
Only allow users to hold one technical role where the underlying permissions are for a single app.

Idea ID 2855497


For applications such as Salesforce, users can be allocated a single Salesforce role, a single Salesforce profile, and multiple optional permissions. The business is using technical roles to build a single requestable item that the users will recognise.

Where technical roles are limited to permissions within a single application, it is critical that users are only able to have a single technical role at any one time. If they change jobs, they should be made to remove a technical role before they add one.

3 Comments
Micro Focus Contributor

Just to be clear, SOME of our applications (e.g. Salesforce, OpenAir) require that user-roles be mutually exclusive, meaning a user can only have a single role at any given time.

If a user needs a different role (e.g. Role-B) from the one they currently have (e.g. Role-A), they should be able to submit a fresh request in IG for Role-B. Once the request is approved & fulfilled, the older access request for Role-A should then be invalidated/removed in IG.

In the above case, the user should not be forced to REMOVE/REVOKE their Role-A access before submitting a new request for Role-B access - as that would result in disruption of access to business applications which would not be ideal.

Micro Focus Expert

Being able to group Technical Roles together to only allow one to be assigned from the group might be a way to approach this. The approval of the newly requested Technical Role would trigger fulfillment of the permissions on that Technical Role that are not already assigned. It would also trigger the removal of the originally assigned Technical Role permissions that do not exist on the newly approved Technical Role and the assignment of the original Technical Role as well. An important thing with this that would be highly beneficial is that the removal of the original Technical Role should not have to go through an approval process.

I think the same concept could be applied to permissions, when an application can only have one permission or one permission within a permission type grouping, assigned at a time.

Micro Focus Frequent Contributor

While it is true applications such as Salesforce only allow users to have one role, the technical role includes many other optional permissions that the user would be left with if a technical role is not actively removed.

We would like the access to be removed and the new access applied at the same time. For us, that is the least risk option as we are using semi-automated fulfilment and are looking to automate fulfilment. 

Users should be forced to remove access where that is the requirement; surely that is a business decision? The business should be free to accept the risk of users having no access if the risk of users having too much access is perceived as the greater risk.

Leaving users with 2 technical roles risks causing segregation of duties issues.
