Assign One Identity manager Application Role to a Business Role

Hi All, 

I couldn't find a similar question on the forum or OID documentation. 

I've created a permission group in the designer and assigned it to a Custom/new One Identity Manager Application Role. 

As the next step I would like to assign the One Identity Manager application role (AERole) to a Business Role (Org), which is not possible in the Manager. 

I also tried to assign it to a system role, which failed. 

Any advice?

Thanks

  • You cannot assign business roles (Org) to an application role (AERole). But you can create a dynamic role for the application role that assigns any person assigned to the business role to the application role.


  • Thanks, I wanted to avoid this solution because the customer team user is restricted in the Manager to only use the "Business Roles" section. In this case we would need to extend the Manager with "One Identity Manager Administration". 

    Will it be possible in the future releases to assign an AERole to an Org BusinessRole?  

  • I do not understand the use case then. You created the permission group and assigned it to an application role. For that, you didn't use the customer team user, correct? But your customer team user should be able to assign the application role to any business role on request. Correct?

  • I used my SystemUser account to create the permission group and assign the permission group to an AERole. 

    The Customer team shouldn't be able to create a dynamic role for the application role.

    Preferably the customer team user (EmployeeRoleBased) is able to create a business role and directly assign an AERole to a business role through the "Tasks" view in the Manager, just like the direct assignment of an Active Directory group, system roles, resources, devices, subscribable reports etc. to a business role through the "Tasks" view. 

    My first assumption is correct, this is not possible in the current version. 

  • Your assumption is correct. You cannot assign an application role to a business role.

    But what you can do is the following.

    1. Create a dynamic group for the AERole that is based on some extended attribute assigned to the business role (ObjectHasExtendedAttribute). The extended attribute needs to be created first, of course (table ExtendedAttribute).

    2. The customer team user then uses the task "Assign extended attribute" to assign the attribute to the business role. The dynamic role will then put all members of the business role into the application role.
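The two steps above, sketched as an added example that is not part of the original thread or of the One Identity Manager documentation. The extended attribute and the dynamic role themselves are created through the Manager/Designer; what is shown is the condition (a WHERE clause over Person) entered for the dynamic role, plus a query to verify which business roles currently carry the marker. The attribute name `GrantAERole_HelpdeskAdmin` is hypothetical, and the table and column names PersonInOrg, UID_Person, UID_Org, XObjectKey, Ident_Org, Ident_ExtendedAttribute, UID_ExtendedAttribute and ObjectKeyElement are assumptions about the schema that must be checked against the installed version before use.

```sql
-- Added illustration of the dynamic-role approach (not from the thread or the product docs).
-- Names marked ASSUMED are guesses about the schema; verify them in the Designer first.

-- Step 1: condition of the dynamic role attached to the application role.
-- The dynamic role's object class is Person, so this is a WHERE fragment over Person:
-- "every person who is a member of a business role that carries the marker attribute".
-- ASSUMED: PersonInOrg(UID_Person, UID_Org) holds business role memberships;
--          ObjectHasExtendedAttribute(ObjectKeyElement, UID_ExtendedAttribute) holds the
--          attribute assignments, with ObjectKeyElement = XObjectKey of the business role.
UID_Person IN (
    SELECT pio.UID_Person
    FROM   PersonInOrg pio
    JOIN   Org o
           ON o.UID_Org = pio.UID_Org
    JOIN   ObjectHasExtendedAttribute ohea
           ON ohea.ObjectKeyElement = o.XObjectKey
    JOIN   ExtendedAttribute ea
           ON ea.UID_ExtendedAttribute = ohea.UID_ExtendedAttribute
    WHERE  ea.Ident_ExtendedAttribute = 'GrantAERole_HelpdeskAdmin'   -- hypothetical marker
)

-- Step 2 check: after the customer team user ran "Assign extended attribute" on a business
-- role, list the business roles whose members will be placed into the application role.
SELECT o.Ident_Org
FROM   Org o
JOIN   ObjectHasExtendedAttribute ohea
       ON ohea.ObjectKeyElement = o.XObjectKey
JOIN   ExtendedAttribute ea
       ON ea.UID_ExtendedAttribute = ohea.UID_ExtendedAttribute
WHERE  ea.Ident_ExtendedAttribute = 'GrantAERole_HelpdeskAdmin';
```

Two practical caveats: dynamic role memberships are recalculated asynchronously by the DBQueue, so a person does not land in the application role the instant the attribute is assigned; and removing the attribute from the business role removes its members from the application role again, which is the behaviour you want for a marker that effectively grants permissions, but it means the marker attribute should itself be treated as a privileged object and only assignable by the intended customer team users.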

  • The point is to minimize the required actions/steps to assign an AERole to a businessrole. This means we don't want to create a dynamic role for the AERole, neither does the customer team user. 

    So for now there is no direct solution; a dynamic role for an AERole is always required to assign it to a business role.  

  • About how many application roles with permission groups are we talking here?

    And the customer team user does not need to create the dynamic group, just assign the extended attribute, for which a task already exists.

    Sounds to me that this is not too much effort.

    There are no plans at all to make application roles assignable to business roles by an assignment table.