Subuser concept
The subuser concept copes with use cases where a profile has to be inherited from one user (main user) and assigned to another user (subuser/deputy). The inherited profile allows the subuser to use, for instance, all applications the main user is authorized for. Every user can appoint its own subusers.
Once a subuser has been appointed, the subuser will have the choice to work with his own user profiles or with the profile inherited from the main user. This choice is made during the login process.
To enable the subuser feature, see the chapter Client policy, configuration parameter "gui.deputy.enabled". By default, the feature is disabled. From a more technical point of view, the inherited profile and the subuser entity are mapped via a so-called appointed (deputy) profile on the subuser entity. It acts as intermediary and has limited functionality compared to a common profile.
The subuser concept has the following characteristics:
- Only the name, remarks, state and default flag of an appointed profile can be changed. An appointed profile is assigned to the same unit as the original profile of the main user. Therefore, an appointed profile can remain active even if the original profile of the main user is deactivated (due to inactivity). However, if the original profile is archived or deleted, the appointed profile is deleted.
- Application roles and enterprise roles are inherited from the original profile of the main user. nevisIDM roles are not inherited.
- The main user can revoke the subuser/deputy at any time.
- Multiple subusers can be nominated for the same profile.
Subusers/deputies can be appointed in the selfadmin GUI or by using the Self-adminService (since v1.14) with SelfAdmin rights only.
Subusers/deputies can also be appointed in the admin GUI by going to the User Administration view and selecting the profile. The 'Appoint deputy' button can be found on the bottom of the Profile Administration view.