Application Development Discussions

Org Level Roles / Authorization Object Roles

Former Member
0 Kudos

Hi board,

I have heard of the concept to use roles with "Organizational Values" only and no other authorization values contained. Similar the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidential "double usage".

The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.

My questions are:

- Is it technically feasible (for a large-scale company)?

- What is your experience?

- Drawbacks?

Kind regards and many thanks for your help,

Richard

9 REPLIES

Former Member
0 Kudos

Hi Richard,

There is a related discussion currently going on in this thread.

So far using org-levels in the same single (derived) role seems to be in the lead.

Cheers,

Julius

0 Kudos

Julius, Snap

0 Kudos

My formatting is nicer than yours 😜

Former Member
0 Kudos

Hi Richard,

There are a few pointers on the drawbacks in the following post:

That should answer your questions. I think it's fair enough to say that in my experience, the majority of companies which have implemented this have increased complexity and reduced security over a standard build. Some have made it work well as they have put appropriate controls in place.

Former Member
0 Kudos

Hi there,

that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.

Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?

Kind regards,

Richard

0 Kudos

I was not even aware that it is possible to derive at composite role level.

We make limited use of derived roles, and only in cases where there is certainty that the process is the same across the orgs and will remain so. Even with that, it still does not work exactly for all fields and all scenarios over time.

Cheers,

Julius

0 Kudos

> Hi there,

>

> that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.

>

> Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?

>

> Kind regards,

>

> Richard

Hi Richard,

It is a very tempting approach, but completely wrecks the standard auth concept and unless you are 100% tight on controlling it, can get very messy.

A good way of looking at it is that you have 2 roles - one contains transactions & the other one a big bucket of authorisations which support those transactions. That bucket invariably contains more authorisations than the transactions require. Given that it is at the authorisation object level that the important security is provided, this method has its drawbacks...

If you have organisational complexity then you should look elsewhere to simplify.

By consolidating your roles (e.g. if we take a risk based design approach, typically around 80% of an accountants role will be the same anywhere in the business) and building at a higher level, you need to create fewer variants (which you might be able to use derived roles for).

Put the effort in the design stage and it will pay dividends later on down the line.

Building at a higher level than task also forces the business to look at roles and responsibilities and to standardise as much as possible.

Cheers

Alex
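
To make the two-role mechanism Alex describes concrete, here is an added toy model of how an SAP authorization check resolves against a user's roles. It is not code from the thread, from SAP, or from any poster. The object and field names (S_TCODE/TCD, F_BKPF_BUK/ACTVT/BUKRS) are standard SAP ones, but the role contents, transaction codes and activity list are constructed for illustration. The model shows three things: a standard derived role for company code 1000; the split design (transaction role plus org-value bucket), where the bucket has to carry full authorization instances and therefore ends up granting activities the transaction role never intended; and why the "obvious" alternative of putting ACTVT in one role and BUKRS in another cannot work at all, since a check only passes when one single instance matches every field.

```python
"""Toy model of SAP AUTHORITY-CHECK semantics, added to illustrate the
'transaction role + org-value bucket' design discussed in the thread.
Object names (S_TCODE, F_BKPF_BUK) and field names (TCD, ACTVT, BUKRS) are
real SAP ones; the role contents below are constructed for illustration."""
from typing import Dict, List, Set

Authorization = Dict[str, Set[str]]          # field -> allowed values ('*' = all)
Role = Dict[str, List[Authorization]]         # object -> its authorization instances


def field_matches(allowed: Set[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def check(user_roles: List[Role], obj: str, **fields: str) -> bool:
    """The check passes if ANY single authorization instance of the object, from
    ANY assigned role, matches ALL requested fields. Field values are never
    combined across two instances or two roles."""
    for role in user_roles:
        for auth in role.get(obj, []):
            if all(field_matches(auth.get(f, set()), v) for f, v in fields.items()):
                return True
    return False


# Design A: one derived role per company code, org values inside the same role.
STANDARD_1000: Role = {
    "S_TCODE": [{"TCD": {"FB60", "FB03"}}],                       # enter / display document
    "F_BKPF_BUK": [{"ACTVT": {"01", "02", "03"}, "BUKRS": {"1000"}}],
}

# Design B: a transaction role with no org values, plus an org-value bucket.
TX_ROLE: Role = {"S_TCODE": [{"TCD": {"FB60", "FB03"}}]}
# The bucket has to satisfy every transaction role it will ever be paired with
# for company code 1000, so in practice its activity fields end up wide
# (constructed here as ACTVT '*').
ORG_BUCKET_1000: Role = {"F_BKPF_BUK": [{"ACTVT": {"*"}, "BUKRS": {"1000"}}]}

# Design B done 'naively': functional fields in one role, org fields in another.
NAIVE_TX: Role = {"F_BKPF_BUK": [{"ACTVT": {"01", "02", "03"}}]}
NAIVE_ORG: Role = {"F_BKPF_BUK": [{"BUKRS": {"1000"}}]}

ACTVT_VALUES = ("01", "02", "03", "06")      # create, change, display, delete


def granted_activities(user_roles: List[Role], obj: str, **org: str) -> Set[str]:
    """Which activities a user actually holds on obj within the given org values.
    Useful as an audit check against what the transaction role was meant to grant."""
    return {a for a in ACTVT_VALUES if check(user_roles, obj, ACTVT=a, **org)}


def compare_designs() -> Dict[str, bool]:
    standard_user = [STANDARD_1000]
    split_user = [TX_ROLE, ORG_BUCKET_1000]
    return {
        "standard: display in 1000": check(standard_user, "F_BKPF_BUK", ACTVT="03", BUKRS="1000"),
        "standard: delete in 1000": check(standard_user, "F_BKPF_BUK", ACTVT="06", BUKRS="1000"),
        "split: display in 1000": check(split_user, "F_BKPF_BUK", ACTVT="03", BUKRS="1000"),
        "split: delete in 1000": check(split_user, "F_BKPF_BUK", ACTVT="06", BUKRS="1000"),
        "split: display in 2000": check(split_user, "F_BKPF_BUK", ACTVT="03", BUKRS="2000"),
    }


def excess_from_split() -> Set[str]:
    """Activities the split design grants beyond the standard derived role."""
    split = granted_activities([TX_ROLE, ORG_BUCKET_1000], "F_BKPF_BUK", BUKRS="1000")
    standard = granted_activities([STANDARD_1000], "F_BKPF_BUK", BUKRS="1000")
    return split - standard


def naive_split_fails() -> bool:
    """Splitting the fields of one object across two roles never passes the check,
    because no single instance carries both ACTVT and BUKRS."""
    return not check([NAIVE_TX, NAIVE_ORG], "F_BKPF_BUK", ACTVT="03", BUKRS="1000")


if __name__ == "__main__":
    for name, result in compare_designs().items():
        print(f"{name}: {'granted' if result else 'denied'}")
    print("excess activities from split design:", sorted(excess_from_split()))
    print("naive field split denied everything:", naive_split_fails())
```

The point of `excess_from_split` is the control Alex says you must be "100% tight" on: whatever the transaction role was designed to allow, the user's effective rights are the union of every instance in the buffer, so the bucket's extra activities (here the delete activity 06) are live for anyone who holds both roles. Running the same comparison against your own role contents is a quick way to see how far the bucket has drifted from what the transaction roles actually need.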

0 Kudos

At the top of this forum page, there is a "sticky" thread with a collection of memorable discussions and threads which contain useful information. A number of them are authorization design related, and the one with the subject "Security Design" will also be interesting for you if you have not read it yet.

It certainly was for me

Cheers,

Julius

Former Member
0 Kudos

Julius, Alex,

you are gorgeous. Many thanks for your efforts!

Kind regards,

Richard