Attributing permissions from the same permissions group


Article ID: 207628


Products

CA Identity Suite

Issue/Introduction

The CA Identity Manager (IM) Product Documentation states "Permission can be grouped in a group of permissions. Grouping permissions together means they are mutually exclusive (only one can be selected during access request). The target user (that is, the user for whom the request is made for) may have only one of those permissions."

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-3/administrating/administrating-ca-identity-portal/ca-identity-portal-administration/about-modules/access-rights.html

How does this work in practice? Does this mean that permissions are restricted?

 

Environment

Release : 14.3

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

If permissions are assigned via a group, only one item from that group can be selected. However, permissions that exist outside of the group can be selected as well.

This needs some consideration when developing your permissions catalog.  Where only one permission can be selected from a list, these permissions can be grouped.  If you need to select multiple permissions they should not be grouped.

For example:

You could group job titles together, as only one in the list can be applied at any given time,

i.e. Doctor, Nurse, Health Care Assistant,

or Employment Status,

i.e. Full-Time, Part-Time.

You would not group items where more than one could apply.

For example: System Roles, where one user might occupy more than one function,

i.e. System Administrator, HR User, Backup Operator, Accounts User, Print Operator, Firewall Administrator, etc.
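The grouping rule can be checked against planned assignments before a catalog is built. The following Python is an added example, not CA Identity Portal code or its API; the catalog dictionaries, user names and function names are constructed for illustration and model only the rule described above (at most one permission per group, ungrouped permissions unrestricted).

```python
from collections import defaultdict

# Constructed sample catalog: permission -> permission group (None = not grouped).
CATALOG = {
    "Doctor": "Job Title",
    "Nurse": "Job Title",
    "Health Care Assistant": "Job Title",
    "Full-Time": "Employment Status",
    "Part-Time": "Employment Status",
    "System Administrator": None,
    "HR User": None,
    "Backup Operator": None,
}

# Constructed mis-designed variant: system roles wrongly placed in one group.
BAD_CATALOG = {
    **CATALOG,
    "System Administrator": "System Roles",
    "HR User": "System Roles",
    "Backup Operator": "System Roles",
}

# Constructed planning data: permissions each target user must end up holding.
REQUIRED = {
    "alice": ["Doctor", "Full-Time", "System Administrator", "Backup Operator"],
    "bob": ["Nurse", "Part-Time", "HR User"],
}


def group_violations(catalog, selection):
    """Return {group: [permissions]} for each group with more than one selected member."""
    unknown = sorted(set(selection) - set(catalog))
    if unknown:
        raise ValueError(f"not in catalog: {unknown}")
    by_group = defaultdict(set)
    for perm in selection:
        group = catalog[perm]
        if group is not None:  # ungrouped permissions never conflict
            by_group[group].add(perm)
    return {g: sorted(p) for g, p in by_group.items() if len(p) > 1}


def groups_to_review(catalog, required):
    """Return {group: [users]} for groups that cannot hold what a user needs."""
    flagged = defaultdict(list)
    for user, perms in sorted(required.items()):
        for group in group_violations(catalog, perms):
            flagged[group].append(user)
    return dict(flagged)
```

Any group returned by `groups_to_review` contains permissions that at least one user needs to hold together, so those permissions should not be grouped.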

 

Below are some examples of how this would look in the different IP Views.

 

Portal View

 

Catalog configuration.

 
