Page devel:documentation:roles, revision 2019/01/18 12:58 by svandav (section "Incompatible roles"); previous revision 2018/08/24 13:51 by svandav (section "Business roles").
{{tag> role incompatible business automatic SoD Segregation of Duties }}

====== Roles ======

A role in CzechIdM is an entity representing a set (1 or many) of permissions/
  * **automatically**, according to the organizational placement of the identity or to identity or contract attributes
  * **manually**, through assignment based on the user's request in the CzechIdM self-service or by a CzechIdM administrator
  * **by business role**: sub roles can be assigned automatically,

From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application,

===== Roles and contracts =====

Roles are assigned to users via their contracts. If a contract is not valid (it is outside its time validity), the roles assigned through that contract are removed. In other words, the identity loses the permissions of those roles in IdM and the corresponding rights in the connected systems.

===== Roles and environment =====

A role with the same base code can be created from or for different environments. The final role code is combined from the base code and the environment identifier. When a role is created (or synchronized),
  * ''
  * ''
  * ''

===== Role permissions =====

Role permissions define rights for administrator actions in CzechIdM. Not every role needs a CzechIdM permission defined. A permission is, for example, READ on USERS: a user holding a role with this permission can see the read-only detail of all identities in CzechIdM.

===== Role criticality =====
A level of criticality can be set for every role. Criticality denotes, [[devel:

===== Business roles =====
Business roles (role composition) are defined on the role detail. A business role can contain sub roles; all sub roles are assigned automatically,
Sub roles defined by business roles are recalculated in the background (by [[devel:

===== Incompatible roles =====
**Segregation of Duties** (SoD) is defined through incompatible roles. The definition is almost the same as the business role definition above.

The old generation of CzechIdM had a feature of [[https://

When an identity has incompatible roles assigned, a **warning with the incompatible role definition is shown**. The same warning is shown on a business role definition (when the business role contains incompatible sub roles) and when an identity requests new roles (for example, when a currently assigned role is incompatible with the newly requested one).
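As an added illustration (not CzechIdM's own code), the following Python sketch resolves business roles to their effective sub roles and runs the incompatible-role check in the three places described above: on a business role definition, on an identity's assigned roles, and on a role request. The role codes, the composition table and the incompatible pair are constructed sample data; CzechIdM's data model and its own comparison logic are not reproduced here.

```python
"""Business-role expansion and incompatible-role (SoD) check.

Added illustration, not CzechIdM code. The role codes, the composition
table and the incompatible pairs are constructed sample data.
"""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Business role -> its direct sub roles (constructed sample data).
# "finance-manager" nests "accountant", so sub roles must be resolved transitively.
COMPOSITION: Dict[str, List[str]] = {
    "accountant": ["erp-invoice-entry", "erp-report-read"],
    "finance-manager": ["accountant", "erp-invoice-approve"],
}

# SoD definition: unordered pairs of roles one identity must not hold together.
INCOMPATIBLE: Set[FrozenSet[str]] = {
    frozenset({"erp-invoice-entry", "erp-invoice-approve"}),
}


def expand(roles: Iterable[str],
           composition: Dict[str, List[str]] = COMPOSITION) -> Set[str]:
    """Directly assigned roles plus every sub role reachable through business roles.

    Breadth-first walk; each role is visited once, so a cyclic composition
    (A contains B, B contains A) terminates instead of recursing forever.
    """
    effective: Set[str] = set()
    queue = deque(roles)
    while queue:
        role = queue.popleft()
        if role in effective:
            continue
        effective.add(role)
        queue.extend(composition.get(role, []))
    return effective


def violations(effective: Set[str],
               incompatible: Set[FrozenSet[str]] = INCOMPATIBLE) -> List[Tuple[str, str]]:
    """Incompatible pairs whose both members are in the effective role set."""
    return sorted(tuple(sorted(pair)) for pair in incompatible if pair <= effective)


def check_business_role(role: str) -> List[Tuple[str, str]]:
    """The warning on a business role definition: its own sub roles conflict."""
    return violations(expand([role]))


def check_request(assigned: Iterable[str],
                  requested: Iterable[str]) -> List[Tuple[str, str]]:
    """The warning on a role request: conflicts the requested roles would introduce.

    Conflicts that already exist among the assigned roles are not reported
    again, only those created by adding the requested roles.
    """
    assigned = list(assigned)
    before = violations(expand(assigned))
    after = violations(expand(assigned + list(requested)))
    return [pair for pair in after if pair not in before]


if __name__ == "__main__":
    print(check_business_role("finance-manager"))  # the business role itself is in conflict
    print(check_request(["accountant"], ["erp-invoice-approve"]))
```

Because `expand` walks the composition transitively, a conflict buried two levels down is reported on the top-level business role, which is exactly the case the warning on the business role definition is there to catch; a check that only looked at direct sub roles would miss it.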
===== Automatically assigned roles by organization structure =====
A role can be linked to a tree structure node (e.g. a position in the organizational structure). That role is assigned to and removed from a user based on adding/

===== Automatically assigned roles by attribute =====
A role can also be linked to a value of an attribute (the value can be stored in the identity, an identity extended attribute, the contract, or a contract extended attribute). That role is assigned to and removed from a user based on the value of that attribute. Recalculation of these automatic roles is done after saving the identity, identity extended attributes, the contract, or contract extended attributes. All attributes that can be used to define an automatic role by attribute are defined in the agenda "

After saving an identity (from the identity detail), recalculation is done for all automatic roles that have at least one rule of type IDENTITY; **recalculation triggered from the identity is done for all contracts of the saved identity**. After saving contract extended attributes (from the extended attribute detail), recalculation is done for all automatic roles that have at least one rule of type CONTRACT_EAV.
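The following Python sketch is an added example, not CzechIdM code. It evaluates automatic roles by attribute per contract, drops the roles of contracts outside their time validity (the rule from "Roles and contracts" above), and lists which automatic roles a save of a given attribute type must recalculate. The rule types are the ones named on this page; that the rules of one automatic role are combined with AND, the plain equality comparison, and all sample identities, contracts and attribute names are assumptions made for the example.

```python
"""Automatic roles by attribute: rule evaluation per contract and the
scope of a recalculation after a save.

Added illustration, not CzechIdM code. Rule types follow the page
(IDENTITY, IDENTITY_EAV, CONTRACT, CONTRACT_EAV). AND-combination of a
role's rules, equality comparison and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    type: str        # IDENTITY | IDENTITY_EAV | CONTRACT | CONTRACT_EAV
    attribute: str
    value: str


@dataclass
class AutomaticRole:
    role: str
    rules: List[Rule]   # assumption: all rules must match


@dataclass
class Contract:
    id: str
    valid_from: Optional[date] = None
    valid_till: Optional[date] = None
    attributes: Dict[str, str] = field(default_factory=dict)   # CONTRACT
    eav: Dict[str, str] = field(default_factory=dict)          # CONTRACT_EAV


@dataclass
class Identity:
    username: str
    attributes: Dict[str, str] = field(default_factory=dict)   # IDENTITY
    eav: Dict[str, str] = field(default_factory=dict)          # IDENTITY_EAV
    contracts: List[Contract] = field(default_factory=list)


def contract_valid(contract: Contract, today: date) -> bool:
    """A contract outside its time validity carries no roles."""
    if contract.valid_from is not None and today < contract.valid_from:
        return False
    if contract.valid_till is not None and today > contract.valid_till:
        return False
    return True


def rule_matches(rule: Rule, identity: Identity, contract: Contract) -> bool:
    """Look the attribute up in the source the rule type points at (KeyError on unknown type)."""
    source = {
        "IDENTITY": identity.attributes,
        "IDENTITY_EAV": identity.eav,
        "CONTRACT": contract.attributes,
        "CONTRACT_EAV": contract.eav,
    }[rule.type]
    return source.get(rule.attribute) == rule.value


def roles_for_contract(identity: Identity, contract: Contract,
                       automatic_roles: List[AutomaticRole], today: date) -> Set[str]:
    """Automatic roles this contract should hold right now."""
    if not contract_valid(contract, today):
        return set()
    return {ar.role for ar in automatic_roles
            if all(rule_matches(r, identity, contract) for r in ar.rules)}


def recalculate(identity: Identity, automatic_roles: List[AutomaticRole],
                today: date) -> Dict[str, Set[str]]:
    """Recalculation triggered from the identity: every contract is evaluated."""
    return {c.id: roles_for_contract(identity, c, automatic_roles, today)
            for c in identity.contracts}


def affected_by_save(saved_type: str, automatic_roles: List[AutomaticRole]) -> List[str]:
    """Automatic roles with at least one rule of the saved attribute type;
    only these need recalculation after such a save."""
    return [ar.role for ar in automatic_roles
            if any(r.type == saved_type for r in ar.rules)]


# Constructed sample data (not from any real deployment).
AUTOMATIC_ROLES = [
    AutomaticRole("vpn-user", [Rule("CONTRACT", "position", "developer"),
                               Rule("IDENTITY_EAV", "clearance", "internal")]),
    AutomaticRole("prague-building-access", [Rule("CONTRACT_EAV", "site", "prague")]),
]

ALICE = Identity(
    "alice",
    attributes={"firstName": "Alice"},
    eav={"clearance": "internal"},
    contracts=[
        Contract("c1", date(2018, 1, 1), None, {"position": "developer"}, {"site": "prague"}),
        Contract("c2", date(2017, 1, 1), date(2017, 12, 31),      # expired contract
                 {"position": "developer"}, {"site": "prague"}),
        Contract("c3", date(2018, 6, 1), None, {"position": "tester"}, {"site": "brno"}),
    ],
)
TODAY = date(2019, 1, 18)
```

Note that `recalculate` is keyed by contract, not by identity: the same identity attribute (`clearance`) can yield the role on one contract and not on another, because the contract-level rules and the contract's validity are evaluated alongside it. That is why a save on the identity detail has to recalculate all of the identity's contracts.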

===== Requests for change of automatically assigned roles =====
Automatically assigned roles have a significant security impact. Creating, editing, or deleting them therefore has to go through an approval process. For this purpose, an agenda for requests for change of automatic roles has been created.

The request takes its approval process from the criticality defined for the role concerned. The role's criticality determines which process the application must complete before the change is implemented.

The processes defined by role criticality are described in [[https://
The processes for approving a change of an automatic role differ from the processes used for approving the assignment of a role to a single user. For clarity, both processes (role assignment, change of the automatic role) are defined in one final process.
====== Read more ======

===== Admin tutorials =====
  * [[tutorial:
  * [[tutorial:
  * [[tutorial:
  * [[tutorial:
===== Devel guide =====
  * [[.security:
  * [[.identities:
  * [[.roles:
  * [[.roles: