For role-based login, the application roles require a link to a permissions group in which write permissions for One Identity Manager are defined. The application role is given the access permissions of the associated permissions group. If no permissions group is assigned, the application role gets its write permissions from the parent application role.
Different role-based authentication modules are available for role-based login on One Identity Manager tools. First, the employee memberships in application roles are determined during login with role-based authentication. Assignments of permissions groups to application roles are used to determine which permissions groups apply to the employee. A dynamic system user is determined from these permissions groups and is used for the employee's login.
Some of the default application roles are already assigned permissions groups. The permissions groups have write permissions to tables and columns and are equipped with menu items, forms, methods and program functions for editing application data with the Manager and the Web Portal.
You can assign customized permissions groups to application roles so that the write permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.
NOTE: You can simplify grouping of permissions by using hierarchical linking of permissions groups. Permissions from hierarchical permissions groups are inherited from top to bottom. That means that a permissions group contains all the permissions belonging to its parent permissions groups.
Proceed as follows:
NOTE: Set the option Only use for role-based authentication.
The default permissions group must be assigned as a subgroup. This means that the new permissions group inherits the properties.
If a user logs in to the Manager or the Web Portal with this type of altered application role, they get the custom-defined edit permissions in addition to the default permissions for this application role.
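The resolution rules described above (fallback to the parent application role, inheritance between permissions groups, and the requirement that a custom group covers every default write permission) can be checked with a small model. This is an added example, not One Identity Manager code: the group names, role names, permission strings, the `inherits_from` link and the union rule for the dynamic system user are all assumptions made for illustration.

```python
# Constructed model: group, role and permission names are illustrative only.
# permissions group -> (own write permissions, groups it inherits from)
GROUPS = {
    "default_grp": ({"Person.write", "Department.write"}, []),
    "custom_ok": ({"Person.CustomProperty01.write"}, ["default_grp"]),
    "custom_bad": ({"Person.write", "Person.CustomProperty01.write"}, []),
}
# application role -> (parent role, linked permissions group or None)
ROLES = {
    "role_root": (None, "default_grp"),
    "role_child": ("role_root", None),  # no group: falls back to the parent role
    "role_custom": (None, "custom_ok"),
}

def group_permissions(group, _seen=None):
    """Own permissions plus everything inherited (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    own, inherits_from = GROUPS[group]
    perms = set(own)
    for parent in inherits_from:
        perms |= group_permissions(parent, seen)
    return perms

def role_group(role):
    """Group linked to the role, else the nearest parent role's group."""
    visited = set()
    while role is not None and role not in visited:
        visited.add(role)
        parent, group = ROLES[role]
        if group is not None:
            return group
        role = parent
    return None

def effective_permissions(memberships):
    """Assumption: the dynamic system user holds the union of all groups."""
    groups = {role_group(r) for r in memberships} - {None}
    return set().union(*(group_permissions(g) for g in groups))

def missing_defaults(custom, default):
    """Default write permissions a custom group fails to cover."""
    return group_permissions(default) - group_permissions(custom)

if __name__ == "__main__":
    print({g: sorted(missing_defaults(g, "default_grp")) for g in ("custom_ok", "custom_bad")})
```

A non-empty result from `missing_defaults` marks a custom group whose users would lose default functionality.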
For detailed information about creating permissions groups and editing entitlements, see the One Identity Manager Configuration Guide.