Employees, devices and workdesks can only be members of roles that are extensions of the BaseTree table. These roles are displayed in views, each of which represents a certain section of the table BaseTree.
| View | Meaning |
|---|---|
| Department | Graphical representation of departments |
| Locality | Graphical representation of locations |
| ProfitCenter | Graphical representation of cost centers |
| AERole | Application role mapping |

NOTE: Because the views are sections of the table BaseTree, all the inheritance mechanisms described below also apply to the views.
Inheritance comes from the table BaseTree. The BaseTree table can map any number of hierarchical role structures using the UID_Org - UID_ParentOrg relationship. The complete transitive closure of the tree is stored in the table BaseTreeCollection. As a transitive closure, it lists, for every role, all roles from which that role inherits. For each section of the table BaseTree there is a corresponding so-called collection table containing that section's part of the transitive closure.
The following relations apply in the table BaseTreeCollection:
This principle also applies to bottom-up trees, which pass inheritance from bottom to top, even though the parent relationship in the BaseTree table then appears to be reversed. The reflexive entry (a role related to itself) is also included in the transitive closure as the base element. That means that each role inherits from itself.
Each role in a role hierarchy must be related to the table OrgRoot ("Role classes"). The role class is the anchor for transitive closures, meaning transitive closures are only ever formed within one role class. Roles from different role classes may not be in one and the same role hierarchy or point to each other through a parent-child relationship.
Figure 11: Representation of a Hierarchical Structure with a Transitive Closure using the Example of an OrgCollection
A role inherits everything that is assigned to its parents in the transitive closure, including what is assigned to the role itself. If the number of roles from which the role inherits something changes, the assigned objects are recalculated for all members of this role. If the number of assigned objects of one class changes, the objects assigned in this class are recalculated for all members of the role. If an application is assigned to a parent application, the members of the table BaseTreeHasApp are recalculated.
The members of a role inherit all assignments made to that role (table BaseTree) and to the roles above it in the hierarchy (table BaseTreeCollection), through both primary and secondary role memberships.
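The closure construction and the recalculation trigger described above, as an added example that is not One Identity Manager's own code: it builds a BaseTreeCollection-style closure from UID_Org / UID_ParentOrg rows, includes the reflexive entry, refuses parents from another role class, supports a bottom-up tree by reversing the inheritance direction while the stored parent relationship stays the same, and lists the roles whose members must be recalculated when an assignment on one role changes. The sample rows and UIDs are constructed for the example; `bottom_up` and `roles_to_recalculate` are names chosen here, not product API.

```python
"""Transitive closure of a BaseTree-style role hierarchy.

Added example, not One Identity Manager code. Rows mimic the columns
UID_Org, UID_ParentOrg and UID_OrgRoot of the BaseTree table; the sample
UIDs and the function names are constructed for this example.
"""
from collections import defaultdict, deque


class RoleHierarchyError(ValueError):
    """Structures the text rules out: parents in another role class, unknown
    parents, or a parent chain that loops back on itself."""


def build_collection(base_tree, bottom_up=False):
    """Return {UID_Org: frozenset of roles it inherits from}.

    base_tree: iterable of (uid_org, uid_parent_org or None, uid_org_root).
    Each role is part of its own closure (reflexive base element). With
    bottom_up=True inheritance runs from children to parents while the
    parent relationship stays as stored.
    """
    parent, role_class = {}, {}
    for uid, uid_parent, uid_root in base_tree:
        parent[uid] = uid_parent
        role_class[uid] = uid_root

    # Direct inheritance edges: role -> roles it inherits from.
    inherits_from = defaultdict(set)
    for uid, uid_parent in parent.items():
        if uid_parent is None:
            continue
        if uid_parent not in parent:
            raise RoleHierarchyError(f"{uid}: parent {uid_parent} does not exist")
        if role_class[uid_parent] != role_class[uid]:
            raise RoleHierarchyError(
                f"{uid} ({role_class[uid]}) has parent {uid_parent} "
                f"in role class {role_class[uid_parent]}")
        if bottom_up:
            inherits_from[uid_parent].add(uid)
        else:
            inherits_from[uid].add(uid_parent)

    closure = {}
    for uid in parent:
        seen = {uid}                      # reflexive entry: inherits from itself
        queue = deque([uid])
        while queue:
            current = queue.popleft()
            for source in inherits_from[current]:
                if source == uid:
                    raise RoleHierarchyError(f"inheritance cycle through {uid}")
                if source not in seen:
                    seen.add(source)
                    queue.append(source)
        closure[uid] = frozenset(seen)
    return closure


def roles_to_recalculate(closure, changed_role):
    """Roles whose members need recalculation after an assignment on
    changed_role changes: every role with changed_role in its closure."""
    return {uid for uid, sources in closure.items() if changed_role in sources}


# Constructed sample: one department tree and one location, two role classes.
SAMPLE_BASE_TREE = [
    ("DEP-ROOT", None, "ORGROOT-DEPARTMENT"),
    ("DEP-IT", "DEP-ROOT", "ORGROOT-DEPARTMENT"),
    ("DEP-IT-SEC", "DEP-IT", "ORGROOT-DEPARTMENT"),
    ("DEP-HR", "DEP-ROOT", "ORGROOT-DEPARTMENT"),
    ("LOC-BERLIN", None, "ORGROOT-LOCALITY"),
]

if __name__ == "__main__":
    top_down = build_collection(SAMPLE_BASE_TREE)
    for uid, sources in sorted(top_down.items()):
        print(uid, "inherits from", sorted(sources))
    print("recalculate after change on DEP-IT:",
          sorted(roles_to_recalculate(top_down, "DEP-IT")))
```

In the top-down sample, DEP-IT-SEC inherits from DEP-IT, DEP-ROOT and itself; with `bottom_up=True` the same rows make DEP-ROOT inherit from every department below it, which is why a cross-class parent such as a location pointing at DEP-ROOT is rejected before any closure is built.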
When inheritance is calculated, an entry is made for each assignment in the corresponding assignment table. Each table in which assignments are mapped has a column XOrigin. The origin of an assignment is stored in this column as a bit field. Each time an entry is made in the assignment table, the bit position allocated to that assignment type is set. Each assignment type changes only its own bit position, so an assignment that is both inherited and directly assigned keeps both bits, and removing one origin leaves the other bits untouched.
That means:
- Bit 0: directly assigned
- Bit 1: indirectly assigned (inherited through the role hierarchy)
- Bit 2: assigned through a dynamic role
- Bit 3: assignment request
The column XIsInEffect shows whether an assignment is in effect. For example, if an employee is disabled, marked for deletion or classified as a security risk, inheritance of company resources can be prohibited for this employee. The group assignment is maintained, but it is not put into effect.
The DBQueue Processor monitors changes to the column XOrigin. The column XIsInEffect is recalculated whenever the value in XOrigin changes.
| Bit 3 | Bit 2 | Bit 1 | Bit 0 | Value in XOrigin | Meaning |
|---|---|---|---|---|---|
| 0 | 0 | 0 | 1 | 1 | Only directly assigned. |
| 0 | 0 | 1 | 0 | 2 | Only indirectly assigned. |
| 0 | 0 | 1 | 1 | 3 | Directly and indirectly assigned. |
| 0 | 1 | 0 | 0 | 4 | Assigned through dynamic roles. |
| 0 | 1 | 0 | 1 | 5 | Assigned directly and through dynamic roles. |
| 0 | 1 | 1 | 0 | 6 | Assigned indirectly and through dynamic roles. |
| 0 | 1 | 1 | 1 | 7 | Assigned directly, indirectly and through dynamic roles. |
| 1 | 0 | 0 | 0 | 8 | Assignment request. |
| 1 | 0 | 0 | 1 | 9 | Assignment request and direct assignment. |
| 1 | 0 | 1 | 0 | 10 | Assignment request and indirect assignment. |
| 1 | 0 | 1 | 1 | 11 | Assignment request, direct and indirect assignment. |
| 1 | 1 | 0 | 0 | 12 | Assignment request and through dynamic roles. |
| 1 | 1 | 0 | 1 | 13 | Assignment request, directly and through dynamic roles. |
| 1 | 1 | 1 | 0 | 14 | Assignment request, indirectly and through dynamic roles. |
| 1 | 1 | 1 | 1 | 15 | Assignment request, directly, indirectly and through dynamic roles. |
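The XOrigin bit field as an added example (not One Identity Manager code): it decodes a value from the table above, sets or clears one origin at a time so that the other bits survive, and walks one assignment row through a typical sequence of changes. The rule used for XIsInEffect is a simplification assumed for this example (an assignment counts as in effect when at least one origin bit is set and inheritance is not blocked for the member); the function names are chosen here and are not product API.

```python
"""Decode and update a 4-bit XOrigin value of an assignment row.

Added example, not One Identity Manager code. Bit positions follow the
table above; is_in_effect() is a simplified model assumed for this example.
"""
from enum import IntFlag


class Origin(IntFlag):
    """Bit positions of XOrigin; each assignment type owns exactly one bit."""
    DIRECT = 1         # bit 0: directly assigned
    INDIRECT = 2       # bit 1: inherited through the role hierarchy
    DYNAMIC_ROLE = 4   # bit 2: assigned through a dynamic role
    REQUEST = 8        # bit 3: assignment request


def describe(xorigin: int) -> list:
    """Names of the origins encoded in xorigin, lowest bit first.

    describe(11) -> ['direct', 'indirect', 'request']
    """
    if not 0 <= xorigin <= 15:
        raise ValueError(f"XOrigin {xorigin} is outside the 4-bit range")
    return [o.name.lower() for o in Origin if xorigin & o]


def record_origin(xorigin: int, origin: Origin) -> int:
    """An assignment of this type was (re)calculated: set only its bit.
    Setting an already set bit changes nothing."""
    return xorigin | origin


def withdraw_origin(xorigin: int, origin: Origin) -> int:
    """This assignment type no longer applies: clear only its bit and
    keep every other origin as it was."""
    return xorigin & ~origin


def is_in_effect(xorigin: int, inheritance_blocked: bool = False) -> bool:
    """Simplified XIsInEffect (assumption for this example): the row is in
    effect when at least one origin bit is set and inheritance is not
    blocked for the member (disabled, marked for deletion, security risk).
    The row itself is kept either way."""
    return xorigin != 0 and not inheritance_blocked


def membership_timeline() -> int:
    """Constructed sequence for one group-assignment row of an employee:
    inherited via a department, then requested, then the department left.
    The request bit survives the withdrawal of the inherited origin."""
    x = 0
    x = record_origin(x, Origin.INDIRECT)     # joins department      -> 2
    x = record_origin(x, Origin.REQUEST)      # request approved      -> 10
    x = withdraw_origin(x, Origin.INDIRECT)   # leaves department     -> 8
    return x


if __name__ == "__main__":
    for value in (1, 3, 11, 15):
        print(value, describe(value))
    print("timeline ends with XOrigin =", membership_timeline())
    print("in effect while blocked:", is_in_effect(3, inheritance_blocked=True))
```

Because every assignment type touches only its own bit, the same row can reach a value such as 11 from any order of events, and an audit of "who still has this group and why" is a matter of reading the set bits rather than replaying history.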
One Identity Manager supplies a configuration that supports immediate use of hierarchical roles for departments, cost centers, locations and application roles. However, it may be necessary to make additional role assignments depending on the company structure.
You should check the following settings and make adjustments as required:
- Employee, device, workdesk and company resource assignments are predefined for departments, cost centers, locations and application roles.
- Top-down inheritance is defined for departments, cost centers, locations and application roles.
- You can specify whether inheritance of company resources can be limited for single employees, devices or workdesks.
- You can prevent employees, devices or workdesks being added to roles which contain mutually excluding company resources by specifying "conflicting roles".
Employees, devices and workdesks can inherit company resources through indirect assignment. To do this, employees, devices and workdesks may be members of as many roles as required. Employees, devices and workdesks obtain the necessary company resources through defined rules.
To assign company resources to roles, apply the appropriate tasks to the roles.
The following table shows the possible assignments of company resources to employees, workdesks and devices using roles.

Note: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.

| Assignable company resource | Employees | Workdesks |
|---|---|---|
| Resources | possible | - |
| Account definitions | possible | |
| Groups of custom target systems | possible (assigns to all of an employee's custom target system user accounts for which group inheritance is authorized) | - |
| Active Directory groups | possible (assigns to all of an employee's Active Directory user accounts and Active Directory contacts for which group inheritance is authorized) | - |
| SharePoint groups | possible (assigns to all of an employee's SharePoint user accounts) | - |
| SharePoint roles | possible (assigns to all of an employee's SharePoint user accounts) | - |
| LDAP groups | possible (assigns to all of an employee's LDAP user accounts for which group inheritance is authorized) | - |
| Notes groups | possible (assigns to all of an employee's Notes user accounts) | - |
| SAP groups | possible (assigns to all of an employee's SAP user accounts in the same SAP client) | - |
| SAP profiles | possible (assigns to all of an employee's SAP user accounts in the same SAP client) | - |
| SAP roles | possible (assigns to all of an employee's SAP user accounts in the same SAP client) | - |
| Structural profiles | possible (assigns to all of an employee's SAP user accounts in the same SAP client) | - |
| BI analysis authorizations | possible (assigns to all of an employee's BI user accounts in the same system) | - |
| Azure Active Directory groups | possible (assigns to all of an employee's Azure Active Directory user accounts for which group inheritance is authorized) | - |
| Azure Active Directory administrator roles | possible (assigns to all of an employee's Azure Active Directory user accounts for which group inheritance is authorized) | - |
| Azure Active Directory subscriptions | possible (assigns to all of an employee's Azure Active Directory user accounts for which group inheritance is authorized) | - |
| Disabled Azure Active Directory service plans | possible (assigns to all of an employee's Azure Active Directory user accounts for which group inheritance is authorized) | - |
| Unix groups | possible (assigns to all of an employee's Unix user accounts) | - |
| System roles | possible | possible |
| Subscribable reports | possible | - |
| Applications | possible | possible |
© 2023 One Identity LLC. ALL RIGHTS RESERVED.