
HsM Reference Manual

Roles are groups of permissions and can contain system permissions as well as customer permissions. The same permission can be contained in multiple roles. Roles are defined globally, i.e. the same roles are used in the whole HsM instance.

Roles can be viewed by any authenticated user and can be managed by users with the EDIT_ROLES system permission, i.e. such users can create new roles, modify role attributes, add permissions to a role or remove them from it, etc. Table 15 shows the attributes managed for roles.

Roles are assigned to security principals for a specific securable. E.g., a role can be assigned to a specific user on a specific customer. If a role is assigned to a user for a specific customer, all customer permissions that are contained within that role will apply for the customer (and may apply to descendant customers via role assignment inheritance). System permissions contained within that assigned role will not have any effect.

If a role is assigned to the system securable, all customer permissions that are contained within that role will apply to all customers in the system. System permissions will apply to the system securable. The effective role assignments a user has on a customer are determined by evaluating role assignments on the system securable and role assignments on customer securables together with the defined role assignment inheritance.

Roles in HsM can be protected. Protected roles cannot be modified by any user of the system, not even by users holding EDIT_ROLES. These roles are provided by HsM so that a minimal set of roles needed for operating the system is always available. Out of the box HsM provides two protected roles: INSTANCE_ADMINISTRATOR and SYSTEM_ADMINISTRATOR.

Attribute: Description

Code: Mandatory. The role code uniquely identifies the role. Role codes must match the regex ^[A-Z0-9_]{1,50}$ (1 to 50 upper-case letters, digits or underscores).

Name: Phrase, mandatory. The name of the role.

Description: Phrase, optional. A textual description of the role's usage.

Propagate via reseller relationship: Boolean, mandatory, default true. If true, assignments of this role are propagated down the reseller relationship (as long as the inheritance is not broken by a descendant customer).

Propagate via hierarchy relationship: Boolean, mandatory, default true. If true, assignments of this role are propagated down the hierarchy relationship (as long as the inheritance is not broken by a descendant customer).

Propagate via invoicing relationship: Boolean, mandatory, default false. If true, assignments of this role are propagated down the invoicing relationship (as long as the inheritance is not broken by a descendant customer).

Propagate via condition relationship: Boolean, mandatory, default false. If true, assignments of this role are propagated down the condition relationship (as long as the inheritance is not broken by a descendant customer).

Propagate via facility manager relationship: Boolean, mandatory, default false. If true, assignments of this role are propagated down the facility manager relationship (as long as the inheritance is not broken by a descendant customer).

Assigned permissions: The list of permissions contained in this role.

Table 15: Attributes of a role

Role assignment inheritance

Role assignments of a user on a customer securable can be propagated to other customers via customer relations.

Whether a role assignment is actually propagated to other customers via a specific type of customer relation, depends on two settings:

The role must be defined as a role that is propagated via that specific type of customer relation (see the "Propagate via ..." attributes in Table 15).

All customers down the relationship path of that specific customer relation type to the specific customer for which the permissions are evaluated must allow role inheritance for that specific type of customer relations.

I.e., roles define if they are propagated down the customer relationship tree for each relationship type. Customers define if they actually want to inherit via each of these relationship types.

Role assignments applicable only on related customers

When assigning a role to a customer it can be defined that this role assignment does not apply to the customer itself but is only applicable to related customers, i.e. only to descendant customers that inherit this role assignment via role assignment inheritance. E.g. a role named Customer Administrator assigned to a user on a reseller customer and configured to be applicable only on related customers will not make the user a Customer Administrator on that reseller, but only on those customers related to the reseller that allow role inheritance.
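The evaluation rules described above (assignments on the system securable, direct assignments on a customer, propagation via a customer relation gated by the role's propagation flag and by each descendant's inheritance setting, and the "applicable only on related customers" option) as a small executable model in Python. This is an added example, not HsM's own code: the class and function names, the permission codes, the principals and the customer graph are assumptions made for illustration; only the role code regex and the propagation defaults are taken from Table 15.

```python
"""Illustrative model of HsM-style roles, role assignments and role assignment
inheritance.  Added example, not HsM code; all names below are assumptions."""
import re
from dataclasses import dataclass, field

ROLE_CODE_RE = re.compile(r"^[A-Z0-9_]{1,50}$")        # role code rule, Table 15
RELATION_TYPES = ("reseller", "hierarchy", "invoicing", "condition", "facility_manager")
PROPAGATE_DEFAULTS = {"reseller": True, "hierarchy": True, "invoicing": False,
                      "condition": False, "facility_manager": False}   # Table 15 defaults
SYSTEM = "SYSTEM"                                       # the system securable


@dataclass(frozen=True)
class Permission:
    code: str
    scope: str                  # "system" or "customer"


@dataclass
class Role:
    code: str
    permissions: frozenset
    propagate: dict = field(default_factory=dict)   # relation type -> bool
    protected: bool = False

    def __post_init__(self):
        if not ROLE_CODE_RE.match(self.code):
            raise ValueError(f"invalid role code {self.code!r}")
        self.propagate = {**PROPAGATE_DEFAULTS, **self.propagate}


@dataclass
class Customer:
    id: str
    parents: dict = field(default_factory=dict)   # relation type -> parent customer id
    inherit: dict = field(default_factory=dict)   # relation type -> allows inheritance (default True)


@dataclass(frozen=True)
class Assignment:
    principal: str
    role_code: str
    securable: str              # SYSTEM or a customer id
    only_related: bool = False  # "applicable only on related customers"


def add_permission(role, perm):
    """Protected roles cannot be modified by any user, whatever their permissions."""
    if role.protected:
        raise PermissionError(f"role {role.code} is protected")
    role.permissions = role.permissions | {perm}


def inherits_via(customers, target, source, role):
    """Relation type through which an assignment on `source` reaches `target`, or None.
    The role must propagate via that type, and every customer on the path below
    `source` (the target included) must allow inheritance via that type."""
    for rel in RELATION_TYPES:
        if not role.propagate[rel]:
            continue
        node, seen = target, set()
        while node != source and node not in seen:
            cust = customers[node]
            if not cust.inherit.get(rel, True):     # descendant broke the inheritance
                break
            seen.add(node)
            node = cust.parents.get(rel)            # None if no parent of this type
            if node is None:
                break
        if node == source:
            return rel
    return None


def effective_customer_permissions(principal, customer_id, roles, customers, assignments):
    """Customer permission codes of `principal` on customer `customer_id`."""
    granted = set()
    for a in assignments:
        if a.principal != principal:
            continue
        role = roles[a.role_code]
        customer_perms = {p.code for p in role.permissions if p.scope == "customer"}
        if a.securable == SYSTEM:
            granted |= customer_perms            # system assignment: every customer
        elif a.securable == customer_id:
            if not a.only_related:
                granted |= customer_perms        # direct assignment on this customer
        elif inherits_via(customers, customer_id, a.securable, role):
            granted |= customer_perms            # inherited through a customer relation
        # system permissions in a customer-level assignment have no effect
    return granted


def effective_system_permissions(principal, roles, assignments):
    """System permission codes only come from assignments on the system securable."""
    return {p.code for a in assignments if a.principal == principal and a.securable == SYSTEM
            for p in roles[a.role_code].permissions if p.scope == "system"}


# Constructed sample data (assumed permission codes, roles, customers and principals).
MANAGE_USERS = Permission("MANAGE_USERS", "customer")
MANAGE_INVOICES = Permission("MANAGE_INVOICES", "customer")
EDIT_ROLES = Permission("EDIT_ROLES", "system")
ROLES = {r.code: r for r in (
    Role("CUSTOMER_ADMINISTRATOR", frozenset({MANAGE_USERS, EDIT_ROLES})),
    Role("BILLING", frozenset({MANAGE_INVOICES}),
         propagate={"reseller": False, "hierarchy": False, "invoicing": True}),
    Role("SYSTEM_ADMINISTRATOR", frozenset({EDIT_ROLES}), protected=True),
)}
# R resells C1 and C2, C1 resells C3, R invoices C4; C2 does not inherit via reseller.
CUSTOMERS = {c.id: c for c in (
    Customer("R"),
    Customer("C1", parents={"reseller": "R"}),
    Customer("C2", parents={"reseller": "R"}, inherit={"reseller": False}),
    Customer("C3", parents={"reseller": "C1"}),
    Customer("C4", parents={"invoicing": "R"}),
)}
ASSIGNMENTS = (
    Assignment("alice", "CUSTOMER_ADMINISTRATOR", "R", only_related=True),
    Assignment("carol", "BILLING", "R"),
    Assignment("dave", "SYSTEM_ADMINISTRATOR", SYSTEM),
)

if __name__ == "__main__":
    for who in ("alice", "carol", "dave"):
        for cid in CUSTOMERS:
            print(who, cid, sorted(effective_customer_permissions(who, cid, ROLES, CUSTOMERS, ASSIGNMENTS)))
        print(who, SYSTEM, sorted(effective_system_permissions(who, ROLES, ASSIGNMENTS)))
```

Running the block shows the two gates at work: alice's assignment on R grants nothing on R itself (only on related customers), reaches C1 and C3 through the reseller chain, stops at C2 because C2 broke reseller inheritance, and never reaches C4 because CUSTOMER_ADMINISTRATOR does not propagate via the invoicing relationship; carol's BILLING role reaches C4 but not C1 for the opposite reason. The EDIT_ROLES system permission inside CUSTOMER_ADMINISTRATOR never takes effect through a customer-level assignment.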