Inheritance Exclusion: Specifying Conflicting Roles
Inheritance Exclusion: Specifying Conflicting Roles
You can define conflicting roles to prevent employees, devices or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through these roles. At the same time, you specify which
|
|
NOTE: Only roles, which are defined directly as conflicting roles cannot be assigned to the same employee (device, workdesk). Definitions made on parent or child roles do not affect the assignment. |
Example
The business role B has been entered as conflicting role in business role Jenna Miller and Hans Peter are members of business role A. Louise Lotte is member of business role B. Hans Peters cannot be assigned to business role B. Apart from that, One Identity Manager also prevents Jenna Miller from being assigned to business role B and Louise Lotte to business role A.
Figure 12: Members in Conflicting Roles
To configure inheritance exclusion
- Set the configuration parameter "QER\Structures\ExcludeStructures" in the Designer and compile the database.
Related Topics
Basic Data for Structuring Business Roles
The following basic information is relevant for building up hierarchical roles in One Identity Manager.
- Configuration Parameter
Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.
Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in the category Base data | General | Configuration parameters in the Designer.
- Roles Classes
Role classes form the basis of mapping from hierarchical roles in the One Identity Manager. Role classes are used to group similar roles together.
- Role Types
Create role types in order to classify roles. Roles types can be used to map roles in the user interface, for example.
- Functional areas
To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to roles. You can enter criteria that provide information about risks from rule violations for functional areas and roles.
- Attestors
- Approvers and Approvers (IT)
Detailed information about this topic
Role Classes
Roles Classes
Business roles are grouped by role class in the navigation view. Each business role is assigned to exactly one role class. You must define suitable role classes before you can add business roles.
To edit role classes
- Select the category Business roles | Basic configuration data | Role classes.
- Select the role class in the result list. Select Change master data in the task view.
- OR -
Click
in the result list toolbar.
- Edit the role class's master data.
- Save the changes.
Enter the following master data for a role class.
|
Property |
Description | ||
|---|---|---|---|
|
Role classes |
Role class description The role class is displayed under this name in the navigation view. | ||
|
Attestors |
Applications role whose members are authorized to approve attestation instances for all roles in this role class. To create a new application role, click
| ||
|
Description |
Spare text box for additional explanation. | ||
|
Inherited top down |
Direction of inheritance top-down. | ||
|
Inherited bottom-up |
Direction of inheritance bottom-up | ||
|
Delegable |
Specifies whether memberships in roles of this role class can be delegated. | ||
|
Assignment allowed |
Specifies whether assignments of respective object types to roles of this role class are allowed in general. | ||
|
Assignment not allowed |
Specifies whether respective object types can be assigned directly to roles of this role class. |
Related Topics
- Direction of Inheritance within a Hierarchy
- Permit Assignments of Employees, Devices, Workdesks and Company Resources
Role Types
Create role types in order to classify roles. Roles types can be used to map roles in the user interface, for example.
To edit role types
- Select the category Business roles | Basic configuration data | Role types.
- Select the role type in the result list. Select Change master data in the task view.
- OR -
Click
- Edit the role type's master data.
- Save the changes.
Enter the following master data for a role type:
| Property | Description |
|---|---|
| Role type | Role type description |
| Description | Spare text box for additional explanation. |