Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
devel:documentation:roles [2019/03/15 12:27]
tomiskar [Duplicate role] 		devel:documentation:roles [2019/03/20 12:41]
poulm link to "copy role from user tutorial"
Line 5: Line 5:
 ====== Roles ====== ====== Roles ======
  
-A role in CzechIdM is an entity representing a set (1 or many) of permissions/privileges on the end system or in CzechIdM itself. Users acquire roles: +A role in CzechIdM is an entity representing a set (1 or many) of privileges on the end system or in CzechIdM itself [[devel:documentation:roles:adm:authorization|(permission)]]. Users acquire roles: 
-  * **automatically** – according to the organizational placement of the identity, identity or contract attributes +  * [[devel:documentation:roles:adm:automatic_roles|automatically]] – according to the organizational placement of the identity, or identitie'attributes like adress or company.  
-  * **manually** – through assigning based on the user’s request in the CzechIdM self-service or by a CzechIdM administrator. +  * manually 
-  **by business role** - roles (sub) can be assigned automatically, when other role (superior) by defined role composition is assigned manually or by some automatic role.+    [[devel:documentation:roles:adm:role_assignment| by request]] in the CzechIdM self-service or by a CzechIdM administrator. 
 +    [[tutorial:adm:copying| copying]] from an existing user.
  
-From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, is placed in a group in LDAP, his indication is set to “can use VPN”, or permission is set for him in the application. In all the cases, a role is assigned. A simplification carried out like this allows general rules to be applied for assigning all types of permissions (~roles) in the same way.+Request for the role [[devel:documentation:role_change|can be approved]] by specific user, usually helpdesk, user's manager or IT security.  
 + 
 +Roes can be aggregated into [[devel:documentation:roles:adm:business_roles|business roles]]. Provided role A is a subrole of role B, If role B is assigned (no matter how - automatically or manually) to the user, he acquires also role A. 
 + 
 +From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, is placed in a group in LDAP, his indication is set to “can use VPN”, or permission is set for him in the application. In all the cases, a role is assigned. A simplification carried out like this allows general rules to be applied for assigning all types of permissions (~roles) in the same way.
  
 ===== Roles and contracts ===== ===== Roles and contracts =====
Line 24: Line 29:
   * ''environment'' - environment identifier, e.g. **dev**.   * ''environment'' - environment identifier, e.g. **dev**.
   * ''code'' - complex code. If environment is not used, then ''baseCode'' value is the same as ''code'' value, otherwise complex code is combined from base code, environment and joined with separator (''|'' by default). For example **roleOne|dev**.   * ''code'' - complex code. If environment is not used, then ''baseCode'' value is the same as ''code'' value, otherwise complex code is combined from base code, environment and joined with separator (''|'' by default). For example **roleOne|dev**.
- 
-===== Role permissions===== 
- 
-Role permissions define rights for administrator actions in CzechIdM. A permission for CzechIdM is not necessarily defined for every role. A permission is, for example, READ on USERS. A user having a role with this specific permission can see the read-only detail of all identities in CzechIdM. 
- 
-{{ :devel:documentation:permission_example.png?400 |}} 
- 
-===== Role criticality===== 
-The level of criticality can be set for every role. Criticality denotes, [[devel:documentation:role_change#roles_criticality_disintegration_to_subprocesses| who approves ]] its assignment. Role can have criticality from 0 to 5. 
- 
-===== Business roles ===== 
-Business roles (composition) can be defined on role detail. Business role could contain sub roles - all sub roles are assigned automatically, when business role is assigned to identity. Sub roles has the same validity as business role. When assigned business role is removed from identity, then all sub roles are removed automatically too. Sub roles are processed on the background asynchronously (by [[devel:documentation:architecture:dev:events#identityroleassignsubrolesprocessor|processors]]), only business roles (=> direct roles) are assigned synchronously. 
-Sub roles defined by business roles are recalculated on the background (by [[devel:documentation:application_configuration:dev:scheduled_tasks:task-scheduler#addnewrolecompositiontaskexecutor|long running tasks]]), when business role definition is created or removed - sub roles are assigned to identities, which already owns business (or any superior) role.  
- 
-{{ :devel:documentation:business_01.png |}} 
- 
-{{ :devel:documentation:business_02.png |}} 
  
 ===== Incompatible roles ===== ===== Incompatible roles =====
Line 63: Line 51:
 {{ :devel:documentation:incompatible-role-request-confirm.png |}} {{ :devel:documentation:incompatible-role-request-confirm.png |}}
  
 +For more information about the feature with more detailed description, please see the admin guide.
  
 ===== Automatically assigned roles by organization structure ===== ===== Automatically assigned roles by organization structure =====
Line 86: Line 75:
 <note>Some processes used to approve role assignments to a user may not support approving changes to automatic roles (for example, approval by the supervisor). In this case, the default process is used (**approval with role guarantee**).</note> <note>Some processes used to approve role assignments to a user may not support approving changes to automatic roles (for example, approval by the supervisor). In this case, the default process is used (**approval with role guarantee**).</note>
  
-===== Duplicate role =====+===== Duplicating roles =====
  
 Role can be duplicated by prepared bulk action. Bulk action is available on the roles table. Role can be duplicated by prepared bulk action. Bulk action is available on the roles table.
Line 95: Line 84:
   * **Select environment** - role will be duplicated to selected environment. If the same as role's environment is selected or environment input is leaved empty, the role is duplicated on the same environment with suffix added into role's base code, e.g. **roleOne** => **roleOne_1**. If the different environment is selected, then duplicate with the same base code is created (or updated).   * **Select environment** - role will be duplicated to selected environment. If the same as role's environment is selected or environment input is leaved empty, the role is duplicated on the same environment with suffix added into role's base code, e.g. **roleOne** => **roleOne_1**. If the different environment is selected, then duplicate with the same base code is created (or updated).
   * **Duplicate role attributes** - creates (or updates) configured role attributes.   * **Duplicate role attributes** - creates (or updates) configured role attributes.
-  * **Duplicate sub roles** - creates (or updates) sub roles by business role definition (recursively). +  * **Duplicate sub roles** - creates (or updates) sub roles by business role definition (recursively). If the same environment is selected, the only role composition is created - exists sub role is used. If the different environment (~target environment) is used, then sub roles with the same environment as original are duplicated recursively into target environment
-  * **Duplicate automatic roles** - creates (or updates) configured automatic roles.+  * **Duplicate automatic roles** - creates (or updates) configured automatic roles. Both automatic roles by the tree structure and by the attribute are duplicated.
  
 <note tip>When the role with the same base code already exist on the selected environment (environment has to be different), then new duplicate is not created, but the exists duplicate is updated.</note> <note tip>When the role with the same base code already exist on the selected environment (environment has to be different), then new duplicate is not created, but the exists duplicate is updated.</note>
Line 102: Line 91:
 Read [[.roles:dev:duplicate-role|more]] about action implementation and how it's possible to extend it. Read [[.roles:dev:duplicate-role|more]] about action implementation and how it's possible to extend it.
  
 +===== Deduplicating roles =====
 +
 +Since roles are assigned to a contract not to an identity, it may well happen that an identity ends up having some role duplicities. Partly, it may be due to the fact that role definitions are changed over time, and from a certain point on they start to be assigned in a different way (say, automatically). And one and the same identity may meet the updated condition as well, hence it gets the same role all over again.
 +
 +Deduplication is a bulk action that is available on User agenda. Deduplication allows removing only manually added roles that are duplicite with another automatic role or another manually added role. More on this feature in the admin guide and tutorial.
  
 ====== Read more ====== ====== Read more ======
Line 110: Line 104:
   * [[tutorial:adm:automatic_roles|Creating an automatically assigned role by organization structure]]   * [[tutorial:adm:automatic_roles|Creating an automatically assigned role by organization structure]]
   * [[tutorial:adm:automatic_roles_by_attribute|Creating an automatically assigned role by identity attribute]]   * [[tutorial:adm:automatic_roles_by_attribute|Creating an automatically assigned role by identity attribute]]
 +  * [[tutorial:adm:copying|Copying assigned roles from one user to another]]
 +  * [[tutorial:adm:deduplicating|Deduplicating roles]] (to be completed)
  
 ===== Admin guide ===== ===== Admin guide =====
 +  * [[.roles:adm:icons| Icons and description of roles]]
 +  * [[.roles:adm:duplicate-roles| Role duplicities]]
   * [[.roles:adm:authorization_policy|Authorization policies overview]]   * [[.roles:adm:authorization_policy|Authorization policies overview]]
   * [[.roles:adm:authorization|Permissions Setting Mechanism]]   * [[.roles:adm:authorization|Permissions Setting Mechanism]]
   * [[.roles:adm:automatic_roles|Automatic roles overview]]   * [[.roles:adm:automatic_roles|Automatic roles overview]]
   * [[.roles:dev:automatic_role_request]]   * [[.roles:dev:automatic_role_request]]
 +  * [[.roles:adm:copying-deduplicating-roles|Copying and deduplicating assigned roles]] (to be completed)
 +
 +
  
 ===== Devel guide ===== ===== Devel guide =====
Line 121: Line 122:
   * [[.identities:dev:contractual-relationship#automatically_assigned_roles|Automatic roles by organization structure: heredity of roles]]   * [[.identities:dev:contractual-relationship#automatically_assigned_roles|Automatic roles by organization structure: heredity of roles]]
   * [[.roles:dev:automatic-roles-by-attribute|Automatic roles by attribute, rules, and recalculation]]   * [[.roles:dev:automatic-roles-by-attribute|Automatic roles by attribute, rules, and recalculation]]
-  * [[.roles:dev:duplicate-role]]+  * [[.roles:dev:duplicate-role| Cloning roles]]
  
  • by doischert