AR1
AR4
AR6
Examples of Displaing User Access
1. System configuration
Let’s have the following structure of services (representing applications), roles and their assignments:
Services: We have 5 applications represented by 5 services - APP_A .. APP_E
| Service name |
|---|
APP_A |
APP_B |
APP_C |
APP_D |
APP_E |
Roles and their structure: We have following 9 application roles. The roles have inducement of application (representing access to the application) except role AR9. Role AR9 does not provide access anywhere.
| Role name | Role archetype | Induced service |
|---|---|---|
AR1 |
App role |
APP_A |
AR2 |
App role |
APP_A |
AR3 |
App role |
APP_A |
AR4 |
App role |
APP_B |
AR5 |
App role |
APP_B |
AR6 |
App role |
APP_C |
AR7 |
App role |
APP_D |
AR8 |
App role |
APP_E |
AR9 |
App role |
There are 2 business roles BR1 and BR2 with following structure of induced application roles. The table below also shows services induced by the application roles.
| Role name | Role archetype | Induced roles | Services |
|---|---|---|---|
BR1 |
Business role |
APP_A |
|
BR2 |
Business role |
AR4 |
APP_C |
The user has directly assigned:
-
application roles AR1, AR9
-
business role BR1
-
service APP_E
-
application role AR1 with relation approver
2. Option 1: Business view - user access
The assignments above will be represented according the following table:
| Assignment | Type | Description | Access to | Access level | Expiration date | |
|---|---|---|---|---|---|---|
[role or service] |
[archetype name] |
[business details of the role - description of the role as an example] |
[indirectly assigned services] |
[relation of assignment or last inducement] |
[business details of the assignment] |
[note to assignment - just for this example] |
AR1 |
App role |
Description of role AR1 |
APP_A |
|||
BR1 |
Bus. role |
Description of BR1 role |
APP_A |
31/03/2023 |
User has information, that this assignment, and relevant access, expires. |
|
APP_E |
Application |
APP_E |
Editor |
Direct assignment of service APP_E |
||
AR9 |
App role |
Description of role AR9 |
||||
AR1 |
App role |
Description of role AR1 |
Approver |
Assignment with relation "Approver" does not provide any access. That is why application is not listed. |
User can read clearly all his (direct) assignments and the access that is provided by each of them. Additional business information of the assigned role (description as an example) or assignment (expiration date as an example) increases overall visibility.
|
The Access level can be described by relation of the inducement of the service. But we also use the relation (of assignments) for defining approvers of the role. See last assignment of AR1. This may be confusing. Probably, the best would be to split the Relation and Access level to two columns. |
Information provided
- Where do I have access ?
-
Just see all applications listed in the view.
- Why do I have access to APP_B ?
-
Because you have role BR1 assigned.
- Why do I have access to APP_A assigned more than once ?
-
Because you have the acess to APP_A assigned via role AR1 and also via role BR1.
- Why the role BR1 gives me access to APP_A ?
-
Because the role contains role AR1. (This information is available after displaying content of the BR1 business role.)
Limitations of this view
In case the role BR1 has large number of inducements, the list of applications should be limited - for sake of readability. In this case, not all applications can be listed here.
3. Option 2: Business view - user access by application
| Application name | Provided by | Type of role | Description | Access level | Expiration date |
|---|---|---|---|---|---|
[service name] |
[name of the directly assigned role, service or org] |
[archetype of the object] |
[business details of the role - description of the role as an example] |
[relation of assignment or last inducement] |
[business details of the assignment] |
APP_A |
AR1 |
App role |
Description of role AR1 |
||
APP_A |
BR1 |
Bus. role |
Description of BR1 role |
31/03/2023 |
|
APP_B |
BR1 |
Bus. role |
Description of BR1 role |
31/03/2023 |
|
APP_C |
BR1 |
Bus. role |
Description of BR1 role |
31/03/2023 |
|
APP_E |
APP_E |
Application |
Editor |
Information provided
The view provides answers to all questions as previous one, just it is better suited to show applications and search the access of them.
Limitations of this view
-
This view is not so clear as the previous one. It should be used as additional view for displaying of all assigned applications.
-
E.g., multiple view of assignment of the role (BR1) may be scattered based on the ordering of the application names.
-
-
this view does not display all assignments. If there is assignment that does not provide access anywhere, then the assignment is not displayed.
4. Option 3: Technical view - all direct and indirect assignments
| Assignment | Type | Description | Type of assignment | Source (parent) | Relation/ Access level | Expiration date | Assignment path |
|---|---|---|---|---|---|---|---|
[role or service] |
[archetype name] |
[business details of the role - description of the role as an example] |
[direct/indirect] |
[parent of the indirect assignment] |
[business details of the assignment] |
[full path of the assignment] |
|
AR1 |
App. role |
Description of role AR1 |
direct |
||||
APP_A |
Application |
indirect from: |
AR1 |
AR1 → APP_A |
|||
BR1 |
Bus. role |
Description of BR1 role |
direct |
31.3.2023 |
|||
AR1 |
App. role |
Description of role AR1 |
indirect from: |
BR1 |
BR1 → AR1 |
||
APP_A |
Application |
indirect from: |
AR1 |
BR1 → AR1 → APP_A |
|||
AR4 |
App. role |
Description of role AR4 |
indirect from: |
BR1 |
BR1 → AR4 |
||
APP_B |
Application |
indirect from: |
AR4 |
BR1 → AR4 → APP_B |
|||
AR6 |
App. role |
Description of role AR6 |
indirect from: |
BR1 |
BR1 → AR6 |
||
APP_C |
Application |
indirect from: |
AR6 |
BR1 → AR6 → APP_C |
|||
APP_E |
Application |
direct |
Editor |
||||
AR9 |
App. role |
Description of role AR9 |
direct |
||||
AR1 |
App.role |
direct |
Approver |
Information provided
- Why the user has access to APP_A?
-
Just list assignments of APP_A and look to Assignment path.
- Are there any duplicity assignments?
-
Just search for duplicity in set (assignment, type of assignment and parent). In this example it is assignment of APP_A indirectly assigned from AR1 role.
Limitations of this view
-
This view can go to deep details for analysis, but is not easy to read and get good overview of the access.
-
Too many lines provides too large amount of information - decreasing overall visibility.
Was this page helpful?
YES
NO
Thanks for your feedback