17.2 Managing Roles

The Manage Roles action on the Roles tab of the Identity Manager user interface allows you to create a new role or modify or delete an existing role.

NOTE:You cannot use this action to create new or delete existing system roles. You can use it to modify system roles.

What you can see and do on this page depends on your security role, as described in Table 17-1.

Table 17-1 Security Role Capabilities

Security Role

Capabilities

Roles Module Administrator

A Roles Module Administrator can:

  • Create new roles in all containers.

  • Modify all existing roles.

  • Delete all existing roles (except system roles).

Roles Manager

A Roles Manager can:

  • Create new roles in all containers. All required rights are granted for the user upon role creation.

  • Modify only the roles for which they have browse rights.

  • Delete only the roles for which they have browse rights.

The user interface shows only those levels and containers for which a Roles Manager has browse rights. If the manager does not have browse rights for a particular level, but does have rights to the child container, the interface shows the level. If the manager has browse rights to a child container, but not to the parent container, the parent container is visible, but cannot be selected.

When a Roles Manager attempts to create a new role, the user interface verifies whether the manager has rights to the chosen level and container. If the user does not have the necessary rights, the interface disables the New button and displays an error message.

17.2.1 Creating New Roles

  1. Click Manage Roles in the list of Role Management actions.

  2. Click New.

    The User Application prompts you to provide a Role Name in the New Role Details section of the Manage Roles page. For more information on each of the fields in this section, see Table 17-2, Role Details.

  3. Navigate to Approval Details, and complete the fields as described in Table 17-3, Approval Details.

  4. Click Save to make your changes permanent.

17.2.2 Modifying or Deleting Existing Roles

  1. Click Manage Roles in the list of Role Management actions.

  2. To find the role whose details you want to modify, use the Object Selector or the Show History tool to select the constraint. For details on using the Object Selector and Show History tools, see Common User Actions.

  3. When you select the role you want from the list, the lookup page closes and displays the Role Details and Approval Details for the selected role.

    The Manage Roles page displays the name of the role that is currently selected in the Role Details section.

    HINT:The Manage Role Relationships link provides quick way access to the Manage Role Relationships page. If you have selected a role, it displays the contents of the selected role for editing.

  4. To delete the currently selected role, click Remove.

    For more information on the role details you can modify, see Table 17-2, Role Details.

    For more information on the Approval Details you can modify, see Table 17-3, Approval Details.

  5. After you complete the changes, click Save.

17.2.3 Role Properties

Role Details Properties

Table 17-2 Role Details

Field

Description

Role Name

The text used when the role name displays in the User Application. You cannot include the following characters in the Role Name when you create a role:

< > , ; \ " +  # = / | & *

You can translate this name in any of the User Application’s supported languages. For more information, see Table 1-1, Common Buttons.

Role Description

The text used when the role description displays in the User Application. Like the Role Name, you can translate it to any of the User Application’s supported languages. For more information, see Table 1-1, Common Buttons.

Role Level

(Read-only when modifying a role.) Choose a role level from the drop-down list.

Role levels are defined using the Designer for Identity Manager Role Configuration editor. For more information about Role levels, see Section 14.1, About the Roles Tab.

Role Container

(Read-only when modifying a role.) The location for the role objects in the driver. Role containers reside under role levels. The User Application shows only the role containers that reside under the role level that you choose. You can create a role either directly in a role level, or in a container within the role level. Specifying the role container is optional.

Role Owners

A user who is designated as the owner of the role definition. When you generate reports against the Role Catalog, you can filter the report based on the role owner. The role owner does not automatically have the authorization to administer changes to a role definition.

Role Categories

Allow you to categorize roles for role organization. Categories are used for filtering lists of roles. Categories are multi-select.

Approval Details Properties

Table 17-3 Approval Details

Field

Description

Approval Required

Select Yes if the role requires approval when requested, and you want the approval process to execute the standard role assignment approval definition.

Select No if the role does not require approval when requested.

Use Standard Approval

Select Yes if this role uses the standard role assignment approval definition specified in the Role Subsystem. The name of the approval definition displays as read-only in the Role Assignment Approval Definition below.

You must select the type of approval (Serial or Quorum) and the valid approvers.

When you select No, you are prompted for the name of a custom Role Assignment Approval Definition.

Role Assignment Approval Definition

The name of the provisioning request definition executed when the role is requested. If the value of Use Standard Approval is Yes, the value is derived from the Role Subsystem configuration settings. If the value is No, then you must select the name of the custom provisioning request definition to use.

Approval Type

Select Serial if you want the role to be approved by all of the users in the Approvers list. The approvers are processed sequentially in the order they appear in the list.

Select Quorum if you want the role to be approved by a percentage of the users in the Approvers list. The approval is complete when the percentage of users specified is reached.

For example, if you want one of four users in the list to approve the condition, you would specify Quorum and a percentage of 25. Alternatively, you can specify 100% if all four approvers must approve in parallel. The value must be an integer between 1 and 100.

HINT:The Serial and Quorum fields have hover text that explains their behavior.

Approvers

Select User if the role approval task should be assigned to one or more users. Select Group if the role approval task should be assigned to a group. Select Role if the role approval task should be assigned to a role.

To locate a specific user, group, or role, use the Object Selector or History buttons.To change the order of the approvers in the list, or to remove an approver, see Section 1.4.4, Common User Actions.