Create Role

Initiates a request to the Roles Based Provisioning Module (RBPM) to create the role named in the Role Name field. When the action succeeds, Identity Manager writes a success message to the success.do-create-role local variable. If a policy containing this action encounters an error, Identity Manager writes an error message to the error.do-create-role local variable; a policy that depends on the role existing should test this variable before continuing. For more information about local variables, see Local Variable Selector. This action is available only with the Identity Manager server version 4.6.

Fields

Role Name

Specify the name of the role to create. Supports variable expansion. For more information, see Variable Selector.

User Application URL

Specify the URL of the User Application server hosting the Roles Based Provisioning module. Supports variable expansion. For more information, see Variable Selector.

Authorized User DN

Specify, in LDAP format, the DN of the user who is authorized in RBPM to request the role creation. Supports variable expansion. For more information, see Variable Selector.

Password

Specify the password of the authorized user. You can enter a clear text password (not recommended, because it is then stored in the policy definition) or use the Argument Builder to specify a Named Password, which keeps the credential out of the policy text.

Timeout Value

Specify the number of milliseconds Identity Manager waits while trying to establish a connection to the User Application server before timing out. The default value is 0.

Strings

(Optional) Specify additional argument strings for the role creation request. You can enter the strings manually, or select the Edit the Strings icon to open the Named String Builder and specify the strings. For more information about the Named String Builder, see Named String Builder.

Example

The Create Role action supports the following string arguments. Each entry gives the string name followed by its description:

Role Level

The level of the role. For example, 10, 20 or 30.

Default: 10

Display Name

Display name of the role to be created.

Default: the value of the Role Name field.

Description

A description of the reason for the request used for auditing and approval purposes if necessary.

Default: Request generated by policy.

Category Key

The category in which the role should be created. For example, system, default, or both.

Owner

The owner of the role in LDAP format.

Multiple owners are allowed for a role. Specify multiple owners in a semicolon (;) separated list.

Grant Approver

The approver of the role assignment in LDAP format.

Multiple approvers are allowed. Specify multiple approvers in a semicolon (;) separated list; the order of the list is the order of the serial approval process.

Grant Quorum

Minimum percentage of the Grant Approvers whose approval is required for a request to be granted.

Subcontainer

Directory container under the role level for storing the role.

Resource Association

Resource association for the role. This element must contain the resource name, the resource association description, and the entitlement value, separated by a semicolon (;):

Resource Name in LDAP format;Resource association description;Entitlement Value

You can add multiple resource-association elements to associate multiple resources with a role.

For a static resource (one that carries no entitlement), the entitlement value is not needed.

Role Association

Role association for the role. This element must contain the role name, the role assignment description, and the role relationship, separated by a semicolon (;):

Role Name in LDAP format;Role assignment description;Relationship

The role relationship is either child or parent.

You can add multiple role-association elements to associate multiple roles with a role.

Revoke Approver

Approver, in LDAP format, who has the rights to revoke the role.

Leave this field blank if the same approver who grants the role also revokes it.

Multiple revoke approvers are allowed. Specify multiple approvers in a semicolon (;) separated list; the order of the list is the order of the serial approval process.
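The semicolon-separated strings above have no escape syntax, so a DN or description that itself contains ";" silently shifts every later field, and a misspelled relationship or an out-of-range quorum is only discovered when RBPM rejects the request. The following is an added example, not Identity Manager or RBPM code: it builds and checks the Owner, Grant Approver, Revoke Approver, Grant Quorum, Resource Association and Role Association strings before they are handed to the Named String Builder. The DNs, the role name and the way a static resource is emitted with only two fields are assumptions made for the example.

```python
"""Build and sanity-check the named strings that the Create Role action reads
from the Named String Builder.  Added example, not Identity Manager code: it only
assembles the ';'-separated values described on this page and never contacts RBPM."""

import re
from typing import Dict, List, Optional

SEP = ";"

# Rough LDAP DN shape (attr=value RDNs joined by commas).  Constructed check,
# not a full RFC 4514 parser; it only catches obvious non-DNs.
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,;]+(?:,[A-Za-z][\w-]*=[^,;]+)*$")


def is_ldap_dn(value: str) -> bool:
    return bool(_DN_RE.match(value.strip()))


def _field(value: str, what: str) -> str:
    """Reject fields that would corrupt the ';'-delimited layout: the builder
    defines no escape syntax, so a stray ';' shifts every later field."""
    value = value.strip()
    if not value:
        raise ValueError(f"{what} must not be empty")
    if SEP in value:
        raise ValueError(f"{what} must not contain '{SEP}': {value!r}")
    return value


def dn_list(dns: List[str], what: str) -> str:
    """Owner, Grant Approver and Revoke Approver take ';'-separated DNs.
    For approvers the list order is the serial approval order, so it is kept."""
    if not dns:
        raise ValueError(f"{what} needs at least one DN")
    out = []
    for dn in dns:
        dn = _field(dn, what)
        if not is_ldap_dn(dn):
            raise ValueError(f"{what} entry is not in LDAP format: {dn!r}")
        out.append(dn)
    return SEP.join(out)


def resource_association(resource_dn: str, description: str,
                         entitlement_value: Optional[str] = None) -> str:
    """'Resource DN;description;entitlement value'.  A static resource has no
    entitlement value; this example then emits only the first two fields
    (an assumption about how the action treats the missing value)."""
    resource = _field(resource_dn, "Resource name")
    if not is_ldap_dn(resource):
        raise ValueError(f"Resource name is not in LDAP format: {resource!r}")
    parts = [resource, _field(description, "Resource association description")]
    if entitlement_value is not None:
        parts.append(_field(entitlement_value, "Entitlement value"))
    return SEP.join(parts)


def role_association(role_dn: str, description: str, relationship: str) -> str:
    """'Role DN;description;relationship' where relationship is child or parent."""
    rel = _field(relationship, "Relationship").lower()
    if rel not in ("child", "parent"):
        raise ValueError(f"Relationship must be child or parent, got {rel!r}")
    role = _field(role_dn, "Role name")
    if not is_ldap_dn(role):
        raise ValueError(f"Role name is not in LDAP format: {role!r}")
    return SEP.join([role, _field(description, "Role assignment description"), rel])


def parse_association(value: str, min_fields: int, max_fields: int) -> List[str]:
    """Split a built association string back into its fields, checking arity."""
    parts = value.split(SEP)
    if not (min_fields <= len(parts) <= max_fields):
        raise ValueError(f"expected {min_fields}-{max_fields} fields, got {len(parts)}: {value!r}")
    return parts


def grant_quorum(percent: int) -> str:
    """Grant Quorum is a percentage of the grant approvers; outside 1..100 is a typo."""
    if not 1 <= int(percent) <= 100:
        raise ValueError(f"Grant Quorum must be 1-100, got {percent!r}")
    return str(int(percent))


def build_create_role_strings() -> Dict[str, str]:
    """Constructed sample values for a 'Contractor' role; every DN is made up."""
    owners = ["cn=hr.admin,ou=users,o=data", "cn=it.admin,ou=users,o=data"]
    approvers = ["cn=manager1,ou=users,o=data", "cn=secops,ou=users,o=data"]
    return {
        "Role Level": "20",
        "Display Name": "Contractor",
        "Description": "Created by policy for the onboarding driver",
        "Category Key": "default",
        "Owner": dn_list(owners, "Owner"),
        "Grant Approver": dn_list(approvers, "Grant Approver"),
        "Grant Quorum": grant_quorum(100),
        "Resource Association": resource_association(
            "cn=VPNAccess,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UserApp,o=data",
            "VPN for contractors", "vpn-contractor"),
        "Role Association": role_association(
            "cn=Employee,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApp,o=data",
            "Contractor inherits Employee", "child"),
    }
```

The checks are deliberately strict rather than lenient: a value the builder would accept but RBPM would misread (a description with a ";" in it, a relationship of "children") is rejected here, where the policy author sees it, instead of surfacing later only as an error.do-create-role message.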