Managing permissions


Applies To: Forefront Identity Manager

Permissions provide the link between the BHOLD Core role model and the applications that actually enforce role-based access control (RBAC). That is, BHOLD Core defines and gives structure to roles and the users who belong to those roles, and permissions then tell an application what users should be allowed to do based on those roles. Permissions are descriptive, rather than prescriptive. It is the responsibility of the application to translate the permission into the application’s own access controls. For more information about applications in BHOLD, see Managing applications in this guide.

It’s important to remember that in RBAC, permissions are associated with users only by linking them to roles that the user is assigned to. For more information, see Managing roles and Managing users in this guide.

All activities in this topic require the BHOLD Core portal. For information about using the BHOLD Core portal to administer BHOLD Core, see Using the BHOLD Core portal in this guide.

The following are the basic tasks for managing permissions:

  • Creating a permission

  • Managing permission attributes

  • Managing incompatible permissions (SoD)

  • Managing permission supervisors

  • Managing context adaptable permissions

  • Limiting roles and users

  • Removing a permission

Creating a permission

Just as users and organizational units (orgunits) must exist in an orgunit, a permission must be associated with an application and so is created in the context of an application.

To create a permission

  1. In the BHOLD Core portal, in the left pane, click Applications.

  2. On the Applications page, click the application you want to add a permission for.

  3. On the Application/<application> page, expand Permissions, and then click Modify.

  4. On the Application–permissions/<application> page, under Add permission, enter the following information, and then click Add.

    Permission (required)
      The name of the permission.

    Description (optional)
      A descriptive name for the permission. The description appears as the name of the permission in the BHOLD Core portal. If you do not provide a description, then by default the name provided in Permission is used as the descriptive name.

    Orgunit context adaptable (optional)
      Select this check box if this permission will be a context-adaptable permission (CAP). If this check box is selected, this permission can only be linked to roles that are context adaptable. For more information, see Managing context adaptable permissions in this guide.

    Context formula under construction (optional)
      Indicates that the CAP formula is not yet complete. Select this to prevent the permission from being linked to a role while the CAP formula is still being defined. Important: You cannot select both the Orgunit context adaptable and the Context formula under construction check boxes when creating a permission. To designate a context-adaptable permission and to prevent it from being linked until the CAP formula is finished, set these two values after creating the permission. For more information, see Managing context adaptable permissions in this guide.

    Supervising role (required)
      To add a supervising role, in the Supervising role list, click the name of the role you want to supervise the permission.

    Maximum number of roles (optional)
      Type the maximum number of roles to which the permission can be linked. If this value is 0, no limit is placed on the number of roles that can be linked to the permission.

    Maximum number of users (optional)
      Type the maximum number of users to which the permission can be assigned. If this value is 0, no limit is placed on the number of users that can be assigned to the permission.
  5. Repeat the previous step to create additional permissions, and then click Done when you are finished.

Managing permission attributes

For an existing permission, you can modify the description, its status as a context adaptable permission (CAP), and the maximum number of roles or users that can be linked to the permission. For information about modifying other permission data, see Managing incompatible permissions (SoD), Managing permission supervisors, and Managing context adaptable permissions in this guide.

To modify permission attributes

  1. In the BHOLD Core portal, in the left pane, click Permissions.

  2. On the Permissions page, in the Application list, click the application whose permission you want to modify, in Search string, type the descriptive name of the permission you want to modify, and then click the Search button.

    Tip

    To list all permissions for the selected application, leave Search string empty when you click the Search button.

  3. Under Permissions, click the permission you want to modify.

  4. On the Permission/<permission> page, click Modify.

  5. On the Modify permission attributes/<permission> page, change the attributes you want to modify, and then click OK.

    Note

    You cannot change the context adaptable permission (CAP) status if the permission has a CAP formula defined.

Managing incompatible permissions (SoD)

Role-based access control (RBAC) makes it easier to implement the principle of separation of duties (SoD), which helps you ensure that users are not given privileges that are in conflict with your business rules and practices. For example, the principle of SoD would suggest that a user should not be able to submit a request for reimbursement and also be able to approve that same request.

In the case of BHOLD, you can enforce SoD by declaring that two permissions are incompatible with each other. Then, when you attempt to take an action that would allow a user to receive both permissions, BHOLD Core blocks that action. For example, if you designate two permissions, Request Submitter and Request Approver, as incompatible permissions, BHOLD Core does not allow you to link the permissions to the same role. Even if the permissions are linked to separate roles, BHOLD Core does not allow you to assign both roles to the same user or organizational unit.

To declare incompatible permissions

  1. In the BHOLD Core portal, in the left pane, click Permissions.

  2. On the Permissions page, in the Application list, click the application whose permission you want to modify, in Search string, type the descriptive name of the permission you want to modify, and then click the Search button.

    Tip

    To list all permissions for the selected application, leave Search string empty when you click the Search button.

  3. Under Permissions, click the permission you want to declare an incompatible permission for.

  4. On the Permission/<permission> page, expand Incompatible permissions, and then click Modify.

  5. On the Permission–Incompatible permissions/<permission> page, in Application, click the application whose permission you want to declare incompatible, in Search string, type the name of the permission, and then click the Search button.

  6. Under Permissions, next to the permission you want to declare incompatible, click Add.

  7. Repeat the previous step to declare additional permissions incompatible, and then click Done.

It is important to remember that permission incompatibility is not transitive. That is, if permission A is incompatible with permission B, and permission B is incompatible with permission C, permissions A and C are not incompatible unless they are explicitly declared to be incompatible.

Managing permission supervisors

Users who are assigned to a supervisor role for a permission are able to modify the attributes of the permission, to change the permission’s context-adaptable status and formula, to link roles to the permission, and to declare other permissions incompatible with the permission. Every permission must have at least one supervisor role. When a permission is created, it automatically receives the default supervisor role. You can assign additional supervisor roles to a permission to give other users the ability to manage the permission.

For more information about creating and managing roles, see Managing roles in this guide.

To assign a supervisor role to a permission

  1. In the BHOLD Core portal, in the left pane, click Permissions.

  2. On the Permissions page, in the Application list, click the application whose permission you want to modify, in Search string, type the descriptive name of the permission you want to modify, and then click the Search button.

    Tip

    To list all permissions for the selected application, leave Search string empty when you click the Search button.

  3. Under Permissions, click the permission to which you want to assign a supervisor role.

  4. On the Permission/<permission> page, expand Supervision, expand Supervisor roles, and then click Modify.

  5. On the Permission–Supervisors/<permission> page, in the Role list, click the supervisor role you want to assign to the permission, click Add, and then click Done.

Managing context adaptable permissions

By creating permissions that can be automatically modified based on an object attribute, you can reduce the total number of permissions you have to manage. Context adaptable permissions (CAPs) let you define a formula as a permission attribute that modifies how the permission is applied by the application associated with the permission. For example, you can create a formula that changes the access permission to a file folder based on whether a user belongs to an organizational unit (orgunit) containing full-time or contract employees. If the user is moved from one orgunit to another, the new permission is automatically applied and the old permission is deactivated. The CAP formula can query the values of attributes that have been applied to applications, permissions, orgunits, and users.

When you create a CAP, you must specify a context formula. This formula is used by the application to determine the context for which the permission is to be applied, and so the format of the formula is determined by the requirements of the application.

After you create a CAP, you can link it to a role that is configured to work with CAPs.

To create a context adaptable permission

  1. In the BHOLD Core portal, in the left pane, click Applications.

  2. On the Applications page, click the application for which you want to create a context adaptable permission.

  3. On the Application–permissions/<application> page, in Permission, type the name of the permission, in Description, type a descriptive name for the permission as it should appear in the BHOLD Core portal, and then select the Orgunit context adaptable check box.

    Note

    You can also add a supervising role or specify the maximum number of roles and users for the permission. For more information, see Creating a permission earlier in this topic.

  4. Click Add, and then click Done.

  5. In the left pane, click Permissions.

  6. On the Permissions page, in the Application list, click the application of the permission you just created, in Search string, type the descriptive name of the permission, click the Search button, and then, under Permissions, click the permission.

  7. On the Permission/<permission> page, click Modify.

  8. On the Modify permission attributes/<permission> page, select the Context formula under construction check box, and then click OK.

  9. On the Permission/<permission> page, expand Permission context params, and then click Modify.

  10. On the Permission–Permission parameters/<permission> page, in Order, type a number to specify the position of the parameter in the formula, and then do one of the following:

    • To specify a string parameter (such as a formula prefix indicating the permission name), type the parameter string in Text.

    • To specify an object type (such as Orgunit.bholdDescription to indicate the name of the context organizational unit), in the Object type list, click the object type.

  11. Click OK.

  12. Repeat the previous three steps to add additional context formula parameters, and then click Done when the formula is complete.

  13. To attach an object to the permission context, expand Permission context attachments, click Modify, in the Object type list, click the type of object you want to attach, click OK, and then click Done.

Before you can link a CAP to a role, the role must be configured to work with CAPs, and the CAP must be prepared to be linked.

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role you want to link to the CAP.

  3. On the Role/<role> page, if Orgunit context adaptable is set to No, click Modify, on the Modify role attributes/<role> page, select the Orgunit context adaptable check box, and then click OK.

  4. In the left pane, click Permissions.

  5. On the Permissions page, in the Application list, click the application of the CAP you want to link to a role, in Search string, type the descriptive name of the CAP (or leave it blank to list all of the permissions for the application), and then click the Search button.

  6. On the Permission/<permission> page, if Context formula under construction is set to Yes, click Modify, on the Modify permission attributes/<permission> page, clear the Context formula under construction check box, and then click OK.

  7. On the Permission/<permission> page, expand Roles, and then click Modify.

  8. On the Permission–Roles/<permission> page, in Attribute type, click Description, in Search string (Roles), type the name of the role you want to link to the CAP, and then click the Search button.

    Tip

    Leave Search string (Roles) empty to list all available roles that are orgunit context adaptable.

  9. Under UnLinked Roles, click Add next to the role you want to link to the CAP, and then click Done.

Limiting roles and users

One way to ensure that a permission is not being assigned inappropriately is to apply limits to the number of users or roles that the permission can be assigned to. That way you can make sure that errors in the implementation of features such as inheritance or attribute-based authorization (ABA) rules do not result in a permission being assigned to more users or roles than is desired. This limitation in the number of users or roles that a permission can be assigned to is known as cardinality. You can also apply the principles of cardinality to users (to limit the number of permissions or roles assigned to the user) and to roles (to limit the number of permissions and users the role can be assigned to).
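The following added example (not part of the BHOLD documentation) models the two checks this topic describes: the pairwise, non-transitive incompatibility rule from Managing incompatible permissions (SoD), and the maximum-users cardinality limit from this section. The permission names, roles, users and limits are constructed sample data.

```python
from itertools import combinations

# Constructed sample model. Incompatibilities are unordered pairs, because BHOLD
# declares them between two permissions at a time and never infers new pairs.
INCOMPATIBLE = {
    frozenset({"Request Submitter", "Request Approver"}),
    frozenset({"Request Approver", "Payment Releaser"}),
}
# Cardinality: maximum number of users a permission may reach; 0/absent = no limit.
MAX_USERS = {"Payment Releaser": 1}

def is_incompatible(p, q):
    """Only explicitly declared pairs conflict; the relation is not transitive."""
    return frozenset({p, q}) in INCOMPATIBLE

def has_conflict(perms):
    """True if any two permissions in the set are declared incompatible."""
    return any(is_incompatible(p, q) for p, q in combinations(sorted(perms), 2))

def role_conflicts(role_perms):
    """Roles that link two incompatible permissions (BHOLD blocks such a link)."""
    return sorted(role for role, perms in role_perms.items() if has_conflict(perms))

def effective_perms(user_roles, role_perms):
    """Permissions each user holds through all of the roles assigned to them."""
    return {user: set().union(*(role_perms[r] for r in roles))
            for user, roles in user_roles.items()}

def user_conflicts(user_roles, role_perms):
    """Users who would hold incompatible permissions via separate roles."""
    return sorted(user for user, perms in effective_perms(user_roles, role_perms).items()
                  if has_conflict(perms))

def cardinality_violations(user_roles, role_perms, max_users=MAX_USERS):
    """Permissions reaching more users than their Maximum number of users allows."""
    holders = {}
    for user, perms in effective_perms(user_roles, role_perms).items():
        for p in perms:
            holders.setdefault(p, set()).add(user)
    return sorted(p for p, users in holders.items()
                  if max_users.get(p, 0) and len(users) > max_users[p])

# Constructed sample role model.
ROLE_PERMS = {
    "Clerk": {"Request Submitter"},
    "Manager": {"Request Approver"},
    "Treasurer": {"Payment Releaser"},
    "Bad Role": {"Request Submitter", "Request Approver"},  # incompatible pair in one role
}
USER_ROLES = {
    "alice": ["Clerk", "Manager"],   # Submitter + Approver via two roles: SoD conflict
    "bob": ["Clerk", "Treasurer"],   # Submitter + Releaser: never declared, so allowed
    "carol": ["Treasurer"],          # second Releaser: exceeds the limit of 1
}
```

Run against this data, `bob` is not flagged even though Submitter conflicts with Approver and Approver with Releaser, which is exactly the non-transitivity the text warns about.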

To limit roles and users for a permission

  1. In the BHOLD Core portal, in the left pane, click Permissions.

  2. On the Permissions page, click the permission for which you want to manage cardinality.

  3. On the Permission/<permission> page, click Modify.

  4. In Maximum number of roles, type a number specifying the maximum number of roles you want to allow to be assigned to the permission, or leave blank to allow an unlimited number.

  5. In Maximum number of users, type a number specifying the maximum number of users you want to allow to be assigned to the permission, or leave blank to allow an unlimited number.

  6. Click OK, and then click Done.

Removing a permission

You can remove a permission from BHOLD Core only if it is not linked to a role.

To remove a permission

  1. In the BHOLD Core portal, in the left pane, click Permissions.

  2. On the Permissions page, in the Application list, click the application of the permission you want to remove, in Search string, type the name of the permission, and then click the Search button.

    Tip

    To list all permissions for the selected application, leave Search string empty when you click the Search button.

  3. On the Permission/<permission> page, click Remove, and then click OK.

    Note

    If Remove is not available, expand Roles, click Modify, and then click Remove next to each role.
