11.2 About the Role Catalog

The Role Catalog uses the Identity Vault to store role definitions that the User Application uses to determine:

The User Application ships with:

You use the Roles Based Provisioning Tools to create new Role Catalog objects and customize existing ones for your own business needs. The Role Catalog node of the Provisioning view provides access to the Identity Manager Roles Based Provisioning Module design and configuration tools.

You can use the Role Catalog node to import, export, deploy, validate, compare, and localize the role definitions, the separation of duties constraints, and the Roles Configuration object, either as a group or individually. It also provides access to each of the Roles Based Provisioning Module tools.

When you use any of the editors available through the Role Catalog, you modify a set of local XML files. The local files are created when you add a Role Service driver to the Identity Manager project. The files are created in the workspace in the project’s Provisioning\AppConfig\RoleConfig folder.

Table 11-1 Local Roles Directories

Directory name



Contains a folder for each role level. These folders can contain additional hierarchy levels, depending on how you set up your roles. If you add categories or additional levels, they are reflected in the folder structure. The folders contain the definitions for the roles within that level, and the file extensions correspond to the level. For example, the files in the level10 folder have .level10 as the extension.


Contains the files that define the separation of duties constraints. Files have the .sod extension.

The Roles Configuration object definition file resides at the root of the RoleConfig folder. There can be only one such file, and its name is configuration.roleconfig.
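The layout rules above can be checked before a deploy, so that a misplaced role file or a stray second configuration file is caught in the workspace. The following Python script is an added example, not part of the product or its documentation. It assumes that a role file is correctly placed when any ancestor folder inside RoleConfig carries the same name as the file's extension, and the sample folder and file names (`roles`, `constraints`, `nurse.level10`, and so on) are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

LEVEL_EXT = re.compile(r"^\.level\d+$")   # e.g. ".level10"
CONFIG = Path("configuration.roleconfig")

def audit_roleconfig(root):
    """Return (findings, counts) for a local RoleConfig folder."""
    root = Path(root)
    findings, counts = [], {"roles": 0, "sod": 0}
    # There can be only one Roles Configuration file, at the RoleConfig root.
    configs = [p.relative_to(root) for p in root.rglob("*.roleconfig")]
    if CONFIG not in configs:
        findings.append("missing configuration.roleconfig at RoleConfig root")
    for extra in sorted(c for c in configs if c != CONFIG):
        findings.append(f"unexpected Roles Configuration file: {extra.as_posix()}")
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if LEVEL_EXT.match(path.suffix):
            counts["roles"] += 1
            level = path.suffix[1:]
            # Assumption: the level folder may sit above category subfolders.
            if level not in rel.parts[:-1]:
                findings.append(f"{rel.as_posix()}: not under a {level} folder")
        elif path.suffix == ".sod":
            counts["sod"] += 1
    return findings, counts

def build_sample(root):
    """Constructed sample workspace; every folder and file name is made up."""
    root = Path(root)
    for rel in ("configuration.roleconfig",
                "roles/level10/nurse.level10",
                "roles/level20/clinical/ward.level20",
                "roles/level30/stray.level10",            # deliberately misplaced
                "constraints/nurse-pharmacist.sod",
                "constraints/configuration.roleconfig"):  # deliberate duplicate
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<placeholder/>", encoding="utf-8")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_roleconfig(build_sample(tmp))

if __name__ == "__main__":
    print(*demo()[0], sep="\n")
```

To check a real project, call `audit_roleconfig` with the path to the project's Provisioning\AppConfig\RoleConfig folder; a drop in the `.sod` count between two runs is worth reviewing before deployment.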

The Role Catalog is deployed in the User Application driver’s AppConfig.RoleConfig file.