Role

Owned by Marc Burkhard
Last updated: 30. Oct 2024 by valentin.buergler
4 min read

Introduction

A role is the key element of an efficient access management. It bundles various resources of all managed systems into a logical unit that can be assigned, managed, versioned, approved and ordered. It can be used to abstract the complex infrastructure into logically grouped elements that are more understandable to the business. Each role is of a specific Role Type and has various other other properties that are described here.

Resource assignments

By placing resources into a role, each assigned Core Identity will be assigned the current resource with the specified access level given that the Core Identity type matches. When creating a resource assignment to the role you therefore have to select the appropriate identity type. This identity type will be used to determinate the Core Identity Type.

You also have the option to deny a resource assignment to ensure that every member of the current group is not allowed to be member of a given resource. This is an easy way to achieve a simple segregation of duty.

Core Identitites

All the Core Identities that are assigned to a role are displayed in the UI. Each such assignment has a reason, a valid from and a valid to. The assignment type further indicates whether this assignment was automatically created based on a rule, was assigned manually by a person or was received in the context of an delegation. You can add and remove those assignments given that you have the appropriate rights.

Approval Groups & Workflows

If a role assignment should be restricted by an approval process, you can use the tab Approval Groups tab to add, remove, and configure Approval groups for the role. Once configured, any future assignment of the role is thereafter subject to the approval of these groups.

Starting from version 9.1, you also can configure your own approval workflows as described here. Note that the approval workflows will extend the approval groups. So if you have configured two approval groups and a workflow, all three need to pass.

Members and Member from

You can nest roles into other roles and therefore create a tree structure of roles. This structure is displayed in the members and members from tabs.

 

Members

Given the example from above, the members of the role All care areas are the three roles below. If I add someone to the the All care areas role, he only receives the roles assigned to that specific role.

Member from

Given the example from above, the member from of the role All care areas is empty, as it is not member from any other role. But if we take a look at Care area A, it is member from All care areas. This also means, If I assign a Core Identity to the Care area A, that Core Identity will also become member of All care areas and hence inherit the configured resources from that role.

Resource definition templates

By assigning a role to a Core Identity we can not only assign resources but we can also trigger the creation of resources and subsequently assigning the Core Identity to the created resource. This is particularly handy if you want to control the creation of resources such as mailboxes through roles. By creating a mailbox template and assigning it to the role you can trigger the creation of a mailbox for a Person by simply assigning a role.

Attribute Sets

Attribute Set are more complex attributes, that consist of other attributes. By assigning an attribute set to a role, all members of the role will receive an attribute set assignment given the configured Core Identity Type matches. When adding an attribute set to the role, you can also specify a weight which will be used in case of more than one attribute set of the same type assigned to a member. The assignment with the highest weight will be used in this case.

Assets

Assets can be a handy tool to manage physical or virtual objects to an entity within the CoreOne Suite. By assigning an asset type and a asset group to a role, you can trigger an automatic assignment of an asset to all members of the current role. This can be used to automatically assigned phone numbers, key cards or any other asset type that you might have configured.

Catalog to role assignments

This feature is available from version 8 and higher

When the current role is assigned to someone, it gives him the permission to assign and / or receive entities from the given catalogs.

© ITSENSE AG. Alle Rechte vorbehalten. ITSENSE und CoreOne sind eingetragene Marken der ITSENSE AG.