Responsibility of the head of the organisation unit

The head of the organisation unit is always responsible for the assignment of rights via the IdM role administration. They can manage the rights by themselves by using the role “Role administration” or they can delegate the management of rights to the employees of the organisation unit by assigning the role “Role administration” to them.

The owners of the role “Role administration” can manage their rights by themselves through assigning the role “Role administration” to themselves or to other persons or through extending it. The head of the organisation unit is to guarantee that authorised persons only own and use this role. Therefore, it is advisable that the head of the organisation also owns the role “Role administration”.  

The role “Role administration” does not have any conditions but it has an expiry date. The role is configured with a quorum of one. The quorum defines how many persons must own the role within an organisation unit. The quorum prevents that the role is revoked automatically from the last role administrator in the organisation unit even if the expiry date of the role is reached. In such a way, the operation of the organisation unit is guaranteed.

Generally, the head of the organisation is responsible for providing a necessary number of persons with the role “Role administration” to guarantee the operation of the organisation unit. It is advisable to have at least two persons who owns the role “Role administration”.

Responsibility of the owners of the role “Role administration”

A role is considered in different systems as a substitute for a signature. Therefore, the assigning of a role is the same as authorisation for signing.

Persons with the role “Role administration” in an organisation unit assign and revoke all available roles in this organisation unit according to legitimate requirements.

On behalf of the head of the organisation unit, they assign the roles by generating required coupons in the IdM role administration and forwarding them directly and safely to authorised persons (role owners) or they revoke the roles.

Such mechanisms as controlling the connection between the data in Identity Management and RWT Person Directory or controlling the employee status are meant to support role administrators in their tasks. Despite these mechanisms, role administrators are obliged to revoke roles if the conditions for the roles are lost. They are particulary obliged to check the assigned roles regularly. It is advisable to check the role assignment once a semester.