Roles in CzechIdM – who approves their assignment?
An identity manager helps with privilege management. It can handle tasks such as keeping a record of roles and distributing them, or assigning roles to users. Another benefit of an identity manager is that role assignment can usually be driven by workflows and user tasks. This article explains how that works in CzechIdM.
CzechIdM is an RBAC identity manager, which means that it restricts users’ access to managed systems through sets of permissions. In CzechIdM, every permission or set of permissions (no matter whether it belongs to CzechIdM or to a managed system) is represented by an entity called a Role. From CzechIdM’s point of view it makes no difference whether the user has a specific right in a managed system, is a member of a group of users (AD/LDAP), or has an account with basic access. It is always a role that represents it in CzechIdM.
This paradigm is really effective and easy to understand. It allows IdM to apply general rules for role management and distribution, such as automatic roles, approval of role requests, synchronization and provisioning.
Access to resources managed by an identity manager should always be subject to approval. The question is always who approves it, and what happens if the approval is done in several rounds.
CzechIdM offers a standard approval workflow for role assignment.
Role change request
When somebody (a user, an administrator or the user’s manager) asks for a role change, CzechIdM processes this wish as a request. This request is subject to approval. The standard approval has several consecutive rounds:
Role defined approval
#1 Helpdesk and #2 User manager are groups of users, each defined in the CzechIdM configuration. #3 Manager is the current manager of the user, determined by their contracted position. #5 Security is again a group of users defined in the application. All of these steps can be turned off in the application configuration, so you can, for example, set up the IdM so that roles are approved only in round #3 (Manager) and all other rounds are skipped.
Round #4 is a little more complex.
Role defined approval
When the approval workflow gets to round #4, it is divided into approval tasks, one per role in the request. So if there were 4 roles in a request that should be assigned to the user, every role is approved separately in this round.
This principle allows us to apply an approval mechanism specific to each role. In other words, in CzechIdM you can specify the approval of every role individually. Let’s say you have 2 types of roles:
- critical – the role guarantee approves its assignment to users
- non-critical – no one approves their assignment to users
In the example above, only critical roles are approved in round #4.
When all tasks in round #4 are resolved (either approved or denied), the request is processed again as a whole in round #5. When security approves the request, all changes in the request are applied and the user is notified about the change.
The approval task has many improvements:
- If the applicant is the same user who approves the request, the round is automatically skipped. The user does not need to be bothered.
- Each of rounds 1-3 and 5 can be turned off in the application configuration
- Approvers in rounds 1-3 and 5 can return the request to the applicant with a demand for a change in the request, e.g. “I won’t approve it unless you add a text justification of the request”.
- The standard approval workflow (like any other workflow) can be rewritten or replaced by a new one
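The rounds and skip rules described above can be modelled to see which approval tasks a given request produces, and which combinations of disabled rounds, non-critical roles and self-approval leave a request with no approver at all. This is an added example, not CzechIdM code: the class, field and function names and the sample users are hypothetical, and it assumes that a round is skipped whenever the applicant is among that round's approvers.

```python
from dataclasses import dataclass

@dataclass
class Config:            # hypothetical stand-in for the application configuration
    enabled: set         # which of rounds 1, 2, 3, 5 are turned on
    groups: dict         # round number -> approver usernames (rounds 1, 2, 5)
    guarantees: dict     # critical role -> usernames of its role guarantees

@dataclass
class Request:
    applicant: str
    manager: str         # current manager of the target user (round 3)
    roles: list

def approval_plan(req, cfg):
    """Return the ordered (round, subject, approvers) tasks for one request."""
    plan = []
    for rnd in (1, 2, 3, 4, 5):
        if rnd == 4:
            # Round 4 splits into one task per role; a role without a
            # guarantee (non-critical) produces no task.
            for role in req.roles:
                approvers = cfg.guarantees.get(role, set())
                if approvers and req.applicant not in approvers:
                    plan.append((4, role, approvers))
            continue
        if rnd not in cfg.enabled:
            continue     # round turned off in configuration
        approvers = {req.manager} if rnd == 3 else cfg.groups.get(rnd, set())
        if req.applicant in approvers:
            continue     # assumption: applicant among approvers -> round skipped
        plan.append((rnd, "whole request", approvers))
    return plan

def unreviewed(req, cfg):
    """True when the request would be applied without any approval task."""
    return not approval_plan(req, cfg)

# Constructed sample data, not taken from a real deployment.
GUARANTEES = {"erp-admin": {"gina"}}
FULL = Config({3, 5}, {5: {"sec1", "sec2"}}, GUARANTEES)
MANAGER_ONLY = Config({3}, {}, GUARANTEES)   # the article's "only round #3" setup

if __name__ == "__main__":
    by_user = Request("alice", "bob", ["erp-admin", "wiki-reader"])
    by_manager = Request("bob", "bob", ["wiki-reader"])
    for rnd, subject, who in approval_plan(by_user, FULL):
        print(f"round #{rnd}: {subject} -> {sorted(who)}")
    print("no approver at all:", unreviewed(by_manager, MANAGER_ONLY))
```

Running `unreviewed` over the real role catalogue and round configuration is a quick way to list the requests that would pass without an independent approver.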
More details about role approval in CzechIdM can be found in the Administrator’s guide. If you have any questions or comments, feel free to comment on Redmine or GitHub, or email me at firstname.lastname@example.org. Also join our Google group to keep in touch with CzechIdM news.