11.5 About the Role Configuration Editor

The role configuration editor is a graphical tool for defining administrative settings for the Roles Configuration object. The Roles Configuration object resides in the Role Catalog (nrfConfigurationobject), and it contains basic settings for an instance of the Role subsystem. There is only one configuration object per Role Catalog, and it resides at the root of the RoleConfig folder. The Roles Configuration object is a protected object, so the menu items Cut and Delete are disabled. You can copy and paste this object from another project; a paste operation overwrites the existing object. To start the role configuration editor:

  1. Expand the Provisioning view, then navigate to and open the Role Catalog.

  2. Double-click the Role Configuration node.

    Designer displays the role configuration editor.

  3. Fill in the fields as described in Table 11-8.

11.5.1 Role Configuration Editor Properties

The properties you set in the role configuration editor are described in Table 11-8.

Table 11-8 Roles Configuration Properties

Each row of the table gives the category, the field, and the description of the property.

Category: General

  Field: Grace Period for Role Assignment Removal (seconds)

    Specifies the amount of time, in seconds, before a role assignment is removed from the Role Catalog.

    The value is 0 by default. A grace period of zero means that when someone is removed from a role assignment, the removal happens immediately and the subsequent revocation of entitlements is initiated immediately.

    You might use the grace period to delay the removal from a role of an account that would subsequently be re-added (for example, if a person is being moved between containers). An entitlement can disable an account (this is the default) rather than removing it.

Category: Role Levels

  Field: Role Levels

    Read-only levels that define the role hierarchy. The hierarchy rules are:

      • Level 30 roles are higher-level roles in the hierarchy.

      • Level 20 and Level 10 roles are lower-level roles.

      • Level 30 roles include permissions from lower-level roles.

      • Lower-level roles have permissions that are included in higher-level roles.

  Field: Display Name

    Specifies the text to display in the User Application Roles tab for each role level. By default, the names are Permission Role (Level 10), IT Role (Level 20), and Business Role (Level 30). You can translate this text into any of the languages supported by the User Application. For more information, see Section 2.10, Localizing Provisioning Objects.

    The User Application caches this value in the RoleSystem cache holder. For your changes to the Role Level Display Name to be visible in the User Application, you must flush the RoleSystem cache after you deploy the Role Configuration object.

  Field: Description

    Specifies the text to display in the User Application Roles tab as the description of each role level. You can translate this text into any of the languages supported by the User Application. For more information, see Section 2.10, Localizing Provisioning Objects.

    The User Application caches this value in the RoleSystem cache holder. For your changes to the Role Level Description to be visible in the User Application, you must flush the RoleSystem cache after you deploy the Role Configuration object.

Category: Separation of Duties (SoD) Settings

  Field: Approval Type

    Select Serial if you want the SoD exception to be approved sequentially by the approvers, in the order in which they appear in the approvers list.

    Select Quorum if you want the SoD exception to be approved in parallel and to be complete when the specified percentage of approvers has approved.

    For example, if you want to require that 25 percent of the approvers in the list approve the condition, select Quorum and enter the number 25; the value is interpreted as a percentage.

  Field: Approvers

    The list of individuals (users, groups, or roles) that can approve or deny an SoD exception/override. This list can be overridden in the definition of an SoD constraint in the SoD editor. You can use the following buttons to manage the Approvers list:

      • Add: adds an approver. The name is added to the bottom of the list.

      • Delete: removes the selected approver.

      • Search: opens the Identity Vault so that you can search for an approver to add.

      • Move down: moves the selected approver lower on the list.

      • Move up: moves the selected approver higher on the list.

Category: Standard Approvals

  Field: Role Approval Definition

    Read-only name of the provisioning request definition that runs for a role approval request for this driver.

  Field: SoD Approval Definition

    Read-only name of the provisioning request definition that runs for an SoD exception approval for this driver.

  Field: Resource Grant Approval Definition

    Read-only name of the provisioning request definition that runs for a resource grant approval request for this driver.

  Field: Resource Revoke Approval Definition

    Read-only name of the provisioning request definition that runs for a resource revoke approval request for this driver.

Category: Entitlement Query Settings

  Field: Default Query Timeout (minutes)

    The Roles Based Provisioning Module periodically queries the external entitlement system to refresh the details of the entitlements that are displayed in the Resource Catalog.

    You can limit the time that the system waits for the query result by using the Default Query Timeout option.

  Field: Default Refresh Rate (minutes)

    For the entitlement queries, you can set the time that the system waits for the query result by using the Default Refresh Rate option.
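The role hierarchy rules (Level 30 includes the permissions of Level 20 and Level 10 roles) and the two SoD approval types (Serial and Quorum) in Table 11-8 can be checked against a small model. The following Python is an added illustration, not code from Designer or the Roles Based Provisioning Module; the role names, permission strings, the rule that a role may only include roles of a lower level, and rounding a fractional quorum up with ceil are assumptions of this model.

```python
from dataclasses import dataclass, field
from math import ceil

# Role levels as named on the page (Permission, IT, Business).
PERMISSION_ROLE, IT_ROLE, BUSINESS_ROLE = 10, 20, 30

@dataclass
class Role:
    name: str
    level: int
    permissions: set = field(default_factory=set)     # granted directly
    child_roles: list = field(default_factory=list)   # lower-level roles it includes

    def add_child(self, child: "Role") -> None:
        # Assumption of this model: a role only includes roles of a lower level.
        if child.level >= self.level:
            raise ValueError(f"{child.name} is not lower-level than {self.name}")
        self.child_roles.append(child)

    def effective_permissions(self) -> set:
        # A higher-level role carries the permissions of every role below it.
        perms = set(self.permissions)
        for child in self.child_roles:
            perms |= child.effective_permissions()
        return perms

def sod_approved(approval_type: str, approvers: list, decisions: dict,
                 quorum_percent: int = 0):
    """Evaluate an SoD exception. decisions maps approver -> True/False.
    Returns True (approved), False (denied) or None (still pending).
    Serial: approvers act in list order; a denial stops the flow.
    Quorum: parallel; complete once quorum_percent of the list has approved
    (the page does not say how fractions round; ceil is an assumption)."""
    if approval_type == "Serial":
        for approver in approvers:
            if approver not in decisions:
                return None                  # waiting on this approver's turn
            if decisions[approver] is False:
                return False
        return True
    if approval_type == "Quorum":
        needed = ceil(len(approvers) * quorum_percent / 100)
        approved = sum(1 for a in approvers if decisions.get(a) is True)
        undecided = sum(1 for a in approvers if a not in decisions)
        if approved >= needed:
            return True
        return False if approved + undecided < needed else None
    raise ValueError(f"unknown approval type: {approval_type}")
```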