System roles make it easier to assign company resources that are frequently required together or that are always assigned together. For example, new employees in the finance department should by default be given certain system entitlements in Active Directory and in SAP R/3. Instead of making many separate assignments, group these company resources into a package and assign the package to the new employee. In One Identity Manager such a package is called a system role.
Using system roles, you can group together arbitrary company resources. System roles can be assigned to employees, workdesks or hierarchical roles, or requested through the IT Shop. Employees and workdesks inherit the company resources assigned to their system roles. System roles can also be nested: assigning one system role to another structures them hierarchically.
One Identity Manager components for managing system roles are available if the configuration parameter "QER/ESet" is set.
The following users are used for managing system roles.
Employees responsible for individual company resources
The users are defined using different application roles for administrators and managers.
Users with these application roles: One Identity Manager administrators
Product owners for the IT Shop
Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owner application role or a child application role.
Users with this application role: the default application role Request & Fulfillment | IT Shop | Product owners | System roles can be used.
Any number of company resources and other system roles can be assigned to a system role, so system roles can be structured hierarchically. The assignments are mapped in the ESetHasEntitlement table. The system role hierarchy is derived from the UID_ESet - Entitlement relation and stored in the ESetCollection table, which lists for each system role all the system roles it inherits from. Each system role also inherits from itself.
The following relations apply in the ESetCollection table:
The ESetHasEntitlement table contains the direct assignments (XOrigin = 1) and all system roles that are assigned to child system roles (XOrigin = 2). Company resources assigned to a child system role are not resolved until inheritance for employees, workdesks and hierarchical roles is calculated.
Objects assigned through inheritance are calculated by the DBQueue Processor. When an assignment relevant to inheritance is made, tasks are added to the DBQueue. The DBQueue Processor processes these tasks, which result either in follow-on tasks for the DBQueue or in processes for the HandleObjectComponent process component in the Job queue. The resulting assignments of permissions to user accounts in the target system are inserted, modified or deleted during process handling.
Figure 1: Overview of Inheritance Calculation