Editing permissions groups
One Identity Manager provides permissions groups with a predefined user interface and special permissions for the tables and columns of the One Identity Manager schema. In certain isolated cases, it may be necessary to define custom permissions groups. You need custom permissions groups, for example, if:
- The default permissions groups grant too many permissions
- Selected default permissions groups are to be grouped to form a new permissions group
- Additional role-based permissions groups are required for the custom application roles
- Permissions are required for custom adjustments such as schema extensions, forms, or menu structures
When the One Identity Manager database is installed using the , custom permissions groups that you can use are already created.
- For non role-based login, the CCCViewPermissions and CCCEditPermissions permission groups are created. Administrative system users are automatically added to these permissions groups.
- For role-based login, the CCCViewRole and CCCEditRole permission groups are created.
In the Designer, permissions groups are managed in the Permissions > Permissions groups category. Here you will find an overview of edit permissions and user interface components that are assigned to individual permissions groups. In addition, the system users to which the permissions groups are assigned are displayed.
Use the Designer to create and edit permissions groups with the User & Permissions Group Editor. The User & Permissions Group Editor displays the permissions groups in their hierarchy. Each permissions group is represented by a permissions group element. Each permissions group element has a tooltip that shows the name and description of the permissions group.
You can run the following tasks:
- Edit permissions group main data
- Define new dependencies between permissions groups
- Copy permissions groups
- Create new permissions groups
Dependencies between permissions groups
By structuring permissions groups hierarchically, permissions and user interface components can be passed down from one permissions group to another permissions group. This means that inheritance is top down within the hierarchy.
The following applies to permissions group dependencies:
- A role-based permissions group can inherit from role-based permissions groups and non role-based permissions groups.
- A non role-based permissions group can inherit from non role-based permissions groups. A non role-based permissions group must not inherit from role-based permissions groups.
Example:
Two permission groups are defined with the following permissions and user interface components.
A | Viewable | Menu structures and forms
B | Editable | Task definitions
Permissions group B is assigned below permissions group A in the hierarchy and inherits from permissions group A. Consequently, a user of permissions group B has access to the viewing permissions and editing permissions as well as the menu structure, forms, and task definitions.
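The following sketch models the inheritance rules and the A/B example above. It is an added illustration, not One Identity Manager code or its API: the `Group` class, the `validate`, `effective` and `index` helpers and all sample data are hypothetical, and groups A and B are assumed to be non role-based. It goes slightly beyond the text by also rejecting cyclic hierarchies.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    role_based: bool
    permissions: set = field(default_factory=set)
    ui: set = field(default_factory=set)
    inherits_from: list = field(default_factory=list)  # direct parents

def validate(groups):
    """Report dependencies where a non role-based group inherits from a role-based one."""
    return [f"{g.name} must not inherit from role-based group {p}"
            for g in groups.values() for p in g.inherits_from
            if not g.role_based and groups[p].role_based]

def effective(groups, name, path=()):
    """Own plus inherited permissions and UI components; raises on a cyclic hierarchy."""
    if name in path:
        raise ValueError("cyclic inheritance: " + " -> ".join(path + (name,)))
    g = groups[name]
    perms, ui = set(g.permissions), set(g.ui)
    for parent in g.inherits_from:
        p, u = effective(groups, parent, path + (name,))
        perms |= p
        ui |= u
    return perms, ui

def index(*groups):
    """Build the name -> Group lookup used by the functions above."""
    return {g.name: g for g in groups}

# Constructed data: groups A and B from the example above (assumed non role-based).
EXAMPLE = index(
    Group("A", False, {"view"}, {"menu structures", "forms"}),
    Group("B", False, {"edit"}, {"task definitions"}, ["A"]),
)
# Constructed misconfiguration: a non role-based group placed under a role-based one.
BAD = index(
    Group("CCCEditRole", True, {"edit"}),
    Group("CCCEditPermissions", False, {"edit"}, inherits_from=["CCCEditRole"]),
)

if __name__ == "__main__":
    print(effective(EXAMPLE, "B"))
    print(validate(EXAMPLE), validate(BAD))
```

Computing the effective set for every custom group before saving a new dependency shows what a system user in that group will actually receive, which is the check to run when the concern is that a group grants too many permissions.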
Permissions group dependencies
You edit dependencies between permissions groups in the hierarchical view of the User & Permissions Group Editor. Permissions groups that are higher up in the hierarchy are displayed further to the right in the User & Permissions Group Editor's hierarchical view. When a permissions group is selected in the hierarchical view, dependencies to other permissions groups are marked in color, showing the direction of inheritance.
Figure 1: Visual of the permissions group hierarchy (inheritance from right to left)
Table 21: Meaning of colors in the hierarchical representation
Blue | The selected permissions group.
Purple | This permissions group is a child of the selected permissions group and directly inherits from the selected permissions group.
Light purple | This permissions group inherits indirectly from the selected permissions group over the hierarchy.
Red | This permissions group is a child of the selected permissions group and directly inherits from the selected permissions group.
Light red | This permissions group passes inheritance indirectly to the selected permissions group over the hierarchy.
Green | This permissions group does not inherit or pass inheritance to the selected permissions group.
To specify dependencies of a permissions group
- In the Designer, select the Permissions > Permissions groups category.
- Select the permissions group and start the User & Permissions Group Editor using the Edit permissions group task.
- In the hierarchical view of the permissions groups, select the permissions group and run one of the following actions.
  - Select the Inherit permissions from context menu item and select the permissions groups from which the selected permissions group is to inherit.
  - Select the Permissions inherited by context menu item and select the permissions groups to be included in the selected permissions group. Child permissions groups inherit permissions from the selected permissions group.
- Select the Database > Save to database menu item and click Save.
Copying permissions groups
The User & Permissions Group Editor provides a wizard for copying permissions and the user interface of an existing permissions group to a new permissions group.
To copy a permissions group
- In the Designer, select the Permissions > Permissions groups category.
- Select the permissions group you want to copy and start the User & Permissions Group Editor with the Edit permissions group task.
- Select the Permissions groups > Copy permissions group menu item.
- On the start page of the wizard for copying permissions groups, click Next.
- On the Select permissions group page, enter the following information:
  - Select permissions group to copy: The permissions group is pre-selected.
  - Copy name: Name of the new permissions group. A name suggestion is already entered that you can modify. Ensure that the permissions group name begins with the prefix CCC.
- On the Select copy options page, specify which permissions group relations are to be copied. You can select multiple options. The following copy options are available.
  Table 22: Copy options for permissions groups
  Permissions | Enable this option to copy the table permissions and column permissions of the selected permissions group to the new permissions group.
  User interface | Enable this option to copy the menu items, the forms and the task definitions of the selected permissions group to the new permissions group.
  System user | Select this option if the system user should be copied to the new permissions group. NOTE: Predefined system users are not included in the new permissions group.
- To start compiling, click Next.
  The copying process may take some time.
- The Copy permissions group page shows the individual copy steps and any error messages. If the copy action is complete, click Next.
- To end the wizard, click Finish on the last page.