Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
devel:documentation:roles [2017/11/03 15:10] poulm [Role permissions] |
devel:documentation:roles [2022/12/15 13:45] doischert |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | <- .:contracts | Contracts ^ .:start | Documentation ^ .: | ||
+ | |||
+ | {{tag> role incompatible business automatic SoD Segregation Duties }} | ||
+ | |||
+ | ====== Roles ====== | ||
+ | |||
+ | A role in CzechIdM is an entity representing a set (1 or more) of permissions on the end system or in CzechIdM itself [[.roles: | ||
+ | |||
+ | Users acquire roles: | ||
+ | * [[.roles: | ||
+ | * manually | ||
+ | * [[.roles: | ||
+ | * [[tutorial: | ||
+ | |||
+ | Request for a role [[.role_change|can be approved]] by a specific user, usually helpdesk, user's manager or IT security. | ||
+ | |||
+ | === Business roles === | ||
+ | Roles can be aggregated into [[.roles: | ||
+ | |||
+ | === Incompatible roles (segregation of duties) === | ||
+ | If an identity should not be placed into Security Group A and Security Group B in MS Active Directory at the same time, we can ensure it via CzechIdM mechanism of [[.roles: | ||
+ | |||
+ | ===== Roles and contracts ===== | ||
+ | Roles are assigned to users via their contracts. If a contract is not valid (time validity) the roles on the contract are removed. In other words, the identity loses roles permissions in IdM and rights in connected systems. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ===== Automatic roles ===== | ||
+ | ==== By org. structure ==== | ||
+ | |||
+ | The role can be linked to a Tree structure (e.g. a position in organizational structure). That role is assigned to and removed from a user based on adding/ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ==== By identity attributes ==== | ||
+ | The role can be linked by value in attribute (value can be stored in Identity, Identity extended attribute, Contract and Contract extended attribute). That role is assigned to and removed from a user based on the value in the specific attribute. Recalculating of this automatic roles is done after saving the identity, identity extended attribute attributes, contract, and contract extended attribute attributes. All necessary attributes that define automatic role by attribute are defined by the agenda " | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ===== Roles and accounts ===== | ||
+ | Roles can also be assigned directly to accounts. This is particularly when a user has multiple accounts and we want the role to apply to only one account or when we are managing technical accounts. | ||
+ | |||
+ | ====== Read more ====== | ||
+ | |||
+ | ===== Admin guide ===== | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | |||
+ | ===== Admin tutorials ===== | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | |||
+ | ===== Devel guide ===== | ||
+ | * [[.security: | ||
+ | * [[.identities: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||