|Configuration parameter|Active Meaning|
|---|---|
|QER\Structures\ExcludeStructures|Preprocessor relevant configuration parameter for defining the effectiveness of role memberships. If this parameter is set, mutually exclusive roles can be defined (AERoleExcludesAERole, DepartmentExcludesDepartment, LocalityExcludesLocality, OrgExcludesOrg, ProfitCenterExcludesProf, ESetExcludesESet). Changes to the parameter require recompiling the database.|
By assigning system roles to employees, workdesks or hierarchical roles, and through the associated inheritance of company resources, an employee may obtain company resources that should not be assigned to the same person at the same time in this combination. To prevent this, you can declare mutually exclusive system roles. To do this, you specify which system role of a pair of mutually exclusive system roles takes effect if both are assigned. No company resources are inherited through the system role that is not effective.
It is possible to assign employees, workdesks and company resources directly, indirectly or by IT Shop request to an excluded system role. This can be done at any time. One Identity Manager subsequently determines whether the assignment takes effect and whether the company resources are inherited.
To exclude system roles
Assign the system roles that are mutually exclusive to the selected system role in Add assignments.
- OR -
Remove the system roles that are no longer mutually exclusive in Remove assignments.
Assignments of company resources to system roles are mapped in the ESetHasEntitlement table. Assignments of system roles to roles are mapped in the <BaseTree>HasESet tables.
Employees can directly obtain system roles. Employees also inherit all the system roles belonging to all roles of which they are members (table PersonIn<Basetree>) as well as system roles of all roles that are referenced through foreign key relations (table Person, column UID_<BaseTree>). Direct and indirect assignments of system roles to employees are mapped in the table PersonHasESet.
A workdesk can obtain system roles directly. Workdesks also inherit all the system roles belonging to all roles of which they are members (table WorkDeskIn<Basetree>) as well as system roles of all roles that are referenced through foreign key relations (table Workdesk, column UID_<BaseTree>). Direct and indirect assignments of system roles to workdesks are mapped in the table WorkdeskhasESet.
System roles are resolved by inheritance. Their components become members of the company resource union set. The prerequisite is that each company resource can actually be inherited.
A system role contains an Active Directory group and an SAP role. An employee owns only an Active Directory user account (table ADSAccount, column UID_Person). If the system role is assigned to the employee (table PersonHasESet), the Active Directory group is inherited by the Active Directory user account (table ADSAccountInADSGroup). The SAP role is not inherited. If this employee obtains an SAP user account (table SAPUser, column UID_Person) at a later date, the SAP role is inherited by the SAP user account (table SAPUserInSAPGroup).
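The exclusion rule above and the Active Directory/SAP inheritance example, modelled as an added Python illustration that is not One Identity Manager code: only the table names follow the page, while the dictionary layout, column names and all sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: only the table names come from the page; the
# column layout and every value below are assumptions for illustration.
# ESetExcludesESet: per mutually exclusive pair, the role that takes effect.
ESET_EXCLUDES_ESET = {frozenset({"ESET_Finance", "ESET_Audit"}): "ESET_Audit"}
# ESetHasEntitlement: company resources in each system role, tagged with
# the target system they belong to.
ESET_HAS_ENTITLEMENT = {
    "ESET_Finance": [("ADS", "ADSGroup_Finance"), ("SAP", "SAPRole_FI_DISPLAY")],
    "ESET_Audit": [("ADS", "ADSGroup_Audit"), ("SAP", "SAPRole_AUDIT")],
    "ESET_Base": [("ADS", "ADSGroup_AllStaff")],
}
# PersonHasESet: direct and indirect system-role assignments per employee.
PERSON_HAS_ESET = {
    "alice": {"ESET_Finance", "ESET_Audit", "ESET_Base"},
    "bob": {"ESET_Finance"},
}
# User accounts per target system (ADSAccount / SAPUser, column UID_Person).
ACCOUNTS = {
    "ADS": {"alice": "ADS_alice", "bob": "ADS_bob"},
    "SAP": {"bob": "SAP_bob"},  # alice has no SAP user account yet
}

def effective_system_roles(uid_person):
    """Drop the non-effective half of every excluded pair the employee holds."""
    roles = set(PERSON_HAS_ESET.get(uid_person, ()))
    for pair, effective in ESET_EXCLUDES_ESET.items():
        if pair <= roles:
            roles -= pair - {effective}
    return roles

def resolve_inheritance(uid_person):
    """Return (memberships, pending): memberships are the rows that would land in
    ADSAccountInADSGroup / SAPUserInSAPGroup; pending are entitlements held back
    because the employee has no account in that target system yet."""
    memberships, pending = defaultdict(set), set()
    for role in effective_system_roles(uid_person):
        for target_system, entitlement in ESET_HAS_ENTITLEMENT[role]:
            account = ACCOUNTS[target_system].get(uid_person)
            if account is None:
                pending.add((target_system, entitlement))
            else:
                memberships[account].add(entitlement)
    return dict(memberships), pending
```

Once alice obtains an SAP user account, rerunning resolve_inheritance moves SAPRole_AUDIT from pending to a SAPUserInSAPGroup row, matching the deferred inheritance described above.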
Figure 1: Example of direct assignment of system roles to employees
Figure 2: Example of indirect assignment of system roles to employees