Direct Assignments

Has anyone had a scenario come up where a user wants to have assignments that are done by dynamic role be a direct assignment instead of indirect assignment?

  • Markus,

    The use case is the following:

    In their current Identity Management solution (SAP IDM) they have dynamic groups that assign birthright SAP roles as direct assignments. This was done this way so that the SAP security team could remove a birthright role and assign another role in its place if a change to the user occurred that would require this. The SAP security team has requested to have this same functionality in OneIM.

    The reason the SAP security team does things in this manner is that the SAP roles that have been created have overlapping access. For example, one role will have access to 5 TCODES. This role would be the birthright role. The user is later promoted and requires a new role for their new position. The new SAP role has access to 8 TCODES with 5 of them being the same ones as the original role. The SAP team does not like to see a user's account being listed more than once as having access to a TCODE. I hope this made sense.

  • Thanks for the explanation, Chris.

    The role concept of One Identity Manager is different from the one in SAP IDM, especially around enforcing role membership and entitlements. And as I've said, there is no way to generate direct role memberships if dynamic roles are used, as OneIM is meant to enforce the dynamic role membership instead of handling this as a template like SAP IDM seems to do.

    Options to tackle this use case are (not a complete list, just my first thoughts):

    • Request the role memberships for the birthright roles instead of using dynamic roles. In that case, the membership can be canceled later on and you have an audit trail showing the reason.
    • Enhance the condition of your dynamic role calculation so that it excludes persons having the role that would supersede the birthright role.