16.1 Browsing the Role Catalog

The Role Catalog action on the Roles and Resources tab of the Identity Manager user interface allows you to view roles that have been previously defined in the catalog. It also lets you create new roles and modify, delete, and assign existing roles.

16.1.1 Viewing Roles

  1. Click Role Catalog in the list of Roles and Resources actions.

    The User Application displays a list of roles currently defined in the catalog.

Filtering the Role List

  1. Click the Display Filter button in the upper right corner of the Role Catalog display.

  2. Specify a filter string for the role name or description, or select one or more role levels or categories in the Filter dialog.

  3. Click Filter to apply your selection criteria.

  4. To remove the current filter, click Reset.

Setting the Maximum Number of Roles on a Page

  1. Click on the Rows dropdown list and select the number of rows you want to be displayed on each page.

Scrolling within the Role List

  1. To scroll to another page in the role list, click on the Next, Previous, First or Last button at the bottom of the list.

Sorting the Role List

To sort the role list:

  1. Click the header for the column you want to sort on.

    The pyramid-shaped sort indicator shows you which column is the new sort column. When the sort is ascending, the sort indicator is shown in its normal, upright position.

    When the sort is descending, the sort indicator is upside down.

    The initial sort column is determined by the administrator.

If you override the initial sort column, your sort column is added to the list of required columns. Required columns are indicated with an asterisk (*).

When you modify the sort order for the task list, your preference is saved in the Identity Vault along with your other user preferences.

16.1.2 Creating New Roles

  1. Click the New button at the top of the Role Catalog display.

    The User Application displays the New Role dialog.

  2. Provide details for the role definition, as described below:

    Table 16-1 Role Details (Field: Description)

    Display Name: The text used when the role name displays in the User Application. You cannot include the following characters in the Display Name when you create a role:

      < > , ; \ " + # = / | & *

      You can translate this name in any of the User Application’s supported languages. For more information, see Table 1-1, Common Buttons.

    Description: The text used when the role description displays in the User Application. Like the Display Name, you can translate it to any of the User Application’s supported languages. For more information, see Table 1-1, Common Buttons.

    Role Level: (Read-only when modifying a role.) Choose a role level from the drop-down list.

      Role levels are defined using the Designer for Identity Manager Role Configuration editor.

    Role Sub Container: (Read-only when modifying a role.) The location for the role objects in the driver. Role containers reside under role levels. The User Application shows only the role containers that reside under the role level that you choose. You can create a role either directly in a role level, or in a container within the role level. Specifying the role container is optional.

    Categories: Allow you to categorize roles for role organization. Categories are used for filtering lists of roles. Categories are multi-select.

    Owners: Users who are designated as the owners of the role definition. When you generate reports against the Role Catalog, you can filter the report based on the role owner. The role owner does not automatically have the authorization to administer changes to a role definition.

  3. Click Save to save the role definition.

    The User Application displays several additional tabs at the bottom of the window to allow you to complete the role definition.

Defining the Role Relationships

The Role Relationships tab allows you to define how roles are related in a higher and lower role containment hierarchy. This hierarchy enables you to group permissions or resources contained by lower-level roles into a higher-level role that makes assignment of permissions easier. The allowed relationships are:

  • Top-level roles (business roles) can contain lower-level roles. They cannot be contained by other roles. If you select a top-level role, the Role Relationships page allows you to add a lower-level (child) role relationship only.

  • Mid-level roles (IT roles) can contain lower-level roles, and they can be contained by higher-level roles. The Role Relationship page allows you to add either a lower-level (child) role or a higher-level (parent) role.

  • Bottom-level roles (permission roles) can be contained by higher-level roles, but they cannot contain other bottom-level roles. The Role Relationship page allows you to add only a higher-level role.

To define a role relationship:

  1. Click the Role Relationships tab.

  2. Click Add.

    The Add Role Relationship dialog is displayed.

  3. Provide text describing the relationship in the Initial Request Description field.

  4. Specify the type of relationship you want to define by selecting the type in the Role Relationship dropdown.

    If the new role is an IT role, the Role Relationship dropdown lets you define a Child or Parent relationship. If the new role is a business role, the Role Relationship dropdown displays read-only text indicating that this is a Child relationship, since only lower-level roles can be related to a business role. If the new role is a permission role, the Role Relationship dropdown displays read-only text indicating that this is a Parent relationship, since only higher-level roles can be related to a permission role.

    The list of roles available for selection is filtered according to the type you selected.

  5. Use the Object Selector to the right of the Selected Roles field to select the role(s) you want to associate with the new role.

  6. Click Add.

Associating Resources with the Role

To associate a resource with a role:

  1. Click the Resources tab.

  2. Click Add.

    The User Application displays the Add Resource Association dialog.

  3. Use the Object Selector to select the resource you want and provide text that explains the reason for the association.

    The wizard displays a page that provides information about the selected resource, such as the name of the resource categories, owner, entitlement, and entitlement values.

    For entitlements that take static parameter values, which provide additional attributes or detailed information for the entitlement, the wizard displays the static values next to the Entitlement Value label. For entitlements that take dynamic parameters, the wizard displays the resource request form, which includes fields for the dynamic parameters, as well as any decision support fields defined for the form.

  4. In the Association Description field, type text that explains why the resource is associated with the role.

  5. Click Add to associate the resource with the role.

    The Resource Associations list shows the resource you added to the role definition.

    What happens to existing role assignments: When you add a new resource association to a role that already has identities assigned to it, the system initiates a new request to grant the resource to each of the identities.

    NOTE: In RBPM releases prior to the Public Patch 401C, you would see different results if a resource with parameters were granted to a user through a role association rather than through direct assignment to the user. This was the case in the following situations:

    • A resource that has an entitlement parameter, as well as a field parameter defined on the Request Form tab, is associated with a role. If a user were assigned to the role directly, by group membership, or by being in a container, this user would be assigned the resource as well. However, the resource assignment would only have the entitlement parameter value.

      This issue has been resolved in Public Patch 401C and in release 4.0.2. However, if your assignments were created in a prior release (370, 400, or before Public Patch 401C), and you want all of the resource parameters to appear, you need to revoke the user from the role and then reassign the user.

    • A resource that has two or more fields defined on the Request Form tab only is associated with a role. If a user were assigned the role directly, by group membership, or by being in a container, this user would be assigned the resource the same number of times as the number of field parameters. In other words, the user would have one resource assignment for each field parameter. If the resource were assigned directly, the user would only have one assignment with all of the parameters listed.

      This issue has been resolved in Public Patch 401C and in release 4.0.2. However, if your resource associations were created in a prior release (370, 400, or before Public Patch 401C), you will still see this behavior. To take advantage of the fix, you must delete the resource association and recreate it.

To delete a resource association for a role:

  1. Select the resource association in the Resource Associations list.

  2. Click Remove.

    What happens to existing role assignments: When you remove a resource association from a role that already has identities assigned to it, the system initiates a new request to revoke the resource from each of the identities.

Defining the Approval Process for a Role

To define the approval process for a role:

  1. Click the Approval tab.

  2. Provide details for the approval process, as described below:

    Table 16-2 Approval Details (Field: Description)

    Approval Required: Select this checkbox if the role requires approval when requested, and you want the approval process to execute the standard role assignment approval definition.

      Deselect this checkbox if the role does not require approval when requested.

      NOTE: Role approvals are triggered for explicit role-to-user assignments only.

    Custom Approval: Select this radio button if you want to use a custom approval definition (provisioning request definition). Use the Object Selector to select the approval definition.

    Standard Approval: Select this radio button if this role uses the standard role assignment approval definition specified in the Role and Resource Subsystem configuration. The name of the approval definition displays as read-only in the Role Assignment Approval Definition below.

      You must select the type of approval (Serial or Quorum) and the valid approvers.

    Approval Type: Select Serial if you want the role to be approved by all of the users in the Approvers list. The approvers are processed sequentially in the order they appear in the list.

      Select Quorum if you want the role to be approved by a percentage of the users in the Approvers list. The approval is complete when the percentage of users specified is reached.

      For example, if you want one of four users in the list to approve the condition, you would specify Quorum and a percentage of 25. Alternatively, you can specify 100% if all four approvers must approve in parallel. The value must be an integer between 1 and 100.

      HINT: The Serial and Quorum fields have hover text that explains their behavior.

    Approvers: Select User if the role approval task should be assigned to one or more users. Select Group if the role approval task should be assigned to a group. Select Container if the role approval task should be assigned to a container. Select Role if the role approval task should be assigned to a role.

      To locate a specific user, group, container, or role, use the Object Selector. To change the order of the approvers in the list, or to remove an approver, see Section 1.4.4, Common User Actions.

    Revoke Approval Required (Same as Grant Configuration): Select this checkbox if the role requires approval when revoked.

      The approval process used for role revocation requests, as well as the list of approvers, is the same as for role grant requests. If you have indicated that you want the approval process to execute the standard role assignment approval definition, this process will be used. Alternatively, you can specify a custom approval process for both role grant requests and role revocation requests. Within a custom provisioning request definition, you can identify whether the action is a grant or revoke and customize the approval process accordingly.

      Deselect this checkbox if the role does not require approval when revoked.

Making Role Assignments

For details on making role assignments, see Section 16.1.5, Assigning Roles.

Checking the Status of Requests

The Request Status action allows you to see the status of your role assignment requests, including requests you’ve made directly as well as role assignment requests for groups or containers to which you belong. It lets you see the current state of each request. In addition, it gives you the option to retract a request that has not been completed or terminated if you have changed your mind and do not need to have the request fulfilled.

The Request Status action shows all role assignment requests, including those that are running, pending approval, approved, completed, denied, or terminated.

To view the status of role assignment requests:

  1. Click the Request Status tab.

    The Request Action shows whether the action was a grant or revoke. If an approval was required, and the approval process has not completed, the status shows Pending Approval.

  2. To see the detailed status information for a request, click the status.

    The Assignment Details window is displayed.

    For details on what the status values mean, see Section 10.4, Viewing Your Request Status.

  3. To retract a request, select the request and click Retract.

    You need to have permission to retract a request.

    If the request has been completed or terminated, you will see an error message if you try to retract the request.

16.1.3 Editing an Existing Role

  1. Select a previously defined role and click Edit.

  2. Make your changes to the role settings and click Save.

Entitlements associated with existing roles: Roles defined in earlier releases of the Roles Based Provisioning Module may have associated entitlements. If a role has an entitlement associated with it, the user interface displays the Entitlements tab, which allows you to see the entitlement mapping, and optionally remove it. Entitlement mappings for roles will continue to work in this release, but Novell now recommends that you associate entitlements with resources, rather than with roles.

16.1.4 Deleting Roles

  1. Select a previously defined role and click Delete.

    When you instruct the User Application to delete a role, it first sets the role status to Pending Delete. The Role and Resource Service driver then notes the change of status and performs these steps:

    • Removes the resource assignments for the role

    • Deletes the role itself

    The Role and Resource Service driver optimizes this process. However, the process may take some time, depending on the number of users assigned to the role, because the Role and Resource driver must ensure that it does not remove a resource from a user if they have this resource by other means. If the role remains in the Pending Delete state for an inordinate amount of time, double check your driver to ensure that it is current and running.

    When a role has the status of Pending Delete, you are unable to edit, delete, or assign the role.

    NOTE: For version 4.0.2, a new attribute called nrfStatus has been added to the nrfRole object to manage the role status. This attribute has two states, Created and Pending Delete.

    What happens to existing role assignments: If you delete a role that has an associated resource as well as one or more identities assigned to it, the system removes the resource assignment from each identity that has the associated resource.

    NOTE: If you delete a role that has a resource assigned to it (or remove a user from the role), the system removes resource assignments for users in that role, even if those resources were first assigned directly. The reason for this is that the system assumes that the last authoritative source for a resource assignment is the controller of that resource, as illustrated by the following scenario:

    1. A resource is created and mapped to an entitlement.

    2. A user is assigned to the resource created above.

    3. A role is created that is bound to the resource created in the first step above.

    4. The same user is then assigned to the role created above.

    5. The user is removed from the role.

    In this situation, the user gets removed from the resource even though they had the resource assigned directly. Initially, the resource assignment is considered the authoritative source. However, when the user is assigned to a role that is associated with the same resource, the role becomes the authoritative source.

    Deleting Roles in SoD Constraints: When a conflicting role of an SoD constraint is deleted, the SoD constraint will appear with the word Invalid in brackets after the name, such as Doctor Pharmacists SoD [Invalid], in the SoD Catalog list.

WARNING: A Role Manager who has been given the Delete Role permission for the system roles (or the container that contains these roles) can delete system roles. The system roles should not be deleted. If any of the system roles is deleted, the User Application will malfunction.
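The containment rules from Defining the Role Relationships and the authoritative-source scenario above, modelled in Python as an added example (not Novell's code); the role names, resource names and level numbers are constructed, and the review check at the end is an assumption about what an administrator would want to know before revoking a role:

```python
"""Added example (not Novell/NetIQ code): a model of the role-catalog rules on
this page, with constructed names. It enforces the containment rules from
"Defining the Role Relationships", resolves the resources an assignment grants
through the hierarchy and replays the scenario under "Deleting Roles"."""
from collections import deque

BUSINESS, IT, PERMISSION = 30, 20, 10  # constructed; real levels come from Designer

class RoleCatalog:
    def __init__(self):
        self.level = {}       # role name -> level number
        self.children = {}    # role name -> roles it directly contains
        self.resources = {}   # role name -> resources associated with it

    def add_role(self, name, level, resources=()):
        self.level[name] = level
        self.children[name] = set()
        self.resources[name] = set(resources)

    def add_child(self, parent, child):
        """A role may contain only roles of a strictly lower level, so a business
        role is never a child, a permission role never a parent, and no cycle can form."""
        if self.level[parent] <= self.level[child]:
            raise ValueError(f"{parent} cannot contain {child}")
        self.children[parent].add(child)

    def effective_resources(self, role):
        """All resources an assignment to `role` grants: its own associations plus
        those of every role it contains, transitively."""
        seen, granted, todo = set(), set(), deque([role])
        while todo:
            r = todo.popleft()
            if r in seen:
                continue
            seen.add(r)
            granted |= self.resources[r]
            todo.extend(self.children[r])
        return granted

class Assignments:
    """Per (user, resource), the currently authoritative source: "direct" or the
    name of the role the resource came through."""
    def __init__(self, catalog):
        self.catalog = catalog
        self.source = {}     # (user, resource) -> "direct" | role name
        self.direct = set()  # every (user, resource) ever assigned directly

    def assign_resource(self, user, resource):
        self.direct.add((user, resource))
        self.source[(user, resource)] = "direct"

    def assign_role(self, user, role):
        # The role becomes the last authoritative source for each resource it
        # grants, overriding an earlier direct assignment of the same resource.
        for res in self.catalog.effective_resources(role):
            self.source[(user, res)] = role

    def revoke_role(self, user, role):
        # Resources this role is authoritative for are removed, even if the user
        # first received them directly (the scenario described on the page).
        for res in self.catalog.effective_resources(role):
            if self.source.get((user, res)) == role:
                del self.source[(user, res)]

    def overridden_direct_assignments(self):
        """Review check (assumed, not a product feature): direct assignments now
        controlled by a role; they vanish if the user is removed from that role."""
        return {k: v for k, v in self.source.items()
                if k in self.direct and v != "direct"}
```

Running the five-step scenario through `Assignments` shows the directly assigned resource disappearing on the role revoke, and `overridden_direct_assignments()` lists exactly those pairs beforehand.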

16.1.5 Assigning Roles

You can assign a role in either of two ways:

  • From the Role Catalog

  • From the Edit Role dialog

Both of these methods are described below.

Assigning a Role From the Catalog

  1. Select a previously defined role in the Role Catalog and click Assign.

    The User Application displays the Assign Role dialog box.

  2. Fill in the fields on the Add Role Assignment dialog:

    1. Provide text describing the reason for the request in the Initial Request Description field.

    2. In the Type of Assignment field, select User, Group, or Container to indicate what type of identities the role will be assigned to.

    3. In the Object Selector, enter a search string and click Search. Select the users, groups, or containers you want to assign.

      Assigning a role to multiple identities: You can select one or more users (or groups or containers) for the role assignment. If you select multiple identities, all of the selected identities receive the same role assignment values.

    4. Specify the start date for the role assignment in the Effective Date field.

      You can type in a date using the format mm/dd/yyyy hh:mm:ss a (where a specifies AM or PM). Alternatively, you can click the Calendar icon and select the date from the Calendar pop-up window.

    5. Specify the expiration date for the role assignment in the Expiration Date field.

      NOTE: The expiration date only applies to user assignments. For groups and containers, the Expiration Date field is not available.

      To specify an expiration, click Specify Expiration. You can type in a date using the format mm/dd/yyyy hh:mm:ss a (where a specifies AM or PM). Alternatively, you can click the Calendar icon and select the date from the Calendar pop-up window.

      By default, the expiration date is set to No Expiration, which indicates that this role assignment will remain in effect indefinitely.

  3. Click Submit.

Assigning a Role From the Edit Role Dialog

  1. In the Role Catalog, select a role and click Edit to open the Edit Role dialog.

  2. Click the Assignments tab.

    The Assignments tab displays a list of assignments that have been granted for the selected role.

  3. To add a new assignment, click Assign.

    The User Application displays the Assign Role dialog box.

    For details on working with the role assignment request form, see Assigning a Role From the Catalog.

Resolving Separation of Duties Conflicts

If assigning a role to one or more users would cause a separation of duties conflict, the user interface displays the Separation of Duties Conflicts box at the bottom of the page. In this case, you need to provide a business justification for the role assignment. For more information about Separation of Duties constraints, see Browsing the SoD Catalog.

NOTE: You do not need to provide a justification in cases where the new role assignment conflicts with an existing assignment that the user acquired indirectly, either through a role relationship, or by membership in a group or container.

If a user is added to a role indirectly, and a potential separation of duties conflict is detected, the User Application allows the new assignment to be added and records the violation for reporting and audit purposes. If necessary, role administrators can correct the violation by redefining roles.

16.1.6 Refreshing the Role List

To refresh the roles list, click Refresh.

NOTE: If you create a role assignment, and then remove it, you see a message indicating that the assignment has been removed, but the assignment may still be listed. If you refresh the page, you should see that the assignment has been removed.

16.1.7 Customizing the Role List Display

The Role Catalog allows you to select and deselect columns, and also reorder columns within the task list display. This behavior is controlled by a setting within the Customize Role Catalog Display dialog. When you modify the column list or reorder the columns, your customizations are saved in the Identity Vault along with your other user preferences.

To customize the display of columns:

  1. Click Customize in the Role Catalog.

    The User Application displays the list of columns currently selected for the display, and a list of additional columns that are available for selection.

  2. To include an additional column in the display, select the column in the Available Columns list box, and drag it to the Selected Columns list box.

    To select multiple columns in the list, hold down the Ctrl key and select the columns. To select a range of columns that appear together in the list, hold down the Shift key and select the columns.

    You can reorder the columns in the display by moving them up or down in the Selected Columns list box.

  3. To remove a column from the display, select the column in the Selected Columns list box, and drag it to the Available Columns list box.

    The Role Name column is a mandatory column and cannot be removed from the role list display.

  4. To save your changes, click Save.