Differences
This shows you the differences between two versions of the page.
devel:documentation:roles [2019/03/20 12:41] poulm link to "copy role from user tutorial" |
devel:documentation:roles [2022/12/15 13:45] (current) doischert |
---|---|---|---|
Line 1: | Line 1: | ||
- | <- .:identities | + | <- .:contracts |
{{tag> role incompatible business automatic SoD Segregation Duties }} | {{tag> role incompatible business automatic SoD Segregation Duties }} | ||
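Review bot: the back-link in the first line now points at `.:contracts` instead of `.:identities`; that is consistent with the contracts section being promoted in the body, but the reverse link on the contracts page should be checked so that the two pages still link to each other in both directions, otherwise readers arriving from the identities page lose the way back.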
Line 5: | Line 5: | ||
====== Roles ====== | ====== Roles ====== | ||
- | A role in CzechIdM is an entity representing a set (1 or many) of privileges | + | A role in CzechIdM is an entity representing a set (1 or more) of permissions |
- | * [[devel: | + | |
+ | Users acquire roles: | ||
+ | * [[.roles: | ||
* manually | * manually | ||
- | * [[devel: | + | * [[.roles: |
* [[tutorial: | * [[tutorial: | ||
- | Request for the role [[devel: | + | Request for a role [[.role_change|can be approved]] by a specific user, usually helpdesk, user's manager or IT security. |
- | Roes can be aggregated into [[devel: | + | === Business roles === |
+ | Roles can be aggregated into [[.roles: | ||
- | From the perspective | + | === Incompatible roles (segregation |
+ | If an identity | ||
===== Roles and contracts ===== | ===== Roles and contracts ===== | ||
+ | Roles are assigned to users via their contracts. If a contract is not valid (time validity) the roles on the contract are removed. In other words, the identity loses roles permissions in IdM and rights in connected systems. | ||
{{ : | {{ : | ||
- | Roles are assigned to users via their contracts. If a contract is not valid (time validity) the roles on the contract are removed. In other words, the identity loses roles permissions in IdM and rights in connected systems. | + | ===== Automatic |
+ | ==== By org. structure ==== | ||
- | ===== Roles and environment ===== | + | The role can be linked to a Tree structure (e.g. a position in organizational structure). That role is assigned to and removed from a user based on adding/ |
- | + | ||
- | Role with the same base code could be created from / for different environment. Final role code is combined from the base code and environment identifier. When role is created (or synchronized), | + | |
- | * '' | + | |
- | * '' | + | |
- | * '' | + | |
- | + | ||
- | ===== Incompatible roles ===== | + | |
- | **Segregation of Duties** (SoD) can be ensured by incompatible roles. Their setup resembles that of business roles, described above. | + | |
- | + | ||
- | {{ : | + | |
- | + | ||
- | The old generation CzechIdM used to have a feature of [[https:// | + | |
- | + | ||
- | When an incompatible role has been assigned to an identity, a **warning stating the incompatible role definition** is shown. | + | |
- | + | ||
- | + | ||
- | ==== Concurrence of incompatible roles and business roles ==== | + | |
- | + | ||
- | The same warning symbol is shown when an identity requests new role(s) which happen to be incompatible with one of the subroles nested within a business role composition. In this case, the informative symbol is ALSO shown next to a business role that IS NOT itself incompatible with the requested role. | + | |
- | + | ||
- | In other words, the meaning of the symbol is somewhat different then: it does not mean the respective role - marked by this symbol - is incompatible, | + | |
- | + | ||
- | + | ||
- | {{ : | + | |
- | + | ||
- | {{ : | + | |
- | + | ||
- | For more information about the feature with more detailed description, | + | |
- | + | ||
- | ===== Automatically assigned roles by organization structure ===== | + | |
- | The role can be linked to a Tree structure (e.g. position in organizational structure). That role is assigned to and removed from a user based on adding/ | + | |
{{ : | {{ : | ||
- | ===== Automatically assigned roles by attribute ===== | + | ==== By identity attributes |
- | The role can be also linked | + | The role can be linked |
{{ : | {{ : | ||
- | After save identity (save from identity detail) it will be done recalculation for all automatic roles that has at least one rule with type IDENTITY, **recalculation from identity | + | ===== Roles and accounts ===== |
+ | Roles can also be assigned directly to accounts. This is particularly when a user has multiple accounts and we want the role to apply to only one account or when we are managing technical accounts. | ||
- | ===== Requests for change automatically assigned roles ===== | + | ====== Read more ====== |
- | Automatically assigned roles have a significant safety impact. When creating, editing, or deleting, it is necessary that the process is approved. For this purpose, an agenda for requests for change of automatic roles has been created. | + | |
- | This request gets the approval process from the criticality defined for that role. Critical role determines what process the application must accomplish to implement it. | + | ===== Admin guide ===== |
- | + | * [[.roles:adm:icons| Icons and description of roles]] | |
- | Processes of defined by the role criticality is defined [[https:// | + | * [[.roles:adm:duplicate-roles| Copy roles]] |
- | Processes for approval change of an automatic role are different then processes using for approving assign role to one user. For clarity, both processes (role assignment, change of the automatic role) are defined in one final process. | + | * [[.roles: |
- | + | * [[.roles: | |
- | < | + | * [[.roles: |
- | + | | |
- | ===== Duplicating roles ===== | + | * [[.roles: |
- | + | ||
- | Role can be duplicated by prepared bulk action. Bulk action is available on the roles table. | + | |
- | + | ||
- | {{ :devel:documentation: | + | |
- | + | ||
- | Action provides features: | + | |
- | * **Select environment** - role will be duplicated to selected environment. If the same as role's environment is selected or environment input is leaved empty, the role is duplicated on the same environment with suffix added into role's base code, e.g. **roleOne** => **roleOne_1**. If the different environment is selected, then duplicate | + | |
- | * **Duplicate role attributes** - creates (or updates) configured role attributes. | + | |
- | * **Duplicate sub roles** - creates (or updates) sub roles by business role definition (recursively). If the same environment is selected, the only role composition is created - exists sub role is used. If the different environment (~target environment) is used, then sub roles with the same environment as original are duplicated recursively into target environment. | + | |
- | * **Duplicate automatic | + | |
- | + | ||
- | <note tip>When the role with the same base code already exist on the selected environment (environment has to be different), then new duplicate is not created, but the exists duplicate is updated.</ | + | |
- | + | ||
- | Read [[.roles:dev:duplicate-role|more]] about action implementation and how it's possible to extend it. | + | |
- | + | ||
- | ===== Deduplicating | + | |
- | + | ||
- | Since roles are assigned to a contract not to an identity, it may well happen that an identity ends up having some role duplicities. Partly, it may be due to the fact that role definitions are changed over time, and from a certain point on they start to be assigned in a different way (say, automatically). And one and the same identity may meet the updated condition as well, hence it gets the same role all over again. | + | |
- | + | ||
- | Deduplication is a bulk action that is available on User agenda. Deduplication allows removing only manually added roles that are duplicite with another automatic role or another manually added role. More on this feature in the admin guide and tutorial. | + | |
- | + | ||
- | ====== Read more ====== | + | |
===== Admin tutorials ===== | ===== Admin tutorials ===== | ||
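Review bot: the whole "===== Requests for change automatically assigned roles =====" section is removed on the left side with no visible replacement on the right, and with it the statement that creating, editing or deleting an automatic role has a significant safety impact and must go through an approval process driven by the role's criticality. The new "==== By org. structure ====" and "==== By identity attributes" subsections describe only how such roles are assigned and removed, so the approval requirement should either be restated there in one sentence or linked from the "====== Read more ======" admin guide list, since an automatic role is exactly the object whose change silently grants permissions to every identity matching a tree position or attribute rule. The same applies to the removed "===== Roles and environment =====" section (final role code composed from base code and environment identifier) and to the removed caveat under "==== Concurrence of incompatible roles and business roles ====" that the warning symbol is also shown next to a business role that is not itself incompatible but contains an incompatible sub-role; if these now live on the pages listed under "===== Admin guide =====", a short forward reference from "=== Incompatible roles (segregation" and from the "Copy roles" entry would keep the overview self-contained. Two wording fixes in the added text: in "===== Roles and contracts =====" the sentence "the identity loses roles permissions in IdM" should read "the identity loses the roles' permissions in IdM and the corresponding rights in connected systems", and in "===== Roles and accounts =====" the sentence "This is particularly when a user has multiple accounts" is missing a word and should read "This is particularly useful when a user has multiple accounts".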
Line 105: | Line 58: | ||
* [[tutorial: | * [[tutorial: | ||
* [[tutorial: | * [[tutorial: | ||
- | * [[tutorial: | + | * [[tutorial: |
- | + | ||
- | ===== Admin guide ===== | + | |
- | * [[.roles: | + | |
- | * [[.roles: | + | |
- | * [[.roles: | + | |
- | * [[.roles: | + | |
- | * [[.roles: | + | |
- | * [[.roles: | + | |
- | * [[.roles: | + | |
- | + | ||
===== Devel guide ===== | ===== Devel guide ===== |