Skip to main content

Roles

Description

Soffid allows you to create roles to specify permissions that can be assigned to a user, a group, or an account. These permissions determine what operations are allowed on a resource. You can use roles to delegate access to users, applications, or services. The main goal is to achieve optimal security administration.

Roles can be defined at different levels:

  • Organizational permissions.
  • Application permissions.
  • Low-level permissions.

When needed, generic roles can be created. When such a role is granted to any user, it is converted into a specific role by specifying an organization unit, information system, or a specific value. So, for instance, a generic emergency coordinator role can be created. The master emergency coordinator will have this role granted for the whole organization, while a remote office emergency coordinator will have this role granted for his single unit.

Note that a role can belong to an information system with a defined role definition process.

Screen overview

image.png

image.png

  • Users : owner users of the accounts
  • Accounts : a role is granted to a user throght an account
  • Agents : the target system owner of the role
  • Roles : a role can be inherited from another role
  • Groups : a role can be inherited from a group
  • Role assignment rules :  a role can be inherited from a rule
  • Information systems : where the roles are gathered
  • BPM editor : roles and information system need to be BPM enabled to be menaged on worlkflows
  • Scheduled tasks : the roles can managed from the reconcile process

Standard attributes

Role detail

  • Name: name used to identify the role
  • Description: detailed role description.
  • System: information storage system from a technical point of view (active directory, database, CSV, ...).
  • Category: this attribute can be used as a label to define the type of group, its use, or any other distinction you consider useful.
  • Information system: asset or application, from a functional point of view, on which the permissions are granted or revoked.
  • Domain type: you can set a limitation of the role scope  by selecting the domain. Initially, there are two domains defined, Groups and Information Systems. Soffid allows you to add more domains. (*1) (*2)
  • BPM enabled: if you check this option (value selected is Yes) this role will be available in the Permissions management workflows.
  • External id: new attribute in Soffid 4 to keep a record of the unique identifier of the object in the final system (useful for synchronisation and renaming).
  • Approval start: at this date, Soffid will connect to the system and will assign the role. If there is no approval start, it will be assigned at the moment.
  • Apploval end: at this date, Soffid will connect to the system and will revoke the role.
  • Created: account creation date.
  • Last change: last modified.
  • Created by: user who created the account
  • Updated by: last user who updated the account
Domain example (*1)

First, you can define the scope for one specific Role, for instance, you define role manager in Soffid System, with the scope Groups:

image.png


Then, you can assign this role to one or more users. To do this you must indicate the scope (can be one or more scoped):

image.png


So the user will have the role in the scopes indicated:

image.png


If you try to assign the role without domain, this error will be displayed:

image.png


Domain example (*2)

You can define the scope for one specific Role, for instance, you define role manager in Soffid System, with the scope Information Systems:

image.png


Then, you can assign this role to one or more users.

image.png


To do this you must indicate the scope (can be one or more scoped):

image.png

image.png

So the user will have the role in the scopes indicated:

image.png


If you try to assign the role without domain, this error will be displayed:

image.png


Granted roles

On the granted roles tab, you can assign the privileges of this role to another role in another system.

  • Role: (parent) name used to identify the role.
  • Database: (parent) agent of the target system owner of the role
  • Domain: (parent) domian type of the role
  • Role: (child) name used to identify the role.
  • Database:(child) agent of the target system owner of the role
  • Domain:(child) domian type of the role
  • Mandatory: the roles with this flag checked will be displayed in the user's effective roles tab
Assign privileges

To assign privileges you should click the button with the "Add new" button, then select the target role, the domain values when necessary, and click the finish button. At this point the record will be added to the list. 

Now you can check or uncheck the mandatory field.

  • Mandatory:  the roles with this flag checked will be displayed in the user's effective roles tab.
  • No Mandatory: roles with this flag unchecked will be displayed in the user's roles tab and can be managed. It is not automatically assigned to users who already had the parent role.

And finally, you should click the Apply changes button to save the changes. With this operation, all the permissions of this will be assigned to the target role.

💻 Image

image.png

💻 Image

This role belong to an Information System with a defined Role definition process. 

  1. This assignation is pending to approve
  2. This deletion is pending to approve

image.png

Revoke permissions

If you want to revoke permissions,  you must select one or more records from the list and click the "Delete granted role" button and then click the "Apply changes" button to save the changes.

💻 Image

image.png

Preview changes

In addition, you can check the preview changes, it display information about the action, the user or account, and the role or domain, and you can apply them.

💻 Image

image.png

Grantee roles

On the grantee roles tab, you can assign the privileges of a role of any other system to this role.

  • Role: (parent) name used to identify the role.
  • Database: (parent) agent of the target system owner of the role
  • Domain: (parent) domian type of the role
  • Role: (child) name used to identify the role.
  • Database:(child) agent of the target system owner of the role
  • Domain:(child) domian type of the role
  • Mandatory: the roles with this flag checked will be displayed in the user's effective roles tab
Assign privileges

To assign privileges you should click the button with the add (+) symbol, then select the source role, the domain values when necessary, and click the finish button. At this point the record will be added to the list. 

Now you can check or uncheck the mandatory field.

  • Mandatory:  the roles with this flag checked will be displayed in the user's effective roles tab.
  • No Mandatory: roles with this flag unchecked will be displayed in the user's roles tab and can be managed. It is not automatically assigned to users who already had the parent role.

And finally, you should click the Apply changes button to save the changes. With this operation, all the permissions of this will be assigned to the target role.

Image

image.png

💻 Image

This role belong to an Information System with a defined Role definition process. 

  1. This assignation is pending to approve
  2. This deletion is pending to approve

image.png

Revoke permissions

If you want to revoke permissions,  you must select one or more records from the list and click the button with the subtraction symbol (-) click the Apply changes button to save the changes.

Preview changes

In addition, you can check the preview changes, it display information about the action, the user or account, and the role or domain, and you can apply them.

Grantee groups

On the grantee groups tab, you can assign the privileges from a specific group to this role, or revoke the privileges.

  • Group: (parent) name of the group.
  • Role: (child) name used to identify the role.
  • Database:(child) agent of the target system owner of the role
  • Domain:(child) domian type of the role
  • Mandatory: the roles with this flag checked will be displayed in the user's effective roles tab
Assign privileges

To assign privileges you must click the button with the "Add new" button, then select the group, finish, and apply changes. Thus, the roles indicated, in the corresponding system, will be assigned to all users belonging to this group.

Now you can check or uncheck the mandatory field.

  • Mandatory:  the roles with this flag checked will be displayed in the user's effective roles tab.
  • No Mandatory: roles with this flag unchecked will be displayed in the user's roles tab and can be managed. It is not automatically assigned to users who already had the parent role.

And finally, you should click the "Apply changes" button to save the changes. With this operation, all the permissions of this will be assigned to the target role.

💻 Image

image.png

Revoke permissions

If you want to revoke permissions,  you must select one or more records from the list and click the "Delete granted role" button and click the "Apply changes" button to save the changes.

Preview changes

In addition, you can check the preview changes, it display information about the action, the user or account, and the role or domain, and you can apply them.

Users

On the users tab, you can assign or revoke roles. To assign a role you must click the button with the "Add new" and choose one or more users, fill the scope when it is mandatory, and set membership properties. Each role needs an account to be applied to, so, if a user has no account on a system and a role on that system is granted, a new account will be created on this system. In case a user has more than one account on a system, you should indicate which of the suitable accounts will be granted the role.

It is also possible to revoke roles to the user from the entitlement details or by selecting one or more records from the list and clicking the "Delete user" button.

The users with the role assigned by rules will be displayed with different colors. Soffid does not allow to revoke roles, on that page, that were assigned by rules. 

Additionally, you can download a CSV file with the basic users data.

Attributes:

  • Account: account owner of the role
  • Description: description of the account (usually the user full name).
  • Start date: at this date, Soffid will connect to the system and will assign the role. If there is no approval start, it will be assigned at the moment.
  • End date: at this date, Soffid will connect to the system and will revoke the role.
  • Domain value: domain value of the granted role
  • Domain description: domain type of the granted role
  • Risk: risk related with SoD rules
  • Category: this attribute can be used as a label to define the type of group, its use, or any other distinction you consider useful.
  • Recertification: date of the last recertification
  • Holder group: holder group of the granted role
💻 Image

image.png


1) This assignation is pending to approve

2) This deletion is pending to approve

3) This assignation is by an assignment rule

Role assignment rules

You can consult the Role assignment rules related to this role.

  • Name: name of the role assignment rule
  • Description: decription of the role assignment rule
💻 Image

image.png

For more information, you can visit the Role assignment rules page.

Actions

Roles table

"Query buttons"

Allows you to query roles through different search systems, Quick, Basic and Advanced.

"Table filter"

It allows you to filter a column in the table based on the results loaded in it.

Add new

Allows you to add a new role in the system. 

To add a new role it will be mandatory to fill in the required fields

Delete role

Allows you to remove one or more roles by selecting one or more records and next clicking this button.

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

Download CSV file

Allows you to download a csv file with the basic roles data.

Import

Allows you to upload a CSV file with the role list to add or update roles to Soffid.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button.

Bulk actions

Allows massive operations to be performed on all system roles.  With that operation, updates can be made to any of the role's parameters. First of all, you must select the records that you want to update, once you have selected them, you must choose the bulk action on the hamburger icon. For more information visit the Bulk action page.

Role details

Apply changes (disk button)

Allows you to apply the pending changes.

Delete role

Allows you to delete a role. You can choose that option on the hamburger icon.

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.
Expand all Displays all the attributes of the different blocks.
Collapse all Hide all attributes of the different blocks.
"Types of views" Change the view type: Classic view, Modern view, Compact design.

Preview changes

Shows the pending changes on users or accounts.  Soffid displays the information about the user or accounts, the action and de Role. You can choose if you want to apply the changes, or close the previer changes window.

Undo

Allows you to quit without applying any changes.

Apply changes

Allows you to apply the pending changes.
Granted roles

Add new

Allows you to add a new granted role. To add a granted role, first you need to click the "Add new" button. Second, you need to write or search for a role. Once you have selected the role, if it is necessary, the next step will be to set the scope. Then, you need to finish the process. And finally, you need to apply changes.

Delete granted role

Allows you to delete one or more granted roles.

To delete you need to select the records and then click this button.

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

And finally, you need to apply changes.

Download CSV file

Allows you to download a CSV file with the granted roles. 
View

Allows you to add or remove columns to the table.

It is also possible to change the order of the columns.

Preview changes

Shows the pending changes on users or accounts.  Soffid displays the information about the user or accounts, the action and de Role. You can choose if you want to apply the changes, or close the previer changes window.

Undo

Allows you to quit without applying any changes.

Apply changes

Allows you to apply the pending changes.
Grantee roles

Add new

Allows you to add a new grantee role. To add a grantee role, first you need to click the "Add new" button. Second, you need to write or search for a role. Once you have selected the role, if it is necessary, the next step will be to set the source scope and the scope. Then, you need to finish the process. And finally, you need to apply changes.

Delete granted role

Allows you to delete one or more grantee roles.

To delete you need to select the records and then click this button.

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

And finally, you need to apply changes.

Download CSV file

Allows you to download a CSV file with the grantee roles. 
View

Allows you to add or remove columns to the table.

It is also possible to change the order of the columns.

Preview changes

Shows the pending changes on users or accounts.  Soffid displays the information about the user or accounts, the action and de Role. You can choose if you want to apply the changes, or close the previer changes window.

Undo

Allows you to quit without applying any changes.

Apply changes

Allows you to apply the pending changes.
Grantee groups 

Add new

Allows you to add a new grantee group. To add a grantee group, first you need to click the "Add new" button. Second, you need to write or search for a group. Once you have selected the group, if it is necessary, the next step will be to set the scope. Then, you need to finish the process. And finally, you need to apply changes.

Delete grantee group

Allows you to delete one or more grantee groups.

To delete you need to select the records and then click this button.

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

And finally, you need to apply changes.

Preview changes

Shows the pending changes on users or accounts.  Soffid displays the information about the user or accounts, the action and de Role. You can choose if you want to apply the changes, or close the previer changes window.

Undo

Allows you to quit without applying any changes.

Apply changes

Allows you to apply the pending changes.
Users

Add new

Allows you to add users or accounts to assign the role. To add users or accounts, fist of all, you need to click the "Add new" button. Second, you need to search the users and/or accounts and select the users and/or accounts you want to add. Once you have selected the users and/or accounts, if it is necessary, the next step will be to set the scope. Then you need to fill in the membership properties and finish the process. Finally, you need to apply changes.

Delete user

Allows you to delete one or more users and/or accounts, that is, Soffid will revoke the role.

To delete one, you can select the record and click this button.

To delete more at the same time, you need to select the records and then click this button.

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

And finally, you need to apply changes.

Download CSV file

Allows you to download a CSV file with all the information about users. 

Import

Allows you to upload a CSV file with the user list to assign permission.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button.
View

Allows you to add or remove columns to the table.

It is also possible to change the order of the columns.

Preview changes

Shows the pending changes on users or accounts.  Soffid displays the information about the user or accounts, the action and de Role. You can choose if you want to apply the changes, or close the previer changes window.

Undo

Allows you to quit without applying any changes.

Apply changes

Allows you to apply the pending changes.

Back to top