devel:documentation:roles, revision 2018/11/15 09:27 (tomiskar) compared with revision 2019/03/20 16:25 (poulm: role parts moved into admin guide)
{{tag> role incompatible business automatic SoD Segregation Duties }}

====== Roles ======

A role in CzechIdM is an entity representing a set (one or many) of privileges on an end system or in CzechIdM itself [[.roles:adm:authorization|(permission)]]. From the perspective of the identity manager it does not matter whether the user acquires an account in a specific application, is placed in a group in LDAP, has a flag such as "can use VPN" set, or is granted a permission inside an application: in every case a role is assigned. This simplification lets the same general rules govern the assignment of every kind of permission (that is, every role).

Users acquire roles:
  * [[.roles:adm:automatic_roles|automatically]] – according to the organizational placement of the identity, or according to identity attributes such as address or company.
  * manually
    * [[.roles:adm:role_assignment| by request]] in the CzechIdM self-service or by a CzechIdM administrator.
    * by [[tutorial:adm:copying| copying]] the roles of an existing user.

A role request [[.role_change|can be approved]] by a designated approver, typically the helpdesk, the user's manager or IT security.

=== Business roles ===
Roles can be aggregated into [[.roles:adm:business_roles|business roles]]. If role A is a sub-role of business role B, then whenever B is assigned to a user (no matter how, automatically or manually), the user also acquires role A.

=== Incompatible roles (segregation of duties) ===
If an identity must not be a member of Security Group A and Security Group B in MS Active Directory at the same time, this can be enforced with the CzechIdM mechanism of [[.roles:adm:incompatible_roles|incompatible roles]].
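The following Python model is an added example, not CzechIdM code, illustrating the two sections above together: business roles are expanded into their sub-roles, and the incompatible-roles check is then evaluated on the expanded (effective) set. It shows the case a reviewer most often misses: two business roles that are each harmless on their own can together pull in an incompatible pair of sub-roles. The role names, the `SUBROLES`/`INCOMPATIBLE` tables and the decision to check the expanded set are assumptions of the example.

```python
# Added example: business-role expansion and a segregation-of-duties check.
# Role catalogue constructed for this example (not a CzechIdM export).
# A business role maps to the set of its direct sub-roles.
SUBROLES = {
    "finance_clerk": {"AD_SG_Payments_Create", "ERP_user"},
    "finance_approver": {"AD_SG_Payments_Approve", "ERP_user"},
    "it_admin": {"AD_SG_Admins", "vpn"},
}

# Incompatible pairs: an identity may hold at most one role of each pair.
INCOMPATIBLE = [
    frozenset({"AD_SG_Payments_Create", "AD_SG_Payments_Approve"}),
]


def expand(assigned):
    """Effective roles: every assigned role plus, transitively, the sub-roles
    of any business role among them."""
    effective, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role in effective:
            continue  # already visited; also guards against cycles in SUBROLES
        effective.add(role)
        stack.extend(SUBROLES.get(role, ()))
    return effective


def sod_violations(assigned):
    """Incompatible pairs that end up together once business roles are expanded.
    Assumption of the example: the check runs on the expanded set, so a
    violation introduced purely via sub-roles is still detected."""
    effective = expand(assigned)
    return sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE if pair <= effective)


def check_request(current, requested):
    """Violations a role request would newly introduce (empty list = clean).
    Pre-existing violations are reported separately and not blamed on the request."""
    before = set(sod_violations(current))
    after = set(sod_violations(set(current) | {requested}))
    return sorted(after - before)


if __name__ == "__main__":
    alice = {"finance_clerk"}
    print("effective:", sorted(expand(alice)))
    # Neither business role is in an incompatible pair itself, but their
    # sub-roles are: the request must be flagged.
    print("request finance_approver:", check_request(alice, "finance_approver"))
    print("request it_admin:", check_request(alice, "it_admin"))
```

Run directly to see the approver request flagged while the `it_admin` request passes; in a real deployment the same decision would be taken at approval time of the role request, with the approver seeing the offending pair.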
 +
===== Roles and contracts =====
Roles are assigned to users through their contracts. If a contract is not valid (outside its validity period), the roles assigned through it are removed. In other words, the identity loses the corresponding permissions in IdM and its rights in the connected systems.

{{ :devel:adm:idm_entities.png?1000 | Entities relations}}

===== Automatic roles =====
==== By org. structure ====

A role can be linked to a tree structure (e.g. a position in the organizational structure). That role is assigned to and removed from a user when the user is added to or removed from that node of the tree (via the contract or another contract position). If the contract is not yet valid, the roles are assigned but stay disabled until the contract starts.

{{ :devel:documentation:automatic_roles.png?600 |}}

==== By identity attributes ====
A role can also be linked to the value of an attribute (the value may be stored on the identity, an identity extended attribute, the contract or a contract extended attribute). That role is assigned to and removed from a user according to the value of the specific attribute. Recalculation of these automatic roles runs after saving the identity, identity extended attributes, the contract or contract extended attributes. All rules defining an automatic role by attribute are managed in the agenda "Automatic role by attribute".

{{ :devel:documentation:automatic_role_by_attribute.png?600 |}}

After saving an identity (save from the identity detail), recalculation runs for all automatic roles that have at least one rule of type IDENTITY; **recalculation triggered from the identity covers all contracts of the saved identity**. After saving contract extended attributes (save from the extended attribute detail), recalculation runs for all automatic roles that have at least one rule of type CONTRACT_EAV.
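The Python model below is an added example, not CzechIdM code, covering the "Roles and contracts" section and both kinds of automatic role: a contract's validity decides whether its roles are removed (expired), assigned but disabled (not yet valid) or enabled; automatic roles by org structure follow the contract's tree node; automatic roles by attribute are matched by rules of type IDENTITY, IDENTITY_EAV, CONTRACT and CONTRACT_EAV; and the save event decides which attribute-based roles have to be recalculated. The org tree, the sample identity "alice", the rule tables and two modelling choices (a tree-linked role applies to the node and its whole subtree; all rules of one automatic role must match) are assumptions of the example.

```python
# Added example: contract validity, automatic roles and recalculation triggers.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed org tree: child -> parent (None for the root).
ORG_TREE = {"Company": None, "IT": "Company", "IT/Ops": "IT", "Finance": "Company"}


def node_path(node):
    """Yield the node and all its ancestors, e.g. IT/Ops -> IT -> Company."""
    while node is not None:
        yield node
        node = ORG_TREE[node]


@dataclass
class Contract:
    position: Optional[str]                    # org tree node of the contract
    valid_from: Optional[date] = None
    valid_till: Optional[date] = None
    eav: dict = field(default_factory=dict)    # contract extended attributes


@dataclass
class Identity:
    username: str
    attrs: dict = field(default_factory=dict)  # identity attributes
    eav: dict = field(default_factory=dict)    # identity extended attributes
    contracts: list = field(default_factory=list)


def contract_state(c, today):
    """'future' before valid_from, 'expired' after valid_till, else 'valid'."""
    if c.valid_from and today < c.valid_from:
        return "future"
    if c.valid_till and today > c.valid_till:
        return "expired"
    return "valid"


# Automatic roles by org structure: role -> tree node.
# Assumption: the role applies to the node and its whole subtree.
AUTO_BY_TREE = {"IT_staff": "IT", "employee": "Company"}

# Automatic roles by attribute: role -> rules (type, attribute, value).
# Assumption: all rules of one automatic role must match (logical AND).
AUTO_BY_ATTR = {
    "vpn": [("IDENTITY", "company", "ACME"), ("CONTRACT_EAV", "remote", True)],
    "prague_office": [("IDENTITY_EAV", "address_city", "Prague")],
}

# Which rule type each saved entity recalculates (constructed mapping).
SAVE_EVENT_TO_RULE_TYPE = {"identity": "IDENTITY", "identity_eav": "IDENTITY_EAV",
                           "contract": "CONTRACT", "contract_eav": "CONTRACT_EAV"}


def rule_matches(rule, identity, contract):
    rtype, attr, value = rule
    source = {"IDENTITY": identity.attrs, "IDENTITY_EAV": identity.eav,
              "CONTRACT": vars(contract), "CONTRACT_EAV": contract.eav}[rtype]
    return source.get(attr) == value


def roles_for_contract(identity, contract, today):
    """Return {role: enabled?} that one contract yields on the given day."""
    state = contract_state(contract, today)
    if state == "expired":
        return {}  # roles on an invalid contract are removed
    roles = set()
    if contract.position:
        path = set(node_path(contract.position))
        roles |= {r for r, node in AUTO_BY_TREE.items() if node in path}
    roles |= {r for r, rules in AUTO_BY_ATTR.items()
              if all(rule_matches(rule, identity, contract) for rule in rules)}
    # A not-yet-valid contract yields the roles, but disabled until it starts.
    return {r: state == "valid" for r in roles}


def effective_roles(identity, today):
    """Merge over all contracts; a role enabled on any contract is enabled."""
    merged = {}
    for c in identity.contracts:
        for role, enabled in roles_for_contract(identity, c, today).items():
            merged[role] = merged.get(role, False) or enabled
    return merged


def roles_to_recalculate(saved_entity):
    """Attribute-based roles to recompute after saving the given entity:
    saving the identity touches every role with an IDENTITY rule (for all of
    the identity's contracts), saving contract EAVs every role with a
    CONTRACT_EAV rule, and so on."""
    rtype = SAVE_EVENT_TO_RULE_TYPE[saved_entity]
    return sorted(r for r, rules in AUTO_BY_ATTR.items()
                  if any(t == rtype for t, _, _ in rules))


# Constructed sample identity: one running IT contract, one future Finance contract.
ALICE = Identity("alice", attrs={"company": "ACME"}, eav={"address_city": "Prague"},
                 contracts=[Contract("IT/Ops", date(2019, 1, 1), date(2019, 12, 31), eav={"remote": True}),
                            Contract("Finance", date(2019, 7, 1))])

if __name__ == "__main__":
    for day in (date(2018, 12, 1), date(2019, 3, 20), date(2020, 2, 1)):
        print(day, effective_roles(ALICE, day))
    print("save identity ->", roles_to_recalculate("identity"))
    print("save contract EAV ->", roles_to_recalculate("contract_eav"))
```

Running it shows all four roles disabled before either contract starts, all enabled in 2019, and `IT_staff` and `vpn` dropping out in 2020 once the IT contract has expired while the Finance contract keeps `employee` and `prague_office` alive.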

====== Read more ======

===== Admin guide =====
  * [[.roles:adm:icons| Icons and description of roles]]
  * [[.roles:adm:duplicate-roles| Copy roles]]
  * [[.roles:adm:authorization_policy|Authorization policies overview]]
  * [[.roles:adm:authorization|Permissions setting mechanism]]
  * [[.roles:adm:automatic_roles|Automatic roles overview]]
  * [[.roles:adm:incompatible_roles|Incompatible roles]]
  * [[.roles:adm:roles_assignment_deduplication|Role assignment deduplication]]
  * [[.roles:adm:duplicit_roles|Assigned roles deduplication]]

===== Admin tutorials =====
  * [[tutorial:adm:new_role|Creating a role]]
  * [[tutorial:adm:add_permissions|Defining permissions for a role]]
  * [[tutorial:adm:automatic_roles|Creating an automatically assigned role by organization structure]]
  * [[tutorial:adm:automatic_roles_by_attribute|Creating an automatically assigned role by identity attribute]]
  * [[tutorial:adm:copying|Copying assigned roles from one user to another]]

===== Devel guide =====
  * [[.security:dev:authorization|Authorization policies: base interfaces and classes]]
  * [[.identities:dev:contractual-relationship#automatically_assigned_roles|Automatic roles by organization structure: heredity of roles]]
  * [[.roles:dev:automatic-roles-by-attribute|Automatic roles by attribute, rules, and recalculation]]
  * [[.roles:dev:duplicate-role| Cloning roles]]
  
  • by doischert