Each administrator can be assigned a set of roles. In the Adminapp configuration you can define which combinations of roles are permitted.
Example:
- administrators with roles useradmin and helpdesk are allowed
- administrators with roles useradmin and tokenadmin are not allowed
Whitelisting the permitted role combinations, together with assigning roles to actions accordingly, makes it possible to implement segregation of duties.
Example:
The configuration excerpt for this example states the following:
- An administrator is required to be in role useradmin in order to be allowed to generate or order a password for a user.
- An administrator is required to be in role tokenadmin in order to activate or order a token list for a user.
- An administrator can only have role useradmin or tokenadmin but not both. This guarantees that no administrator can create or order all credentials for a user.
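The check described above can be sketched as follows. This is an added example, not Adminapp code and not its configuration format. It assumes that an administrator's role set must exactly match one whitelisted combination; the action names, the sample whitelist and the administrator accounts are constructed for illustration.

```python
# Added illustration; not Adminapp code or its configuration format.
# Assumption: a role set is valid only if it exactly matches a whitelisted combination.

# Constructed whitelist: useradmin+helpdesk is listed, useradmin+tokenadmin is not.
ALLOWED_COMBINATIONS = [
    frozenset({"useradmin"}),
    frozenset({"tokenadmin"}),
    frozenset({"helpdesk"}),
    frozenset({"useradmin", "helpdesk"}),
]

# Role required for each action (action names are hypothetical labels).
REQUIRED_ROLE = {
    "generate_password": "useradmin",
    "order_password": "useradmin",
    "activate_token_list": "tokenadmin",
    "order_token_list": "tokenadmin",
}

# Constructed administrator accounts used by audit() below.
ADMINS = {
    "alice": {"useradmin", "helpdesk"},
    "bob": {"useradmin", "tokenadmin"},
    "carol": {"tokenadmin"},
}


def is_allowed_assignment(roles, allowed=ALLOWED_COMBINATIONS):
    """True if the role set exactly matches a whitelisted combination."""
    return frozenset(roles) in allowed


def permitted_actions(roles, required=REQUIRED_ROLE):
    """Actions an administrator holding these roles may perform."""
    return {action for action, role in required.items() if role in roles}


def sod_violations(allowed=ALLOWED_COMBINATIONS, required=REQUIRED_ROLE):
    """Whitelisted combinations that could perform every credential action."""
    every_action = set(required)
    return [set(c) for c in allowed
            if permitted_actions(c, required) == every_action]


def audit(admins, allowed=ALLOWED_COMBINATIONS):
    """Names of administrators whose role set is not whitelisted."""
    return sorted(name for name, roles in admins.items()
                  if not is_allowed_assignment(roles, allowed))
```

Running `sod_violations()` against a proposed whitelist before it is deployed shows whether any single permitted combination would let one administrator issue both a password and a token list.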


