Chat now with support
Chat with Support

Identity Manager 8.1.5 - Business Roles Administration Guide

Managing business roles
One Identity Manager users for business roles Hierarchical role structure basic principles Basic principles for assigning company resources Basics of calculating inheritance Preparing business roles for company resource assignments Basic data for structuring business roles Editing business roles Assigning employees, devices, and workdesks to business roles Assigning business roles to company resources Analyzing role memberships and employee assignments Setting up IT operating data Additional tasks for managing business roles Reports about business roles
Role mining in One Identity Manager

Possible company resource assignments

Employees, devices, and workdesks can inherit company resources though indirect assignment. To do this, employees, devices, and workdesks may be members of as many roles as required. Employees, devices, and workdesks obtain the necessary company resources through defined rules.

To assign company resources to roles, apply the appropriate tasks to the roles.

The following table shows the possible assignments of company resources to employees, workdesks, and devices using roles.

NOTE: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed.
Table 5: Possible assignments of company resources through roles
Assignable Company Resource Members in Roles
Employees Workdesks

Resources

Possible

-

Account definitions Possible  

Groups of custom target systems

Possible (assigns to all an employee's custom defined target systems user accounts, for which group inheritance is authorized)

-

Active Directory groups

Possible (assigns to all an employee's Active Directory user accounts and Active Directory contacts, for which group inheritance is authorized)

-

SharePoint groups

Possible (assigns to all an employee's SharePoint user accounts)

-

SharePoint roles

Possible (assigns to all an employee's SharePoint user accounts)

-

LDAP groups

Possible (assigns to all an employee's LDAP user accounts for which group inheritance is authorized)

-

Notes groups

Possible (assigns to all an employee's Notes user accounts)

-

SAP groups

Possible (assigns to all an employee's SAP user accounts in the same SAP client.

-

SAP profiles

Possible (assigns to all an employee's SAP user accounts in the same SAP client.

-

SAP roles

Possible (assigns to all an employee's SAP user accounts in the same SAP client.

-

SAP parameters

Possible (assigns to all an employee's SAP user accounts in the same SAP system)

-

Structural profiles

Possible (assigns to all an employee's SAP user accounts in the same SAP client.

-

BI analysis authorizations

Possible (assigns to all an employee's BI user accounts in the same system)

-

Azure Active Directory groups

Possible (assigns to all an employee's Azure Active Directory user accounts for which group inheritance is authorized)

-

Azure Active Directory administrator roles

Possible (assigns to all an employee's Azure Active Directory user accounts for which group inheritance is authorized)

-

Azure Active Directory subscriptions

Possible (assigns to all an employee's Azure Active Directory user accounts for which group inheritance is authorized)

-

Disabled Azure Active Directory service plans

Possible (assigns to all an employee's Azure Active Directory user accounts for which group inheritance is authorized)

-

Unix groups

Possible (assigns to all an employee's Unix user accounts)

-

PAM user groups

Possible (assigns to all an employee's PAM user accounts for which group inheritance is authorized)

-

System roles

Possible

Possible

Subscribable reports

Possible

-

Software

Possible

Possible

Related topics

Permitting assignments of employees, devices, workdesks, and company resources

The default method for assigning company resources is through secondary assignment. For this, employees, devices, and workdesks as well as company resources are added to roles through secondary assignment.

Secondary assignment of objects to role in a role class is defined by the following options:

  • Assignments allowed

    This option specifies whether assignments of respective object types to roles of this role class are allowed in general.

  • Direct assignments allowed

    Use this option to specify whether respective object types can be assigned directly to roles of this role class. Set this option if, for example, resources are assigned to departments, cost centers, or locations over the assignment form in the Manager.

    NOTE: If this option is not set, the assignment of each object type is only possible through requests in IT Shop, dynamic roles, or system roles.
Example

To assign employees in the Manager directly to a business role, set the Assignment allowed and the Direct assignment allowed option on "business role" for "employees".

If employees can only obtain membership in a business role through the IT Shop, set the Assignment allowed option but not the Direct assignment allowed option on the "business role" role class for the entry "employees". A corresponding assignment resource must be available in the IT Shop.

To configure secondary assignment to roles of a role class

  1. Select the role class under Basic configuration data | Role classes.
  2. Select the Configure role assignments task.
  3. Use the Allow assignments column to specify whether assignment is generally allowed.
    NOTE: You can only reset the Assignment allowed option if there are no assignments of the respective objects to roles of this role class and none can arise through existing dynamic roles.
  4. Use the Allow direct assignments column to specify whether a direct assignment is allowed.
    NOTE: You can only reset the Direct assignment allowed option if there are no direct assignments of the respective objects to roles of this role class.
  5. Save the changes.

Specifying the direction of inheritance

The direction of inheritance decides the distribution of company resources within a role hierarchy. The direction of inheritance is defined by the role classes.

The direction of inheritance can only be specified when a role class is added.

  • Set Inherited top down to specify top-down inheritance.
  • Set Inherited bottom up to specify bottom-up inheritance.
Detailed information about this topic

Using business roles to limit inheritance

There are particular cases where you may not want to have inheritance over several hierarchical levels. That is why it is possible to discontinue inheritance within a hierarchy. The effects of this depend on the chosen direction of inheritance.

  • Roles marked with the Block inheritance option do not inherit any assignments from parent levels in top-down inheritance. It can, however, pass on its own directly assigned company resources to lower level structures.

  • In bottom-up inheritance, the role labeled with the Block inheritance option inherits all assignments from lower levels in the hierarchy. However, it does not pass any assignments further up the hierarchy.

To discontinue inheritance

  1. Open the role's master data form.

  2. Set the Block inheritance option.

  3. Save the changes.

Company resource inheritance for single roles can be temporarily prevented. You can use this behavior, for example, to assign all required company resources to a role. Inheritance of company resources does not take place, however, unless inheritance is permitted for the role, for example, by running a defined approval process.

To prevent a role from inheriting

  1. Open the role's master data form.

  2. Set one or more of the following options:

    • To prevent employees from inheriting, set the Employees do not inherit option.

    • To prevent devices from inheriting, set the Devices do not inherit option.

    • To prevent workdesks from inheriting, set the Workdesks do not inherit option.

  3. Save the changes.

Inheritance of company resources can be done in the same way for single employees, devices, or workdesks. You can use this behavior to correct data after importing employees before and then apply inheritance.

To prevent an employee from inheriting

  1. Open the employee's master data form.

  2. Set the No inheritance option.

    The employee does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.
  3. Save the changes.

To prevent an device from inheriting

  1. Open the device's master data form.

  2. Set the No inheritance option.

    The device does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.
  3. Save the changes.

To prevent a workdesk from inheriting

  1. Open the workdesk's master data form.

  2. Set the No inheritance option.

    The workdesk does not inherit company resources through roles.

    NOTE: This option does not have any effect on direct assignments. Company resource direct assignments remain assigned.
  3. Save the changes.
Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating