17.5 Configuring the Role Subsystem

The Configure Role Subsystem action on the Roles tab of the Identity Manager user interface allows you to specify administrative settings for the Role Subsystem.

To define Role Subsystem administrative settings:

  1. Click Configure Role Subsystem in the Role Management group of actions.

  2. Specify (in seconds) a Grace Period for Role Assignment Removal.

    This value specifies the amount of time, in seconds, before a role assignment is removed from the Role Catalog (0 by default). A grace period of zero means that when someone is removed from a role assignment, the removal happens immediately and the subsequent revocation of entitlements is initiated immediately. You might use the grace period to delay the removal of an account that would subsequently be re-added (for example, if a person is being moved between containers). An entitlement can disable an account (this is the default) rather than removing it.

  3. Choose the provisioning request definition to run when an SoD exception request is made. You can specify one definition per User Application driver.

    1. To find a provisioning request definition, use the Object Selector or History buttons, as described in Section 1.4.4, Common User Actions.

  4. Choose a Default SoD Approval Type of Serial or Quorum.

    | Field | Description |
    |---|---|
    | Serial | Select Serial if you want the role to be approved by all of the users in the Approvers list. The approvers are processed sequentially in the order they appear in the list. |
    | Quorum | Select Quorum if you want the role to be approved by a percentage of the users in the Approvers list. The approval is complete when the percentage of users specified is reached. For example, if you want one of four users in the list to approve the condition, you would specify Quorum and a percentage of 25. Alternatively, you can specify 100% if all four approvers must approve in parallel. The value must be an integer between 1 and 100. |

  5. Click + to modify the Default SoD Approvers.

    | Field | Description |
    |---|---|
    | Approvers | Select User if the role approval task should be assigned to one or more users. Select Group if the role approval task should be assigned to a group. Only one member of the group needs to approve. To locate a specific user or group, use the Object Selector or History buttons. To change the order of the approvers in the list or to remove an approver, see Section 1.4.4, Common User Actions. |

  6. Click Save to make your choices permanent.