Roles Example
This example scenario provides a conceptual view of Roles, Users, and Priorities.
The following table lists users and their group assignments:
| User | Group Membership |
|---|---|
| User A | None |
| User B | Group-1 |
| User C | Group-1 |
| User D | Group-1 & Group-2 |
| User E | Group-2 |
Some users are not members of any group, some are members of a single group, and others are members of multiple groups. In this example, the users come from a configured SAML Domain. When SAML Domain members connect to Signum, Signum makes those users, and any group memberships passed in the SAML assertion, available for assignment to Roles.
Users only require a role to access the Admin Web Console. End users can log in to the Agents and use certificates defined in policies without a role assignment.
In this example, Signum is configured with the following Roles:
Administrator
Event Viewer
Certificate Manager
Development Manager
Example Matrix
With the users available and the Roles created, users can be assigned to the roles and the roles given priorities. This example has purposely been made complex to illustrate how User/Group role assignments interact with priority levels. In real-world usage, role assignments are straightforward in most deployments.
The following scenario shows the priorities and user/group assignments for the roles:
| Role | Priority | User / Group Assignment |
|---|---|---|
| Administrator | 1 | User A, User B |
| Event Viewer | 0 | Group-1 |
| Certificate Manager | 1 | Group-2 |
| Development Manager | 1 | Group-2 |
Priority 0 is the highest possible priority; a lower number takes precedence over a higher one.
Explanation
The following table explains what roles were assigned from the example and the purpose:
| User | Assigned Role | Purpose |
|---|---|---|
| User A | Administrator | User A has no group memberships and is assigned directly to the Administrator role, so that is the effective role assignment. |
| User B | Administrator | User B is a member of Group-1, but is also assigned directly to the Administrator role, so that is the effective role assignment. Even though the Event Viewer role has a higher priority (0), a direct user assignment supersedes any role reached through group membership. |
| User C | Event Viewer | User C is a member of Group-1 and has no other potential assignments, so the role assignment is Event Viewer. |
| User D | Event Viewer | User D is a member of both Group-1 and Group-2, but the Event Viewer role (priority 0) outranks the Group-2 roles (priority 1), so User D is assigned to Event Viewer. To move User D to the Certificate Manager role, change the priority of the Event Viewer role to 2 or higher. Note that User D would then have two remaining candidates at priority 1 (Certificate Manager and Development Manager), the same tie User E shows, so also lower the priority of Development Manager or assign Certificate Manager to User D directly. |
| User E | N/A | The Certificate Manager role and the Development Manager role have the same priority, so no single role can be chosen and the assignment will not be applied consistently. To assign User E to the Development Manager role, assign the role directly to the user instead of through the group. |
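The following is an added example that models the resolution rules stated above (direct assignment wins; otherwise the lowest priority number wins; an equal priority between two candidate roles is not a consistent assignment). It is illustrative code written for this page, not Signum's own implementation; the data structures, the function names and the handling of a user directly assigned to more than one role are assumptions. It reproduces the example matrix and also shows the two fixes suggested for User D and User E.

```python
"""Model of the role-resolution rules described on this page (added example, not Signum code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Role:
    name: str
    priority: int                                   # 0 is the highest possible priority
    users: Set[str] = field(default_factory=set)    # direct user assignments
    groups: Set[str] = field(default_factory=set)   # group assignments


@dataclass
class Resolution:
    role: Optional[str]                 # the single role that applies, or None
    ambiguous: Tuple[str, ...] = ()     # roles that tied on priority (no consistent result)
    via: str = ""                       # "direct", "group" or "none"


def _best(candidates: List[Role], via: str) -> Resolution:
    """Pick the candidate with the lowest priority number; report a tie as ambiguous."""
    if not candidates:
        return Resolution(None, via="none")
    best = min(r.priority for r in candidates)
    winners = sorted(r.name for r in candidates if r.priority == best)
    if len(winners) == 1:
        return Resolution(winners[0], via=via)
    return Resolution(None, ambiguous=tuple(winners), via=via)


def resolve_role(user: str, groups: Set[str], roles: List[Role]) -> Resolution:
    """Direct assignment first; only if none exists, fall back to group assignments by priority."""
    direct = [r for r in roles if user in r.users]
    if direct:
        # Assumption: a user directly assigned to several roles is resolved by the same priority rule.
        return _best(direct, "direct")
    via_group = [r for r in roles if groups & r.groups]
    return _best(via_group, "group")


# Constructed from the page's user table.
USERS: Dict[str, Set[str]] = {
    "User A": set(),
    "User B": {"Group-1"},
    "User C": {"Group-1"},
    "User D": {"Group-1", "Group-2"},
    "User E": {"Group-2"},
}


def example_roles() -> List[Role]:
    """The page's example matrix."""
    return [
        Role("Administrator", 1, users={"User A", "User B"}),
        Role("Event Viewer", 0, groups={"Group-1"}),
        Role("Certificate Manager", 1, groups={"Group-2"}),
        Role("Development Manager", 1, groups={"Group-2"}),
    ]


def resolve_all(roles: List[Role]) -> Dict[str, Resolution]:
    return {user: resolve_role(user, groups, roles) for user, groups in USERS.items()}


def set_priority(roles: List[Role], name: str, priority: int) -> List[Role]:
    """Change one role's priority in place and return the list (fix suggested for User D)."""
    for r in roles:
        if r.name == name:
            r.priority = priority
    return roles


def assign_directly(roles: List[Role], name: str, user: str) -> List[Role]:
    """Add a direct user assignment in place and return the list (fix suggested for User E)."""
    for r in roles:
        if r.name == name:
            r.users.add(user)
    return roles


if __name__ == "__main__":
    for user, res in resolve_all(example_roles()).items():
        if res.role:
            print(f"{user}: {res.role} (via {res.via})")
        else:
            print(f"{user}: no consistent assignment, tie between {res.ambiguous}")
```

Running the block prints the same outcomes as the Explanation table. Lowering Event Viewer to priority 2 removes it from User D's candidates but leaves Certificate Manager and Development Manager tied at priority 1, so User D ends up in the same inconsistent state as User E; a direct assignment resolves the tie because it is evaluated before any group assignment.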