on 03-12-2010 3:33 PM
Hi,
I have some questions related to the identity store schema.
1. When I create a custom entry type (CUST_ENTR) with a MXREF to a privilege created from a group in ADS, will the group in ADS be assigned to the MX_PERSON object that has a MXREF to the CUST_ENTR?
2. Is it possible to add some parameters on a relationship? For example: I want to know which system has created the relationship between MX_PERSON and MX_ROLE.
kr,
Joachim
Hi Joachim,
1. I think you have to test this. My comment is that if you look at how roles and privileges are linked then you see that the role has an MXMEMBER_MX_PRIVILEGE set when linked to a privilege and not MXREF_MX_PRIVILEGE. So if you want membership in CUST_ENTR to yield an assignment to the privilege then I would set the MXMEMBER... on CUST_ENTR and not MXREF...
2. Not as far as I know, the only attributes that linkages can have are valid from, valid to and business reason.
Can you describe what you're trying to do? Perhaps there is another solution to this.
Greets,
Kai
Hi Kai,
Thanks for your reply.
What I'm trying to do is to add parameters on the link between user and role, in order to reduce the number of roles.
Example:
We have 7 privileges (roles in AD):
- Application_user
- Application_Doctor
- Application_Nurse
- Application_Secretary
- RegionA
- RegionB
- RegionC
Each user for this application needs the Application_user privilege and in addition another application privilege and a region.
Now we want to create functional roles.
Normally we will do this:
Functional role // Assigned Privileges
Role_Doctor_RegionA // Application_user, Application_Doctor, RegionA
Role_Doctor_RegionB // Application_user, Application_Doctor, RegionB
Role_Doctor_RegionC // Application_user, Application_Doctor, RegionC
Role_Nurse_RegionA // Application_user, Application_Nurse, RegionA
Role_Nurse_RegionB // Application_user, Application_Nurse, RegionB
Role_Nurse_RegionC // Application_user, Application_Nurse, RegionC
Role_Secretary (for secretary no region defined) // Application_user, Application_Secretary
Now we want to reduce the number of functional roles and therefore we add a property on the relation between user and role.
Functional role // Assigned Privileges
Role_Doctor // Application_user, Application_Doctor
Role_Nurse // Application_user, Application_Nurse
Role_Secretary // Application_user, Application_Secretary
When we assign a role in IDM we will ask the user to assign a property on the relation between user and role.
Using this property, we determine via a mapping table which regions are to be assigned to this user for this role.
kr,
Joachim
Hi,
Got it. As far as I can see, something like what you are looking for is not available in IdM 7.1; however, there might be enhancements in 7.2 which fit your needs.
The only option I see right now is to write provisioning tasks which check in which region the user resides and act accordingly. Then you can assign only one role for Nurse, Doctor and so on, and the logic that splits into different regions resides within the provisioning tasks.
Greets,
Kai
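
The logic discussed in this thread (one role per function, with the region resolved through a mapping table) can be sketched as follows. This is an added example, not code from either poster or from SAP IdM: it is plain JavaScript, calls no IdM API, and the table layout and the names `resolvePrivileges` and `planChange` are assumptions; only the role and privilege names come from the thread.

```javascript
// Constructed data: role and privilege names are taken from the thread; the
// table layout and function names are assumptions, not SAP IdM API.
const ROLE_PRIVILEGES = new Map([
  ["Role_Doctor",    { base: ["Application_user", "Application_Doctor"],    needsRegion: true }],
  ["Role_Nurse",     { base: ["Application_user", "Application_Nurse"],     needsRegion: true }],
  ["Role_Secretary", { base: ["Application_user", "Application_Secretary"], needsRegion: false }],
]);
const REGION_PRIVILEGE = new Map([["A", "RegionA"], ["B", "RegionB"], ["C", "RegionC"]]);

// Resolve one (role, region) assignment to its privileges. Fails closed:
// unknown input throws instead of falling back to a default privilege set.
function resolvePrivileges(role, region) {
  const def = ROLE_PRIVILEGES.get(role);
  if (!def) throw new Error(`unknown role: ${role}`);
  if (!def.needsRegion) {
    // Role_Secretary has no region; reject one rather than silently ignore it.
    if (region != null) throw new Error(`${role} takes no region`);
    return [...def.base];
  }
  const regionPrivilege = REGION_PRIVILEGE.get(region);
  if (!regionPrivilege) throw new Error(`unknown or missing region for ${role}`);
  return [...def.base, regionPrivilege];
}

// Compare a user's assignments before and after a change. Returning the
// revoke list matters: a region move must remove the old region privilege,
// otherwise the user accumulates access to every region ever held.
function planChange(before, after) {
  const collect = (assignments) =>
    new Set(assignments.flatMap(([role, region]) => resolvePrivileges(role, region)));
  const oldSet = collect(before);
  const newSet = collect(after);
  return {
    grant: [...newSet].filter((p) => !oldSet.has(p)).sort(),
    revoke: [...oldSet].filter((p) => !newSet.has(p)).sort(),
  };
}
```

Each assignment is a `[role, region]` pair, for example `planChange([["Role_Nurse", "A"]], [["Role_Nurse", "C"]])` for a nurse moving from region A to region C.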