Identity Manager 8.0 - System Roles Administration Guide

Excluding System Roles

Table 7: Configuration Parameters for Editing Mutually Exclusive Roles

Configuration parameter | Active | Meaning
QER\Structures\ExcludeStructures | | Preprocessor-relevant configuration parameter for defining the effectiveness of role memberships. If this parameter is set, mutually exclusive roles can be defined (AERoleExcludesAERole, DepartmentExcludesDepartment, LocalityExcludesLocality, OrgExcludesOrg, ProfitCenterExcludesProf, ESetExcludesESet). Changes to the parameter require recompiling the database.

By assigning system roles to employees, workdesks or hierarchical roles, and through the associated inheritance of company resources, an employee may obtain a combination of company resources that should not be held by the same person at the same time. To prevent this, you can declare system roles as mutually exclusive. To do this, you specify which system role of a pair of system roles takes effect if both are assigned. No company resources are inherited through the system role that is not effective.

Prerequisite
  • The configuration parameter "QER\Structures\ExcludeStructures" is set.

It is possible to assign employees, workdesks and company resources directly, indirectly or by IT Shop request to an excluded system role. This can be done at any time. One Identity Manager subsequently determines whether the assignment takes effect and whether the company resources are inherited.

NOTE:

  • You cannot define a pair of mutually exclusive system roles. That means the definition "System role A excludes System role B" AND "System role B excludes System role A" is not permitted.
  • You must declare each system role to be excluded from a system role separately. Exclusion definitions cannot be inherited.

To exclude system roles

  1. Select the category Entitlements | System Roles.
  2. Select the system role in the result list.
  3. Select Edit conflicting system roles in the task view.
  4. Assign the system roles that are mutually exclusive to the selected system role in Add assignments.

    - OR -

    Remove the system roles that are no longer mutually exclusive in Remove assignments.

  5. Save the changes.
Appendix: Technical Details about Inheriting Applications

Assignments of company resources to system roles are mapped in the ESetHasEntitlement table. Assignments of system roles to roles are mapped in the <BaseTree>HasESet tables.

Employees can directly obtain system roles. Employees also inherit all the system roles belonging to all roles of which they are members (table PersonIn<Basetree>) as well as system roles of all roles that are referenced through foreign key relations (table Person, column UID_<BaseTree>). Direct and indirect assignments of system roles to employees are mapped in the table PersonHasESet.

A workdesk can obtain system roles directly. Workdesks also inherit all the system roles belonging to all roles of which they are members (table WorkDeskIn<Basetree>) as well as system roles of all roles that are referenced through foreign key relations (table Workdesk, column UID_<BaseTree>). Direct and indirect assignments of system roles to workdesks are mapped in the table WorkdeskhasESet.

System roles are resolved by inheritance. Their components become members of the union set of company resources. The prerequisite is that each company resource can actually be inherited.

Example

A system role contains an Active Directory group and an SAP role. An employee only owns an Active Directory user account (table ADSAccount, column UID_Person). If the system role is assigned to the employee (table PersonHasESet), the Active Directory group is inherited by the Active Directory user account (table ADSAccountInADSGroup). The SAP role is not inherited. If this employee obtains an SAP user account (table SAPUser, column UID_Person) at a later date, the SAP role is inherited by the SAP user account (table SAPUserInSAPGroup).
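The following is an added, constructed model of the two rules described on this page (the exclusion definition from "Excluding System Roles" and the inheritance resolution from this appendix); it is example code, not One Identity Manager's own schema or logic. It assumes that "A excludes B" means A takes effect and B does not when both are assigned, that a reverse definition is rejected, and that a company resource is only inherited when the employee already has an account in that target system; the dictionary names echo the page's table names, and the scenario data is invented.

```python
from collections import defaultdict


class SystemRoleModel:
    def __init__(self):
        self.eset_has_entitlement = defaultdict(set)  # ESetHasEntitlement: role -> {(system, entitlement)}
        self.person_has_eset = defaultdict(set)       # PersonHasESet, direct assignments only here
        self.person_in_dept = defaultdict(set)        # PersonInDepartment
        self.dept_has_eset = defaultdict(set)         # DepartmentHasESet
        self.eset_excludes_eset = defaultdict(set)    # ESetExcludesESet: A -> {B} means "A excludes B"
        self.accounts = defaultdict(set)              # target systems a person has a user account in

    def exclude(self, role_a, role_b):
        """Declare 'role_a excludes role_b'. The reverse definition is rejected (page NOTE)."""
        if role_a == role_b or role_a in self.eset_excludes_eset[role_b]:
            raise ValueError(f"mutual exclusion {role_a} <-> {role_b} is not permitted")
        self.eset_excludes_eset[role_a].add(role_b)

    def assigned_roles(self, person):
        """Direct assignments plus system roles inherited through department membership."""
        roles = set(self.person_has_eset[person])
        for dept in self.person_in_dept[person]:
            roles |= self.dept_has_eset[dept]
        return roles

    def effective_roles(self, person):
        """Assumption: when A excludes B and both are assigned, A takes effect and B does not."""
        roles = self.assigned_roles(person)
        not_effective = {b for a in roles for b in self.eset_excludes_eset[a] if b in roles}
        return roles - not_effective

    def inherited_entitlements(self, person):
        """Resolve effective roles to resources; only systems the person has an account in inherit."""
        return {(system, ent)
                for role in self.effective_roles(person)
                for system, ent in self.eset_has_entitlement[role]
                if system in self.accounts[person]}


def build_sample():
    """Constructed scenario: Alice submits payments directly and inherits approval via Treasury."""
    m = SystemRoleModel()
    m.eset_has_entitlement["Payments_Approver"] = {("ADS", "PayApprovers"), ("SAP", "Z_PAY_APPROVE")}
    m.eset_has_entitlement["Payments_Submitter"] = {("SAP", "Z_PAY_SUBMIT")}
    m.exclude("Payments_Approver", "Payments_Submitter")  # approver takes effect if both are assigned
    m.person_has_eset["alice"].add("Payments_Submitter")
    m.person_in_dept["alice"].add("Treasury")
    m.dept_has_eset["Treasury"].add("Payments_Approver")
    m.accounts["alice"].add("ADS")  # no SAP user account yet, so SAP roles are not inherited
    return m
```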

Figure 1: Example of direct assignment of system roles to employees

Figure 2: Example of indirect assignment of system roles to employees
