Each administrator can be assigned a set of roles. The Adminapp configuration defines which role combinations are permitted.
Example:
- administrators with roles useradmin and helpdesk are allowed
- administrators with roles useradmin and tokenadmin are not allowed
Whitelisting the permitted role combinations, and assigning roles to actions accordingly, makes it possible to implement segregation of duties.
Example:
The configuration excerpt shown below states the following:
- An administrator is required to be in role useradmin in order to be allowed to generate or order a password for a user.
- An administrator is required to be in role tokenadmin in order to activate or order a token list for a user.
- An administrator can only have role useradmin or tokenadmin but not both. This guarantees that no administrator can create or order all credentials for a user.
![63972151.png](../media/03_Media/Screenshots/IAM/Config_Editor/63972151.png.theme/1.4/en-us.63972151.png_html.png)
![63972152.png](../media/03_Media/Screenshots/IAM/Config_Editor/63972152.png.theme/1.4/en-us.63972152.png_html.png)
![63972153.png](../media/03_Media/Screenshots/IAM/Config_Editor/63972153.png.theme/1.4/en-us.63972153.png_html.png)
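The following added example (not Adminapp code or configuration syntax) models the rules above so that a whitelist can be checked for segregation-of-duties gaps before it is deployed. The role names come from this page; the action identifiers, the data structures and the exact-match whitelist semantics are assumptions made for illustration.

```python
# Added illustration, not Adminapp code. Role names are from the page;
# action identifiers and exact-match semantics are assumptions.

# Whitelist of permitted role combinations (constructed sample).
ALLOWED_COMBINATIONS = [
    frozenset({"useradmin"}),
    frozenset({"tokenadmin"}),
    frozenset({"useradmin", "helpdesk"}),
]

# Role required to perform each action (hypothetical action identifiers).
REQUIRED_ROLE = {
    "generate_password": "useradmin",
    "order_password": "useradmin",
    "activate_token_list": "tokenadmin",
    "order_token_list": "tokenadmin",
}

# Duties that one administrator must never hold together.
CONFLICTING_DUTIES = [
    ({"generate_password", "order_password"},
     {"activate_token_list", "order_token_list"}),
]


def is_allowed_combination(roles, allowed=ALLOWED_COMBINATIONS):
    """An administrator's role set must exactly match a whitelisted combination."""
    return frozenset(roles) in allowed


def permitted_actions(roles, required=REQUIRED_ROLE):
    """Actions an administrator holding these roles may perform."""
    return {action for action, role in required.items() if role in roles}


def sod_violations(allowed=ALLOWED_COMBINATIONS, required=REQUIRED_ROLE,
                   conflicts=CONFLICTING_DUTIES):
    """Whitelisted combinations that can act on both sides of a conflict."""
    violations = []
    for combo in allowed:
        actions = permitted_actions(combo, required)
        if any(actions & a and actions & b for a, b in conflicts):
            violations.append(combo)
    return violations
```

Running `sod_violations()` against a proposed whitelist returns every combination that would let a single administrator handle both passwords and token lists; an empty list means the whitelist preserves the separation.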