Although from a technical point of view the roles are arranged in repositories, from an organizational point of view they are grouped into applications or information systems. For each information system, the roles belonging to it and the list of information system owners are defined.
Assigning roles to user accounts can be done in four ways:
- Direct assignment of the role to a user account. In this case you can specify start and end dates, so that once the end date has passed the assignment is revoked from the managed system.
- Assignment to all members of a business unit.
- Assignment to all holders of another role, either in the same application and the same repository or in others.
- Assignment by rules that trigger the assignment based on user attributes.
To enforce the separation of duties principle, the system administrator can define information risk levels associated with a role or a set of roles. For each role or set of roles, you can assign a risk level of “Low”, “Medium”, or “Forbidden”.
If the risk level forbids a particular combination of roles, Soffid will not allow any user to obtain that combination of grants. However, there may be users who hold a forbidden combination of roles, as long as those grants were acquired before the rule existed. In this case the risk analysis reports allow you to track them.
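The four assignment paths and the risk-level check described above, as an added illustrative model rather than Soffid's own code or API: it resolves a user's effective roles (direct grants with validity dates, business unit membership, roles implied by other roles, attribute rules), refuses a new grant that would complete a “Forbidden” set, and lists users whose pre-existing grants already violate a rule. All role names, rules and users are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed model of Soffid-style role assignment and SoD risk levels (not Soffid's own API).
@dataclass
class User:
    name: str
    business_unit: str
    attributes: dict = field(default_factory=dict)
    direct: dict = field(default_factory=dict)  # role -> (start, end) or None for no expiry

RISK = {"Low": 0, "Medium": 1, "Forbidden": 2}

def effective_roles(user, today, unit_roles, role_implies, attribute_rules):
    """Resolve the four assignment paths into the set of roles in force on `today`."""
    roles = set()
    for role, window in user.direct.items():            # 1. direct, honouring the validity window
        if window is None or window[0] <= today <= window[1]:
            roles.add(role)
    roles |= unit_roles.get(user.business_unit, set())  # 2. membership of a business unit
    for attr, value, role in attribute_rules:           # 4. rule triggered by a user attribute
        if user.attributes.get(attr) == value:
            roles.add(role)
    pending = list(roles)                               # 3. holders of another role (transitive)
    while pending:
        new = role_implies.get(pending.pop(), set()) - roles
        roles |= new
        pending.extend(new)
    return roles

def risk_of(roles, sod_rules):  # highest level of any rule whose role set is fully held
    hits = [level for combo, level in sod_rules if combo <= roles]
    return max(hits, key=RISK.get, default="Low")

def can_grant(user, role, today, ctx, sod_rules):  # refuse only a Forbidden combination
    return risk_of(effective_roles(user, today, *ctx) | {role}, sod_rules) != "Forbidden"

def violations_report(users, today, ctx, sod_rules):  # pre-existing Forbidden combinations
    return [u.name for u in users if risk_of(effective_roles(u, today, *ctx), sod_rules) == "Forbidden"]

# Constructed sample data: one ERP application with a purchase/approval SoD rule.
TODAY = date(2024, 6, 1)
CTX = ({"finance": {"ERP_USER"}},                    # business unit -> roles
       {"AP_APPROVER": {"ERP_USER"}},                # role -> roles its holders also receive
       [("jobTitle", "Purchaser", "PO_CREATOR")])    # (attribute, value, role) rules
SOD_RULES = [({"PO_CREATOR", "AP_APPROVER"}, "Forbidden"), ({"ERP_USER", "ERP_ADMIN"}, "Medium")]
EXPIRED = (date(2020, 1, 1), date(2021, 12, 31))     # a direct grant whose end date has passed
USERS = [User("alice", "finance", {"jobTitle": "Purchaser"}),
         User("bob", "finance", direct={"AP_APPROVER": None, "PO_CREATOR": EXPIRED}),
         User("carol", "finance", direct={"AP_APPROVER": None, "PO_CREATOR": None})]
```

With this data, granting AP_APPROVER to alice is refused because her attribute-derived PO_CREATOR role would complete the forbidden pair, bob's expired PO_CREATOR grant no longer counts, and carol appears in the violations report.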