Indirect Assignments of System Entitlements to Business Roles by System Roles

Hi,

What exactly do you mean by "there is no System Entitlement assignment to the Business Role at all"?

Do you mean you are unable to assign a system entitlement directly to the Business Role or the users assigned to the Business Role are not receiving the system entitlement?

I just ran through your scenario and it works for me.

Have you reviewed the role assignments for the role class itself?  Tasks | Configure role assignments.

Trevor

Hi,

I mean that there is no entry in the Table OrgHasUNSGroupB for the given Org and UNSGroupB.

In your walk-through, did you allowed your role class to assign system entitlements ("groups" in 8.x) ?

In my scenario role assignments are NOT allowed for system entitlements / groups.

To avoid side effects, we don't want to open up the entire role class for UNS.

If this was a bug in 6.1.4 and it's no longer working in 8.x then we may have to allow these assignments.

Frank

Hi,

I mean that there is no entry in the Table OrgHasUNSGroupB for the given Org and UNSGroupB.

In your walk-through, did you allowed your role class to assign system entitlements ("groups" in 8.x) ?

In my scenario role assignments are NOT allowed for system entitlements / groups.

To avoid side effects, we don't want to open up the entire role class for UNS.

If this was a bug in 6.1.4 and it's no longer working in 8.x then we may have to allow these assignments.

Frank

With version 8.1, we introduced some new configuration parameters to support some new features around the system roles.

The configuration parameter QER | Structures | Inherite | NoESetSplitting was introduced to allow the exclusion of entitlements that are assigned to a business role via a system role. The system wasn't able to remove these entitlements before 8.1.

When this configuration parameter is activated, the entitlements assigned to the system role will not be persistet as assignments to the business role tables.

I suggest checking the following explanations in the documentation about the inner workings of the inheritance calculation for the system roles.

https://support.oneidentity.com/de-de/technical-documents/identity-manager/8.1/system-roles-administration-guide/7#TOPIC-1136811

https://support.oneidentity.com/de-de/technical-documents/identity-manager/8.1/system-roles-administration-guide/7#TOPIC-1136810

Hi Markus,

does this behavior also apply to child esets which are asigned to an eset? Should in this case the child esets also not be inherited to business role as indirect assignments in OrgHasEset, provided the NoESetSplitting configuration parameter is activated?

Thanks in advance and regards!

Tung Nguyen

As far as I know, the ESetSplitting is done on the entitlement level, regardless if the entitlement is coming from a child system role or not.

That is clear to me, however what I mean is actually the following scenario:

- ESet1 is assigned directly to business role Org1 (OrgHasEset with XOrigin = 1)

- ESet1 contains ESet2 as direct assignment in ESetHasEntitlement

With the configuration parameter activated, is it to be expected that no OrgHasEset entry for the indirect assignment Eset2 to Org1 being created? As this is now the case for OrgHasUNSGroup.

As I have said before, OrgHasESet will not change if NoESetSplitting is activated just the inheritance of the (other) entitlements.

SAMPLE 1

An EsetA has as an entitlement QERResourceA (ESetHasEntitlement):

NoESetSplitting=0:

BaseTreeHasESet (BaseTreeX, EsetA) and

BaseTreeHasQERResource (BaseTreeX, QERResourceA)

NoESetSplitting=1:

BaseTreeHasESet (BaseTreeX, EsetA)

SAMPLE 2

If an ESet A has another ESet B as entitlement then this assignment will appear in BaseTreehasESet.

EsetA has EsetB as an entitlement (ESetHasEntitlement):

NoESetSplitting=0:

BaseTreeHasESet (BaseTreeX, EsetA) and

BaseTreeHasESet (BaseTreeX, EsetB)

NoESetSplitting=1:

BaseTreeHasESet (BaseTreeX, EsetA) and

BaseTreeHasESet (BaseTreeX, EsetB)