Role Inheritance
In some organizations, business roles or IT roles can be efficiently modeled using an inheritance-based role structure.

Business roles can be modeled with inheritance when a set of business roles can be defined by increasingly specific criteria. Consider a Help Desk team made up of three support levels (business roles). Each higher numbered level may be able to do all the same activities as the lower numbered group(s) but also have extra tasks that the lower numbered groups do not do.
For example:
Help Desk Level 1
  - Answer calls, troubleshoot basic issues
  - Route complex problems to Level 2
Help Desk Level 2
  - Diagnose problems routed from Level 1
  - Refer problems not resolved within 24 hours to Level 3
  - Answer calls and engage in basic troubleshooting when time available
Help Desk Level 3
  - Resolve problems referred from Level 2
  - Assist with Level 2 issues when time available
  - Answer calls and engage in basic troubleshooting when time available
Perhaps the organization is structured so that all Help Desk personnel are assigned to the Department “Help Desk”. Additionally, all Level 2 and Level 3 Help Desk personnel are in the Denver location (while Level 1 personnel are not). Further, Level 3 personnel must hold the job title “Senior Engineer.”
These increasingly specific shared attributes can be used to create the assignment rules for each of the inherited roles. When IdentityIQ applies the assignment rules to an inherited role structure, the role assigned to each Identity is the deepest one in the inheritance hierarchy that applies.
When the assignment rules run, Identities are assigned to only one of the roles in an inheritance structure. Only the most specific role – the deepest level in the hierarchy – that applies to the Identity is assigned. In other words, if an Identity’s attributes meet the criteria for Level 1 and Level 2, Level 2 is assigned; if they match all three Levels’ criteria, Level 3 is assigned.

IT roles are modeled with inheritance when entitlement access for one set of Identities is a superset of the access granted to another set of Identities. For example, perhaps all Engineering users have access to the bug tracking system and project planning tool, but only Developers have access to the version control system. The Developer IT role could inherit from the Engineering IT role.
Detection of IT roles in an inheritance structure operates on the same basic premise as assignment of inheritance-based business roles: an Identity will have only one role in the hierarchy detected for it, and it will be the deepest one that applies to that Identity. In the Engineering example, an Identity that has the Developer IT role detected for it will not also have the Engineering IT role detected. However, the Developer IT role is only detected if all entitlements for both roles are found on the Identity.
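The deepest-match behavior described above for both business role assignment and IT role detection can be modeled in a few lines. This is an added illustration, not IdentityIQ code or its API: the Role class, the function names, the attribute keys and the entitlement names are all assumptions, and the sample data is constructed from the Help Desk and Engineering examples.

```python
# Simplified model of deepest-match role selection; not IdentityIQ code or its API.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Role:
    name: str
    parent: Optional["Role"] = None                # role this one inherits from
    rule: Optional[Callable[[dict], bool]] = None  # business role: assignment rule
    entitlements: frozenset = frozenset()          # IT role: its own entitlements

    def chain(self):
        """Yield this role, then each role it inherits from."""
        role = self
        while role is not None:
            yield role
            role = role.parent

def depth(role):
    return sum(1 for _ in role.chain())

def assign_business_role(identity, roles):
    """Assign only the deepest role whose assignment rule matches the identity."""
    matches = [r for r in roles if r.rule and r.rule(identity)]
    return max(matches, key=depth, default=None)

def detect_it_role(held, roles):
    """Detect a role only if its own and all inherited entitlements are held."""
    def required(role):
        return frozenset().union(*(r.entitlements for r in role.chain()))
    matches = [r for r in roles if required(r) <= frozenset(held)]
    return max(matches, key=depth, default=None)

# Constructed sample data mirroring the examples in the text.
def in_help_desk(i):
    return i.get("department") == "Help Desk"

def in_denver(i):
    return in_help_desk(i) and i.get("location") == "Denver"

L1 = Role("Help Desk Level 1", rule=in_help_desk)
L2 = Role("Help Desk Level 2", L1, rule=in_denver)
L3 = Role("Help Desk Level 3", L2,
          rule=lambda i: in_denver(i) and i.get("title") == "Senior Engineer")
HELP_DESK = [L1, L2, L3]

ENGINEERING = Role("Engineering",
                   entitlements=frozenset({"bug-tracker", "project-planner"}))
DEVELOPER = Role("Developer", ENGINEERING,
                 entitlements=frozenset({"version-control"}))
IT_ROLES = [ENGINEERING, DEVELOPER]
```

In this model, an identity holding only the version-control entitlement gets no role detected at all, because the Developer role also requires the entitlements it inherits from Engineering.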
Limitations of Role Inheritance
It is important to note that if organizational roles are interspersed with business roles in a hierarchy, the organizational roles’ presence will disrupt the inheritance functionality. Inheritance of these traits only applies to roles of the same type that inherit from each other in a hierarchy that is not interrupted by other role types.
Direct inheritance of an IT role in a Business or Container role is not supported.