SAP IDM – How to provide access based on privilege.
In many real-life scenarios we need to grant a person access in one system based on the access they already hold in another system.
But how should we do that? Is there a simple way to accomplish this goal?
The answer is “Yes, there is.” And here is how I’ve done it.
First, let’s assume we have the following systems: SYSA and SYSB.
We also have one privilege belonging to SYSA: PRIV:SYSA:TEST_PRIV
We have one business role in SYSB: ROLE:SYSB:TEST_ROLE
And finally we have a person: TEST_PERSON
Create a new task: Attach BR in SYSB.
Add a ToIdentityStore pass.
In the Source tab, clear the “Retrieve attributes from pending value” flag.
Set the Destination tab as shown in the following screenshot.
Now go to the privilege list in your idstore.
Select the privilege PRIV:SYSA:TEST_PRIV and open its properties.
Select the Task tab and, in the provisioning task field, link the task prepared earlier: Attach BR in SYSB
The result is that when the privilege PRIV:SYSA:TEST_PRIV is successfully attached to the person TEST_PERSON, this triggers the attachment of ROLE:SYSB:TEST_ROLE to the same person. If for any reason the attachment of the privilege fails, then the business role will not be attached to the person.
So we’ve achieved our goal, but there is one thing you should be aware of. The role ROLE:SYSB:TEST_ROLE must not contain PRIV:SYSA:TEST_PRIV itself, otherwise you might end up in an endless loop.
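To make that caveat checkable before a task is linked to a privilege, here is an added example (not code from the original post, and not the SAP IDM scripting API): a stand-alone model of the privilege → provisioning task → business role → contained privileges chain, walked to find a cycle. It goes beyond the direct case in the text and also catches a loop that closes over two hops; the names other than SYSA, SYSB, PRIV:SYSA:TEST_PRIV and ROLE:SYSB:TEST_ROLE are constructed for the illustration.

```javascript
// Added example, not part of the original post. The maps below are a constructed
// model of what the idstore holds; nothing here talks to SAP IDM.

// privilege -> business role that the privilege's provisioning task attaches
// (the "Attach BR in SYSB" pattern from the post). Second entry is constructed.
const TASK_TARGETS = {
  'PRIV:SYSA:TEST_PRIV': 'ROLE:SYSB:TEST_ROLE',
  'PRIV:SYSB:APP_USER': 'ROLE:SYSA:APP_ROLE',
};

// business role -> privileges it contains (constructed, loop-free).
const ROLE_CONTENTS_SAFE = {
  'ROLE:SYSB:TEST_ROLE': ['PRIV:SYSB:APP_USER'],
  'ROLE:SYSA:APP_ROLE': ['PRIV:SYSA:APP_READ'],
};

// Same, but ROLE:SYSA:APP_ROLE hands out PRIV:SYSA:TEST_PRIV again, which
// closes the cycle privilege -> role -> privilege -> role -> privilege.
const ROLE_CONTENTS_LOOPING = {
  'ROLE:SYSB:TEST_ROLE': ['PRIV:SYSB:APP_USER'],
  'ROLE:SYSA:APP_ROLE': ['PRIV:SYSA:APP_READ', 'PRIV:SYSA:TEST_PRIV'],
};

// Depth-first walk: privilege -> role attached by its task -> privileges in that
// role -> ... Returns the first cycle found as a path, or null if every chain ends.
function findProvisioningLoop(startPriv, taskTargets, roleContents) {
  const path = [];
  const onPath = new Set();

  function visit(priv) {
    if (onPath.has(priv)) {          // back to a privilege already on the chain
      path.push(priv);
      return true;
    }
    const role = taskTargets[priv];
    if (!role) return false;         // no provisioning task: this branch ends
    onPath.add(priv);
    path.push(priv, role);
    for (const child of roleContents[role] || []) {
      if (visit(child)) return true;
    }
    onPath.delete(priv);
    path.length -= 2;                // backtrack priv and role
    return false;
  }

  return visit(startPriv) ? path : null;
}

// null for the safe map; a 5-element path ending in PRIV:SYSA:TEST_PRIV for the looping one.
console.log(findProvisioningLoop('PRIV:SYSA:TEST_PRIV', TASK_TARGETS, ROLE_CONTENTS_SAFE));
console.log(findProvisioningLoop('PRIV:SYSA:TEST_PRIV', TASK_TARGETS, ROLE_CONTENTS_LOOPING));
```

Run it against an export of your own privilege/task links and role memberships before linking a new provisioning task; a non-null result is the loop the post warns about.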
Of course you can use the same approach when removing the privilege from a person: this way, if you remove the privilege, the business role will also be removed.