devel:documentation:roles [2019/03/20 12:31] poulm page refactoring, sections moved into admin guide |
devel:documentation:roles [2019/03/20 12:41] poulm link to "copy role from user tutorial" |
A role in CzechIdM is an entity representing a set (1 or many) of privileges on the end system or in CzechIdM itself [[devel:documentation:roles:adm:authorization|(permission)]]. Users acquire roles: | A role in CzechIdM is an entity representing a set (1 or many) of privileges on the end system or in CzechIdM itself [[devel:documentation:roles:adm:authorization|(permission)]]. Users acquire roles: |
* [[devel:documentation:roles:adm:automatic_roles|automatically]] – according to the organizational placement of the identity, or identitie's attributes like adress or company. | * [[devel:documentation:roles:adm:automatic_roles|automatically]] – according to the organizational placement of the identity, or identitie's attributes like adress or company. |
* [[devel:documentation:roles:adm:role_assignment|manually]] – through assigning based on the user’s request in the CzechIdM self-service or by a CzechIdM administrator. | * manually |
| * [[devel:documentation:roles:adm:role_assignment| by request]] in the CzechIdM self-service or by a CzechIdM administrator. |
| * [[tutorial:adm:copying| copying]] from an existing user. |
| |
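Review bot: the typos in the unchanged automatic-roles bullet survive into the new revision: "identitie's attributes like adress" should read "identity's attributes like address", and since this list is being restructured in the same change, fix them here. The new "manually" bullet has also lost its own link; its two sub-bullets now carry the links, so end it with a colon ("manually:") so it reads as the introduction to "by request" and "copying".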
Request for the role [[devel:documentation:role_change|can be approved]] by specific user, usually helpdesk, user's manager or IT security. | Request for the role [[devel:documentation:role_change|can be approved]] by specific user, usually helpdesk, user's manager or IT security. |
| |
Roes can be aggregated into **business roles**. Provided role A is a subrole of role B, If role B is assigned (no matter how - automatically or manually) to the user, he acquires also role A. | Roes can be aggregated into [[devel:documentation:roles:adm:business_roles|business roles]]. Provided role A is a subrole of role B, If role B is assigned (no matter how - automatically or manually) to the user, he acquires also role A. |
| |
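Review bot: "Roes can be aggregated" is a typo for "Roles" and is kept in both columns; the same sentence also has a capitalised "If" mid-sentence and the loose "he acquires also role A". Suggested wording for the new revision: "Roles can be aggregated into [[devel:documentation:roles:adm:business_roles|business roles]]. If role A is a sub-role of role B, a user who is assigned role B (automatically or manually) also acquires role A."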
From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, is placed in a group in LDAP, his indication is set to “can use VPN”, or permission is set for him in the application. In all the cases, a role is assigned. A simplification carried out like this allows general rules to be applied for assigning all types of permissions (~roles) in the same way. | From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, is placed in a group in LDAP, his indication is set to “can use VPN”, or permission is set for him in the application. In all the cases, a role is assigned. A simplification carried out like this allows general rules to be applied for assigning all types of permissions (~roles) in the same way. |
* ''environment'' - environment identifier, e.g. **dev**. | * ''environment'' - environment identifier, e.g. **dev**. |
* ''code'' - complex code. If environment is not used, then ''baseCode'' value is the same as ''code'' value, otherwise complex code is combined from base code, environment and joined with separator (''|'' by default). For example **roleOne|dev**. | * ''code'' - complex code. If environment is not used, then ''baseCode'' value is the same as ''code'' value, otherwise complex code is combined from base code, environment and joined with separator (''|'' by default). For example **roleOne|dev**. |
| |
===== Role criticality===== | |
The level of criticality can be set for every role. Criticality denotes, [[devel:documentation:role_change#roles_criticality_disintegration_to_subprocesses| who approves ]] its assignment. Role can have criticality from 0 to 5. | |
| |
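Review bot: the "Role criticality" section is removed from the new revision without leaving any pointer to where it went. The revision summary says sections were moved into the admin guide, but criticality is no longer mentioned anywhere in the new column, even though it determines who approves a request (the removed text linked to role_change#roles_criticality_disintegration_to_subprocesses). Keep a one-line reference in the approval paragraph above, e.g. "The approver depends on the role's criticality (0 to 5); see the admin guide."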
===== Incompatible roles ===== | ===== Incompatible roles ===== |
| |
{{ :devel:documentation:incompatible-role-request-confirm.png |}} | {{ :devel:documentation:incompatible-role-request-confirm.png |}} |
| |
| |
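Review bot: the "Incompatible roles" heading is followed only by the screenshot incompatible-role-request-confirm.png in both revisions, with no sentence saying what an incompatible-role definition is or what the requester sees when a request contains two incompatible roles. Add at least one sentence or a link to the admin guide, as was done for business roles in the paragraph above.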
===== Copying roles from a user ===== | |
| |
Copying roles from a user is a new feature that allows one user to easily copy roles/permissions from another user. You can get the same roles like one of your colleagues has by simply filing a request that admin then approves or declines. For more information please visit [[devel:documentation:roles:adm:copying-assigned-roles|admin guide]]. | |
| |
This feature is available in the role request detail, see the new button in the picture: | |
| |
{{ :devel:documentation:add_role.png |}} | |
| |
| |
For more information about the feature with more detailed description, please see the admin guide. | For more information about the feature with more detailed description, please see the admin guide. |
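Review bot: removing the "Copying roles from a user" section leaves the closing sentence "For more information about the feature with more detailed description, please see the admin guide." with no antecedent in the new revision, where it now follows the incompatible-roles screenshot. Either delete it or make it specific ("For more information about incompatible roles, see the admin guide."). Note also that the removed section linked to devel:documentation:roles:adm:copying-assigned-roles while the new "copying" bullet links to tutorial:adm:copying; confirm the tutorial page is the intended replacement, or link the admin-guide page as well.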