Roles can be assigned to a user in several ways:
- directly.
- to a group the user belongs to. In this case, all the other users of this group also get this role.
- to a parent group (a group that includes the group the user belongs to). In this case, all the users of the parent group and of its child groups also get this role.
- via a parent role.
The information about roles, groups, and their interconnections is stored in the appropriate tables:
| Table | Description |
|---|---|
| Roles (sys_role) | List of the roles created in the system. |
| User Roles (sys_user_has_role) | A list of the users and their roles. |
| Groups (sys_group) | List of the groups created in the system. |
| User Groups (sys_user_group) | A list of the users and their groups. |
| Role Contains (sys_role_contains) | A "many-to-many" table, interconnecting parent and child roles. |
| Group Contains (sys_group_contains) | A "many-to-many" table, interconnecting parent and child groups. |
| Group Roles (sys_role_group) | A "many-to-many" table, associating roles with groups. |
The tables above are interrelated: changing a record in one of them can cause changes in the others. For example, when a user is added to a group, a record is created in the User Groups table, and all the roles of that group are assigned to the user by creating new records in the User Roles table. The relationships between these tables are shown in the following diagram:
User Roles
The User Roles (sys_user_has_role) table stores information about the user roles that were:
- assigned directly
- gained through groups
- gained through parent roles or groups.
To get the list of the available records in this table, please navigate to User Administration → User Roles.
Example
John Doe has several roles, among them:
- He is a change manager. This role was assigned to him directly by his manager.
- He is an incident manager. He got this role through the Incident Managers group, of which he is a member.
- Finally, he is an impersonator. He got this role through the Impersonators group, which is included in the Security Admins group.
If you exclude John Doe from the Impersonators group, he will lose the "impersonator" role, and the relevant record will be deleted from the User Roles (sys_user_has_role) table.
You can see an example of the multiple roles for one user on the screenshot below:
There can be two records for the same role: one assigned to the user manually, and the other inherited (Inherited = true). If a user is a member of several groups that grant the same role, the value of the Inheritance count field increases accordingly.
Groups
As mentioned above, group records are stored in the Groups (sys_group) table. A group may be associated with a role; such associations are stored in the Group Roles (sys_role_group) table.
When adding a user to a group, the relevant connection is inserted in the User Groups (sys_user_group) table. Then, the user will obtain the group role, and the corresponding entry will appear in the User Roles (sys_user_has_role) table.
When deleting a record from the User Groups (sys_user_group) table, the group role will be taken away from the user.
Role Inheritance
A role can be inherited in several ways:
- From a parent group. For this, add a record to the Group Contains (sys_group_contains) table specifying the parent group. All the members of the child group will get the roles of the parent group.
- From a parent role. For this, create a record in the Role Contains (sys_role_contains) table specifying the child role. All the users who have the parent role will also inherit the child role.
- From a group role. If a role is defined for a group in the Group Roles (sys_role_group) table, the user inherits all the roles of the groups they belong to. To add a user to a group, create a record in the User Groups (sys_user_group) table.
The reverse is also true: when a role is unlinked from a group (i.e., the record is deleted from the Group Roles (sys_role_group) table), all the group members lose this role; when a child role is added to a parent role, the users holding the parent role get the new child role, and so on.
The depth of inheritance does not matter. For example, the specified parent group may itself have parent groups, and its child group may in turn have its own descendants. In this case, all the parents get all the roles of their descendants.
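To make the rules of the Example and Role Inheritance sections concrete, here is a small resolver that recomputes a user's effective roles from the tables above. This is an added example, not the platform's own code: the table names follow the page, but the rows, the user and group names, and the `direct_assignments` key (standing for the non-inherited rows of sys_user_has_role) are constructed.

```python
"""Resolve a user's effective roles from the role/group tables (added example).

Rules implemented, as the page describes them: a group's roles go to its
members and to every descendant group (sys_group_contains); a parent role
grants all of its child roles (sys_role_contains), at any depth.
"""
from collections import Counter, deque

# Constructed sample rows following the John Doe example on the page.
TABLES = {
    "direct_assignments": {("john", "change_manager")},  # non-inherited rows
    "sys_user_group": {("john", "incident_managers"), ("john", "impersonators")},
    "sys_group_contains": {("security_admins", "impersonators")},  # (parent, child)
    "sys_role_group": {("incident_managers", "incident_manager"),
                       ("impersonators", "impersonator"),
                       ("security_admins", "security_admin")},      # (group, role)
    "sys_role_contains": {("security_admin", "incident_manager")},  # (parent, child)
}


def closure(start, edges):
    """All nodes reachable from `start` over (from, to) pairs, start included."""
    seen, todo = set(), deque(start)
    while todo:
        node = todo.popleft()
        if node not in seen:
            seen.add(node)
            todo.extend(to for frm, to in edges if frm == node)
    return seen


def effective_roles(user, tables):
    """Return {role: {"direct": bool, "inheritance_count": int}}, mirroring
    sys_user_has_role: a direct assignment is its own record, and every group
    path that grants a role raises its Inheritance count by one."""
    # Reverse the parent->child edges so we can walk from a group up to its parents.
    up_edges = [(child, parent) for parent, child in tables["sys_group_contains"]]
    inherited = Counter()
    for member, group in tables["sys_user_group"]:
        if member != user:
            continue
        for g in closure([group], up_edges):  # the group and all its ancestors
            group_roles = [r for gg, r in tables["sys_role_group"] if gg == g]
            for r in closure(group_roles, tables["sys_role_contains"]):
                inherited[r] += 1  # role plus every child role beneath it
    direct = {r for u, r in tables["direct_assignments"] if u == user}
    return {r: {"direct": r in direct, "inheritance_count": inherited[r]}
            for r in direct | set(inherited)}


def remove_from_group(tables, user, group):
    """Delete the sys_user_group row; recomputing drops every role it granted."""
    return {**tables, "sys_user_group": tables["sys_user_group"] - {(user, group)}}
```

Removing John from the Impersonators group also removes the Security Admins roles he reached through the parent group, and the Inheritance count of incident_manager drops from 2 to 1 because only the Incident Managers path remains.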