devel:documentation:roles [2019/01/29 14:33]
kotisovam [Incompatible roles] corrections
devel:documentation:roles [2019/03/19 07:27]
kotisovam [Admin guide] new page in admin guide
Line 1: Line 1:
 <- .:identities | Identities ^ .:start | Documentation ^ .:role_change | Roles change request -> <- .:identities | Identities ^ .:start | Documentation ^ .:role_change | Roles change request ->
  
-{{tag> role incompatible business automatic SoD Segregation of Duties }}+{{tag> role incompatible business automatic SoD Segregation Duties }}
  
 ====== Roles ====== ====== Roles ======
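Review bot: dropping the bare ''of'' from the tag list is correct, since the tag plugin splits on spaces and ''Segregation of Duties'' was three separate tags, but the result ''Segregation Duties'' is still two tags sitting next to ''SoD''. If the phrase is meant to be one tag, join it with underscores (''Segregation_of_Duties''); otherwise keep only ''SoD''.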
Line 12: Line 12:
 From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, is placed in a group in LDAP, his indication is set to “can use VPN”, or a permission is set for him in the application. In all the cases, a role is assigned. A simplification carried out like this allows general rules to be applied for assigning all types of permissions (~roles) in the same way. From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, is placed in a group in LDAP, his indication is set to “can use VPN”, or a permission is set for him in the application. In all the cases, a role is assigned. A simplification carried out like this allows general rules to be applied for assigning all types of permissions (~roles) in the same way.
  
 +====== Role-differentiating icons ======
 +
 +...to be completed
 ===== Roles and contracts ===== ===== Roles and contracts =====
  
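Review bot: the new ''====== Role-differentiating icons ======'' heading is inserted at the same level as the page title ''====== Roles ======'', so it breaks the section hierarchy; the neighbouring sections (''===== Roles and contracts ====='') use five equals signs. Change it to ''===== Role-differentiating icons ====='' and, since only a ''...to be completed'' placeholder is published, either point the stub at the ''.roles:adm:icons'' admin-guide page this same revision adds or hold the section back until the text exists.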
Line 49: Line 52:
 The old generation CzechIdM used to have a feature of [[https://blog.bcvsolutions.eu/neslucitelnost-roli/|Role's incompatibility]]. By incompatibility we mean that you can set restrictions on roles A and B that will stop any user or process from assigning these two roles to the same user at once. In the new generation CzechIdM, we now have a similar feature. The difference is, however, that our experience of CzechIdM deployments on projects have taught us that users prefer this incompatibility function to work merely as a **soft** mechanism. In other words, CzechIdM will allow a user (identity) to have incompatible roles as long as an administrator/security manager is notified about this incident. The security staff also get a new tool to generate a special report, listing all users with incompatible roles - the report is prepared in the reports module named ''Identities-assigned incompatible roles.'' The old generation CzechIdM used to have a feature of [[https://blog.bcvsolutions.eu/neslucitelnost-roli/|Role's incompatibility]]. By incompatibility we mean that you can set restrictions on roles A and B that will stop any user or process from assigning these two roles to the same user at once. In the new generation CzechIdM, we now have a similar feature. The difference is, however, that our experience of CzechIdM deployments on projects have taught us that users prefer this incompatibility function to work merely as a **soft** mechanism. In other words, CzechIdM will allow a user (identity) to have incompatible roles as long as an administrator/security manager is notified about this incident. The security staff also get a new tool to generate a special report, listing all users with incompatible roles - the report is prepared in the reports module named ''Identities-assigned incompatible roles.''
  
-When an incompatible role has been assigned to an identity, a **warning stating the incompatible role definition** is shown. Likewise, the same warning is shown for business role definition (business role contains incompatible subroles), and when an identity requests new roles (for example, the currently assigned role is incompatible with the newly requested one).+When an incompatible role has been assigned to an identity, a **warning stating the incompatible role definition** is shown.  
 + 
 + 
 +==== Concurrence of incompatible roles and business roles ==== 
 + 
 +The same warning symbol is shown when an identity requests new role(s) which happen to be incompatible with one of the subroles nested within a business role composition. In this case, the informative symbol is ALSO shown next to a business role that IS NOT itself incompatible with the requested role.  
 + 
 +In other words, the meaning of the symbol is somewhat different then: it does not mean the respective role - marked by this symbol - is incompatible, but rather it serves as an indication that one of the subroles down the business role cascade is incompatible.
  
  
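Review bot: the rewrite drops a case the removed sentence covered, the warning shown on the business role definition itself when it contains mutually incompatible subroles. Only the request-time case survives in the new ''Concurrence of incompatible roles and business roles'' subsection; restate the definition-time warning or say explicitly that it no longer applies. Also ''somewhat different then'' should read ''somewhat different than'', and the capitalised ''ALSO'' and ''IS NOT'' should use the page's ''**bold**'' markup for emphasis.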
Line 56: Line 66:
 {{ :devel:documentation:incompatible-role-request-confirm.png |}} {{ :devel:documentation:incompatible-role-request-confirm.png |}}
  
 +
 +===== Copying roles from a user =====
 +
 +Copying roles from a user is a new feature that allows one user to easily copy roles/permissions from another user. You can get the same roles like one of your colleagues has by simply filing a request that admin then approves or declines.  For more information please visit [[devel:documentation:roles:adm:copying-assigned-roles|admin guide]].
 +
 +This feature is available in the role request detail, see the new button in the picture:
 +
 +{{ :devel:documentation:add_role.png |}}
 +
 +
 +For more information about the feature with more detailed description, please see the admin guide.
  
 ===== Automatically assigned roles by organization structure ===== ===== Automatically assigned roles by organization structure =====
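Review bot: the closing sentence ''For more information about the feature with more detailed description, please see the admin guide.'' repeats the link sentence of the first paragraph without the link; drop it. Grammar in the first paragraph: ''the same roles like one of your colleagues has'' should be ''the same roles as one of your colleagues has'', and ''a request that admin then approves or declines'' should be ''a request that an admin then approves or declines''. Because the approval step is the only control between filing a copy request and acquiring another user's permissions, it would help to state whether copied roles pass through the standard role request flow, including the incompatible-role warning described above, rather than leaving that implicit.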
Line 78: Line 99:
  
 <note>Some processes used to approve role assignments to a user may not support approving changes to automatic roles (for example, approval by the supervisor). In this case, the default process is used (**approval with role guarantee**).</note> <note>Some processes used to approve role assignments to a user may not support approving changes to automatic roles (for example, approval by the supervisor). In this case, the default process is used (**approval with role guarantee**).</note>
 +
 +===== Duplicating roles =====
 +
 +Role can be duplicated by prepared bulk action. Bulk action is available on the roles table.
 +
 +{{ :devel:documentation:screenshot_from_2019-03-15_13-11-55.png?600 |}}
 +
 +Action provides features:
 +  * **Select environment** - role will be duplicated to selected environment. If the same as role's environment is selected or environment input is leaved empty, the role is duplicated on the same environment with suffix added into role's base code, e.g. **roleOne** => **roleOne_1**. If the different environment is selected, then duplicate with the same base code is created (or updated).
 +  * **Duplicate role attributes** - creates (or updates) configured role attributes.
 +  * **Duplicate sub roles** - creates (or updates) sub roles by business role definition (recursively). If the same environment is selected, the only role composition is created - exists sub role is used. If the different environment (~target environment) is used, then sub roles with the same environment as original are duplicated recursively into target environment.
 +  * **Duplicate automatic roles** - creates (or updates) configured automatic roles. Both automatic roles by the tree structure and by the attribute are duplicated.
 +
 +<note tip>When the role with the same base code already exist on the selected environment (environment has to be different), then new duplicate is not created, but the exists duplicate is updated.</note>
 +
 +Read [[.roles:dev:duplicate-role|more]] about action implementation and how it's possible to extend it.
 +
 +===== Deduplicating roles =====
 +
 +...to be completed.
 +
 ====== Read more ====== ====== Read more ======
  
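Review bot: the ''creates (or updates)'' wording for attributes, sub roles and automatic roles, together with the tip that an existing duplicate ''is updated'', never says what an update means when the target role already has attributes, compositions or automatic roles of its own: are the source's merged in or do they replace the existing ones? This matters most for ''Duplicate automatic roles'', since the duplicate will then be assigned to every identity matching the copied tree or attribute rules in the target environment (subject to whatever approval the automatic role request process applies), so spell it out before the bullet list. Grammar: ''Role can be duplicated by prepared bulk action'' should be ''A role can be duplicated by the prepared bulk action''; ''environment input is leaved empty'' should be ''is left empty''; ''the only role composition is created - exists sub role is used'' should be ''only the role composition is created and the existing sub role is used''; ''already exist ... the exists duplicate is updated'' should be ''already exists ... the existing duplicate is updated''. The ''Deduplicating roles'' section publishes only ''...to be completed.''; link it to the ''.roles:adm:copying-deduplicating-roles'' page added in the Admin guide list of this revision or hold it back.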
Line 85: Line 127:
   * [[tutorial:adm:automatic_roles|Creating an automatically assigned role by organization structure]]   * [[tutorial:adm:automatic_roles|Creating an automatically assigned role by organization structure]]
   * [[tutorial:adm:automatic_roles_by_attribute|Creating an automatically assigned role by identity attribute]]   * [[tutorial:adm:automatic_roles_by_attribute|Creating an automatically assigned role by identity attribute]]
 +  * [[tutorial:adm:copying|Copying assigned roles from one user to another]]
 +  * [[tutorial:adm:deduplicating|Deduplicating roles]]
  
 ===== Admin guide ===== ===== Admin guide =====
 +  * [[.roles:adm:icons| Icons and description of roles]]
 +  * [[.roles:adm:authorization_policy|Authorization policies overview]]
   * [[.roles:adm:authorization|Permissions Setting Mechanism]]   * [[.roles:adm:authorization|Permissions Setting Mechanism]]
 +  * [[.roles:adm:automatic_roles|Automatic roles overview]]
 +  * [[.roles:dev:automatic_role_request]]
 +  * [[.roles:adm:copying-deduplicating-roles|Copying and deduplicating roles]]
 +  * [[.roles:adm:copying-assigned-roles|Copying assigned roles from one user to another]]
 +
 +
  
 ===== Devel guide ===== ===== Devel guide =====
-  * [[.security:dev:authorization|Authorization policies]] +  * [[.security:dev:authorization|Authorization policies: base interfaces and classes]] 
-  * [[.identities:dev:contractual-relationship#automatically_assigned_roles|Automatic roles by organization structure]] +  * [[.identities:dev:contractual-relationship#automatically_assigned_roles|Automatic roles by organization structure: heredity of roles]] 
-  * [[.roles:dev:automatic-roles-by-attribute|Automatic roles by attribute]] +  * [[.roles:dev:automatic-roles-by-attribute|Automatic roles by attribute, rules, and recalculation]] 
-  * [[.roles:dev:automatic_role_request]]+  * [[.roles:dev:duplicate-role]] 
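Review bot: ''.roles:dev:automatic_role_request'' is moved from the Devel guide into the Admin guide list while keeping its ''dev'' namespace and no link title; if it is meant for administrators, give it a title like the surrounding entries, otherwise leave it under Devel guide. The ''Read more'' list adds ''tutorial:adm:copying'' and ''tutorial:adm:deduplicating'' while the Admin guide adds ''.roles:adm:copying-assigned-roles'' and ''.roles:adm:copying-deduplicating-roles'' for apparently the same topics; confirm that both sets of targets exist and are meant to be distinct (tutorial versus reference), and drop the two trailing blank lines at the end of the Admin guide list.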
  • by doischert