You can define conflicting roles to prevent employees, devices or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through these roles. At the same time, you specify which
|
NOTE: Only roles, which are defined directly as conflicting roles cannot be assigned to the same employee (device, workdesk). Definitions made on parent or child roles do not affect the assignment. |
The business role B has been entered as conflicting role in business role Jenna Miller and Hans Peter are members of business role A. Louise Lotte is member of business role B. Hans Peters cannot be assigned to business role B. Apart from that, One Identity Manager also prevents Jenna Miller from being assigned to business role B and Louise Lotte to business role A.
Figure 12: Members in Conflicting Roles
To configure inheritance exclusion
The following basic information is relevant for building up hierarchical roles in One Identity Manager.
Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.
Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in the category Base data | General | Configuration parameters in the Designer.
Role classes form the basis of mapping from hierarchical roles in the One Identity Manager. Role classes are used to group similar roles together.
Create role types in order to classify roles. Roles types can be used to map roles in the user interface, for example.
To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to roles. You can enter criteria that provide information about risks from rule violations for functional areas and roles.
Business roles are grouped by role class in the navigation view. Each business role is assigned to exactly one role class. You must define suitable role classes before you can add business roles.
To edit role classes
- OR -
Click in the result list toolbar.
Enter the following master data for a role class.
Property |
Description | ||
---|---|---|---|
Role classes |
Role class description The role class is displayed under this name in the navigation view. | ||
Attestors |
Applications role whose members are authorized to approve attestation instances for all roles in this role class. To create a new application role, click
| ||
Description |
Spare text box for additional explanation. | ||
Inherited top down |
Direction of inheritance top-down. | ||
Inherited bottom-up |
Direction of inheritance bottom-up | ||
Delegable |
Specifies whether memberships in roles of this role class can be delegated. | ||
Assignment allowed |
Specifies whether assignments of respective object types to roles of this role class are allowed in general. | ||
Assignment not allowed |
Specifies whether respective object types can be assigned directly to roles of this role class. |
Create role types in order to classify roles. Roles types can be used to map roles in the user interface, for example.
To edit role types
- OR -
Click in the result list toolbar.
Enter the following master data for a role type:
Property | Description |
---|---|
Role type | Role type description |
Description | Spare text box for additional explanation. |
© 2023 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy