Indirect Assignments of System Entitlements to Business Roles by System Roles

Hi,

I observe a strange behaviour on indirect assignments of System Entitlements to Business Roles (OrgHasUNSGroupB) in One Identity Manager 8.1.2 compared to the old 6.1.4 system.

Scenario:

1. Create a System Role (ESet)

2. Create and Assign a System Entitlement to this System Role (ESetHasEntitlement -> UNSGroupB)

3. Create and Assign a Business Role to the System Role (OrgHasESet)

In both versions the Role Class (OrgRoot) does not allow an assignment of System Entitlements, neither direct nor indirect.

My Observation:

In 6.1.4 the System Entitlement was assigned to the Business Role which was assigned to the System Role with the System Entitlement Assignment (OrgHasUNSGroupBTotal Entry with viInherite = 2 indirect)

In 8.1.2 there is no System Entitlement assignment to the Business Role at all. I had expected an OrgHasUNSGroupB Entry with XOrigin = Indirect assignment

Has the system behaviour changed in 8.1.2 compared to 6.1.4, or did I miss something, maybe a config parameter I didn't notice?

The configuration looks good to me (also in comparison to the old 6.1.4 system).

Any helpful answers are welcome. Many Thanks.

  • Hi Markus,

    Does this behavior also apply to child esets which are assigned to an eset? Should the child esets in this case also not be inherited by the business role as indirect assignments in OrgHasEset, provided the NoESetSplitting configuration parameter is activated?

    Thanks in advance and regards!

    Tung Nguyen

  • As far as I know, the ESetSplitting is done on the entitlement level, regardless of whether the entitlement is coming from a child system role or not.

  • That is clear to me, however what I mean is actually the following scenario:

    - ESet1 is assigned directly to business role Org1 (OrgHasEset with XOrigin = 1)

    - ESet1 contains ESet2 as direct assignment in ESetHasEntitlement

    With the configuration parameter activated, is it to be expected that no OrgHasEset entry is created for the indirect assignment of Eset2 to Org1, as is now the case for OrgHasUNSGroup?

  • As I have said before, OrgHasESet will not change if NoESetSplitting is activated, just the inheritance of the (other) entitlements.

    SAMPLE 1

    An EsetA has as an entitlement QERResourceA (ESetHasEntitlement):

    NoESetSplitting=0:

    BaseTreeHasESet (BaseTreeX, EsetA) and

    BaseTreeHasQERResource (BaseTreeX, QERResourceA)

    NoESetSplitting=1:

    BaseTreeHasESet (BaseTreeX, EsetA)

    SAMPLE 2

    If an ESet A has another ESet B as entitlement then this assignment will appear in BaseTreeHasESet.

    EsetA has EsetB as an entitlement (ESetHasEntitlement):

    NoESetSplitting=0:

    BaseTreeHasESet (BaseTreeX, EsetA) and

    BaseTreeHasESet (BaseTreeX, EsetB)

    NoESetSplitting=1:

    BaseTreeHasESet (BaseTreeX, EsetA) and

    BaseTreeHasESet (BaseTreeX, EsetB)
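
Added example, not part of the thread and not One Identity Manager code: a small Python model of the behaviour described in the last reply, combining its two samples so the rows that differ between NoESetSplitting=0 and NoESetSplitting=1 can be listed for one role. The function names, the `SAMPLE` data and the entitlement `QERResourceB` are constructed for illustration, and the `BaseTreeHas<type>` naming for tables other than the two named in the thread is an assumption.

```python
# Toy model of the inheritance described in the thread; not One Identity Manager code.
# Constructed sample: ESetHasEntitlement as {system role: [(kind, name), ...]}.
# QERResourceB is a made-up entitlement added to show nesting.
SAMPLE = {
    "EsetA": [("QERResource", "QERResourceA"), ("ESet", "EsetB")],
    "EsetB": [("QERResource", "QERResourceB")],
}


def expand_esets(direct_esets, eset_has_entitlement):
    """Directly assigned system roles plus every nested one (cycle-safe)."""
    seen, stack = set(), list(direct_esets)
    while stack:
        eset = stack.pop()
        if eset in seen:
            continue
        seen.add(eset)
        stack.extend(name for kind, name in eset_has_entitlement.get(eset, [])
                     if kind == "ESet")
    return seen


def role_assignments(direct_esets, eset_has_entitlement, no_eset_splitting):
    """Return {table name: entitlements} for one role (BaseTreeX in the thread)."""
    esets = expand_esets(direct_esets, eset_has_entitlement)
    tables = {"BaseTreeHasESet": esets}  # identical for both settings
    if not no_eset_splitting:
        # NoESetSplitting=0: contents of the system roles are split out into
        # per-type tables (name pattern assumed from the thread's sample).
        for eset in esets:
            for kind, name in eset_has_entitlement.get(eset, []):
                if kind != "ESet":
                    tables.setdefault(f"BaseTreeHas{kind}", set()).add(name)
    return tables


def rows_missing_when_enabled(direct_esets, eset_has_entitlement):
    """Rows that exist with NoESetSplitting=0 but not with NoESetSplitting=1."""
    off = role_assignments(direct_esets, eset_has_entitlement, False)
    on = role_assignments(direct_esets, eset_has_entitlement, True)
    return {t: rows - on.get(t, set()) for t, rows in off.items()
            if rows - on.get(t, set())}


if __name__ == "__main__":
    for flag in (False, True):
        print(int(flag), role_assignments(["EsetA"], SAMPLE, flag))
    print("missing with parameter set:", rows_missing_when_enabled(["EsetA"], SAMPLE))
```

In this model, a review of what a role grants with the parameter set has to walk ESetHasEntitlement itself, because the per-type rows are not there to read.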