7.11 Role Request Activity

The Role Request activity allows you to automate the granting or revoking of roles to users, groups, or containers. For example, you might write a provisioning request definition that provisions all of the resources and roles a new employee needs on their first day. Using the role request activity, you can automate the approval of that employee for specified roles.

You can also configure the activity to respond to Separation of Duty (SoD) constraint overrides by always approving, or allowing specific cases. You can use the activity to configure the effective and expiration dates for the role, or use it to extend the expiration date of a role.

The Role Request activity runs within the system service security context.

There is no limit on the number of Role Request activities allowed within a workflow.

The Role Request activity fails if the requested role DN or the target DN is invalid, or does not exist.

The result of the role request is written as a system comment to the comment history.

7.11.1 Properties

The Role Request activity has the following properties:

Table 7-21 Role Request Properties

Property Name



Required. Provides a localizable name for the activity.


Required. Text that describes the reason for the assignment request. This corresponds to the Initial Request Description field of the Request Roles Assignment tab.


Required. An expression that resolves to a list of requested roles. For information on building this expression, see Specifying the Roles and Targets Properties.

This is an example of the script to request a specific role:

'CN=Administer Drugs,CN=Level10,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,' + PROVISIONING_DRIVER

In this script example, the value is retrieved from flowdata:



Specifies the action the activity should perform. Select a value from the drop-down list. The values are:

  • grant (default): Use this value if the role should be granted.

  • revoke: Use this value if the role should be revoked.

  • extend: Use this value to extend the expiration date of the specified role. The role must already be granted, and the value that you specify in Expiration Date must be later than the one currently specified.

Target Type

Required. Specifies the type of object that the requested role will be assigned. Choose one of the values from the list. The values are:

  • user (default)

  • group

  • container

  • container with subtree


Required. An expression that resolves to the DN of the object for whom the role is requested. The target can be users, groups, or containers depending on Target Type value. The targets that you specify must resolve to the Target Type specified.

For information on building this expression, see Specifying the Roles and Targets Properties.

The following examples show a script for targets:


To retrieve the value from flowdata:


Effective Date

The date when the role assignment goes into effect. If no date is specified, the assignment is effective immediately after it is requested. You can use the expression builder convenience methods to specify this value.

Expiration Date

The date when the role assignment expires. If not specified, the assignment remains in effect indefinitely. You can use the expression builder’s convenience methods to specify this value.

Correlation ID

An optional string field. If not supplied, it defaults to the process instance ID. This string must be less than or equal to 64 characters.

SoD Override Request

Optional field. Defines how the Role Request activity should handle a request that causes an SoD constraint violation. Values are:

  • true: SoD override is requested for all encountered conflicts.

  • false (default): An SoD override is not requested for all encountered conflicts. Role Request activity uses the list of SoDs in the SoD Overrides property to determine which SoD constraints to override.

SoD Overrides

Available when the SoD Override Request is false. It is a list of one or more SoD constraints to override. When an SoD constraint is encountered and the constraint is in this list, the role request activity will request the role. It the SoD is not in this list, the role request activity will stop executing and follow the error link.

You can use the Expression Builder’s convenience methods to build the expression. The list contains the local list of SoDs defined for this project. For example:

Selecting the Doctor-Nurse SoD generates an expression like this:


Override Justification

Optional field. Available when SoD Override Request is false. Describes why an exception to the SoD constraint is necessary. If no value is specified, the Description is used. This example shows how to retrieve the value from flowdata.


Specifying the Roles and Targets Properties

Designer provides a convenient way to build the Roles and Targets expressions using the expression builder.

  1. Click the button in the property’s Value column.

    Designer launches this dialog box for adding or removing expressions.

  2. Click + to add a new Roles or Targets expression by using the Expression Builder.

    The dialog box displayed by Designer varies depending on whether you are specifying Roles or Targets. This dialog shows an example of the dialog box displayed to specify Roles because it includes the Search Roles button.

    You can choose one of the ECMAScript Objects to build the Roles or Targets expression, or use the Identity Vault button to select a specific object. Click Search Roles to locate a role.

    1. To choose specify a Role, click Search Roles.

    2. In the dialog box, specify the CN, Display Name, Description, Role Category, and Role Level on which you want to search.

      For CN, Display Name, and Description, you can enter a wildcard (such as S*, *S) or regular expressions (such as [A-Z][a-z]*).

      You can enter a value for all of the fields or none of the fields. If you do not supply a value in a particular field, the search returns all of the possible values for that field. If you enter a value in one or more of the fields, the values are ANDed together to create the search filter. The search occurs on the roles defined locally. Roles matching the search criteria are displayed in the Matching Roles selection list.

    3. Select a role from the Roles selection list, then click OK. The role is added to the expression area.

  3. Click OK after you are satisfied with expression. Repeat Step 2 to continue to add more expressions.

7.11.2 Data Item Mapping

Not supported with this activity.

7.11.3 E-Mail Notification

Not supported with this activity.