
Implementing role enforcement

Before implementing role enforcement, set up your provisioning environment: add target systems, import users, and configure email notification and authentication.

Your implementation of role enforcement may be based on a number of scenarios; for example, you could:

  • Enable enforcement for roles, then incrementally add users to the enforcement jurisdiction. You can also configure exceptions for individual resources.

  • Add all users to the enforcement jurisdiction, then incrementally apply enforcement rules to roles.

  • Add all users to the enforcement jurisdiction, then incrementally apply enforcement rules to individual resources. You can configure roles to inherit enforcement rules from member resources.

To implement role enforcement, you must:

  • Enable the role enforcement engine and set global role enforcement options.

    This includes default actions, the workflow requester, and event triggers.

  • Add roles.

  • Configure roles you want to enforce.

    When a role is enforced, the rbacenforce program lists users who belong to the role, and who do not have all required resources, including those within sub-roles. Optional resources are not enforced.

    For users who are in the enforcement jurisdiction, rbacenforce rectifies a deficit violation, either by adding the missing privilege, or requesting an exception. You can configure roles to inherit the deficit action from entitlements, in which case you must also enable and configure enforcement for each entitlement that you want to have enforced.

  • Configure target systems and groups you want to enforce.

    When a target system or managed group is enforced, the rbacenforce program lists users who do, and do not, have an account or direct membership.

    For users who are in the enforcement jurisdiction, and belong to a role that includes the resource, rbacenforce rectifies a deficit violation, either by adding the missing privilege, or requesting an exception. This action can be adopted from the resource’s parent role, or you can set it explicitly. You can also configure resources to inherit the deficit action from the parent role, in which case you must also enable and configure enforcement for those roles.

    For users who are in the enforcement jurisdiction, and do not belong to a role that includes the resource, rbacenforce rectifies a surplus violation, either by removing the privilege, or requesting an exception.

  • Determine which users should be in the enforcement jurisdiction.

    This is determined by the RBAC enforcement (rbacenforce) profile and request attribute. When users are first loaded by auto discovery, the attribute is not set. When a new user is created or an access change request is issued for an existing user, the attribute is set to true by default.

    By default, users can request a change to this attribute, to take a recipient out of the enforcement jurisdiction. Ensure that such a change requires authorization, is validated using the attribute validation plugin, or is restricted by the attribute's access controls.
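The following is an added illustrative model of the deficit/surplus decision logic the steps above describe; it is not the rbacenforce program or any of the product's code. Role, user, resource and action names are constructed sample data, the "in_jurisdiction" flag stands in for the rbacenforce profile and request attribute, and the treatment of optional resources as "included" for surplus purposes is an assumption of this model.

```python
"""Model of RBAC enforcement violation detection (added example, not product code)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    required: frozenset = frozenset()   # resources every member must hold (enforced)
    optional: frozenset = frozenset()   # never produce a deficit violation
    sub_roles: frozenset = frozenset()  # nested roles whose requirements are inherited

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    resources: frozenset       # accounts / group memberships the user actually holds
    in_jurisdiction: bool      # stands in for the rbacenforce profile/request attribute

@dataclass(frozen=True)
class Violation:
    user: str
    resource: str
    kind: str      # "deficit" or "surplus"
    action: str    # "add", "remove", "exception", or "report-only"

def role_resources(role_name, roles):
    """Return (required, included) resources for a role, walking sub-roles too."""
    required, included, seen, stack = set(), set(), set(), [role_name]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        role = roles[name]
        required |= role.required
        # Assumption: a role "includes" both its required and optional resources,
        # so holding an optional resource is not a surplus.
        included |= role.required | role.optional
        stack.extend(role.sub_roles)
    return required, included

def enforce_user(user, roles, enforced_resources,
                 deficit_action="add", surplus_action="remove", resource_actions=None):
    """List deficit and surplus violations for one user.

    deficit_action / surplus_action are the global defaults; resource_actions
    maps a resource to per-resource overrides, modelling an action set
    explicitly on a resource rather than inherited from the parent role.
    Users outside the jurisdiction are only reported, never rectified.
    """
    resource_actions = resource_actions or {}
    required, included = set(), set()
    for role_name in user.roles:
        req, inc = role_resources(role_name, roles)
        required |= req
        included |= inc

    violations = []
    # Deficit: required by a role the user holds, enforced, but missing.
    for res in sorted(required & enforced_resources):
        if res not in user.resources:
            action = resource_actions.get(res, {}).get("deficit", deficit_action)
            violations.append(Violation(user.name, res, "deficit",
                                        action if user.in_jurisdiction else "report-only"))
    # Surplus: held and enforced, but not included by any role the user holds.
    for res in sorted(user.resources & enforced_resources):
        if res not in included:
            action = resource_actions.get(res, {}).get("surplus", surplus_action)
            violations.append(Violation(user.name, res, "surplus",
                                        action if user.in_jurisdiction else "report-only"))
    return violations

def run_enforcement(users, roles, enforced_resources, **kwargs):
    """Run enforce_user over every user; returns {user name: [violations]}."""
    return {u.name: enforce_user(u, roles, enforced_resources, **kwargs) for u in users}

# Constructed sample data for demonstration only.
SAMPLE_ROLES = {
    "staff": Role("staff", required=frozenset({"ad-account"})),
    "finance": Role("finance", required=frozenset({"erp-account", "gl-readers"}),
                    optional=frozenset({"vpn"}), sub_roles=frozenset({"staff"})),
}
ENFORCED = frozenset({"ad-account", "erp-account", "gl-readers", "vpn", "admin-group"})
# erp-account is configured to request an exception instead of auto-adding.
SAMPLE_ACTIONS = {"erp-account": {"deficit": "exception"}}
SAMPLE_USERS = [
    User("alice", frozenset({"finance"}), frozenset({"ad-account", "gl-readers", "admin-group"}), True),
    User("bob", frozenset({"staff"}), frozenset({"ad-account", "vpn"}), False),
    User("carol", frozenset({"finance"}),
         frozenset({"ad-account", "erp-account", "gl-readers", "vpn"}), True),
]

if __name__ == "__main__":
    for name, found in run_enforcement(SAMPLE_USERS, SAMPLE_ROLES, ENFORCED,
                                       resource_actions=SAMPLE_ACTIONS).items():
        for v in found:
            print(f"{name}: {v.kind} on {v.resource} -> {v.action}")
```

In the sample data, alice is in the jurisdiction, lacks the required erp-account (deficit, resolved by the per-resource "exception" action) and holds admin-group that no role of hers includes (surplus, removed); bob holds vpn outside any of his roles but is outside the jurisdiction, so the surplus is only reported; carol's optional vpn raises nothing.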