===== Incompatible roles =====

**Segregation of Duties** (SoD) can be ensured by the incompatible roles feature. Incompatible roles are set up in much the same way as business roles.

{{ :devel:documentation:incompatible-role-definition.png |}}

The old generation of CzechIdM used to have a feature called [[https://blog.bcvsolutions.eu/neslucitelnost-roli/|Role's incompatibility]]. By incompatibility we mean that you can set restrictions on roles A and B that will stop any user or process from assigning these two roles to the same user at once.

The new generation of CzechIdM has a similar feature. The difference is that our experience with CzechIdM deployments on projects has taught us that users prefer this incompatibility function to work merely as a **soft** mechanism. In other words, CzechIdM will allow a user (identity) to have incompatible roles as long as an administrator/security manager is notified about this incident. The security staff also get a new tool to generate a special report listing all users with incompatible roles. The report is prepared in the reports module and is named ''Identities-assigned incompatible roles''.

When an incompatible role has been assigned to an identity, a **warning stating the incompatible role definition** is shown.

==== Concurrence of incompatible roles and business roles ====

The same warning symbol is shown when an identity requests new role(s) that happen to be incompatible with one of the subroles nested within a business role composition. In this case, the informative symbol is ALSO shown next to a business role that IS NOT itself incompatible with the requested role. In other words, the meaning of the symbol is somewhat different here: it does not mean that the role marked by this symbol is incompatible, but rather indicates that one of the subroles down the business role cascade is incompatible.
{{ :devel:documentation:incompatible-role-request.png |}} {{ :devel:documentation:incompatible-role-request-confirm.png |}}
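
The following is an added illustration, not CzechIdM code: a small model of the soft check described above, showing why a business role gets marked when only one of its nested subroles matches an incompatibility definition. The role names, the ''COMPOSITION'' and ''INCOMPATIBLE'' data and all function names are constructed for the example.

```python
from typing import NamedTuple

# Constructed sample data: business role -> directly nested sub-roles.
COMPOSITION = {
    "Accountant": ["Invoice Approver", "Ledger Reader"],
    "Finance Lead": ["Accountant", "Budget Owner"],
}
# Constructed incompatibility definitions (treated as symmetric pairs).
INCOMPATIBLE = [("Invoice Creator", "Invoice Approver")]


class SodWarning(NamedTuple):
    marked_role: str     # top-level role that gets the warning symbol
    via: str             # role in its cascade that matches a definition
    conflicts_with: str  # the role on the other side of the definition
    direct: bool         # False = marked only because of a nested sub-role


def cascade(role, composition):
    """Return the role plus every sub-role below it (cycle-safe)."""
    seen, stack = [], [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.append(current)
            stack.extend(composition.get(current, []))
    return seen


def soft_sod_check(assigned, requested, composition, incompatible):
    """Return warnings only; the request is never blocked (soft mechanism)."""
    pairs = {frozenset(p) for p in incompatible}
    top_level = list(assigned) + list(requested)
    expanded = {r: cascade(r, composition) for r in top_level}
    warnings = []
    for role in top_level:
        for other in top_level:
            if other == role:
                continue
            for sub in expanded[role]:
                for other_sub in expanded[other]:
                    if frozenset((sub, other_sub)) in pairs:
                        warnings.append(
                            SodWarning(role, sub, other_sub, sub == role))
    return warnings
```

With ''Finance Lead'' assigned and ''Invoice Creator'' requested, the requested role is marked directly, while ''Finance Lead'' is marked with ''direct=False'' because the match sits two levels down its cascade.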