Conflict Groups
As an extension of OpenIAM's 'Separation of duties' concept, the toxic access detection feature has been available since OpenIAM version 4.2.2.
The 'Conflict Group' entity was introduced to collect a set of OpenIAM objects (Roles, Groups, Resources and Organizations) into a single group in which each member is toxic in conjunction with any other member of the same group. It is not mandatory that the objects defined in a Conflict Group are directly linked to the User.
To explain how it works, review the example below. Imagine that there are two Conflict Groups defined in the system:
- Conflict Group A, which contains ResourceA21 and ResourceB11
- Conflict Group B, which contains GroupA1 and ResourceB1

If a User has access to both Role A and Role B, toxic access will be detected, because Role A and Role B together inherit the objects of at least one Conflict Group.
Once a Conflict Group has been created, it is no longer possible to add a new entitlement to a user if the new link would cause toxic access.
To configure Conflict Groups, log in to the webconsole as a Super Security Admin user and navigate to the 'Access Control' -> 'Conflict Group' menu item.
The screen contains two tabs: "Conflict Groups Configuration" and "Violating conflict groups users".
Conflict Groups Configuration
This tab shows a list of the Conflict Groups that already exist. The list has name, description and related objects columns. To create a new Conflict Group, click the 'Plus' button in the top right corner. To edit or delete a Conflict Group, click the corresponding icon in its row.

Violating conflict groups users
This tab shows a list of users who have toxic access. This can happen in the following cases:
- The Conflict Group was created after the entitlements had been added to the user
- The user was saved in 'Skip Conflict Group validation' mode

'Skip Conflict Group validation' mode can be enabled on the classic edit user page of the webconsole application by checking the 'Do you want to continue with toxic access?' checkbox at the bottom of the screen.

It is also possible to enable 'Skip Conflict Group validation' mode from a synchronization script by adding the following line:
pUser.setSkipConflictGroupCheck(true);
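The following Python model, added here as an illustration and not OpenIAM's own code, ties the concepts above together: effective access resolved through Role and Group inheritance, the "two or more members of one Conflict Group" detection rule, the save-time rejection of a toxic link, and the skip flag that lets a user be saved anyway (which is why such users appear on the 'Violating conflict groups users' tab). The contents of Role A, Role B, Role C and GroupA1 are constructed assumptions chosen so that Role A and Role B together cover both Conflict Groups from the page; the Conflict Groups themselves are the page's.

```python
# Toy model of OpenIAM-style Conflict Group (toxic access) detection.
# Added illustration, not OpenIAM code: the Role/Group contents below are
# constructed so Role A and Role B together cover both page Conflict Groups.
from collections import deque

# Constructed object graph: entitlement -> objects it grants directly.
CONTAINS = {
    "Role A": {"GroupA1", "ResourceA21"},
    "Role B": {"ResourceB1", "ResourceB11"},
    "Role C": {"ResourceC1"},
    "GroupA1": {"ResourceA11"},
}

# Conflict Groups from the page: any two members held together are toxic.
CONFLICT_GROUPS = {
    "Conflict Group A": {"ResourceA21", "ResourceB11"},
    "Conflict Group B": {"GroupA1", "ResourceB1"},
}

def effective_access(entitlements):
    """Everything a user holds, directly or through Role/Group inheritance."""
    seen = set()
    queue = deque(entitlements)
    while queue:
        obj = queue.popleft()
        if obj in seen:
            continue
        seen.add(obj)
        queue.extend(CONTAINS.get(obj, ()))
    return seen

def toxic_access(entitlements):
    """Map each violated Conflict Group to the members the user holds.
    One member alone is never toxic; two or more from one group are."""
    held = effective_access(entitlements)
    return {name: sorted(members & held)
            for name, members in CONFLICT_GROUPS.items()
            if len(members & held) >= 2}

def can_add_entitlement(current, new, skip_conflict_group_check=False):
    """Save-time rule: refuse a link that would create toxic access unless
    the user is saved in 'Skip Conflict Group validation' mode."""
    if skip_conflict_group_check:
        return True
    return not toxic_access(set(current) | {new})

def violating_users(users):
    """What the 'Violating conflict groups users' tab lists: users whose
    saved entitlements already contain toxic access."""
    return {u: v for u, ents in users.items() if (v := toxic_access(ents))}
```

With these constructed contents, a user holding only Role A or only Role B is clean, while holding both violates both Conflict Groups through inherited objects rather than direct links.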