Managing system roles
System roles make it easier to assign company resources that are frequently required or that are always assigned together. For example, new employees in the finance department should be provided, by default, with certain system entitlements for Active Directory and for SAP R/3. In order to avoid many separate assignments, group these company resources into a package and assign the package to the new employee. In One Identity Manager, such packages are referred to as system roles.
Using system roles, you can group together arbitrary company resources. You can assign these system roles to employees, workdesks, or roles or you can request them through the IT Shop. Employees and workdesks inherit company resources assigned to the system roles. You can structure system roles by assigning other system roles to them.
NOTE: The System Roles Module must be installed as a prerequisite for managing system roles in One Identity Manager. For more information about installing, see the One Identity Manager Installation Guide.
One Identity Manager components for managing system roles are available if the QER | ESet configuration parameter is set.
One Identity Manager users for managing system roles
The following users are used for setting up and administration of system roles.
Table 1: Users

Employees responsible for individual company resources
    The users are defined using different application roles for administrators and managers.
    Users with these application roles:
    - Create and edit system roles.
    - Assign system roles to departments, cost centers, locations, business roles, or the IT Shop.
    - Assign system roles to employees.
    - Assign system roles to workdesks.

Product owners for the IT Shop
    Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.
    Users with this application role:
    The Request & Fulfillment | IT Shop | Product owners | System roles default application role can be used.

One Identity Manager administrators
    One Identity Manager administrator and administrative system users. Administrative system users are not added to application roles.
    One Identity Manager administrators:
    - Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
    - Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
    - Enable or disable additional configuration parameters in the Designer as required.
    - Create custom processes in the Designer as required.
    - Create and configure schedules as required.
Basics of calculating the inheritance of system roles
Any number of company resources and other system roles can be assigned to system roles. By assigning system roles to other system roles, you can structure system roles hierarchically. System roles can be assigned to employees and workdesks in the following ways:
An employee (workdesk, hierarchical role) inherits all company resources that are assigned to the assigned system role. Child system roles are resolved in this case. The prerequisite is that each company resource can actually be inherited.
NOTE: The employee must own a user account in this target system in order to inherit a target system entitlement.
Figure 1: Inheriting company resources through system roles
Objects assigned through inheritance are calculated by the DBQueue Processor. Tasks are added to the DBQueue when assignments relevant to inheritance are made. These tasks are processed by the DBQueue Processor and result either in follow-on tasks for the DBQueue or in processes for the HandleObjectComponent process component in the Job queue. The resulting assignments of permissions to user accounts in the target system are inserted, modified, or deleted during process handling.
Details of system role inheritance
The company resource assignments to system roles are mapped in the ESetHasEntitlement table.
The system role hierarchy is mapped through the UID_ESet - Entitlement relation and stored in the ESetCollection table. This table lists, for each system role, all the system roles it inherits from. Each role also inherits from itself.
The following relations apply in the ESetCollection table:
The ESetHasEntitlement table contains the direct assignment (XOrigin = 1) and all system roles that are assigned to the child system roles (XOrigin = 2). The company resources that are assigned to a child system role are not resolved until inheritance for employees, workdesks, and hierarchical roles is calculated.
Assignments of system roles to hierarchical roles are mapped in the BaseTreeHasESet table.
Employees can obtain system roles directly. Employees also inherit all system roles (including inherited ones) belonging to all hierarchical roles of which they are members (PersonInBasetree table), as well as the system roles of all hierarchical roles that are referenced through foreign key relations (Person table, UID_BaseTree column). Direct and indirect assignments of system roles to employees are mapped in the PersonHasESet table. This behavior applies in the same way to assignments of system roles to workdesks.
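The resolution described above, as an added example that is not One Identity Manager code: a small Python model of the tables named on this page (ESetHasEntitlement, ESetCollection, BaseTreeHasESet, PersonInBasetree, PersonHasESet) that builds the system role hierarchy closure, marks direct (XOrigin = 1) and child-role (XOrigin = 2) rows, resolves which system roles an employee holds, and then expands those into company resources while withholding target system entitlements for which the employee owns no user account. The dict layout, the TARGET_SYSTEMS set, the user-account check, treating XOrigin values as a combinable bitmask, and all sample data are assumptions of this model; BaseTreeHasESet is taken as already resolved, so inheritance between hierarchical roles themselves is not modelled.

```python
# Added example: a small Python model of how system role inheritance resolves, using
# the table names from the page (ESetHasEntitlement, ESetCollection, BaseTreeHasESet,
# PersonInBasetree, PersonHasESet). This is not One Identity Manager code: the dict
# layout, the TARGET_SYSTEMS set, the user-account check and combining XOrigin values
# as a bitmask are assumptions of this model, and the sample data is constructed.
from typing import Dict, Set, Tuple

XORIGIN_DIRECT = 1     # direct assignment (XOrigin = 1 on the page)
XORIGIN_INHERITED = 2  # obtained via a child system role or hierarchical role (XOrigin = 2)

Entitlement = Tuple[str, str]          # (kind, key); kind "ESet" means a child system role
TARGET_SYSTEMS = {"ADS", "SAP"}        # kinds that require a user account (assumption)

# --- constructed sample data ---------------------------------------------------------
# Direct assignments to system roles (the rows ESetHasEntitlement holds with XOrigin = 1).
ESET_DIRECT: Dict[str, Set[Entitlement]] = {
    "Finance-Newhire": {("ESet", "Finance-Base"), ("Mail", "finance-dl")},
    "Finance-Base":    {("ESet", "Org-Base"), ("ADS", "FIN-Users"), ("SAP", "FI_DISPLAY")},
    "Org-Base":        {("ADS", "All-Employees")},
}
BASETREE_HAS_ESET = {"Dept:Finance": {"Finance-Newhire"}}   # hierarchical role -> system roles
PERSON_IN_BASETREE = {"alice": {"Dept:Finance"}}            # memberships (PersonInBasetree)
PERSON_UID_BASETREE: Dict[str, Set[str]] = {}               # Person.UID_BaseTree references
PERSON_DIRECT_ESET = {"bob": {"Finance-Base"}}              # direct PersonHasESet rows
USER_ACCOUNTS = {"alice": {"ADS"}, "bob": {"ADS", "SAP"}}   # target systems with an account


def build_eset_collection(direct):
    """ESetCollection: for every system role, all system roles it inherits from,
    following child system roles transitively. Each role also inherits from itself."""
    collection = {}
    for role in direct:
        seen, stack = set(), [role]
        while stack:
            uid = stack.pop()
            if uid in seen:
                continue               # cycle guard: each role is expanded once
            seen.add(uid)
            stack.extend(key for kind, key in direct.get(uid, ()) if kind == "ESet")
        collection[role] = seen
    return collection


def build_eset_has_entitlement(direct, collection):
    """ESetHasEntitlement: direct assignments (XOrigin 1) plus the system roles that
    are assigned to child system roles (XOrigin 2). Company resources of child roles
    are deliberately not resolved here; that happens per employee below."""
    table = {}
    for role, ents in direct.items():
        for ent in ents:
            table[(role, ent)] = table.get((role, ent), 0) | XORIGIN_DIRECT
        for child in collection[role] - {role}:
            for ent in direct.get(child, ()):
                if ent[0] == "ESet":
                    table[(role, ent)] = table.get((role, ent), 0) | XORIGIN_INHERITED
    return table


def person_has_eset(person):
    """PersonHasESet for one employee: direct system roles (XOrigin 1) plus the system
    roles of every hierarchical role the employee belongs to via PersonInBasetree or
    references via Person.UID_BaseTree (XOrigin 2)."""
    result = {}
    for role in PERSON_DIRECT_ESET.get(person, ()):
        result[role] = result.get(role, 0) | XORIGIN_DIRECT
    trees = PERSON_IN_BASETREE.get(person, set()) | PERSON_UID_BASETREE.get(person, set())
    for tree in trees:
        for role in BASETREE_HAS_ESET.get(tree, ()):
            result[role] = result.get(role, 0) | XORIGIN_INHERITED
    return result


def effective_company_resources(person):
    """Company resources the employee actually inherits: expand every system role in
    PersonHasESet through ESetCollection, collect the company resources assigned
    directly to each role in that set, and withhold target system entitlements for
    which the employee owns no user account (the NOTE on the page)."""
    collection = build_eset_collection(ESET_DIRECT)
    granted, withheld = set(), set()
    for role in person_has_eset(person):
        for uid in collection.get(role, {role}):
            for kind, key in ESET_DIRECT.get(uid, ()):
                if kind == "ESet":
                    continue           # child roles are already expanded via the collection
                if kind in TARGET_SYSTEMS and kind not in USER_ACCOUNTS.get(person, set()):
                    withheld.add((kind, key))
                else:
                    granted.add((kind, key))
    return granted, withheld


if __name__ == "__main__":
    coll = build_eset_collection(ESET_DIRECT)
    for row, xorigin in sorted(build_eset_has_entitlement(ESET_DIRECT, coll).items()):
        print(row, "XOrigin =", xorigin)
    for who in ("alice", "bob"):
        print(who, person_has_eset(who), effective_company_resources(who))
```

Running it shows the two-stage resolution: ESetHasEntitlement only records that Finance-Newhire reaches Org-Base through a child role (XOrigin 2), while Org-Base's Active Directory group appears for alice only when her effective company resources are calculated; her SAP role is withheld because she has no SAP user account, which is the prerequisite the NOTE above states.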