Differences

This shows you the differences between two versions of the page.

devel:documentation:roles [2019/01/16 12:25]
tomiskar
devel:documentation:roles [2019/01/18 12:58]
svandav [Incompatible roles]
Line 1: Line 1:
 <- .:identities | Identities ^ .:start | Documentation ^ .:role_change | Roles change request -> <- .:identities | Identities ^ .:start | Documentation ^ .:role_change | Roles change request ->
  
-{{tag> role incompatible business automatic }}+{{tag> role incompatible business automatic SoD Segregation of Duties }}
  
 ====== Roles ====== ====== Roles ======
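Review bot: In the new `{{tag> ... }}` line the added phrase "Segregation of Duties" is written with plain spaces, but the tags already on that line (role, incompatible, business, automatic) are separated by spaces, so the phrase will most likely be indexed as three separate tags "Segregation", "of" and "Duties" rather than one. Consider writing it as a single token, for example `Segregation_of_Duties`, next to the `SoD` tag, and check the rendered tag list after saving.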
Line 43: Line 43:
  
 ===== Incompatible roles ===== ===== Incompatible roles =====
-Segregation of Duties can be defined by incompatible roles. Definition is almost the same as business roles definition above. +**Segregation of Duties** (SoD) can be defined by incompatible roles. Definition is almost the same as business roles definition above. 
  
 {{ :devel:documentation:incompatible-role-definition.png |}} {{ :devel:documentation:incompatible-role-definition.png |}}
  
-Old generation of CzechIdM had a feature of [[https://blog.bcvsolutions.eu/neslucitelnost-roli/|Role's incompatibility]]. The incompatibility means that you can define restrictions on roles A nad B that will forbid any user or process to assign those to roles together to the same user. In new generation of CezchIdM we have a similar feature now. However, due to our experiences from CzechIdM deployments on projects the incompatibility is "soft". It means that CzechIdM will allow the user to have incompatible roles assigned to the identity, but an administrator/security manager will be notified about this incident. Security also have tools to generate reports with users and their incompatible roles - report is developer in the report module with name ''Identities - assigned incompatible roles''.+Old generation of CzechIdM had a feature of [[https://blog.bcvsolutions.eu/neslucitelnost-roli/|Role's incompatibility]]. The incompatibility means that you can define restrictions on roles A nad B that will forbid any user or process to assign those to roles together to the same user. In new generation of CezchIdM we have a similar feature now. However, due to our experiences from CzechIdM deployments on projects the incompatibility is **soft**. It means that CzechIdM will allow the user to have incompatible roles assigned to the identity, but an administrator/security manager will be notified about this incident. Security also have tools to generate reports with users and their incompatible roles - report is developer in the report module with name ''Identities - assigned incompatible roles''.
  
-When identity has incompatible roles assigned, then warning with incompatible role definition is shown. The same warning is shown on business role definition (business role contains incompatible sub roles) and when identity requests new roles (for example currently assigned role is incompatible with the new one requested).+When identity has incompatible roles assigned, then **warning with incompatible role definition is shown**. The same warning is shown on business role definition (business role contains incompatible sub roles) and when identity requests new roles (for example currently assigned role is incompatible with the new one requested).
  
  
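Review bot: The paragraph on soft incompatibility is touched only to bold "soft", and the new side still carries the typos from the old one: "roles A nad B", "assign those to roles together", "CezchIdM" and "report is developer in the report module". Since this is the passage that tells a security manager what SoD enforcement actually does, it is worth fixing these in the same revision ("A and B", "those two roles", "CzechIdM", "report is developed"). It would also help to say how the administrator/security manager "will be notified about this incident", because with soft incompatibility that notification and the ''Identities - assigned incompatible roles'' report are the only controls described here.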
  • by doischert