Managing system roles
System roles make it easier to assign company resources that are frequently required or that are always assigned together. For example, new employees in the finance department should be provided, by default, with certain system entitlements for Active Directory and for SAP R/3. To avoid a lot of separate assignments, group these company resources into a package and assign this package to the new employee. In One Identity Manager, such packages are referred to as system roles.
Using system roles, you can group together arbitrary company resources. You can assign these system roles to employees, workdesks, or roles or you can request them through the IT Shop. Employees and workdesks inherit company resources assigned to the system roles. You can structure system roles by assigning other system roles to them.
One Identity Manager components for managing system roles are available if the "QER | ESet" configuration parameter is set.
- In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.
One Identity Manager users for managing system roles
The following users are used for setting up and administering system roles.
Table 1: Users
Employee responsible for individual company resources
The users are defined using different application roles for administrators and managers.
Users with these application roles:
- Create and edit system roles.
- Assign system roles to departments, cost centers, locations, business roles, or the IT Shop.
- Assign system roles to employees.
- Assign system roles to workdesks.
One Identity Manager administrators
- Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
- Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
- Enable or disable additional configuration parameters in the Designer as required.
- Create custom processes in the Designer as required.
- Create and configure schedules as required.
- Create and configure password policies as required.
Product owner for the IT Shop
Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.
Users with this application role:
- Approve through requests.
- Edit service items and service categories under their management.
The Request & Fulfillment | IT Shop | Product owners | System roles default application role can be used.
Basics of calculating inheritance
Any number of company resources and other system roles can be assigned to a system role. This means you can structure system roles hierarchically. The assignments are mapped in the ESetHasEntitlement table. The system role hierarchy is mapped through the UID_ESet - Entitlement relation and is stored in the ESetCollection table, which lists all the system roles that a given system role inherits from. Each system role also inherits from itself.
The following relations apply in the ESetCollection table:
- UID_ESet is the system role that inherits.
- It inherits from the UID_ESetChild system role.
The ESetHasEntitlement table contains the direct assignment (XOrigin = 1) and all system roles that are assigned to the child system roles (XOrigin = 2). The company resources that are assigned to a child system role are not resolved until inheritance for employees, workdesks, and hierarchical roles is calculated.
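The following Python model, added here as an illustration and not One Identity Manager code, shows how the two relations described above fit together: ESetCollection as the transitive (and reflexive) closure of the system role hierarchy, ESetHasEntitlement with XOrigin = 1 for direct assignments and XOrigin = 2 for system roles reached through a child system role, and the resolution of company resources only at the point where an employee's assignments are evaluated. The table and column names and the XOrigin values come from the text; the system roles, resources and employee assignments are constructed sample data. A cycle in the hierarchy is rejected, because inheritance would otherwise be undefined.

```python
"""Model of system role (ESet) inheritance as described for One Identity Manager.

Added example, not One Identity Manager code. Table names ESetCollection,
ESetHasEntitlement and columns UID_ESet / UID_ESetChild / XOrigin are taken
from the documentation; all sample data below is constructed.
"""
from collections import defaultdict

XORIGIN_DIRECT = 1      # row stems from a direct assignment
XORIGIN_INHERITED = 2   # row stems from a system role assigned to a child system role


def build_eset_collection(roles, eset_assignments):
    """Return ESetCollection as {UID_ESet: frozenset(UID_ESetChild)}.

    eset_assignments: (parent, child) pairs, i.e. child is assigned to parent,
    so parent inherits from child. Every role also inherits from itself.
    Raises ValueError if the hierarchy contains a cycle.
    """
    children = defaultdict(set)
    all_roles = set(roles)
    for parent, child in eset_assignments:
        children[parent].add(child)
        all_roles.update((parent, child))

    collection = {}
    for role in all_roles:
        inherits_from = {role}          # reflexive: each role inherits from itself
        stack = [role]
        while stack:
            for child in children[stack.pop()]:
                if child == role:
                    raise ValueError(f"cycle in system role hierarchy at {role}")
                if child not in inherits_from:
                    inherits_from.add(child)
                    stack.append(child)
        collection[role] = frozenset(inherits_from)
    return collection


def eset_has_entitlement_rows(roles, eset_assignments, resource_assignments):
    """Return ESetHasEntitlement as {(UID_ESet, entitlement): XOrigin}.

    Direct assignments (system roles and company resources) get bit 1.
    System roles reachable through a child system role get bit 2; a role that
    is both directly assigned and reachable indirectly ends up with 3.
    Company resources of child roles are deliberately NOT copied here: they
    are resolved only when employee inheritance is calculated.
    """
    rows = defaultdict(int)
    for role, child in eset_assignments:
        rows[(role, child)] |= XORIGIN_DIRECT
    for role, resource in resource_assignments:
        rows[(role, resource)] |= XORIGIN_DIRECT

    collection = build_eset_collection(roles, eset_assignments)
    direct_children = defaultdict(set)
    for parent, child in eset_assignments:
        direct_children[parent].add(child)
    for role in collection:
        for child in direct_children[role]:
            for source in collection[child] - {child}:
                rows[(role, source)] |= XORIGIN_INHERITED
    return dict(rows)


def resolve_employee_resources(assigned_esets, roles, eset_assignments, resource_assignments):
    """Company resources an employee receives from its assigned system roles.

    Walks ESetCollection for each assigned system role and collects the
    resources directly assigned to every system role reached.
    """
    collection = build_eset_collection(roles, eset_assignments)
    resources_of = defaultdict(set)
    for role, resource in resource_assignments:
        resources_of[role].add(resource)
    effective = set()
    for eset in assigned_esets:
        for source in collection[eset]:
            effective |= resources_of[source]
    return effective


# Constructed sample hierarchy: Finance -> FinanceBase -> Office
SAMPLE_ROLES = ["ESet_Finance", "ESet_FinanceBase", "ESet_Office"]
SAMPLE_ESET_ASSIGNMENTS = [("ESet_Finance", "ESet_FinanceBase"),
                           ("ESet_FinanceBase", "ESet_Office")]
SAMPLE_RESOURCE_ASSIGNMENTS = [("ESet_Finance", "SAP:FI_CLERK"),
                               ("ESet_FinanceBase", "AD:Finance-Users"),
                               ("ESet_Office", "AD:Office-Users")]

if __name__ == "__main__":
    for row, origin in sorted(eset_has_entitlement_rows(
            SAMPLE_ROLES, SAMPLE_ESET_ASSIGNMENTS, SAMPLE_RESOURCE_ASSIGNMENTS).items()):
        print(f"{row[0]:18} {row[1]:18} XOrigin={origin}")
    print("employee with ESet_Finance gets:", sorted(resolve_employee_resources(
        ["ESet_Finance"], SAMPLE_ROLES, SAMPLE_ESET_ASSIGNMENTS, SAMPLE_RESOURCE_ASSIGNMENTS)))
```

Running the script lists one XOrigin = 2 row, (ESet_Finance, ESet_Office), next to the direct rows, and shows that an employee holding only ESet_Finance ends up with all three company resources even though ESetHasEntitlement never contains AD:Office-Users for ESet_Finance. That distinction is what to keep in mind when auditing effective access from the tables directly.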
Technical details for calculating inheritance
Objects assigned through inheritance are calculated by the DBQueue Processor. Tasks are added to the DBQueue when assignments relevant to inheritance are made. These tasks are processed by the DBQueue Processor and result in follow-on tasks for the DBQueue or in processes for the HandleObjectComponent process component in the Job queue. The resulting assignments of permissions to user accounts in the target system are inserted, modified, or deleted during process handling.
Figure 1: Overview of inheritance calculation