Roles in CzechIdM – who approves their assigning?

An identity manager helps with privilege management. It handles tasks such as keeping a record of roles and distributing them, or assigning roles to users. Another benefit of an identity manager is that role assignment can usually be driven by workflow and user tasks. This article explains how that works in CzechIdM.

Role entity

CzechIdM is an RBAC identity manager, which means that CzechIdM restricts a user's access to managed systems through sets of permissions. In CzechIdM every permission or set of permissions (whether in CzechIdM itself or in a managed system) is represented by an entity called Role. From the CzechIdM point of view there is no difference between a user having a specific right in a managed system, being a member of a group of users (AD/LDAP) or having an account with basic access: it is always a role that represents it in CzechIdM.

This paradigm is effective and easy to understand. It allows the IdM to apply general rules for role management and distribution, such as automatic roles, role request approval, synchronization and provisioning.

Role approval

Access to resources managed by an identity manager should always be subject to approval. The question is always who approves it, and what happens if the approval is done in several rounds?

CzechIdM offers a standard approval workflow for role assignment.

Role change request

When somebody (a user, an administrator or the user's manager) asks for a role change, CzechIdM processes this wish as a request. This request is subject to approval. The standard workflow has several consecutive rounds:

  1. Helpdesk
  2. User manager
  3. Manager
  4. Role defined approval
  5. Security

#1 Helpdesk and #2 User manager are groups of users, each defined in the CzechIdM configuration. #3 Manager is the current manager of the user, determined by their contracted position. #5 Security is again a group of users defined in the application. All of these steps can be turned off in the application configuration, so you can, for example, set up the IdM so that roles are approved only in round #3 (Manager) and all other rounds are skipped.

Round #4 is a little more complex.

Role defined approval

When the approval workflow gets to round #4, it is divided into approval tasks, one per role in the request. So if there were 4 roles in a request to be assigned to the user, in this round every role is approved separately.

This principle allows us to apply an approval mechanism specific to every role. In other words, in CzechIdM you can specify the approval of every role individually. Let's say you have 2 types of roles:

  • critical – the role guarantee approves its assignment to users
  • non-critical – no one approves its assignment to users

In the example above only critical roles are approved in round #4.

Request resolution

When all tasks in round #4 are resolved (either approved or denied), the request is processed again as a whole in round #5. When security approves the request, all changes in the request are applied and the user is notified about the change.

Enhanced approval

The approval task has several improvements:

  • If the applicant is the same user who approves the request, the round is automatically skipped. The user need not be bothered.
  • Every one of rounds 1-3 and 5 can be turned off in the application configuration.
  • Approvers in rounds 1-3 and 5 can return the request to the applicant with a demand for a change in the request, e.g. “I won’t approve it unless you add a text justification of the request”.
  • The standard approval workflow (like any other workflow) can be rewritten or replaced by a new one.
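To make the five rounds, the per-role split in round #4 and the improvements above concrete, here is a small Python model of the approval flow described in this article. It is an added example, not CzechIdM code and not the product's workflow definition: the group names, the role guarantee, the request fields, the `sample_policy` stand-in for human approvers and the choice that per-role denials in round #4 simply drop those roles before round #5 are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

APPROVE, DENY, RETURN = "approve", "deny", "return"


@dataclass
class RoleDef:
    name: str
    critical: bool = False           # critical roles are approved per role in round 4
    guarantee: Optional[str] = None  # the role guarantee who approves a critical role


@dataclass
class Config:
    helpdesk: set        # round 1: group of users defined in configuration
    user_managers: set   # round 2: group of users defined in configuration
    security: set        # round 5: group of users defined in configuration
    manager_of: dict     # round 3: user -> current manager from the contracted position
    enabled_rounds: set = field(default_factory=lambda: {1, 2, 3, 5})


@dataclass
class Request:
    applicant: str
    user: str            # the user whose roles should change
    roles: list          # requested role names
    justification: str = ""
    log: list = field(default_factory=list)


# Stand-in for the human user task: (round, approvers, subject, request) -> (approver, decision)
Decide = Callable[[int, set, str, Request], tuple]


def group_round(n: int, approvers: set, req: Request, cfg: Config, decide: Decide) -> str:
    """Rounds 1, 2, 3 and 5 handle the request as a whole. A round is skipped when it is
    turned off in configuration or when the applicant would be approving their own request."""
    if n not in cfg.enabled_rounds:
        req.log.append(f"round {n}: disabled")
        return APPROVE
    if approvers == {req.applicant}:
        req.log.append(f"round {n}: skipped, applicant {req.applicant} would approve own request")
        return APPROVE
    who, decision = decide(n, approvers, f"request for {req.user}", req)
    req.log.append(f"round {n}: {who} -> {decision}")
    return decision


def role_round(req: Request, roles: dict, decide: Decide) -> tuple:
    """Round 4: one approval task per role. Non-critical roles pass without approval,
    critical roles need their guarantee (skipped when the guarantee is the applicant)."""
    approved, denied = [], []
    for name in req.roles:
        rd = roles[name]
        if not rd.critical:
            req.log.append(f"round 4: {name} non-critical, no approval needed")
            approved.append(name)
        elif rd.guarantee == req.applicant:
            req.log.append(f"round 4: {name} guarantee is the applicant, skipped")
            approved.append(name)
        else:
            who, decision = decide(4, {rd.guarantee}, f"role {name}", req)
            req.log.append(f"round 4: {name} {who} -> {decision}")
            (approved if decision == APPROVE else denied).append(name)
    return approved, denied


def process(req: Request, cfg: Config, roles: dict, decide: Decide) -> tuple:
    """Run the request through rounds 1-5. Returns (outcome, roles to apply)."""
    for n, approvers in ((1, cfg.helpdesk), (2, cfg.user_managers), (3, {cfg.manager_of[req.user]})):
        outcome = group_round(n, approvers, req, cfg, decide)
        if outcome != APPROVE:
            return outcome, []
    approved, denied = role_round(req, roles, decide)
    # Assumption: roles denied in round 4 are dropped; the rest continue to security as a whole.
    if not approved:
        return DENY, []
    req.roles = approved
    outcome = group_round(5, cfg.security, req, cfg, decide)
    return (APPROVE, approved) if outcome == APPROVE else (outcome, [])


def sample_policy(n: int, approvers: set, subject: str, req: Request) -> tuple:
    """Constructed approver behaviour: helpdesk returns a request that has no justification,
    everyone else approves. In a real deployment these decisions come from people working tasks."""
    who = sorted(approvers)[0]
    if n == 1 and not req.justification:
        return who, RETURN
    return who, APPROVE


def demo() -> dict:
    """Three constructed requests: returned by helpdesk, fully approved, and manager self-skip."""
    cfg = Config(helpdesk={"helpdesk"}, user_managers={"usermgr"}, security={"secofficer"},
                 manager_of={"alice": "bob"}, enabled_rounds={1, 3, 5})   # round 2 turned off
    roles = {"vpn": RoleDef("vpn"),
             "prod-db-admin": RoleDef("prod-db-admin", critical=True, guarantee="dba-lead")}
    r1 = Request(applicant="alice", user="alice", roles=["vpn", "prod-db-admin"])
    r2 = Request(applicant="alice", user="alice", roles=["vpn", "prod-db-admin"],
                 justification="on-call rotation")
    r3 = Request(applicant="bob", user="alice", roles=["vpn"], justification="new project")
    return {"returned": process(r1, cfg, roles, sample_policy),
            "approved": process(r2, cfg, roles, sample_policy),
            "manager_self": process(r3, cfg, roles, sample_policy),
            "logs": [r1.log, r2.log, r3.log]}
```

Running `demo()` shows the three behaviours the article describes: the first request is returned to the applicant by helpdesk because it carries no justification, the second passes every enabled round (round 2 is logged as disabled, `prod-db-admin` is approved separately by its guarantee in round 4), and the third skips round 3 because the applicant is the target user's manager and would otherwise approve their own request.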

Read more

More details about role approval in CzechIdM can be found in the Administrator’s guide. If you have any questions or comments, feel free to comment on redmine or github, or email me on Also join our google group to keep in touch with CzechIdM news.

About Marcel Poul

Head of IdM project delivery at BCV solutions. He has worked in identity management for more than 8 years. He delivers IdM projects for customers in public administration, private companies and large multinational corporations. At BCV solutions he also works on analysing customer needs and on developing the CzechIdM software product.
