible Company Resource Assignments
Employees, devices and workdesks can inherit company resources though indirect assignment. To do this, employees, devices and workdesks may be members of as many roles as required. Employees, devices and workdesks obtain the necessary company resources through defined rules.
To assign company resources to roles, apply the appropriate tasks to the roles.
The following table shows the possible assignments of company resources to employees, workdesks and devices using roles.
|
|
Note: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed. |
| Assignable Company Resource | Members in Roles | |
|---|---|---|
| Employees | Workdesks | |
|
Resources |
possible |
- |
| Account definitions | possible | |
|
Groups of custom target systems |
possible (assigns to all an employee's custom defined target systems user accounts, for which group inheritance is authorized) |
- |
|
Active Directory groups |
possible (assigns to all an employee's Active Directory user accounts and Active Directory contacts, for which group inheritance is authorized) |
- |
|
SharePoint groups |
possible (assigns to all an employee's SharePoint user accounts) |
- |
|
SharePoint roles |
possible (assigns to all an employee's SharePoint user accounts) |
- |
|
LDAP groups |
possible (assigns to all an employee's LDAP user accounts, for which group inheritance is authorized) |
- |
|
Notes groups |
possible (assigns to all an employee's Notes user accounts) |
- |
|
SAP groups |
possible (assigns to all an employee's SAP user accounts in the same SAP client. |
- |
|
SAP profiles |
possible (assigns to all an employee's SAP user accounts in the same SAP client. |
- |
|
SAP roles |
possible (assigns to all an employee's SAP user accounts in the same SAP client. |
- |
|
Structural profiles |
possible (assigns to all an employee's SAP user accounts in the same SAP client. |
- |
|
BI analysis authorizations |
possible (assigns to all an employee's BI user accounts in the same system) |
- |
|
Azure Active Directory groups |
possible (assigns to all an employee's Azure Active Directory user accounts, for which group inheritance is authorized) |
- |
|
Azure Active Directory Administrator Roles |
possible (assigns to all an employee's Azure Active Directory user accounts, for which group inheritance is authorized) |
- |
|
Azure Active Directory Subscriptions |
possible (assigns to all an employee's Azure Active Directory user accounts, for which group inheritance is authorized) |
- |
|
Disabled Azure Active Directory service plans |
possible (assigns to all an employee's Azure Active Directory user accounts, for which group inheritance is authorized) |
- |
|
Unix groups |
possible (assigns to all an employee's Unix groups) |
- |
|
System roles |
possible |
possible |
|
Subscribable reports |
possible |
- |
|
Applications |
possible |
possible |
Related Topics
Permit Assignments of Employees, Devices, Workdesks and Company Resources
The default method for assigning company resources is through secondary assignment. For this, employees, devices and workdesks as well as company resources are added to roles through secondary assignment.
Secondary assignment of objects to role in a role class is defined by the following options:
- Assignment allowed
This option specifies whether assignments of respective object types to roles of this role class are allowed in general.
- Direct assignment allowed
Use this option to specify whether respective object types can be assigned directly to roles of this role class. Set this option if, for example, resources are assigned to departments, cost centers or locations over the assignment form in the Manager.
NOTE: If this option is not set, the assignment of each object type is only possible through requests in the IT Shop or dynamic roles.
Example
To assign employees in Manager directly to a
If employees can only obtain membership in a
To configure secondary assignment to roles of a role class
- Select the role class under Basic configuration data | Role classes.
- Select the task Configure role assignments.
- Use the column Allow assignments to specify whether assignment is generally allowed.
NOTE: You can only reset the option Assignment allowed if there are no assignments of the respective objects to roles of this role class and none can arise through existing dynamic roles. - Use the column Allow direct assignments to specify whether a direct assignment is allowed.
NOTE: You can only reset the option Direct assignment allowed if there are no direct assignments of the respective objects to roles of this role class. - Save the changes.
Specifying the Direction of Inheritance
The direction of inheritance decides the distribution of company resources within a role hierarchy. The direction of inheritance is defined by the role classes.
The direction of inheritance can only be specified when a role class is added.
- Set the option Inherited top down to specify top-down inheritance.
- Set the option Inherited bottom up to specify bottom-up inheritance.
Detailed information about this topic
Using Business Roles to Limit Inheritance
There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The effects of this depend on the chosen direction of inheritance.
- Roles marked with the option Block inheritance do not inherit any assignments from parent levels in top-down inheritance. It can, however, pass on its own directly assigned company resources to lower level structures.
- In bottom-up inheritance, the role labeled with the option Block inheritance inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.
To discontinue inheritance
-
Open the role's master data form.
- Set the option Block inheritance.
- Save the changes.
Company resource inheritance for single roles can be temporarily prevented. You can use this behavior, for example, to assign all required company resources to a role. Inheritance of company resources does not take place, however, unless inheritance is permitted for the role, for example, by running a defined approval process.
To prevent a role from inheriting
-
Open the role's master data form.
- Set the option
- Employees do not inherit
- Devices do not inherit
- OR -
- Workdesks do not inherit
- Save the changes.
Inheritance of company resources can be done in the same way for single employees, devices or workdesks. You can use this behavior to correct data after importing employees before and then apply inheritance.
To prevent an employee from inheriting
-
Open the employee's master data form.
- Set the option No inheritance.
The employee does not inherit company resources through roles.
NOTE: This option does not affect direct assignments! Company resource direct assignments remain assigned. - Save the changes.
To prevent an device from inheriting
-
Open the device's master data form.
- Set the option No inheritance.
The device does not inherit company resources through roles.
NOTE: This option does not affect direct assignments! Company resource direct assignments remain assigned. - Save the changes.
To prevent a workdesk from inheriting
-
Open the workdesk's master data form.
- Set the option No inheritance.
The workdesk does not inherit company resources through roles.
NOTE: This option does not affect direct assignments! Company resource direct assignments remain assigned. - Save the changes.