20.1 Configuring Roles and Resources Settings

The Roles and Resources page allows you to modify the basic configuration of the Roles and Resources subsystem.

NOTE: You should have both Role Administrator and Resource Administrator permissions to modify the role and resource configurations on this page.

A Role Manager or Resource Manager can also access this page. Additionally, they should have Configuration Role Settings and Configuration Resource Settings permissions to modify the settings. For more information, see Assigning Permissions to a Delegated Administrator.

20.1.1 Configuring Default Roles Settings

The Role Container, Role Request Container, and Default Role Approval Definition show the LDAP settings that are saved in the Identity Vault during installation.

Role Container

The container where all the roles are stored.

Role Request Container

The container where all the role provisioning requests are stored.

Default Role Approval Definition

Determines the default workflow used for the role assignment or revocation process.

Role Assignment Grace Period

Sets the grace period, which determines the time difference between removing the role assignment and dissociating entitlements from the role.

Enable Role Approval

Enable the respective options in this setting to trigger an approval process before a role is assigned to groups or containers, or mapped to another role. The approval process is triggered only if approval is configured for that role. When this setting is disabled, the role is assigned to the recipients directly, without seeking approval. The approvers do not receive an email notification, even if the email approval setting is enabled.

By default, Enable Role Approval is disabled for the Role to Role option and enabled for the Role to Container and Role to Group options.

Role Level Display Names

You can change the display names of role levels for all supported languages. To change the language, see Understanding Roles.

NOTE: In identity applications, you can set a role to any of these levels:

  • Level 10

  • Level 20

  • Level 30

These levels appear on the roles with their specified display names.

Click Apply to save your changes.

20.1.2 Configuring Default Resource Settings

You can view the resource settings that are stored in the Identity Vault.

Resource Container

The container where all the resources are stored.

Resource Request Container

The container where all the resource provisioning requests are stored.

Default Resource Approval Definition

The container where all the workflows related to the resource approval process are stored. When you select Custom approval process for any resource, the workflow options are populated from this container.

20.1.3 Configuring Entitlement Query Settings

The identity applications periodically query entitlements from connected systems that are displayed in the Administration > Resources list. Entitlement Query Settings allow you to specify the interval at which the code map tables are refreshed and to refresh them manually.

Default Query Timeout

Specifies the interval, in minutes, that the system should wait for the query result.

Default Refresh Rate

Specifies the interval in minutes to refresh entitlement queries in the system.

Refresh Status

Indicates whether the entitlement values have been refreshed.

You can refresh All Drivers at once or select the specific drivers or entitlements that you want to refresh. To refresh the entitlement values manually, click .

Click Apply to save your changes.

20.1.4 Configuring Separation of Duties Settings

You can control the behavior of the separation of duties used in identity applications.

SoD Container

The container where all the SoD constraints are stored.

SoD Approval Definition

Allowing permissions for users despite SoD constraints requires an approval. This setting determines the workflow that is used for custom approvals. You can set the approval definition for the custom approval process.

This list displays the SoD approval definitions created using Designer. For more information, see NetIQ Identity Manager - Administrator’s Guide to Designing the Identity Applications.

Default Approval Type

This determines the default approval type for SoD constraints when the approval process is enabled for those SoD constraints.

Default SoD Approvers

This determines the default users, groups, roles, or containers who review SoD constraints and approve those requests as required.

Click Apply to save your changes.