Inheritance Exclusion: Specifying Conflicting Roles

Inheritance Exclusion: Specifying Conflicting Roles

You can define conflicting roles to prevent employees, devices or workdesks from being assigned to several roles at the same time and from obtaining mutually exclusive company resources through these roles. At the same time, you specify which business roles need to be mutually exclusive. This means you may not assign these roles to one and the same employee (device, workdesk).

Example

The business role B has been entered as conflicting role in business role Jenna Miller and Hans Peter are members of business role A. Louise Lotte is member of business role B. Hans Peters cannot be assigned to business role B. Apart from that, One Identity Manager also prevents Jenna Miller from being assigned to business role B and Louise Lotte to business role A.

Figure 12: Members in Conflicting Roles

To configure inheritance exclusion

• Set the configuration parameter "QER\Structures\ExcludeStructures" in the Designer and compile the database.

Related Topics

• Define Inheritance Exclusion for Business Roles

Basic Data for Structuring Business Roles

The following basic information is relevant for building up hierarchical roles in One Identity Manager.

• Configuration Parameter

  Use configuration parameters to configure the behavior of the system's basic settings. One Identity Manager provides default settings for different configuration parameters. Check the configuration parameters and modify them as necessary to suit your requirements.

  Configuration parameters are defined in the One Identity Manager modules. Each One Identity Manager module can also install configuration parameters. You can find an overview of all configuration parameters in the category Base data | General | Configuration parameters in the Designer.

• Roles Classes

  Role classes form the basis of mapping from hierarchical roles in the One Identity Manager. Role classes are used to group similar roles together.

• Role Types

  Create role types in order to classify roles. Roles types can be used to map roles in the user interface, for example.

• Functional areas

  To analyze rule checks for different areas of your company in the context of identity audit, you can set up functional areas. Functional areas can be assigned to roles. You can enter criteria that provide information about risks from rule violations for functional areas and roles.

• Attestors

  In One Identity Manager, you can assign employees to business roles that can be brought in as attestors in attestation cases when the approval workflow is set up accordingly. To do this, assign the business roles to application roles for attestors. A default application role for attestors is available in One Identity Manager. Assign employees that are authorized to attest permissions, requests or other data stored in the One Identity Manager to this application role. You may create other application roles as required. For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.

• Approvers and Approvers (IT)

  In One Identity Manager, you can assign employees to business roles that can be brought in as approvers in approval procedures for IT Shop requests when the approval workflow is set up accordingly. To do this, assign the business roles to application roles for approvers. Default application roles for approvers and approvers (IT) are available in One Identity Manager. Assign employees that are authorized to approve requests in the IT Shop to this application role. You may create other application roles as required. For more detailed information about implementing and editing application roles, see the One Identity Manager Application Roles Administration Guide.

Detailed information about this topic

• Roles Classes
• Role Types
• Functional areas
• Attestors
• Approvers and Approvers (IT)

Role Classes

Roles Classes

Business roles are grouped by role class in the navigation view. Each business role is assigned to exactly one role class. You must define suitable role classes before you can add business roles.

To edit role classes

1. Select the category Business roles | Basic configuration data | Role classes.
2. Select the role class in the result list. Select Change master data in the task view.

   - OR -

   Click in the result list toolbar.

3. Edit the role class's master data.
4. Save the changes.

Enter the following master data for a role class.

Related Topics

• Direction of Inheritance within a Hierarchy
• Permit Assignments of Employees, Devices, Workdesks and Company Resources

Role Types

Create role types in order to classify roles. Roles types can be used to map roles in the user interface, for example.

To edit role types

1. Select the category Business roles | Basic configuration data | Role types.
2. Select the role type in the result list. Select Change master data in the task view.

   - OR -

   Click in the result list toolbar.

3. Edit the role type's master data.
4. Save the changes.

Enter the following master data for a role type: