Former Member

Org Level Roles / Authorization Object Roles

Hi board,

I have heard of the concept of using roles with "Organizational Values" only and no other authorization values contained. Similar is the idea to exclude special authorization objects from common roles and combine them in dedicated special ones to prevent accidental "double usage".

The first may help to control the overall number of roles coming up after deriving single/composite roles for many levels.

My questions are:

- Is it technically feasible (for a large-scale company)?

- What is your experience?

- Drawbacks?

Kind regards and many thanks for your help,

Richard


4 Answers

  • Best Answer
    Former Member
    Posted on Jul 07, 2008 at 02:51 PM

    Hi there,

    that was fast, amazing. Thanks a lot and my apologies for not finding the other thread from the beginning. I can see drawbacks, nevertheless it is still tempting due to the fact that derivation for over 30 countries will produce a huge number of roles. Not from the system performance point of view, just to handle this amount will be painful.

    Given the assumption that it is not a good idea to use "Org Value Roles", are you deriving on composite or on single level?

    Kind regards,

    Richard


    • Former Member

      At the top of this forum page, there is a "sticky" thread with a collection of memorable discussions and threads which contain useful information. A number of them are authorization design related, and the one with the subject "Security Design" will also be interesting for you if you have not read it yet.

      It certainly was for me 😊

      Cheers,

      Julius

  • Former Member
    Posted on Jul 07, 2008 at 02:39 PM

    Hi Richard,

    There is a related discussion currently going on in this thread: Minimize the number of roles using the Bolt-on’s

    So far using org-levels in the same single (derived) role seems to be in the lead.

    Cheers,

    Julius


  • Posted on Jul 07, 2008 at 02:41 PM

    Hi Richard,

    There are a few pointers on the drawbacks in the following post: Minimize the number of roles using the Bolt-on’s

    That should answer your questions. I think it's fair enough to say that in my experience, the majority of companies which have implemented this have increased complexity and reduced security over a standard build. Some have made it work well as they have put appropriate controls in place.


  • Former Member
    Posted on Jul 07, 2008 at 08:59 PM

    Julius, Alex,

    you are gorgeous. Many thanks for your efforts!

    Kind regards,

    Richard
