Specifying mutual exclusivity

The mutual exclusivity feature lets you ensure that a login with a given role either cannot be assigned to another role or cannot use another role at the same time. Defining roles as mutually exclusive lets you enforce a policy of separation of duties. Mutual exclusivity is often used to prevent collaboration between job-related capabilities. For example, your business model might specify that separate transactions should be required to initiate a payment and to authorize a payment, and that no single individual should be capable of executing both transactions.

The system security officer can define mutual exclusivity at the membership level or at the activation level. When two roles are defined as being mutually exclusive at the membership level, the system security officer cannot grant the same login to both roles. When two roles are defined as being mutually exclusive at the activation level, the system security officer can grant a user both roles, but the user cannot activate both roles at the same time.

Steps: Specifying mutual exclusivity for a role

  1. Select the role icon, then choose File | Properties.

  2. Select the Exclusivity tab.

  3. Click Add Role. The Add Mutually Exclusive Roles dialog box opens.

  4. In the list, select the role you want to make mutually exclusive with the role you are editing.

  5. For Exclusion Type, select Membership or Activation. Membership means that no login can be assigned both of the roles. Activation means that no user can activate both roles at the same time.

  6. Click OK. The new exclusivity mapping is added to the list on the Exclusivity tab.

  7. Click Apply.
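
The difference between the two exclusion types in step 5, modelled as an added example (this is not code from the product or its documentation). The class, role, and login names are hypothetical, and the model assumes exclusivity mappings are defined before any roles are granted.

```python
# Added illustration: in-memory model of the two exclusion types, not product code.
class ExclusivityError(Exception):
    """A grant or activation would break an exclusivity mapping."""

class RoleModel:
    def __init__(self):
        self.exclusive = {}  # frozenset({role_a, role_b}) -> exclusion type
        self.granted = {}    # login -> roles granted
        self.active = {}     # login -> roles currently active

    def add_exclusivity(self, role_a, role_b, exclusion_type):
        if exclusion_type not in ("membership", "activation"):
            raise ValueError("exclusion type must be 'membership' or 'activation'")
        self.exclusive[frozenset((role_a, role_b))] = exclusion_type

    def _conflict(self, role, held, exclusion_type):
        # First role in `held` that is exclusive with `role` at this level, else None.
        for other in held:
            if self.exclusive.get(frozenset((role, other))) == exclusion_type:
                return other
        return None

    def grant(self, login, role):
        held = self.granted.setdefault(login, set())
        other = self._conflict(role, held, "membership")
        if other is not None:
            raise ExclusivityError(f"{login}: {role} is membership-exclusive with {other}")
        held.add(role)

    def activate(self, login, role):
        if role not in self.granted.get(login, set()):
            raise PermissionError(f"{login} has not been granted {role}")
        active = self.active.setdefault(login, set())
        other = self._conflict(role, active, "activation")
        if other is not None:
            raise ExclusivityError(f"{login}: {role} cannot be active with {other}")
        active.add(role)

    def deactivate(self, login, role):
        self.active.get(login, set()).discard(role)

if __name__ == "__main__":
    m = RoleModel()  # constructed scenario: the payment example from the text
    m.add_exclusivity("pay_initiator", "pay_authorizer", "activation")
    m.grant("alice", "pay_initiator"); m.grant("alice", "pay_authorizer")  # both allowed
    m.activate("alice", "pay_initiator")
    try:
        m.activate("alice", "pay_authorizer")
    except ExclusivityError as e:
        print("blocked:", e)
```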