Differences

This shows you the differences between two versions of the page.

devel:documentation:roles [2019/02/13 09:28]
kotisovam [Devel guide] title edit, 1 section moved to admin guide
devel:documentation:roles [2019/03/15 11:44]
kotisovam [Incompatible roles] rewrite of a paragraph to achieve clarity
Line 1: Line 1:
 <- .:identities | Identities ^ .:start | Documentation ^ .:role_change | Roles change request -> <- .:identities | Identities ^ .:start | Documentation ^ .:role_change | Roles change request ->
  
-{{tag> role incompatible business automatic SoD Segregation of Duties }}+{{tag> role incompatible business automatic SoD Segregation Duties }}
  
 ====== Roles ====== ====== Roles ======
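Review bot: On the + side of the tag line, dropping "of" still leaves the phrase split into two independent tags, "Segregation" and "Duties", because the tag list is space-separated. If the intent is a single searchable tag next to "SoD", join the words with underscores, for example Segregation_of_Duties, which is how the DokuWiki tag plugin expects multi-word tags to be written.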
Line 49: Line 49:
 The old generation CzechIdM used to have a feature of [[https://blog.bcvsolutions.eu/neslucitelnost-roli/|Role's incompatibility]]. By incompatibility we mean that you can set restrictions on roles A and B that will stop any user or process from assigning these two roles to the same user at once. In the new generation CzechIdM, we now have a similar feature. The difference is, however, that our experience of CzechIdM deployments on projects have taught us that users prefer this incompatibility function to work merely as a **soft** mechanism. In other words, CzechIdM will allow a user (identity) to have incompatible roles as long as an administrator/security manager is notified about this incident. The security staff also get a new tool to generate a special report, listing all users with incompatible roles - the report is prepared in the reports module named ''Identities-assigned incompatible roles.'' The old generation CzechIdM used to have a feature of [[https://blog.bcvsolutions.eu/neslucitelnost-roli/|Role's incompatibility]]. By incompatibility we mean that you can set restrictions on roles A and B that will stop any user or process from assigning these two roles to the same user at once. In the new generation CzechIdM, we now have a similar feature. The difference is, however, that our experience of CzechIdM deployments on projects have taught us that users prefer this incompatibility function to work merely as a **soft** mechanism. In other words, CzechIdM will allow a user (identity) to have incompatible roles as long as an administrator/security manager is notified about this incident. The security staff also get a new tool to generate a special report, listing all users with incompatible roles - the report is prepared in the reports module named ''Identities-assigned incompatible roles.''
  
-When an incompatible role has been assigned to an identity, a **warning stating the incompatible role definition** is shown. Likewise, the same warning is shown for business role definition (business role contains incompatible subroles), and when an identity requests new roles (for example, the currently assigned role is incompatible with the newly requested one).+When an incompatible role has been assigned to an identity, a **warning stating the incompatible role definition** is shown.  
 + 
 + 
 +==== Concurrence of incompatible roles and business roles ==== 
 + 
 +The same warning symbol is shown when an identity requests new role(s) which happen to be incompatible with one of the subroles nested within a business role composition. In this case, the informative symbol is ALSO shown next to a business role that IS NOT itself incompatible with the requested role.  
 + 
 +In other words, the meaning of the symbol is somewhat different then: it does not mean the respective role - marked by this symbol - is incompatible, but rather it serves as an indication that one of the subroles down the business role cascade is incompatible.
  
  
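Review bot: The rewritten paragraph drops two cases the removed sentence covered: the warning shown in a business role definition that contains incompatible subroles, and the plain request case where a currently assigned role is incompatible with the newly requested one. The new section describes only the request that conflicts with a subroles nested in a business role, so a reader can no longer tell whether the other two still produce a warning; keep one sentence for each above the new heading. The wording also switches between "warning", "warning symbol" and "informative symbol" for what appears to be the same indicator; pick one term. Because the mechanism is soft and the symbol on a business role no longer identifies the conflicting role, say where the reviewer finds the actual incompatible subrole, for instance by pointing to the ''Identities-assigned incompatible roles'' report mentioned in the preceding paragraph. Minor style point: replace the capitalised "ALSO" and "IS NOT" with the wiki's ** emphasis used elsewhere in the section.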
  • by doischert