Differences
devel:documentation:roles [2019/03/15 12:24] tomiskar |
devel:documentation:roles [2019/08/14 14:15] doischert |
Line 5: | Line 5: | ||
====== Roles ====== | ====== Roles ====== | ||
- | A role in CzechIdM is an entity representing a set (1 or many) of permissions/ | + | A role in CzechIdM is an entity representing a set (1 or more) of permissions on the end system or in CzechIdM itself |
- | * **automatically** – according to the organizational placement | + | |
- | * **manually** – through assigning based on the user’s request | + | |
- | * **by business role** - roles (sub) can be assigned automatically, when other role (superior) by defined | + | |
- | From the perspective | + | Users acquire roles: |
+ | * [[.roles: | ||
+ | * manually | ||
+ | * [[.roles: | ||
+ | * [[tutorial: | ||
- | ===== Roles and contracts ===== | + | Request for a role [[.role_change|can be approved]] by a specific user, usually helpdesk, user's manager or IT security. |
- | {{ :devel:adm:idm_entities.png? | + | === Business roles === |
+ | Roles can be aggregated into [[.roles:adm:business_roles|business roles]]. Provided role A is a subrole of role B, if role B is assigned (no matter how - automatically or manually) to the user, he or she acquires role A as well. | ||
+ | === Incompatible roles (segregation of duties) === | ||
+ | If an identity should not be placed into Security Group A and Security Group B in MS Active Directory at the same time, we can ensure it via CzechIdM mechanism of [[.roles: | ||
+ | |||
+ | ===== Roles and contracts ===== | ||
Roles are assigned to users via their contracts. If a contract is not valid (time validity) the roles on the contract are removed. In other words, the identity loses roles permissions in IdM and rights in connected systems. | Roles are assigned to users via their contracts. If a contract is not valid (time validity) the roles on the contract are removed. In other words, the identity loses roles permissions in IdM and rights in connected systems. | ||
- | ===== Roles and environment ===== | + | {{ : |
- | Role with the same base code could be created from / for different environment. Final role code is combined from the base code and environment identifier. When role is created (or synchronized), | + | ===== Automatic roles ===== |
- | * '' | + | ==== By org. structure ==== |
- | * '' | + | |
- | * '' | + | |
- | ===== Role permissions===== | + | The role can be linked to a Tree structure (e.g. a position in organizational structure). That role is assigned to and removed from a user based on adding/ |
- | + | ||
- | Role permissions define rights for administrator actions in CzechIdM. A permission for CzechIdM is not necessarily defined for every role. A permission is, for example, READ on USERS. A user having a role with this specific permission can see the read-only detail of all identities in CzechIdM. | + | |
- | + | ||
- | {{ : | + | |
- | + | ||
- | ===== Role criticality===== | + | |
- | The level of criticality can be set for every role. Criticality denotes, [[devel: | + | |
- | + | ||
- | ===== Business roles ===== | + | |
- | Business roles (composition) can be defined on role detail. Business role could contain sub roles - all sub roles are assigned automatically, | + | |
- | Sub roles defined by business roles are recalculated on the background (by [[devel: | + | |
- | + | ||
- | {{ : | + | |
- | + | ||
- | {{ : | + | |
- | + | ||
- | ===== Incompatible roles ===== | + | |
- | **Segregation of Duties** (SoD) can be ensured by incompatible roles. Their setup resembles that of business roles, described above. | + | |
- | + | ||
- | {{ : | + | |
- | + | ||
- | The old generation CzechIdM used to have a feature of [[https:// | + | |
- | + | ||
- | When an incompatible role has been assigned to an identity, a **warning stating the incompatible role definition** is shown. | + | |
- | + | ||
- | + | ||
- | ==== Concurrence of incompatible roles and business roles ==== | + | |
- | + | ||
- | The same warning symbol is shown when an identity requests new role(s) which happen to be incompatible with one of the subroles nested within a business role composition. In this case, the informative symbol is ALSO shown next to a business role that IS NOT itself incompatible with the requested role. | + | |
- | + | ||
- | In other words, the meaning of the symbol is somewhat different then: it does not mean the respective role - marked by this symbol - is incompatible, | + | |
- | + | ||
- | + | ||
- | {{ : | + | |
- | + | ||
- | {{ : | + | |
- | + | ||
- | + | ||
- | ===== Automatically assigned roles by organization structure ===== | + | |
- | The role can be linked to a Tree structure (e.g. position in organizational structure). That role is assigned to and removed from a user based on adding/ | + | |
{{ : | {{ : | ||
- | ===== Automatically assigned roles by attribute ===== | + | ==== By identity attributes |
- | The role can be also linked | + | The role can be linked |
{{ : | {{ : | ||
- | After save identity (save from identity detail) it will be done recalculation for all automatic roles that has at least one rule with type IDENTITY, **recalculation from identity is done for all contracts for saved identity**. After save contract extended attributes (save from extended attribute detail) it will be done recalculation for all automatic roles that has at least one rule with type CONTRACT_EAV. | + | ====== Read more ====== |
- | ===== Requests for change automatically assigned roles ===== | + | ===== Admin guide ===== |
- | Automatically assigned | + | * [[.roles:adm:icons| Icons and description |
- | + | | |
- | This request gets the approval process from the criticality defined for that role. Critical role determines what process the application must accomplish to implement it. | + | * [[.roles: |
- | + | * [[.roles:adm:authorization|Permissions Setting Mechanism]] | |
- | Processes of defined by the role criticality is defined | + | * [[.roles: |
- | Processes for approval change of an automatic role are different then processes using for approving assign role to one user. For clarity, both processes (role assignment, change of the automatic role) are defined in one final process. | + | * [[.roles: |
- | + | * [[.roles:adm:duplicit_roles|Assigned roles deduplication]] | |
- | < | + | |
- | + | ||
- | ===== Duplicate role ===== | + | |
- | + | ||
- | Role can be duplicated by prepared bulk action. Bulk action is available after roles to be duplicated are selected in the roles table. | + | |
- | + | ||
- | {{ :devel:documentation: | + | |
- | + | ||
- | Action provide features: | + | |
- | * **Select environment** - role will be duplicated to selected environment with the role's base code preserved. If the same as role's environment is selected or environment input is leaved empty, the role is duplicated on the same environment with suffix added into role's base code, e.g. **roleOne** => **roleOne_1**. | + | |
- | * **Duplicate role attributes** - creates (or updates) configured role attributes. | + | |
- | * **Duplicate sub roles** - creates (or updates) sub roles by business role definition (recursively). | + | |
- | * **Duplicate automatic roles** - creates (or updates) configured automatic roles. | + | |
- | + | ||
- | <note tip>When the role with the same base code already exist on the selected environment (environment has to be different), then new duplicate is not created, but the exists duplicate is updated.</ | + | |
- | + | ||
- | Read [[.roles:dev:duplicate-role|more]] about action implementation and how it's possible to extend it. | + | |
- | + | ||
- | + | ||
- | ====== Read more ====== | + | |
===== Admin tutorials ===== | ===== Admin tutorials ===== | ||
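Review bot: the sections dropped from the page body in this hunk ('Roles and environment' with its rule that the final role code is the base code combined with the environment identifier, 'Role permissions', 'Role criticality', 'Requests for change automatically assigned roles' and 'Duplicate role' with its environment selection and the `roleOne` => `roleOne_1` suffix behaviour) are presumably meant to live behind the new 'Read more > Admin guide' list, but most entries of that list are cut off after `[[.roles:` in this view, so it cannot be confirmed that each removed topic still has a named landing page; please list them explicitly. The new 'Incompatible roles (segregation of duties)' paragraph also loses the caveat from the old 'Concurrence of incompatible roles and business roles' subsection, namely that the warning symbol is ALSO shown next to a business role that is not itself incompatible with the requested role but contains an incompatible subrole; a reader applying SoD will misread the symbol without that sentence, so keep it here or on the linked page. Minor wording in the new 'Business roles' paragraph: "if role B is assigned (...) to the user, he or she acquires role A as well" reads more cleanly as "the user acquires role A as well".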
Line 110: | Line 54: | ||
* [[tutorial: | * [[tutorial: | ||
* [[tutorial: | * [[tutorial: | ||
- | + | | |
- | ===== Admin guide ===== | + | * [[tutorial:adm:codeable_permission|Create a codeable evaluator]] |
- | | + | |
- | * [[.roles: | + | |
- | * [[.roles:adm:automatic_roles|Automatic roles overview]] | + | |
- | * [[.roles: | + | |
===== Devel guide ===== | ===== Devel guide ===== | ||
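Review bot: the 'Admin guide' list removed here reappears above 'Admin tutorials' in the first hunk, so the 'Read more' part now runs Admin guide, Admin tutorials, Devel guide instead of tutorials first; if that inversion is unintended, put the relocated list back after Admin tutorials. The removed list also had an explicit 'Automatic roles overview' entry (`.roles:adm:automatic_roles`), and the relocated list's middle entries are cut off in this view, so confirm that entry was carried over, since the new body section 'Automatic roles' does not link to it. The added `tutorial:adm:codeable_permission` entry, 'Create a codeable evaluator', reads fine.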
Line 121: | Line 61: | ||
* [[.identities: | * [[.identities: | ||
* [[.roles: | * [[.roles: | ||
- | * [[.roles: | + | * [[.roles: |