Definition

A role is an element to which permissions are attached on one side and users on the other. It bundles a set of permissions into one logical, assignable element. The permissions can be resources and roles (sub-roles). The users can be Core Identities (natural persons) and master data elements.

Usage

New roles are named, assigned to a responsible identity and categorized. For a specific role, the associated resources, the Core Identities to which the role has been assigned and, optionally, the responsible Approval Groups are displayed.

A user can delegate his roles: under My Data → My Roles there is the Delegate field. By specifying another Core Identity, a reason and a time interval, the respective role can be assigned to someone else. The assignment must be approved by the responsible user or Approval Group.

For every role, a ChildRole can be added in the menu under Member. This parent-child relationship leads to the inheritance of resources: every resource the parent role has is automatically assigned to the child role as well.

Role Attributes

The following standard and module-dependent attributes are available:

Standard attribute | Description
Name | Display name of the role
Description | Description of the role
Owner | Owner of the role
Category | Category of the role

Assigning roles

A role can be assigned to Core Identities (natural persons) and to master data elements (organizational units, tenants, functions, etc.).

Here you can configure which role is assigned to which Core Identity type under which condition. For this, the decisive attribute and the condition have to be defined: for example, a rule can state that only German-speaking external employees receive a given role. More demanding rules can also be built using regular expressions.
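The following is an added illustration of how such rule-based assignment can be evaluated; it is not CoreOne Suite's own code or data model. The rule format, the attribute names (language, costCenter), the identity types and the sample identities are all constructed for the example. It shows the two checks a rule needs (identity type, then every attribute condition) and anchors the regular expressions with fullmatch so that a pattern written for "de" does not silently match unrelated values.

```python
"""Rule-based role assignment evaluated over Core Identity attributes.

Added illustration only: the rule format, the attribute names and the sample
identities are constructed for this example and are not CoreOne Suite's own
data model or API.
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CoreIdentity:
    # Constructed sample record; the attribute names are assumptions.
    identity_id: str
    identity_type: str            # e.g. "Employee", "External"
    attributes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class AssignmentRule:
    """One automatic-assignment rule for a role.

    The rule only applies to identities of `identity_type`. Every entry in
    `conditions` is (attribute name, regex); all of them must match.
    """
    role: str
    identity_type: str
    conditions: tuple

    def matches(self, identity: CoreIdentity) -> bool:
        if identity.identity_type != self.identity_type:
            return False
        for attr, pattern in self.conditions:
            value = identity.attributes.get(attr)
            if value is None:
                # A missing attribute never satisfies a condition.
                return False
            # fullmatch, not search: the pattern must describe the whole value,
            # otherwise a rule for "de" would also grant the role for "de-less".
            if re.fullmatch(pattern, str(value)) is None:
                return False
        return True


def evaluate_rules(rules, identities):
    """Return {identity_id: sorted role names} granted by rule-based assignment."""
    result = {}
    for identity in identities:
        result[identity.identity_id] = sorted(
            {rule.role for rule in rules if rule.matches(identity)}
        )
    return result


# The rule from the text: only German-speaking external employees get the role.
RULES = (
    AssignmentRule("Partner-Portal (DE)", "External",
                   (("language", r"de(-[A-Z]{2})?"),)),
    # A second, regex-based rule: employees in a cost center of the 4xxx range.
    AssignmentRule("Finance Reports", "Employee",
                   (("costCenter", r"4\d{3}"),)),
)

# Constructed sample identities.
IDENTITIES = (
    CoreIdentity("ext-001", "External", {"language": "de-CH"}),
    CoreIdentity("ext-002", "External", {"language": "fr"}),
    CoreIdentity("emp-001", "Employee", {"language": "de", "costCenter": "4210"}),
    CoreIdentity("emp-002", "Employee", {"costCenter": "51000"}),
)

if __name__ == "__main__":
    for ident, roles in evaluate_rules(RULES, IDENTITIES).items():
        print(ident, roles)
```

Note that emp-001 speaks German but is an Employee, not an External, so the identity type check alone keeps the portal role away from him; the regex is only consulted once the type matches.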


Nesting roles

Roles can be logically nested inside each other. For this, a role has the following relationships:

Relationship | Description
Members | A list of roles that are members of the current role
Member of | A list of roles in which the current role is a member

Introduction

A role is the key element of efficient access management. It bundles various resources of all managed systems into a logical unit that can be assigned, managed, versioned, approved and ordered. It can be used to abstract the complex infrastructure into logically grouped elements that are more understandable to the business. Each role is of a specific Role Type and has various other properties that are described here.

Resource assignments

By placing resources into a role, each assigned Core Identity is assigned the resource with the specified access level, provided that the Core Identity type matches. When creating a resource assignment on the role you therefore have to select the appropriate identity type. This identity type is used to determine the Core Identity Type.

You also have the option to deny a resource assignment, which ensures that no member of the current role is allowed to be a member of the given resource. This is an easy way to achieve a simple segregation of duties.

Core Identities

All the Core Identities that are assigned to a role are displayed in the UI. Each such assignment has a reason, a valid from and a valid to. The assignment type further indicates whether the assignment was created automatically based on a rule, was assigned manually by a person or was received in the context of a delegation. You can add and remove those assignments given that you have the appropriate rights.

Approval Groups & Workflows

If a role assignment should be restricted by an approval process, you can use the Approval Groups tab to add, remove and configure approval groups (https://itsense.atlassian.net/wiki/spaces/IKB/pages/280887357/Approval+groups?atl_f=content-tree) for the role. Once configured, any future assignment of the role is subject to the approval of these groups.

Starting from version 9.1, you can also configure your own approval workflows as described here. Note that approval workflows extend the approval groups: if you have configured two approval groups and a workflow, all three need to pass.

Members and Member from

You can nest roles into other roles and thereby create a tree structure of roles. This structure is displayed in the Members and Member from tabs.

Members

Given the example from above, the members of the role All care areas are the three roles below it. If I add someone to the All care areas role, he only receives the resources assigned to that specific role.

Member from

Given the example from above, the member from of the role All care areas is empty, as it is not a member of any other role. But if we take a look at Care area A, it is a member of All care areas. This also means that if I assign a Core Identity to Care area A, that Core Identity also becomes a member of All care areas and hence inherits the resources configured on that role.
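To make the inheritance direction and the deny behaviour from the Resource assignments section concrete, here is an added example (not CoreOne Suite's code; role names beyond All care areas and Care area A, the resource names, the access levels and the identity types are constructed). A Core Identity receives the resources of the roles it is assigned to plus those of every role these are a member of, never the resources of the member roles below; a deny assignment removes a resource regardless of which other role would have granted it.

```python
"""Effective resources of a Core Identity through nested roles.

Added illustration of the nesting and inheritance behaviour described in the
text; the data structures, helper names and sample roles are constructed for
this example and are not CoreOne Suite's own code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResourceAssignment:
    resource: str
    access_level: str
    identity_type: str        # the assignment only applies to this Core Identity type
    deny: bool = False        # a deny assignment excludes the resource for all members


@dataclass
class Role:
    name: str
    resources: list = field(default_factory=list)
    members: list = field(default_factory=list)   # child roles: the "Members" tab


def member_of(roles, role_name):
    """All roles the given role is (transitively) a member of: the "Member from" tab."""
    parents = set()
    stack = [role_name]
    while stack:
        current = stack.pop()
        for role in roles.values():
            if current in role.members and role.name not in parents:
                parents.add(role.name)
                stack.append(role.name)
    return parents


def effective_roles(roles, assigned):
    """Directly assigned roles plus every role they are (transitively) a member of."""
    result = set()
    for name in assigned:
        result.add(name)
        result |= member_of(roles, name)
    return result


def effective_resources(roles, assigned, identity_type):
    """{resource: access level} an identity of `identity_type` ends up with.

    Assignments for another identity type are skipped, and a deny on any
    effective role wins over an allow from any other effective role.
    """
    allowed, denied = {}, set()
    for name in effective_roles(roles, assigned):
        for a in roles[name].resources:
            if a.identity_type != identity_type:
                continue
            if a.deny:
                denied.add(a.resource)
            else:
                allowed[a.resource] = a.access_level
    return {res: lvl for res, lvl in allowed.items() if res not in denied}


# Constructed role tree following the text: All care areas has three member roles.
ROLES = {
    "All care areas": Role(
        "All care areas",
        resources=[ResourceAssignment("Shared-Calendar", "Read", "Employee")],
        members=["Care area A", "Care area B", "Care area C"]),
    "Care area A": Role(
        "Care area A",
        resources=[ResourceAssignment("Ward-A-Records", "Write", "Employee"),
                   # segregation of duties: nobody in Care area A may hold Pharmacy-Orders
                   ResourceAssignment("Pharmacy-Orders", "Write", "Employee", deny=True)]),
    "Care area B": Role(
        "Care area B",
        resources=[ResourceAssignment("Ward-B-Records", "Write", "Employee")]),
    "Care area C": Role(
        "Care area C",
        resources=[ResourceAssignment("Ward-C-Records", "Read", "External")]),
    "Pharmacy": Role(
        "Pharmacy",
        resources=[ResourceAssignment("Pharmacy-Orders", "Write", "Employee")]),
}

if __name__ == "__main__":
    print(sorted(effective_roles(ROLES, ["Care area A"])))
    print(effective_resources(ROLES, ["All care areas"], "Employee"))
    print(effective_resources(ROLES, ["Care area A", "Pharmacy"], "Employee"))
```

Running it shows that an Employee assigned only to All care areas gets just Shared-Calendar, while an Employee assigned to Care area A gets Ward-A-Records and, through membership, Shared-Calendar; assigning that person Pharmacy in addition still does not yield Pharmacy-Orders, because the deny on Care area A takes precedence.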

Resource definition templates

By assigning a role to a Core Identity we can not only assign resources but also trigger the creation of resources and subsequently assign the Core Identity to the created resource. This is particularly handy if you want to control the creation of resources such as mailboxes through roles. By creating a mailbox template and assigning it to the role you can trigger the creation of a mailbox for a person simply by assigning the role.

Attribute Sets

Attribute Sets are more complex attributes that consist of other attributes. By assigning an attribute set to a role, all members of the role receive an attribute set assignment, given that the configured Core Identity Type matches. When adding an attribute set to the role, you can also specify a weight, which is used in case more than one attribute set of the same type is assigned to a member. In this case the assignment with the highest weight is used.

Assets

Assets are a handy tool to assign physical or virtual objects to an entity within the CoreOne Suite. By assigning an asset type and an asset group to a role, you can trigger an automatic assignment of an asset to all members of the current role. This can be used to automatically assign phone numbers, key cards or any other asset type that you might have configured.

Catalog to role assignments

Info: This feature is available from version 8 and higher.

When the current role is assigned to someone, it gives him the permission to assign and/or receive entities from the given catalogs.