The following tables show how assignments to system roles and the system role hierarchy are mapped in the One Identity Manager database.
Table 8: System roles: assignments (ESetHasEntitlement)

| System role | Entitlement | XOrigin |
|---|---|---|
| System role A | System role A1 | 1 |
| System role A | System role A2 | 1 |
| System role A | System role A11 | 2 |
| System role A | System role A12 | 2 |
| System role A1 | System role A11 | 1 |
| System role A1 | System role A12 | 1 |
| System role A1 | System entitlement | 1 |
| System role A2 | Software | 1 |
| System role A11 | Active Directory group | 1 |
| System role A12 | SAP role | 1 |
| System role B | Resource | 1 |
Table 9: System role hierarchy (table ESetCollection)

| System role | Child system role |
|---|---|
| System role A | System role A |
| System role A | System role A1 |
| System role A | System role A2 |
| System role A | System role A11 |
| System role A | System role A12 |
| System role A1 | System role A1 |
| System role A1 | System role A11 |
| System role A1 | System role A12 |
| System role A11 | System role A11 |
| System role A12 | System role A12 |
| System role A2 | System role A2 |
| System role B | System role B |
Figure 2: Inheriting an Active Directory group through a directly assigned system role
Figure 3: Inheriting software through an IT Shop request
Figure 4: Inheriting a resource through an indirectly assigned system role
The following images show how excluding a system role affects how inheritance is calculated. Excluded system roles can still be assigned to employees. An option in the column XIsInEffect defines whether this assignment applies. Assigning an excluded system role leads to the entry XIsInEffect = 0 if the other system role from the exclusion definition is assigned at the same time.
Table 10: Excluded system roles (table ESetExcludesESet)

| System role | Excluded system role |
|---|---|
| System role A12 | System role A11 |
| System role B | System role B1 |
| System role B | System role A2 |
Table 11: System roles: inheritance (table ESetHasEntitlement)

| System role | Entitlement | XIsInEffect |
|---|---|---|
| System role A | System role A1 | 1 |
| System role A | System role A2 | 1 |
| System role A | System role A11 | 0 |
| System role A | System role A12 | 1 |
| System role A1 | System role A11 | 0 |
| System role A1 | System role A12 | 1 |
| System role A2 | Software | 1 |
| System role A11 | Active Directory group | 1 |
| System role A12 | SAP role | 1 |
| System role B | Resource R1 | 1 |
| System role B1 | Resource R2 | 1 |
Figure 5: Inheritance through directly assigned system roles
Figure 6: Inheritance through an IT Shop request
Table 12: Configuration parameters for calculating assignments to hierarchical roles

| Configuration parameter | Meaning |
|---|---|
| QER \| Structures \| Inherite \| NoESetSplitting | Specifies whether or not the components of a system role are already split in the hierarchical role. If this parameter is set, the system roles are not broken down into their individual components until the target of the inheritance. |
If this configuration parameter is set, system roles that are assigned to hierarchical roles are not split in the calculation of inheritance. This means that the assignments of company resources to hierarchical roles are not written to the corresponding assignment tables (<BaseTree>Has...). The system roles whose assignments are in effect (PersonHasESet.XIsInEffect = 1) are not split until the calculation of user inheritance.
This configuration parameter is activated by default.
Figure 7: Inheritance by indirectly assigned system roles when the configuration parameter is activated
Figure 8: Inheritance by different hierarchical roles when the configuration parameter is activated
If the configuration parameter is not activated, the system roles whose assignments are in effect (BaseTreeHasESet.XIsInEffect = 1) are split in the inheritance calculation for the hierarchical roles. If the mutually excluding system roles are assigned to different hierarchical roles, both assignments are effective, and so the resulting company resource assignments to the hierarchical roles are also effective. If an employee is a member of both hierarchical roles, this employee therefore inherits the company resources of the excluded system role.
Figure 9: Inheritance by different hierarchical roles when the configuration parameter is deactivated
If the mutually exclusive system roles are assigned to the same hierarchical role, the exclusion definition takes effect when calculating BaseTreeHasESet.
Figure 10: Inheritance through the same hierarchical role when the configuration parameter is deactivated
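As an added example that is not part of the One Identity Manager documentation, the following Python model replays the rules described above (exclusion through ESetExcludesESet, and splitting of system roles with and without the NoESetSplitting parameter) on the sample data from Tables 10 and 11. Role names are shortened (A, A1, ...), the hierarchical roles H1 and H2 used in the test are constructed, and the functions are a simplified stand-in for the product's own inheritance calculation, not its actual implementation.

```python
from itertools import chain

# ESetHasEntitlement, direct assignments only (XOrigin = 1), taken from Table 11.
# An entitlement is either another system role or a company resource.
ESET_HAS_ENTITLEMENT = {
    "A": ["A1", "A2"], "A1": ["A11", "A12"], "A2": ["Software"],
    "A11": ["Active Directory group"], "A12": ["SAP role"],
    "B": ["Resource R1"], "B1": ["Resource R2"],
}
SYSTEM_ROLES = set(ESET_HAS_ENTITLEMENT)
# ESetExcludesESet: (system role, excluded system role), from Table 10.
ESET_EXCLUDES_ESET = {("A12", "A11"), ("B", "B1"), ("B", "A2")}


def eset_collection(role):
    """All system roles below `role`, including itself (table ESetCollection)."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(e for e in ESET_HAS_ENTITLEMENT.get(r, [])
                        if e in SYSTEM_ROLES)
    return seen


def split(assigned):
    """Break a set of assigned system roles down into company resources.
    A role loses effect (XIsInEffect = 0) when the role that excludes it is
    assigned at the same time, so its resources are not inherited."""
    resolved = set(chain.from_iterable(eset_collection(r) for r in assigned))
    in_effect = {r for r in resolved
                 if not any((s, r) in ESET_EXCLUDES_ESET for s in resolved)}
    return {e for r in in_effect for e in ESET_HAS_ENTITLEMENT[r]
            if e not in SYSTEM_ROLES}


def person_resources(roles_per_hierarchical_role, no_eset_splitting):
    """roles_per_hierarchical_role maps each hierarchical role the employee is a
    member of to the system roles assigned to it (BaseTreeHasESet, all in effect)."""
    if no_eset_splitting:
        # Parameter set: the roles reach the employee unsplit and are resolved
        # once, so an exclusion between roles from different hierarchical roles holds.
        return split(set().union(*roles_per_hierarchical_role.values()))
    # Parameter not set: every hierarchical role is split on its own
    # (BaseTreeHas...) and the employee inherits the union of the results.
    return set().union(*(split(r) for r in roles_per_hierarchical_role.values()))
```

With B and A2 assigned to two different hierarchical roles, the employee inherits Resource R1 and Software when the parameter is deactivated (Figure 9), but only Resource R1 when it is activated (Figure 8) or when both roles sit in the same hierarchical role (Figure 10).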