Skip to main content

How-Tos

These guides will help you set up the role model with practical step-by-step procedures.

Additional How-Tos

Role Model

The role model, with its computation and enforcement, is at the heart of Usercube's engine. It is composed mainly of roles, representing entitlements, and rules, enforcing the company assignment policies.

Make sure to read the introduction on entitlement management first.

See more information about role assignments.

Roles

Roles represent entitlements from the managed systems, but expressed in a language understandable by non-technical people.

A single role is meant to represent one entitlement from a managed system, by acting as a label, thus allowing better organization and readability.

A composite role is meant to group several single roles into a meaningful, business-themed entitlement package.

In this way, the role model can be seen as a Role-Based Access Control (RBAC).

Assignment Rules

An assignment rule gives an entitlement to a user, usually based on (at least) one criterion from the user's data. Assignment rules are:

  • single role rules which assign single roles;
  • composite role rules which assign composite roles;
  • resource type rules which assign resources, usually accounts, of specific types.

The identity criteria that trigger the rules are named dimensions.

In this way, the role model can also be seen as an Attribute-Based Access Control (ABAC) model.

Usercube gives users access to given resources in the managed systems, based on roles and rules, but it does not override the managed systems' authorization mechanisms.

Enforcement of the Assignment Policy

The company's policy for entitlement assignment is enforced by Usercube with the the computation of the role model, through the ComputeRoleModelTask. It applies all the configured rules, thus:

  • helping build a catalog of all available entitlements in the managed systems, see role naming conventions;
  • helping build the rules that define the assignment policy, i.e. the expected entitlement assignments for all users, see the role mining;
  • automating entitlement assignment, see assignment rules;
  • generating the provisioning orders that enable writing to the managed systems, see provisioning rules;
  • detecting assignments in the managed systems that do not comply with the policy, see the review of non-conforming assignments.