deny roles

Does RBAC in OneIM support deny assignments or roles? We need this concept for one of our clients.

A normal role defines a set of resources allowed, while a deny role would define a set of actions that are not allowed, or a set of deny resources.

Deny roles should take precedence over normal role assignments.

Have you ever done a development with this type of roles?

Regards

  • An example as a clarification of what we want to achieve:

    • Role A gives access to resources R1, R2, R3
    • Role B denies access to resource R2
    One person with roles A and B should have access to R1, R3
    Is it possible to get this type of denial role?
    Regards,
  • One Identity Manager does not support explicit deny roles. I personally feel that this is an error-prone concept that leads to many misunderstandings and service calls in customer projects and adds a lot of complexity to the access reporting in the end.

    OneIM supports the concept of exclusions between roles, category-based inheritance and some other ways to help you to solve your business problem.

  • Markus, Thanks for your answer

    Personally I have the same opinion as you, but our client demands this concept that other systems have (I have seen it in Azure). It's about managing exceptions or exclusions not between roles, but between users. In my example: maybe 1000 users have role A, but only 10 of them do not need R2 (they usually work with roles with a large number of resources and users and small exceptions like this).

  • In those cases, I advise to either build two roles: one Role A with R1 and R3 and another one (Role B) with R2, and assign both roles where they fit. Another option would be to automatically assign only Role A and let Role B (or R2 directly) be requested via the shop.

    There are many options in OneIM, but deny roles are not one of them (for a reason).
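As an added illustration (not from this thread or from One Identity), the two models placed side by side: the deny-role semantics the question asks for, and the split-role workaround suggested above, checked against each other over the 1000-users / 10-exceptions case from the thread. Role names, user ids and the resource sets are constructed for the example.

```python
from typing import Dict, Set

# Constructed data reproducing the thread's example: allow role A grants R1..R3,
# a hypothetical deny role B (not a OneIM feature) removes R2 for 10 of 1000 users.
ALLOW_ROLES: Dict[str, Set[str]] = {"A": {"R1", "R2", "R3"}}
DENY_ROLES: Dict[str, Set[str]] = {"B": {"R2"}}
USERS = [f"user{i:04d}" for i in range(1000)]
EXCEPTION_USERS = set(USERS[:10])  # the 10 users who must not get R2


def effective_with_deny(user: str) -> Set[str]:
    """Deny-role model (what the client asked for): a deny always wins over an allow."""
    roles = {"A"} | ({"B"} if user in EXCEPTION_USERS else set())
    allowed = set().union(*(ALLOW_ROLES.get(r, set()) for r in roles))
    denied = set().union(*(DENY_ROLES.get(r, set()) for r in roles))
    return allowed - denied


def split_role(role: str, excluded: Set[str]) -> Dict[str, Set[str]]:
    """Workaround from the thread: split one allow role into two positive-only roles.

    The base role holds everything except the excluded resources; the extra role
    holds exactly the excluded ones, so it can be withheld from the exception users
    (or requested via the shop) without any deny semantics.
    """
    resources = ALLOW_ROLES[role]
    return {f"{role}_base": resources - excluded, f"{role}_extra": resources & excluded}


def effective_positive_only(user: str, split: Dict[str, Set[str]]) -> Set[str]:
    """Positive-only model: everyone gets the base role, non-exception users also the extra."""
    roles = {"A_base"} | (set() if user in EXCEPTION_USERS else {"A_extra"})
    return set().union(*(split[r] for r in roles))


def models_agree() -> bool:
    """True when both models yield the same effective access for every user."""
    split = split_role("A", DENY_ROLES["B"])
    return all(effective_with_deny(u) == effective_positive_only(u, split) for u in USERS)


if __name__ == "__main__":
    print("split roles:", split_role("A", DENY_ROLES["B"]))
    print("models agree for all users:", models_agree())
```

The positive-only decomposition also makes access reporting direct: a user's effective access is the union of the roles they hold, with nothing to subtract.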