identity store schema

joachimvanpraet
Active Participant

Hi,

I have some questions related to the identity store schema.

1. When I create a custom entry type (CUST_ENTR) with an MXREF to a privilege created from a group in ADS, will the group in ADS be assigned to the MX_PERSON objects that have an MXREF to the CUST_ENTR?

2. Is it possible to add some parameters on a relationship? E.g.: I want to know which system created the relationship between MX_PERSON and MX_ROLE.

kr,

Joachim

former_member192665
Participant

Hi Joachim,

1. I think you have to test this. My comment is that if you look at how roles and privileges are linked then you see that the role has an MXMEMBER_MX_PRIVILEGE set when linked to a privilege and not MXREF_MX_PRIVILEGE. So if you want membership in CUST_ENTR to yield an assignment to the privilege then I would set the MXMEMBER... on CUST_ENTR and not MXREF...

2. Not as far as I know; the only attributes that linkages can have are valid from, valid to and business reason.

Can you describe what you're trying to do? Perhaps there is another solution to this.

Greets,

Kai

--
http://kaidentity.blogspot.com/

joachimvanpraet
Active Participant

Hi Kai,

Thanks for your reply.

What I'm trying to do is to add parameters on the link between user and role, in order to reduce the number of roles.

Example:

We have 7 privileges (groups in AD):

- Application_user
- Application_Doctor
- Application_Nurse
- Application_Secretary
- RegionA
- RegionB
- RegionC

Each user for this application needs the Application_user privilege and in addition another application privilege and a region.

Now we want to create functional roles.

Normally we will do this:

Functional role      // Assigned privileges
Role_Doctor_RegionA  // Application_user, Application_Doctor, RegionA
Role_Doctor_RegionB  // Application_user, Application_Doctor, RegionB
Role_Doctor_RegionC  // Application_user, Application_Doctor, RegionC
Role_Nurse_RegionA   // Application_user, Application_Nurse, RegionA
Role_Nurse_RegionB   // Application_user, Application_Nurse, RegionB
Role_Nurse_RegionC   // Application_user, Application_Nurse, RegionC
Role_Secretary       // Application_user, Application_Secretary (for secretary no region is defined)

Now we want to reduce the number of functional roles and therefore we add a property on the relation between user and role.

Functional role      // Assigned privileges
Role_Doctor          // Application_user, Application_Doctor
Role_Nurse           // Application_user, Application_Nurse
Role_Secretary       // Application_user, Application_Secretary

When we assign a role in IDM we will ask the user to assign a property on the relation between user and role.

Using this property, we determine via a mapping table which regions are to be assigned to this user for this role.

kr,

Joachim

former_member192665
Participant

Hi,

Got it. As far as I can see, something like what you are looking for is not available in IdM 7.1; however, there might be enhancements in 7.2 which fit your needs.

The only option I see right now is to write provisioning tasks which check in which region the user resides and act accordingly. Then you can assign only one role for Nurse, Doctor and so on, and the logic that splits into the different regions resides within the provisioning tasks.

Greets,

Kai

--
http://kaidentity.blogspot.com/
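The two designs in this thread, Joachim's mapping table keyed by a region parameter and Kai's provisioning task that reads the user's region and acts accordingly, can be sketched as plain data-driven resolution logic. The block below is an added example written for this page; it is not SAP IdM code and uses no IdM API. The role and privilege names come from the thread, while the region parameter values (A, B, C), the mapping table and the function names resolveAssignment, resolveUser and expandCatalogue are assumptions made for illustration. Unknown roles or region values are rejected rather than defaulted, so a mistyped parameter never yields a wrong group, and expandCatalogue shows that the three parameterized roles reproduce the original seven-role catalogue exactly.

```javascript
// Added example, not SAP IdM code: resolve a user's effective privileges from a
// functional role plus a region parameter (the property on the user/role link,
// or the region read from an MX_PERSON attribute), instead of maintaining one
// static role per (function, region) pair. Names below are constructed.

// Functional roles: region-independent privileges plus whether a region is required.
const FUNCTIONAL_ROLES = {
  Role_Doctor:    { base: ["Application_user", "Application_Doctor"],    regionRequired: true },
  Role_Nurse:     { base: ["Application_user", "Application_Nurse"],     regionRequired: true },
  Role_Secretary: { base: ["Application_user", "Application_Secretary"], regionRequired: false },
};

// Constructed mapping table: region parameter value -> region privilege (AD group).
const REGION_MAP = { A: "RegionA", B: "RegionB", C: "RegionC" };

// Resolve one assignment { role, region } to the list of privileges it grants.
// Anything not in the tables is an error: entitlement data must not be guessed.
function resolveAssignment(assignment) {
  const def = FUNCTIONAL_ROLES[assignment.role];
  if (!def) throw new Error("unknown functional role: " + assignment.role);
  const privileges = def.base.slice();
  if (def.regionRequired) {
    const regionPriv = REGION_MAP[assignment.region];
    if (!regionPriv) {
      throw new Error("role " + assignment.role + " requires a valid region, got: " + assignment.region);
    }
    privileges.push(regionPriv);
  }
  return privileges;
}

// Resolve all of a user's assignments into one de-duplicated, sorted privilege list,
// which is what a provisioning task would push to the target system.
function resolveUser(assignments) {
  const set = new Set();
  for (const a of assignments) resolveAssignment(a).forEach((p) => set.add(p));
  return [...set].sort();
}

// Expand the parameterized roles into the equivalent static catalogue, so the
// reduced model can be checked against the original seven-role table.
function expandCatalogue() {
  const out = {};
  for (const [role, def] of Object.entries(FUNCTIONAL_ROLES)) {
    if (!def.regionRequired) {
      out[role] = def.base.slice();
      continue;
    }
    for (const region of Object.keys(REGION_MAP)) {
      out[role + "_" + REGION_MAP[region]] = resolveAssignment({ role, region });
    }
  }
  return out;
}

// Stand-alone usage with constructed assignments: a doctor in region A who also
// holds the secretary role.
console.log(resolveUser([{ role: "Role_Doctor", region: "A" }, { role: "Role_Secretary" }]));
console.log(Object.keys(expandCatalogue()).length + " static roles would be needed");
```

The point of expandCatalogue is the regression check: whenever the mapping table changes, comparing its output with the catalogue the target system actually expects catches a region or privilege that silently dropped out of the model.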

joachimvanpraet
Active Participant

Kai,

Your answer is what I expected.

We currently store the region in an MX_PERSON attribute.

Thanks for your help.

kr,

Joachim