Chat now with support
Chat with Support

Identity Manager 8.0 - System Roles Administration Guide

Managing System Roles

System roles make it easier to assign company resources that are frequently required or rather that are always assigned together. For example, new employees in the finance department should be provided, by default, with certain system entitlements for Active Directory and for SAP R/3. In order to avoid a lot of separate assignments, group these company resources into a package and assign this to the new employee. The packages are referred to as system role in the One Identity Manager.

Using system roles, you can group together arbitrary company resources. You can assign these system roles to employees, workdesks or roles or you can request them through the IT Shop. Employees and workdesks inherit company resources assigned to the system roles. You can structure system roles by assigning other system roles to them.

One Identity Manager components for managing system roles are available if the configuration parameter "QER/ESet" is set.

  • Check whether the configuration parameter is set in the Designer. Otherwise, set the configuration parameter and compile the database.

One Identity Manager Users for Managing System Roles

One Identity Manager Users for Managing System Roles

The following users are used for managing system roles.

Table 1: Users
User Task

Employee responsible for individual company resources

The users are defined using different application roles for administrators and managers.

Users with these application roles:

  • Create and edit system roles.
  • Assign system roles to departments, cost centers, locations, business roles or the IT Shop.
  • Assign system roles to employees.
  • Assign system roles to workdesks.
One Identity Manager administrators
  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer, as required.
  • Create system users and permissions groups for non-role based login to administration tools, as required.
  • Enable or disable additional configuration parameters in the Designer, as required.
  • Create custom processes in the Designer, as required.
  • Create and configures schedules, as required.
  • Create and configure password policies, as required.

Effectiveness of System Roles

By assigning system roles to employees, workdesks or hierarchical roles and through the associated inheritance of company resources, an employee may obtain company resources which should not be assigned to the same person at the same time in this combination. To prevent this, you can declare mutually exclusive system roles. To do this you specify which system role of a pair of system roles, should be take effect if both are assigned. No company resources are inherited by the system role which is not effective.

Prerequisite
  • The configuration parameter "QER\Structures\ExcludeStructures" is set.

It is possible, to assign employees, workdesks and company resources directly, indirectly or by IT Shop request to an excluded system role. This can be done at any time. One Identity Manager subsequently determines whether the assignment takes effect and the company resources are inherited.

NOTE:

  • You cannot define a pair of mutually exclusive system roles. That means, the definition "System role A excludes System role B" AND "System role B excludes System role A" is not permitted.
  • You must declare each system role to be excluded from a system role separately. Exclusion definitions cannot be inherited.

The effect of the assignments is mapped in the tables PersonHasESet, BaseTreeHasESet and WorkdeskHasESet through the column XIsInEffect.

Example for the Effectiveness of System Roles
  • The system role "Marketing" contains all the applications and permissions for triggering requests.
  • The system role "Finance" contains all the applications and permissions for instructing payments.
  • The system role "Controlling" contains all the applications and permissions for verifying invoices.

Clara Harris directly assigns the system role "Marketing". She obtains the system role "Finance" through her membership in a business role, the system "Controlling" through an IT Shop request. Clara Harris obtains all the system roles without an exclusion definition and therefore the associated permissions.

By using suitable controls, you want to prevent an employee from being able to trigger a request and to pay invoices. That means, the system roles "Finance" and "Marketing" are mutually exclusive. An employee that checks invoices may not be able to make invoice payments as well. That means, the system roles "Finance" and "Controlling" are mutually exclusive.

Table 2: Specifying Mutually Exclusive System Roles (Table ESetExcludesESet)
Effective business role Excluded System Role
Marketing
Finance Marketing
Controlling Finance
Table 3: Effective Assignments
Employee Member in System Role Effective business role
Ben King Marketing Marketing
Jan Bloggs Marketing, finance Finance
Clara Harris Marketing, finance, controlling Controlling
Jenny Basset Marketing, Controlling Marketing, Controlling

Only the system role "Controlling" is in effect for Clara Harris. If the system role "Controlling" is removed from Clara, the "Finance" system role assignment is reinstated.

Jenny Basset retains the system roles "Marketing" and "Controlling" because there is no exclusion defined between the two system roles. That means that the employee is authorized to trigger request and to check invoices. If you want to prevent that as well, define further exclusion for the system role "Controlling".

Table 4: Excluded System Roles and Effective Assignments
Employee Member in System Role Excluded System Role (UID_ESetExcluded) Effective business role

Jenny Basset

 

Marketing  

Controlling

 

Controlling Finance

Marketing

Related Topics

System Role Types

System Role Types

System role types identify the type of company resources that the system role is used to grouped together. You can, for example, define system role types for system roles in which you group different target system groups.

To edit a system role type

  1. Select the category Entitlements | Basic configuration data | System role types.
  2. Select the system role type in the result list. Select Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  3. Enter a name and description for the system role type.
  4. Save the changes.
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents