Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
devel:documentation:roles [2019/03/19 07:40] kotisovam [Admin guide] new page to admin |
devel:documentation:roles [2019/03/20 12:31] poulm page refactoring, sections moved into admin guide |
||
---|---|---|---|
Line 5: | Line 5: | ||
====== Roles ====== | ====== Roles ====== | ||
- | A role in CzechIdM is an entity representing a set (1 or many) of permissions/ | + | A role in CzechIdM is an entity representing a set (1 or many) of privileges on the end system or in CzechIdM itself |
- | * **automatically** – according to the organizational placement of the identity, | + | * [[devel: |
- | * **manually** – through assigning based on the user’s request in the CzechIdM self-service or by a CzechIdM administrator. | + | * [[devel: |
- | * **by business role** - roles (sub) can be assigned automatically, | + | |
- | From the perspective of the identity manager, it does not matter whether | + | Request for the role [[devel: |
- | ====== Role-differentiating icons ====== | + | Roes can be aggregated into **business roles**. Provided role A is a subrole of role B, If role B is assigned (no matter how - automatically or manually) to the user, he acquires also role A. |
+ | |||
+ | From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, | ||
- | ...to be completed | ||
===== Roles and contracts ===== | ===== Roles and contracts ===== | ||
Line 27: | Line 27: | ||
* '' | * '' | ||
* '' | * '' | ||
- | |||
- | ===== Role permissions===== | ||
- | |||
- | Role permissions define rights for administrator actions in CzechIdM. A permission for CzechIdM is not necessarily defined for every role. A permission is, for example, READ on USERS. A user having a role with this specific permission can see the read-only detail of all identities in CzechIdM. | ||
- | |||
- | {{ : | ||
===== Role criticality===== | ===== Role criticality===== | ||
The level of criticality can be set for every role. Criticality denotes, [[devel: | The level of criticality can be set for every role. Criticality denotes, [[devel: | ||
- | |||
- | ===== Business roles ===== | ||
- | Business roles (composition) can be defined on role detail. Business role could contain sub roles - all sub roles are assigned automatically, | ||
- | Sub roles defined by business roles are recalculated on the background (by [[devel: | ||
- | |||
- | {{ : | ||
- | |||
- | {{ : | ||
===== Incompatible roles ===== | ===== Incompatible roles ===== | ||
Line 118: | Line 104: | ||
===== Deduplicating roles ===== | ===== Deduplicating roles ===== | ||
- | ...to be completed. | + | Since roles are assigned to a contract not to an identity, it may well happen that an identity ends up having some role duplicities. Partly, it may be due to the fact that role definitions are changed over time, and from a certain point on they start to be assigned in a different way (say, automatically). And one and the same identity may meet the updated condition as well, hence it gets the same role all over again. |
+ | |||
+ | Deduplication is a bulk action that is available on User agenda. Deduplication allows removing only manually added roles that are duplicite with another automatic role or another manually added role. More on this feature in the admin guide and tutorial. | ||
====== Read more ====== | ====== Read more ====== | ||
Line 128: | Line 116: | ||
* [[tutorial: | * [[tutorial: | ||
* [[tutorial: | * [[tutorial: | ||
- | * [[tutorial: | + | * [[tutorial: |
===== Admin guide ===== | ===== Admin guide ===== | ||
Line 145: | Line 133: | ||
* [[.identities: | * [[.identities: | ||
* [[.roles: | * [[.roles: | ||
- | * [[.roles: | + | * [[.roles: |