4.2 Role inheritance

MyID allows you to specify whether the available roles for a group are inherited by their child groups.

With role inheritance, if you change the roles available to the parent group, these roles are filtered down to the child groups.

4.2.1 Role restriction option

The Restrict Roles on Child Groups configuration option determines whether groups inherit the restrictions on roles from their parent groups.

To set the role restriction option:

1. From the Configuration category, select Security Settings.
2. Click the Process tab.

3. Set the following option:

   • Restrict Roles on Child Groups – set to one of the following options:

     • Yes – the roles available to the group are restricted to the roles available to the group's parent. The Inherit Roles option appears on the Select Roles dialog.
     • No – the group may select from any roles in the system. The Inherit Roles option does not appear on the Select Roles dialog.
4. Click Save changes.

4.2.2 Setting a group to inherit roles

To specify whether a group inherits roles:

1. Start the Add Group or Amend Group workflow.
2. For the Add Group workflow, you must select the Parent Group before you can set the roles.

3. Click the Roles box.

   

   Note: The Inherit Roles box appears only if you have selected the Restrict Roles on Child Groups option. See section 4.2.1, Role restriction option for details.

4. To inherit the available roles from the parent group, either:

   • Select the Inherit Roles option, or
   • Deselect all of the roles in the list.

   To specify a list of roles explicitly, select one or more roles from the list.

5. Click OK and complete the workflow.

4.2.3 Inherited roles example

• Initial setup.

  Assume your system has the roles Help Desk, System, Manager, and Cardholder.

  Set the Restrict roles on child groups configuration option to Yes.

  Create a group called Administrators with a parent group of Root. Add System, Manager and Cardholder as the available roles for the group.

  Create a new subgroup called Admin North beneath the Administrators group. Set the Inherit Roles option for the group. The new subgroup inherits System, Manager and Cardholder as the available roles for the group.

  Create a new subgroup called Admin North System beneath the Admin North group. Do not set the Inherit Roles option for the group; instead, explicitly select System and Cardholder as the available roles.

  (Note: You cannot select the Help Desk role, as that is not available to its parent.)

• Remove a role available to Administrators.

  Edit Administrators to remove the Cardholder role.

  Administrators now has the System and Manager roles.

  Admin North now has the System and Manager roles.

  Admin North System now has the System role.

• Add a role to Administrators.

  Edit Administrators to add the Help Desk role.

  Administrators now has the Help Desk, System, and Manager roles.

  Admin North now has the Help Desk, System, and Manager roles.

  Admin North System now has the System role. If a group has explicit roles set, it can only inherit the removal of roles from its parent; it cannot inherit the addition of roles. However, you can now edit the Admin North System group to add the Help Desk role manually.