Definition
Introduction
A role is an element to which authorizations can be assigned on the one hand and users on the other; it is the key element of efficient access management. It bundles a set of authorizations into a logical, assignable element. The authorizations can be resources and roles (sub-roles). The users can be core identities (natural persons) and master data elements.
Usage
New roles are named, assigned to a responsible identity and categorized. For a specific role, the associated resources, the core identities to which the role has been assigned and the responsible approval groups (optional) are shown.
A user can delegate his or her roles: the Delegate field can be found under My Data - My roles. By specifying a different core identity, a reason and a time interval, the respective role can be assigned to someone else. The assignment must be approved by the responsible user or approval group.
A child role can be added to each role in the menu under Members. This parent-child relationship leads to the inheritance of resources: every resource that the parent role has at its disposal is automatically assigned to the child role.
Role attributes
The following standard and module-dependent attributes are available.
Standard attribute | Description
---|---
Name | Friendly name of the role
Description | Description of the role
Owner | Owner of the role
Category | Category of the role
Assignment of roles
A role can be assigned to core identities (natural person) and master data elements (organizational units, clients, functions, etc.).
Here you can configure which role is assigned to which core identity type and under which conditions. The relevant attribute and the condition must be defined: for example, a rule can be defined so that only German-speaking external employees receive a given role. More sophisticated rules can also be created using regular expressions.
Nest roles
Roles can be logically nested within one another. The following relationships exist on a role:

Relationship | Description
---|---
Members | A list of roles that are members of the current role
Members of | A list of roles in which the current role is a member
This relationship can be illustrated with an example. The role "Webshop - All Tenants" is a member of "Webshop - Tenant Contoso" and "Webshop - Tenant Bestrun". By assigning a user to the role "Webshop - All Tenants", the user automatically also becomes a member of the roles "Webshop - Tenant Contoso" and "Webshop - Tenant Bestrun".

Various resources of all managed systems are bundled into a logical unit that can be assigned, managed, versioned, approved and ordered. It can be used to abstract the complex infrastructure into logically grouped elements that are more understandable to the business. Each role is of a specific Role Type and has various other properties that are described here.
Resource assignments
By placing resources into a role, each assigned Core Identity is assigned the resource with the specified access level, provided that the Core Identity type matches. When creating a resource assignment on the role you therefore have to select the appropriate identity type. This identity type is used to determine the Core Identity Type to which the assignment applies.
You also have the option to deny a resource assignment to ensure that no member of the current role is allowed to be a member of a given resource. This is an easy way to achieve a simple segregation of duties.
Core Identities
All the Core Identities that are assigned to a role are displayed in the UI. Each such assignment has a reason, a valid-from and a valid-to date. The assignment type further indicates whether this assignment was created automatically based on a rule, was assigned manually by a person, or was received in the context of a delegation. You can add and remove those assignments provided that you have the appropriate rights.
Approval Groups & Workflows
If a role assignment should be restricted by an approval process, you can use the Approval Groups tab to add, remove and configure approval groups (https://itsense.atlassian.net/wiki/spaces/IKB/pages/280887357/Approval+groups?atl_f=content-tree) for the role. Once configured, any future assignment of the role is subject to the approval of these groups.
Starting from version 9.1, you can also configure your own approval workflows as described here. Note that approval workflows extend the approval groups rather than replacing them: if you have configured two approval groups and a workflow, all three need to pass.
Members and Member from
You can nest roles into other roles and thereby create a tree structure of roles. This structure is displayed in the Members and Member from tabs.
Members

Given the example from above, the members of the role All care areas are the three roles below it. If I add someone to the All care areas role, that person only receives the resources assigned to that specific role.

Member from

Given the example from above, the member from list of the role All care areas is empty, as it is not a member of any other role. But if we take a look at Care area A, it is a member of All care areas. This also means that if I assign a Core Identity to Care area A, that Core Identity will also become a member of All care areas and hence inherit the resources configured on that role.
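The following is an added example, not CoreOne Suite code: a small model of the semantics described under Resource assignments and Member from above, with identity-type-scoped resource assignments, deny assignments, and resource inheritance from the roles a role is a member of. The role and resource names are constructed, modelled on the "All care areas" example.

```python
from dataclasses import dataclass, field

@dataclass
class ResourceAssignment:
    resource: str
    identity_type: str          # assignment only applies to this Core Identity type
    access_level: str = "member"
    deny: bool = False          # deny: no member of the role may hold this resource

@dataclass(eq=False)            # compare roles by identity so cycles cannot loop
class Role:
    name: str
    assignments: list = field(default_factory=list)
    members_of: list = field(default_factory=list)   # the "Member from" roles

def effective_roles(role):
    """The role itself plus every role it is (transitively) a member of."""
    seen, stack = [], [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.append(r)
            stack.extend(r.members_of)
    return seen

def effective_resources(direct_roles, identity_type):
    """Resources an identity of the given type receives from its directly
    assigned roles, including those inherited from parent roles. A deny in any
    of these roles wins over any allow (the page's simple segregation of duty)."""
    allowed, denied = {}, set()
    for direct in direct_roles:
        for role in effective_roles(direct):
            for a in role.assignments:
                if a.identity_type != identity_type:
                    continue            # identity type must match
                if a.deny:
                    denied.add(a.resource)
                else:
                    allowed.setdefault(a.resource, a.access_level)
    return {res: lvl for res, lvl in allowed.items() if res not in denied}

# Constructed sample roles, modelled on the page's "All care areas" example.
ALL_CARE = Role("All care areas", [ResourceAssignment("CareShare", "Person", "read")])
CARE_A = Role("Care area A",
              [ResourceAssignment("CareA-DB", "Person", "write"),
               ResourceAssignment("AuditTool", "Person", deny=True)],
              members_of=[ALL_CARE])
AUDITORS = Role("Auditors", [ResourceAssignment("AuditTool", "Person", "read")])
```

A Person assigned only Care area A receives CareA-DB plus CareShare inherited from All care areas; a Person holding both Care area A and Auditors still does not receive AuditTool, because the deny on Care area A wins.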
Resource definition templates
By assigning a role to a Core Identity we can not only assign resources but also trigger the creation of resources and subsequently assign the Core Identity to the created resource. This is particularly handy if you want to control the creation of resources such as mailboxes through roles. By creating a mailbox template and assigning it to the role, you can trigger the creation of a mailbox for a person simply by assigning the role.
Attribute Sets
Attribute Sets are more complex attributes that consist of other attributes. By assigning an attribute set to a role, all members of the role receive an attribute set assignment, provided that the configured Core Identity Type matches. When adding an attribute set to the role, you can also specify a weight, which is used when more than one attribute set of the same type is assigned to a member. In that case the assignment with the highest weight is used.
Assets
Assets are a handy tool for assigning physical or virtual objects to an entity within the CoreOne Suite. By assigning an asset type and an asset group to a role, you can trigger an automatic assignment of an asset to all members of the current role. This can be used to automatically assign phone numbers, key cards or any other asset type that you might have configured.
Catalog to role assignments
Info: This feature is available from version 8 and higher.

When the current role is assigned to someone, it gives that person the permission to assign and / or receive entities from the given catalogs.