Access Rights
As an identity management solution grows, organizing its entitlements becomes a challenge. To address this, a flexible catalog structure is needed that lets users quickly and easily locate the entitlements they need.
Catalog
The CA Identity Portal Permission Model consists of the following entities:
- Application groups
- Applications
- Permissions
- Role Groups
- Roles
Permission Tree
The basic entity is the permission. A permission is the business representation of the entitlement that the user requests. Once a permission is requested, CA Identity Portal translates this business representation into the technical entitlements, the target permissions (see the Target Permissions section for more information on creating target permissions).
The following rules define the permission model:
- A target permission can be linked to many permissions. Example: an Active Directory group membership, which can be a provisioning role in an IM solution, can be linked to several business permissions such as Network Access and Security Admins.
- A permission can be linked under another permission, giving the two a parent-child relationship. This relationship ensures that a child permission cannot be granted unless the parent permission is requested in the same cart or is already held. This situation is common in profile-based applications: basic access to the application is defined as the parent permission, while the specific profile or role within the application is defined as a child permission (sub-permission). The parent-before-child rule is enforced only when the cart is configured to run in strict mode (refer to strict_mode in UI Configuration).
- Every permission must be linked to an application. A permission cannot be linked to more than one application.
- An application can contain multiple permissions.
- An application group contains one or more applications.
- There is no limit to the nesting depth of child permissions in the permission model. Every child permission can have its own sub-permissions, and so on.
- Permissions can be grouped into a permission group. Permissions in the same group are mutually exclusive: only one of them can be selected during an access request, and the target user (the user for whom the request is made) may hold only one of them.
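The rules above, modelled in Python as an added example. This is illustration code, not CA Identity Portal's own implementation or API: the Permission and Catalog classes, validate_cart, and the sample entitlements (the "ERP" application and the "AD:NetOps" group) are invented for this example. It builds a small permission tree, translates business permissions to their target permissions, and checks a request cart the way a strict-mode cart would: a sub-permission cannot be requested without its parent (held or in the same cart), and at most one permission from a mutually exclusive group may be held.

```python
# Added illustration (not CA Identity Portal code): a model of the permission
# tree rules above. All class names and sample entitlements are hypothetical.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Permission:
    name: str
    application: str              # rule: exactly one application per permission
    target: str                   # technical target permission, e.g. an AD group
    parent: Optional[str] = None  # parent permission for a sub-permission
    group: Optional[str] = None   # mutually exclusive permission group, if any


class Catalog:
    """Permission entities keyed by name; parent links form the tree."""

    def __init__(self) -> None:
        self.permissions: dict[str, Permission] = {}

    def add(self, p: Permission) -> None:
        if p.name in self.permissions:
            raise ValueError(f"duplicate permission {p.name}")
        if p.parent is not None:
            parent = self.permissions.get(p.parent)
            if parent is None:
                raise ValueError(f"{p.name}: unknown parent {p.parent}")
            # a sub-permission belongs to the same application as its parent
            if parent.application != p.application:
                raise ValueError(f"{p.name}: parent is in another application")
        self.permissions[p.name] = p

    def ancestors(self, name: str) -> list[str]:
        """Parent chain up to the root; nesting depth is unlimited."""
        chain: list[str] = []
        cur = self.permissions[name].parent
        while cur is not None:
            chain.append(cur)
            cur = self.permissions[cur].parent
        return chain

    def targets(self, names) -> set[str]:
        """Translate business permissions into technical target permissions.
        Several business permissions may map onto the same target."""
        return {self.permissions[n].target for n in names}


def validate_cart(catalog: Catalog, held: set[str], requested: list[str],
                  strict: bool = True) -> list[str]:
    """Return the rule violations for a cart (empty list = cart is acceptable).

    held      - permissions the target user already has
    requested - permissions being added to the cart
    strict    - enforce the parent-before-child rule (strict_mode)
    """
    errors: list[str] = []
    effective = set(held) | set(requested)
    for name in requested:
        if name not in catalog.permissions:
            errors.append(f"{name}: not in catalog")
            continue
        if strict:
            for anc in catalog.ancestors(name):
                if anc not in effective:
                    errors.append(f"{name}: requires parent permission {anc}")
    # mutual exclusion: only one permission per group may be held
    by_group: dict[str, list[str]] = {}
    for name in effective:
        p = catalog.permissions.get(name)
        if p is not None and p.group is not None:
            by_group.setdefault(p.group, []).append(name)
    for grp in sorted(by_group):
        members = by_group[grp]
        if len(members) > 1:
            errors.append(f"group {grp}: only one of {sorted(members)} may be held")
    return errors


def sample_catalog() -> Catalog:
    """Constructed sample data following the AD-group example above."""
    c = Catalog()
    # one AD group (the target) linked to two business permissions
    c.add(Permission("Network Access", "Corporate Network", "AD:NetOps"))
    c.add(Permission("Security Admins", "Corporate Network", "AD:NetOps"))
    # a profile-based application: base access, then mutually exclusive profiles
    c.add(Permission("ERP Access", "ERP", "ERP:BaseUser"))
    c.add(Permission("ERP Buyer", "ERP", "ERP:Buyer",
                     parent="ERP Access", group="ERP profile"))
    c.add(Permission("ERP Approver", "ERP", "ERP:Approver",
                     parent="ERP Access", group="ERP profile"))
    c.add(Permission("ERP Approver L2", "ERP", "ERP:ApproverL2",
                     parent="ERP Approver"))
    return c


if __name__ == "__main__":
    cat = sample_catalog()
    print(validate_cart(cat, set(), ["ERP Buyer"]))
    print(validate_cart(cat, {"ERP Access", "ERP Buyer"}, ["ERP Approver"]))
```

With strict=False the parent check is skipped, which matches the text's caveat that the parent-child rule is only enforced in strict mode; the mutual-exclusion check is applied regardless, and it considers what the target user already holds, not just the current cart.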
Managing the Permissions Model
CA Identity Portal allows the administrator to lay out the permission model the way it will be presented to the end user.
Follow these steps:
- Navigate to the Admin UI.
- Click Modules.
- Click the Access Rights module.
- Click the Access Rights tab.
- In the Catalog tab, click Add application group.
- Specify a name for the application group.
- To create an application under the application group, select the group and click Add application.
- To create a permission, select the application and click Add permission.
- Specify a name for the permission and select a target permission.
- Click Save. The changes are saved.
You can rearrange the list of applications in the Entitlement Tree.
Note:
You can have only one level of hierarchy in the right pane, the section for application groups and applications. You can have more than one level of hierarchy in the middle pane, the section for permissions and permission groups.
Configuring Entity Properties
CA Identity Portal enables administrators to enrich the permission tree with additional information that gives end users more context about each permission and helps them find the entitlement they need. The information is displayed behind a small Info icon next to the entity.
To configure this additional information:
- Hover over the application or permission line and open the Options drop-down menu that appears at the right end of the line. Click Edit, then choose the Properties tab in the Edit dialog.
- Enter a property key and value, for example: Key=Description, Value=This permission requires a security administrator to approve.
- Click Save to commit the changes.
Roles
- A CA Identity Portal role is a group of permissions that defines an organizational role.
- CA Identity Portal roles are suggested roles: they are displayed to the end user during an access request by role, as a convenient bundle of permissions to request together.
- A role group contains one or more roles.
Managing the Roles Model
The roles model tree is managed in a very similar way to the permissions model.
Follow these steps:
- Navigate to the Admin UI.
- Click Modules.
- Click the Access Rights module.
- Click the Access Rights tab.
- Click the Roles tab.
- Click Add role group.
- Specify a name for the role group.
- Click Add role.
- Specify a name for the role. The available permissions are displayed on the right-hand side.
- Select the permissions that you want to include in this role.
- Click Save.
The role is created with the required permissions.