Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:roles [2017/11/07 17:48] poulm bigger pictures |
devel:documentation:roles [2019/05/02 05:13] kopro [Admin tutorials] add codeable evaluator |
||
---|---|---|---|
Line 1: | Line 1: | ||
+ | <- .: | ||
+ | |||
+ | {{tag> role incompatible business automatic SoD Segregation Duties }} | ||
+ | |||
+ | ====== Roles ====== | ||
+ | |||
+ | A role in CzechIdM is an entity representing a set (1 or many) of privileges on the end system or in CzechIdM itself [[.roles: | ||
+ | |||
+ | Users acquire roles: | ||
+ | * [[.roles: | ||
+ | * manually | ||
+ | * [[.roles: | ||
+ | * [[tutorial: | ||
+ | |||
+ | Request for a role [[.role_change|can be approved]] by a specific user, usually helpdesk, user's manager or IT security. | ||
+ | |||
+ | === Business roles === | ||
+ | Roes can be aggregated into [[.roles: | ||
+ | |||
+ | === Incompatible roles (segregation of duties) === | ||
+ | If an identity should not be placed into Security Group A and Security Group B in MS Active Directory at the same time, we can ensure it via CzechIdM mechanism of [[.roles: | ||
+ | |||
+ | ===== Roles and contracts ===== | ||
+ | Roles are assigned to users via their contracts. If a contract is not valid (time validity) the roles on the contract are removed. In other words, the identity loses roles permissions in IdM and rights in connected systems. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ===== Automatic roles ===== | ||
+ | ==== By org. structure ==== | ||
+ | |||
+ | The role can be linked to a Tree structure (e.g. position in organizational structure). That role is assigned to and removed from a user based on adding/ | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ==== By identity attributes ==== | ||
+ | The role can be also linked with value in attribute (value can be stored in Identity, Identity extended attribute, Contract and Contract extended attribute). That role is assigned to and removed from a user based on the value in the specific attribute. Recalculating of this automatic roles is done after saving identity, identity extended attribute attributes, contract, and contract extended attribute attributes. All necessary attributes that defined automatic role by attribute are defined by agenda " | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ====== Read more ====== | ||
+ | |||
+ | ===== Admin guide ===== | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||
+ | |||
+ | ===== Admin tutorials ===== | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | * [[tutorial: | ||
+ | |||
+ | ===== Devel guide ===== | ||
+ | * [[.security: | ||
+ | * [[.identities: | ||
+ | * [[.roles: | ||
+ | * [[.roles: | ||