...
Role classes

By default, roles are divided into two main classes: Admin and Auditor. In addition there are two special roles: Multi-namespace and Developer.

System Roles

The predefined System Roles are designed to cover 99 % of use cases, which is why getting to know them is important. The full list of these roles is below in section 6.3. Next we discuss the most important System Roles and the difference between the two classes.

In general, the Admin class has full read-write access to its objects, and the Auditor class has read-only access. For the roles Namespace Admin and Namespace Auditor, the object in question is the namespace and its settings. For Account Admin and Account Auditor, the object is a user account and the user account policies. For Role Admin and Role Auditor, the objects are the role definitions in a namespace and the roles assigned to each user account in the namespace. For Group Admin and Group Auditor, the object is a group, which may have different kinds of members (user accounts, other groups, or contacts, which are covered in a later chapter). Group Admin is able to manage groups, and Group Auditor is able to review their current state and settings.

Custom Roles

If the selection of built-in System Roles does not serve the technical and business requirements of your organisation, it is possible to create custom roles with virtually any set of permissions.

Special Roles

Multi-namespace is a special role. It allows the role holder to switch from one namespace (usually the same as a tenant) to another, for convenient management of multiple namespaces and of the user accounts, groups, and roles in those namespaces. The Multi-namespace role by itself only allows switching namespace; other roles are required for actual management. In the user interface, switching is done by selecting the namespace name in the Namespace Menu on the Top Bar. The Multi-namespace role also allows creating Management API Clients with access to multiple namespaces. This is a very powerful role, and its holders are always considered trusted persons.

Developer is the other special role. It is reserved for external application developers. Developers may create and manage their own Management API clients and OpenID Connect clients, which are the clients used by external applications utilising the TIS platform. The API Developer Guide explains the use of external applications in more detail.
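The access model described above (Admin class reads and writes, Auditor class only reads, each System Role scoped to one object type in one namespace, and Multi-namespace granting nothing but the right to act in another namespace) can be checked mechanically. The following is an added illustration written for this page, not TIS code or its API; the role names come from the text, while `Assignment`, `User`, `can_switch_to` and `is_allowed` are hypothetical names for the model.

```python
from dataclasses import dataclass

# Object type each System Role governs and the verbs its class grants:
# Admin -> read + write, Auditor -> read only (as described on this page).
ROLE_CLASS = {
    "Namespace Admin": ("namespace", {"read", "write"}),
    "Namespace Auditor": ("namespace", {"read"}),
    "Account Admin": ("account", {"read", "write"}),
    "Account Auditor": ("account", {"read"}),
    "Role Admin": ("role", {"read", "write"}),
    "Role Auditor": ("role", {"read"}),
    "Group Admin": ("group", {"read", "write"}),
    "Group Auditor": ("group", {"read"}),
}

@dataclass
class Assignment:
    role: str
    namespace: str  # namespace in which the role is held (hypothetical model)

@dataclass
class User:
    home_namespace: str
    assignments: list  # list of Assignment

def can_switch_to(user, namespace):
    """Only the Multi-namespace role lets a user act outside the home namespace."""
    if namespace == user.home_namespace:
        return True
    return any(a.role == "Multi-namespace" for a in user.assignments)

def is_allowed(user, action, object_type, namespace):
    """Least-privilege check: switching in is necessary but never sufficient;
    a System Role held in that namespace must grant the verb on the object type."""
    if not can_switch_to(user, namespace):
        return False
    for a in user.assignments:
        if a.namespace != namespace or a.role not in ROLE_CLASS:
            continue
        obj, verbs = ROLE_CLASS[a.role]
        if obj == object_type and action in verbs:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: Multi-namespace plus Account Admin in tenant-b only.
    u = User("tenant-a", [Assignment("Multi-namespace", "tenant-a"),
                          Assignment("Account Admin", "tenant-b")])
    print(is_allowed(u, "write", "account", "tenant-b"))  # True
    print(is_allowed(u, "write", "group", "tenant-b"))    # False
```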
...