
How does the Role hierarchy change enforcement work in ITIM 5.1?

"The people affected by the role hierarchy change operation are evaluated against all applicable policies in the system, including policies that are not related to any of the parent roles. As a result, you might find accounts not related to the role hierarchy change that are being enforced."

Can someone explain in layman's terms what exactly the above lines are trying to convey, like:

When does a role hierarchy change operation occur?

What are the applicable policies here and how will the change be evaluated?

You have just the above part from a longer chapter and it sounds a little bit out of context, but it is not that complicated.

Role hierarchies have to do with relationships between roles. In ITIM/ISIM you can define that roles are parents/children of other roles and thus create hierarchies. It also supports the notion of inheritance, so that, for example, provisioning policies that apply to the parent role apply to the child roles as well.

A role hierarchy change happens when you add a parent or a child in a given role. If, for example, you had Role1 and you had a provisioning policy that applies to this role, when you add Role2 as a child of the Role1 role, then the provisioning policy will now apply to Role2 too.

As for the other matter in discussion, let's start with two facts:

  1. You might have a number of provisioning policies in your system. Depending on how the policy membership is set up, each one of those can apply to specific roles, groups, or all the persons in your system.
  2. In the default ITIM configuration, each time you modify a person, the modifyPerson workflow is executed. This can contain a number of nodes, but by default it contains a modifyPerson node and an enforcePolicy node. The modifyPerson performs, as the name implies, the modifications on the person object in ITIM. The enforcePolicy node, again as the name implies, evaluates ALL applicable provisioning policies for the person and performs the necessary actions on the person's accounts according to the provisioning policies.

What the sentence you quoted says is that when you add a role (RoleA) as a child of another role (RoleB), the provisioning policy (let's call it Policy1) that applies to RoleA now applies to RoleB also. And if you had a person that was a member of the RoleB, now that you perform the role hierarchy change, the policies for this person will be evaluated because ITIM needs to enforce Policy1 for him. However, this does not mean that at this time the only policy that applies to this person is Policy1. A number of different policies can apply to him and ALL of them will be evaluated at this time. This can lead to changes in other accounts or more changes in the same account of this person.

By the way, this has been modified a little bit with ISIM 6, FixPack 3, Intermittent FixPack 11. Now the enforce policy node in the workflow can be configured to only take into consideration the provisioning policies that need to be reevaluated for the specific change that happens, and not blindly go through and evaluate everything again.
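The behaviour described in this answer, as a simplified Python model added here for illustration; it is not part of the original answer and is not ITIM/ISIM code or its API. The `Policy`, `enforce` and `hierarchy_change` names, the role, policy and service names, and the sample persons are all assumptions; the model compares full evaluation with evaluation scoped to the roles a person gained.

```python
# Simplified model of the behaviour described above; NOT the ITIM/ISIM API. All names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    member: str    # role name, or "*" for all persons
    service: str   # account type the policy entitles

def effective_roles(direct, parents):
    """Direct roles plus every ancestor reached through parent links."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(parents.get(role, ()))
    return seen

def enforce(person, parents, policies, only_roles=None):
    """Accounts enforcement would add. only_roles=None evaluates ALL applicable
    policies; a set limits evaluation to policies bound to those roles."""
    roles = effective_roles(person["roles"], parents)
    added = []
    for p in policies:
        applies = p.member == "*" or p.member in roles
        in_scope = only_roles is None or p.member in only_roles
        if applies and in_scope and p.service not in person["accounts"]:
            added.append((p.name, p.service))
    return added

def hierarchy_change(child, parent, parents, persons, policies, scoped=False):
    """Add `parent` above `child`, then enforce for every affected person."""
    before = {n: effective_roles(p["roles"], parents) for n, p in persons.items()}
    parents.setdefault(child, set()).add(parent)
    result = {}
    for name, p in persons.items():
        gained = effective_roles(p["roles"], parents) - before[name]
        if gained:  # only people whose effective roles changed are affected
            result[name] = enforce(p, parents, policies, gained if scoped else None)
    return result

# Constructed sample data: alice has no LDAP account yet although PolicyAll covers everyone.
POLICIES = [Policy("Policy1", "Role1", "SAP"), Policy("PolicyAll", "*", "LDAP")]
def demo(scoped):
    persons = {"alice": {"roles": {"Role2"}, "accounts": set()},
               "bob": {"roles": {"Role3"}, "accounts": set()}}
    return hierarchy_change("Role2", "Role1", {}, persons, POLICIES, scoped)
```

With full evaluation, `demo(False)` reports an LDAP account for alice even though PolicyAll has nothing to do with Role1; `demo(True)` reports only the SAP account that follows from the hierarchy change.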
