11.2 About the Role Catalog

The Role Catalog uses the Identity Vault to store role definitions that the User Application uses to determine:

  • The set of roles that it can display or modify.

  • The separation of duties (SoD) constraints between roles.

  • The provisioning request definition to execute for role membership requests.

  • The provisioning request definition to execute for SoD constraint exceptions.

The User Application ships with:

  • Two roles-based provisioning request definitions.

  • A Roles Category list.

  • Default role levels.

  • Default mid-level system roles.

You use the Roles Based Provisioning tools to create new Role Catalog objects and customize existing ones for your own business needs. The Role Catalog node of the Provisioning view provides access to the Identity Manager Roles Based design and configuration tools.

You can use the Role Catalog node to import, export, deploy, validate, compare, and localize the role definitions, separation of duties constraints, and the Roles Configuration object, either as a group or individually. It also provides access to each of the Roles Based tools.

When you use any of the editors available through the Role Catalog, you modify a set of local XML files. The local files are created when you add a Role Service driver to the Identity Manager project. The files are created in the workspace in the project’s Provisioning\AppConfig\RoleConfig folder.

Table 11-1 Local Roles Directories

| Directory Name | Description |
|---|---|
| RoleDefs | Contains a folder for each role level. These folders can contain additional hierarchy levels, depending on how you set up your roles. If you add categories or additional levels, they are reflected in the folder structure. The folders contain the definitions for the roles within that level, and the file extensions correspond to the level. For example, the files in the level10 folder have .level10 as the extension. |
| SoDDefs | Contains the files that define the separation of duties constraints. Files have the .sod extension. |

The Roles Configuration object definition file resides at the root of the RoleConfig folder. There can be only one such file, and its name is configuration.roleconfig.

The Role Catalog is deployed in the User Application driver’s AppConfig.RoleConfig file.
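The local layout described above (Table 11-1 plus the single configuration.roleconfig file) can be checked before a deploy or a version-control commit. The following is an added example, not part of the product or its documentation; the function names, the sample file names, the level20 folder, and the rule that a file's extension equals its top-level level folder name (generalized from the level10 example) are assumptions.

```python
import tempfile
from pathlib import Path

def check_role_config(root):
    """Return findings for a local RoleConfig folder (empty list = layout OK)."""
    root, findings = Path(root), []
    # Root: exactly one Roles Configuration file, named configuration.roleconfig.
    configs = sorted(p.name for p in root.glob("*.roleconfig"))
    if configs != ["configuration.roleconfig"]:
        findings.append(f"root: expected only configuration.roleconfig, found {configs}")
    # RoleDefs: one folder per role level, nested folders allowed below it.
    # Assumption: the extension equals the level folder name (level10 -> .level10).
    role_defs = root / "RoleDefs"
    if not role_defs.is_dir():
        findings.append("RoleDefs: folder missing")
    else:
        for level in sorted(p for p in role_defs.iterdir() if p.is_dir()):
            for f in sorted(p for p in level.rglob("*") if p.is_file()):
                if f.suffix.lower() != "." + level.name.lower():
                    findings.append(f"RoleDefs/{level.name}: unexpected file {f.name}")
    # SoDDefs: every constraint file carries the .sod extension.
    sod_defs = root / "SoDDefs"
    if not sod_defs.is_dir():
        findings.append("SoDDefs: folder missing")
    else:
        for f in sorted(p for p in sod_defs.rglob("*") if p.is_file()):
            if f.suffix.lower() != ".sod":
                findings.append(f"SoDDefs: unexpected file {f.name}")
    return findings

def build_sample(root, broken=False):
    """Create a constructed RoleConfig tree; all file names are made up."""
    root = Path(root)
    for rel in ("configuration.roleconfig", "RoleDefs/level10/Auditor.level10",
                "RoleDefs/level20/Finance/Approver.level20", "SoDDefs/Approver-Auditor.sod"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("<!-- constructed placeholder -->")
    if broken:  # a role file in the wrong level folder and a stray second config file
        (root / "RoleDefs/level10/Approver.level20").write_text("")
        (root / "copy.roleconfig").write_text("")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for line in check_role_config(build_sample(tmp, broken=True)):
            print(line)
```

Point `check_role_config` at a project's Provisioning\AppConfig\RoleConfig folder to run it against real files; it only reads the directory tree and does not parse the XML.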