Soffid does not impose how functions and entitlements are distributed across the organization. Quite the opposite: Soffid defines a wide list of elementary functions that can be assigned to different Soffid roles. These assignments can be absolute or restricted to a certain scope. So, for example, the integrator can create a role that grants the ability to create and modify users from one business unit, but no capability even to see users outside that business unit.
This mechanism can also be used to prevent any user from creating or registering identities that are not present in an authoritative identity source.
This two-level authorization scheme allows the integrator to create high-level business roles backed by an underlying fine-grained permission scheme. Once these roles are defined, they can be assigned to users in a direct and easy way.
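The following is an added illustrative model of the two-level scheme described above (scoped elementary functions grouped into business roles, plus the authoritative-source check); it is example code written for this page, not Soffid's API, and the function names, role names, scope values and identity list are all constructed assumptions.

```python
"""Scoped elementary functions assigned to roles (illustrative model).

Added example, not Soffid code: elementary functions such as "user:create"
are granted to roles, either absolutely or restricted to a scope (here a
business unit). Business roles are just named bundles of such grants.
"""
from dataclasses import dataclass

ALL_SCOPES = "*"  # sentinel: an absolute (unrestricted) grant


@dataclass(frozen=True)
class Grant:
    function: str             # elementary function, e.g. "user:create"
    scope: str = ALL_SCOPES   # business unit the grant is limited to, or "*"


@dataclass
class Role:
    name: str
    grants: frozenset         # set of Grant


# Constructed sample catalogue of business roles built from elementary functions.
ROLES = {
    # Can create, modify and read users, but only inside the "sales" unit.
    "sales-user-admin": Role("sales-user-admin", frozenset({
        Grant("user:create", "sales"),
        Grant("user:modify", "sales"),
        Grant("user:read", "sales"),
    })),
    # Unrestricted read access across the whole organization.
    "global-auditor": Role("global-auditor", frozenset({Grant("user:read")})),
}

# Constructed authoritative identity source (think of an HR feed). Only
# identities present here may be registered as users.
AUTHORITATIVE_IDENTITIES = {"alice", "bob"}


def is_authorized(user_roles, function, target_unit):
    """True if any held role grants `function` on an object in `target_unit`.

    A grant applies when it is absolute ("*") or its scope equals the
    business unit of the managed object. Anything not granted is denied,
    so a scoped admin cannot even read users of another unit.
    """
    for role_name in user_roles:
        role = ROLES.get(role_name)
        if role is None:
            continue
        for g in role.grants:
            if g.function == function and g.scope in (ALL_SCOPES, target_unit):
                return True
    return False


def create_user(actor_roles, identity, business_unit):
    """Create a user, enforcing both the scope and the authoritative-source rule.

    Returns a short status string so the outcome is easy to check.
    """
    if not is_authorized(actor_roles, "user:create", business_unit):
        return "denied: out of scope"
    if identity not in AUTHORITATIVE_IDENTITIES:
        return "denied: not in authoritative source"
    return "created"


if __name__ == "__main__":
    print(create_user(["sales-user-admin"], "alice", "sales"))        # created
    print(create_user(["sales-user-admin"], "alice", "finance"))      # denied: out of scope
    print(create_user(["sales-user-admin"], "mallory", "sales"))      # denied: not in authoritative source
    print(is_authorized(["global-auditor"], "user:read", "finance"))  # True
```

Note that the scope check is applied to the managed object's business unit, not to the actor's own unit; that is what lets one role be reused for any unit by changing only the scope of its grants.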
Optionally, the XACML add-on can be installed. It allows the integrator to define access control rules based on the user's identity, location, the date and time, or the managed object.
The XACML add-on has a graphical interface that assists in creating these access control rules.
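To show how rules over identity, location, time and managed object combine, here is an added simplified model of XACML-style evaluation (rule targets plus a deny-overrides combining algorithm). It is example code written for this page, not the Soffid add-on or a real XACML engine; the attribute names, the use of a client IP range as the "location", the office network and the sample rules are all constructed assumptions.

```python
"""XACML-style rule evaluation (illustrative model, not the Soffid add-on).

Added example: each rule has a target predicate over the request's
attributes (subject roles, location as client IP, time of day, managed
object) and an effect. Rules are combined deny-overrides; a request that
matches no rule is NotApplicable, which the enforcement point treats as
a denial. Attribute names are hypothetical.
"""
from datetime import time
from ipaddress import ip_address, ip_network

OFFICE_NET = "10.0.0.0/8"  # constructed: the "office" location


def between(t, start, end):
    """True if time-of-day t lies in [start, end] (no midnight wrap)."""
    return start <= t <= end


def in_network(addr, cidr):
    return ip_address(addr) in ip_network(cidr)


# Constructed policy: list of (rule_id, effect, target predicate).
POLICY = [
    # Helpdesk may modify user objects only from the office network
    # during business hours.
    ("helpdesk-office-hours", "Permit", lambda r:
        "helpdesk" in r["roles"]
        and r["object_type"] == "user"
        and r["action"] == "modify"
        and in_network(r["client_ip"], OFFICE_NET)
        and between(r["time"], time(8, 0), time(18, 0))),
    # Privileged accounts are never managed from outside the office.
    ("no-remote-privileged", "Deny", lambda r:
        r["object_privileged"] and not in_network(r["client_ip"], OFFICE_NET)),
    # Security admins may act on user objects at any time and place.
    ("secadmin-all", "Permit", lambda r:
        "security-admin" in r["roles"] and r["object_type"] == "user"),
]


def evaluate(request):
    """Deny-overrides: a matching Deny wins; else Permit if any rule matches;
    else NotApplicable."""
    decision = "NotApplicable"
    for _rule_id, effect, target in POLICY:
        if target(request):
            if effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision


def enforce(request):
    """Policy enforcement point: only an explicit Permit allows the operation."""
    return evaluate(request) == "Permit"


def make_request(roles, client_ip, at, object_type="user",
                 action="modify", privileged=False):
    """Build a request from the attributes the rules look at."""
    return {"roles": set(roles), "client_ip": client_ip, "time": at,
            "object_type": object_type, "action": action,
            "object_privileged": privileged}


if __name__ == "__main__":
    print(evaluate(make_request(["helpdesk"], "10.1.2.3", time(10, 0))))        # Permit
    print(evaluate(make_request(["helpdesk"], "203.0.113.5", time(10, 0))))     # NotApplicable
    print(evaluate(make_request(["helpdesk"], "10.1.2.3", time(22, 0))))        # NotApplicable
    print(evaluate(make_request(["security-admin"], "203.0.113.5", time(3, 0),
                                privileged=True)))                              # Deny
```

The point of the deny-overrides choice is visible in the last case: the security admin's blanket Permit does not rescue an operation that a Deny rule targets, and anything no rule speaks to stays denied at the enforcement point.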