The
action on the tab of the Identity Manager user interface allows you to view roles that have been previously defined in the catalog. It also lets you create new roles and modify, delete, and assign existing roles.
Click
in the list of actions. The User Application displays a list of roles currently defined in the catalog.
Click the
button in the upper right corner of the display.
Specify a filter string for the role name or description, or select one or more role levels or categories in the
dialog.
Click
to apply your selection criteria.
To remove the current filter, click
.
Click the
dropdown list and select the number of rows you want to be displayed on each page.
To scroll to another page in the role list, click the Next, Previous, First, or Last button at the bottom of the list.
To sort the role list:
Click the header for the column you want to sort on.
The pyramid-shaped sort indicator shows you which column is the new sort column. When the sort is ascending, the sort indicator is shown in its normal, upright position.
When the sort is descending, the sort indicator is upside down.
The initial sort column is determined by the administrator.
If you override the initial sort column, your sort column is added to the list of required columns. Required columns are indicated with an asterisk (*).
When you modify the sort order for the task list, your preference is saved in the Identity Vault along with your other user preferences.
Click the
button at the top of the display. The User Application displays the New Role dialog.
Provide details for the role definition, as described below:
Table 16-1 Role Details

| Field | Description |
|---|---|
| | The text used when the role name displays in the User Application. You cannot include the following characters in the when you create a role: < > , ; \ " + # = / \| & * You can translate this name in any of the User Application’s supported languages. For more information, see Table 1-1, Common Buttons. |
| | The text used when the role description displays in the User Application. Like the Display Name, you can translate it to any of the User Application’s supported languages. For more information, see Table 1-1, Common Buttons. |
| | (Read-only when modifying a role.) Choose a role level from the drop-down list. Role levels are defined using the Designer for Identity Manager Role Configuration editor. |
| | (Read-only when modifying a role.) The location for the role objects in the driver. Role containers reside under role levels. The User Application shows only the role containers that reside under the role level that you choose. You can create a role either directly in a role level, or in a container within the role level. Specifying the role container is optional. |
| | Allows you to categorize roles for role organization. Categories are used for filtering lists of roles. Categories are multi-select. |
| | Users who are designated as the owners of the role definition. When you generate reports against the Role Catalog, you can filter the report based on the role owner. The role owner does not automatically have the authorization to administer changes to a role definition. |
Click
to save the role definition. The User Application displays several additional tabs at the bottom of the window to allow you to complete the role definition.
The
tab allows you to define how roles are related in a higher and lower role containment hierarchy. This hierarchy enables you to group permissions or resources contained by lower-level roles into a higher-level role that makes assignment of permissions easier. The allowed relationships are:
Top-level roles (business roles) can contain lower-level roles. They cannot be contained by other roles. If you select a top-level role, the Role Relationships page allows you to add a lower-level (child) role relationship only.
Mid-level roles (IT roles) can contain lower-level roles, and they can be contained by higher-level roles. The Role Relationship page allows you to add either a lower-level (child) role or a higher-level (parent) role.
Bottom-level roles (permission roles) can be contained by higher-level roles, but they cannot contain other bottom-level roles. The Role Relationship page allows you to add only a higher-level role.
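The containment rules above can be checked mechanically, which is useful when reviewing a catalog export. The following Python model is an added illustration and is not code from the Identity Manager User Application: the numeric level values, the `RoleCatalog` class and the sample roles are constructed here. The relationship rules (a business role only contains, a permission role is only contained, a parent must sit above its child) follow the text, and `effective_resources` shows the roll-up of lower-level resources that the hierarchy exists for.

```python
"""Role containment hierarchy: a small model of the rules described above.

Added illustration; not code from the Identity Manager User Application.
Level numbers, the RoleCatalog class and the sample roles are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical numeric levels: a higher number contains a lower one.
BUSINESS, IT, PERMISSION = 30, 20, 10


@dataclass
class Role:
    name: str
    level: int
    children: set = field(default_factory=set)    # lower-level roles this role contains
    resources: set = field(default_factory=set)   # resources associated directly with this role


class RoleCatalog:
    def __init__(self):
        self.roles = {}

    def add_role(self, name, level, resources=()):
        self.roles[name] = Role(name, level, resources=set(resources))

    def can_contain(self, parent, child):
        """Return (allowed, reason) for a proposed parent -> child relationship."""
        p, c = self.roles[parent], self.roles[child]
        if c.level == BUSINESS:
            return False, "a business role cannot be contained by another role"
        if p.level == PERMISSION:
            return False, "a permission role cannot contain other roles"
        if p.level <= c.level:
            return False, "the parent must be at a higher level than the child"
        return True, "ok"

    def relate(self, parent, child):
        """Add the relationship, refusing anything the rules above forbid."""
        allowed, reason = self.can_contain(parent, child)
        if not allowed:
            raise ValueError(f"{parent} -> {child}: {reason}")
        self.roles[parent].children.add(child)

    def effective_resources(self, role):
        """All resources a member of `role` ends up with, walking the
        containment hierarchy downwards (each role visited once)."""
        seen, out, stack = set(), set(), [role]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            out |= self.roles[name].resources
            stack.extend(self.roles[name].children)
        return out


def demo():
    """Constructed sample: one role per level, chained top to bottom."""
    cat = RoleCatalog()
    cat.add_role("Accountant", BUSINESS)                      # business role
    cat.add_role("Ledger Access", IT, ["ledger-app"])          # IT role
    cat.add_role("GL Read", PERMISSION, ["gl-read"])           # permission role
    cat.relate("Accountant", "Ledger Access")
    cat.relate("Ledger Access", "GL Read")
    return cat


if __name__ == "__main__":
    catalog = demo()
    print(sorted(catalog.effective_resources("Accountant")))
    print(catalog.can_contain("GL Read", "Ledger Access"))
```

Because the text describes each level as containing only lower levels, the model rejects relationships between two roles of the same level as well; adjust the `p.level <= c.level` test if your configuration permits them.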
To define a role relationship:
Click the
tab.
Click
.
The
dialog is displayed.
Provide text describing the relationship in the
field.
Specify the type of relationship you want to define by selecting the type in the
dropdown.
If the new role is an IT role, the
dropdown lets you define a or relationship. If the new role is a business role, the dropdown displays read-only text indicating that this is a relationship, since only lower-level roles can be related to a business role. If the new role is a permission role, the dropdown displays read-only text indicating that this is a relationship, since only higher-level roles can be related to a permission role. The list of roles available for selection is filtered according to the type you selected.
Use the Object Selector to the right of the
field to select the role(s) you want to associate with the new role.
Click
.
To associate a resource with a role:
Click the
tab.
Click
.
The User Application displays the
dialog.
Use the Object Selector to select the resource you want and provide text that explains the reason for the association.
The wizard displays a page that provides information about the selected resource, such as the name of the resource categories, owner, entitlement, and entitlement values.
For entitlements that take static parameter values, which provide additional attributes or detailed information for the entitlement, the wizard displays the static values next to the
label. For entitlements that take dynamic parameters, the wizard displays the resource request form, which includes fields for the dynamic parameters, as well as any decision support fields defined for the form.
In the
field, type text that explains why the resource is associated with the role.
Click
to associate the resource with the role.
The
list shows the resource you added to the role definition.
What happens to existing role assignments: When you add a new resource association to a role that already has identities assigned to it, the system initiates a new request to grant the resource to each of the identities.
NOTE: In RBPM releases prior to Public Patch 401C, you would see different results if a resource with parameters were granted to a user through a role association rather than through direct assignment to the user. This was the case in the following situations:
A resource that has an entitlement parameter, as well as a field parameter defined on the Request Form tab, is associated with a role. If a user were assigned to the role directly, by group membership, or by being in a container, this user would be assigned the resource as well. However, the resource assignment would only have the entitlement parameter value.
This issue has been resolved in Public Patch 401C and in release 4.0.2. However, if your assignments were created in a prior release (370, 400, or before Public Patch 401C), and you want all of the resource parameters to appear, you need to revoke the user from the role and then reassign the user.
A resource that has two or more fields defined on the Request Form tab only is associated with a role. If a user were assigned the role directly, by group membership, or by being in a container, this user would be assigned the resource the same number of times as the number of field parameters. In other words, the user would have one resource assignment for each field parameter. If the resource were assigned directly, the user would only have one assignment with all of the parameters listed.
This issue has been resolved in Public Patch 401C and in release 4.0.2. However, if your resource associations were created in a prior release (370, 400, or before Public Patch 401C), you will still see this behavior. To take advantage of the fix, you must delete the resource association and recreate it.
To delete a resource association for a role:
Select the resource association in the
list.
Click
.
What happens to existing role assignments: When you remove a resource association from a role that already has identities assigned to it, the system initiates a new request to revoke the resource from each of the identities.
To define the approval process for a role:
Click the
tab.
Provide details for the approval process, as described below:
Table 16-2 Approval Details

| Field | Description |
|---|---|
| | Select this checkbox if the role requires approval when requested, and you want the approval process to execute the standard role assignment approval definition. Deselect this checkbox if the role does not require approval when requested. NOTE: Role approvals are triggered for explicit role-to-user assignments only. |
| | Select this radio button if you want to use a custom approval definition (provisioning request definition). Use the to select the approval definition. |
| | Select this radio button if this role uses the standard role assignment approval definition specified in the Role and Resource Subsystem configuration. The name of the approval definition displays as read-only in the below. You must select the type of approval ( or ) and the valid approvers. |
| | Select if you want the role to be approved by all of the users in the list. The approvers are processed sequentially in the order they appear in the list. Select if you want the role to be approved by a percentage of the users in the list. The approval is complete when the percentage of users specified is reached. For example, if you want one of four users in the list to approve the condition, you would specify Quorum and a percentage of 25. Alternatively, you can specify 100% if all four approvers must approve in parallel. The value must be an integer between 1 and 100. HINT: The Serial and Quorum fields have hover text that explains their behavior. |
| | Select if the role approval task should be assigned to one or more users. Select if the role approval task should be assigned to a group. Select if the role approval task should be assigned to a container. Select if the role approval task should be assigned to a role. To locate a specific user, group, container, or role, use the . To change the order of the approvers in the list, or to remove an approver, see Section 1.4.4, Common User Actions. |
| | Select this checkbox if the role requires approval when revoked. The approval process used for role revocation requests, as well as the list of approvers, is the same as for role grant requests. If you have indicated that you want the approval process to execute the standard role assignment approval definition, this process will be used. Alternatively, you can specify a custom approval process for both role grant requests and role revocation requests. Within a custom provisioning request definition, you can identify whether the action is a grant or revoke and customize the approval process accordingly. Deselect this checkbox if the role does not require approval when revoked. |
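The Serial and Quorum semantics in the table are easy to misjudge when sizing an approver list (a 25% quorum over four approvers is satisfied by one person). The following Python evaluator is an added example, not the Role and Resource Subsystem's own workflow code: it applies what the text states (Serial processes approvers one at a time in list order and needs all of them; Quorum completes once the stated percentage has approved; the percentage must be an integer from 1 to 100). One rule is an assumption made here and not stated on the page: a single denial ends the request as denied under either type.

```python
"""Serial and Quorum approval evaluation as described in the approval table.

Added illustration; not the product's workflow engine. The function names
and approver ids are constructed. Assumption: any denial ends the request.
"""
import math


def validate_quorum(percent):
    """Accept only whole-number percentages from 1 to 100, as the text requires."""
    if isinstance(percent, bool) or not isinstance(percent, int):
        raise ValueError("quorum percentage must be an integer")
    if not 1 <= percent <= 100:
        raise ValueError("quorum percentage must be between 1 and 100")
    return percent


def approvals_needed(approver_count, percent):
    """Approvals that reach `percent` of `approver_count` approvers,
    rounded up (25% of 4 is 1, 30% of 4 is 2, 100% of 4 is 4)."""
    return max(1, math.ceil(approver_count * validate_quorum(percent) / 100))


def evaluate(approval_type, approvers, decisions, quorum_percent=None):
    """Return (status, next_approvers).

    approvers:       ordered list of approver ids from the approvers list
    decisions:       {approver: "approve" | "deny"} for decisions made so far
    status:          "approved", "denied" or "pending"
    next_approvers:  who currently holds an open task: only the next approver
                     in order for Serial, every undecided approver for Quorum
    """
    if any(d == "deny" for d in decisions.values()):   # assumption: any denial ends it
        return "denied", []
    approved = [a for a in approvers if decisions.get(a) == "approve"]
    undecided = [a for a in approvers if a not in decisions]

    if approval_type == "Serial":
        if not undecided:
            return "approved", []
        return "pending", undecided[:1]        # sequential: one open task at a time

    if approval_type == "Quorum":
        if len(approved) >= approvals_needed(len(approvers), quorum_percent):
            return "approved", []
        return "pending", undecided            # parallel: all outstanding approvers

    raise ValueError(f"unknown approval type: {approval_type}")


if __name__ == "__main__":
    four = ["alice", "bob", "carol", "dave"]   # constructed approver list
    print(evaluate("Quorum", four, {"carol": "approve"}, 25))
    print(evaluate("Serial", four, {"alice": "approve"}))
```

The `approvals_needed` rounding is the part worth checking against your own expectations before relying on a low quorum percentage: with a short approver list, a small percentage collapses to a single approver.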
For details on making role assignments, see Section 16.1.5, Assigning Roles.
The
action allows you to see the status of your role assignment requests, including requests you’ve made directly as well as role assignment requests for groups or containers to which you belong. It lets you see the current state of each request. In addition, it gives you the option to retract a request that has not been completed or terminated if you have changed your mind and do not need to have the request fulfilled.
The
action shows all role assignment requests, including those that are running, pending approval, approved, completed, denied, or terminated.
To view the status of role assignment requests:
Click the
tab.
The
shows whether the action was a grant or revoke. If an approval was required, and the approval process has not completed, the status shows .
To see the detailed status information for a request, click the status. The Assignment Details window is displayed.
For details on what the status values mean, see Section 10.4, Viewing Your Request Status.
To retract a request, select the request and click
.
You need to have permission to retract a request. If the request has been completed or terminated, you will see an error message if you try to retract the request.
To modify a role:
Select a previously defined role and click
.
Make your changes to the role settings and click
.
Entitlements associated with existing roles: Roles defined in earlier releases of the Roles Based Provisioning Module may have associated entitlements. If a role has an entitlement associated with it, the user interface displays the
tab, which allows you to see the entitlement mapping, and optionally remove it. Entitlement mappings for roles will continue to work in this release, but Novell now recommends that you associate entitlements with resources, rather than with roles.
To delete a role:
Select a previously defined role and click
.
When you instruct the User Application to delete a role, it first sets the role status to
. The Role and Resource Service driver then notes the change of status and performs these steps:
Removes the resource assignments for the role
Deletes the role itself
The Role and Resource Service driver optimizes this process. However, the process may take some time, depending on the number of users assigned to the role, because the Role and Resource driver must ensure that it does not remove a resource from a user if they have this resource by other means. If the role remains in the
state for an inordinate amount of time, double-check your driver to ensure that it is current and running.
When a role has the status of
, you are unable to edit, delete, or assign the role.
NOTE: For version 4.0.2, a new attribute called nrfStatus has been added to the nrfRole object to manage the role status. This attribute has two states, Created and Pending Delete.
What happens to existing role assignments: If you delete a role that has an associated resource as well as one or more identities assigned to it, the system removes the resource assignment from each identity that has the associated resource.
NOTE: If you delete a role that has a resource assigned to it (or remove a user from the role), the system removes resource assignments for users in that role, even if those resources were first assigned directly. The reason for this is that the system assumes that the last authoritative source for a resource assignment is the controller of that resource, as illustrated by the following scenario:
A resource is created and mapped to an entitlement.
A user is assigned to the resource created above.
A role is created that is bound to the resource created in the first step above.
The same user is then assigned to the role created above.
The user is removed from the role.
In this situation, the user gets removed from the resource even though they had the resource assigned directly. Initially, the resource assignment is considered the authoritative source. However, when the user is assigned to a role that is associated with the same resource, the role becomes the authoritative source.
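The scenario above is the one that surprises administrators in practice: a removal from a role silently revokes a resource that was also granted directly, and the direct grant does not come back. The following Python ledger is an added illustration, not code from the Role and Resource Service driver; the class, its method names and the sample identifiers are constructed here. It records which source (a direct assignment or a role) is currently authoritative for each user/resource pair, replays the five numbered steps, and adds a `direct_grants_at_risk` check so that the resources a user would lose on removal from a role, despite having been assigned directly at some point, can be listed before the removal is made.

```python
"""Authoritative source of a resource assignment: the scenario described above.

Added illustration; not the Role and Resource Service driver's own logic.
The ledger, its method names and the sample identifiers are constructed.
"""

DIRECT = "direct"


class AssignmentLedger:
    def __init__(self):
        self.role_resources = {}   # role -> set of resources bound to it
        self.user_roles = {}       # user -> set of roles held
        self.source = {}           # (user, resource) -> authoritative source
        self.history = {}          # (user, resource) -> sources seen, in order

    def _record(self, user, resource, source):
        """The most recent grant becomes the authoritative source."""
        self.source[(user, resource)] = source
        self.history.setdefault((user, resource), []).append(source)

    def bind_resource_to_role(self, role, resource):
        self.role_resources.setdefault(role, set()).add(resource)

    def assign_resource(self, user, resource):
        """Direct user-to-resource assignment."""
        self._record(user, resource, DIRECT)

    def assign_role(self, user, role):
        """Role assignment: the role becomes authoritative for every resource
        bound to it, replacing any earlier direct assignment of the same resource."""
        self.user_roles.setdefault(user, set()).add(role)
        for resource in self.role_resources.get(role, ()):
            self._record(user, resource, role)

    def remove_role(self, user, role):
        """Removing the role drops each resource the role is authoritative for,
        regardless of how the user first obtained it."""
        self.user_roles.get(user, set()).discard(role)
        for resource in self.role_resources.get(role, ()):
            if self.source.get((user, resource)) == role:
                del self.source[(user, resource)]

    def has_resource(self, user, resource):
        return (user, resource) in self.source

    def direct_grants_at_risk(self, user, role):
        """Resources the user would lose on removal from `role` even though
        they were, at some point, assigned directly."""
        return {
            r for r in self.role_resources.get(role, ())
            if self.source.get((user, r)) == role
            and DIRECT in self.history.get((user, r), [])
        }


def scenario():
    """Replays the five numbered steps from the text with constructed names.
    Step 1's entitlement mapping is not modelled; the resource is the unit here."""
    ledger = AssignmentLedger()
    ledger.bind_resource_to_role("Finance Role", "ledger-access")   # steps 1 and 3
    ledger.assign_resource("jdoe", "ledger-access")                 # step 2
    ledger.assign_role("jdoe", "Finance Role")                      # step 4
    at_risk = ledger.direct_grants_at_risk("jdoe", "Finance Role")  # check before step 5
    ledger.remove_role("jdoe", "Finance Role")                      # step 5
    return ledger, at_risk


if __name__ == "__main__":
    ledger, at_risk = scenario()
    print("direct grants lost with the role:", at_risk)
    print("still has resource:", ledger.has_resource("jdoe", "ledger-access"))
```

Running `direct_grants_at_risk` before a role removal (or before deleting a role with assigned identities) gives the list of users whose direct grants need to be re-requested afterwards, which is the mitigation the note above leaves to the administrator.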
Deleting Roles in SoD Constraints: When a conflicting role of an SoD constraint is deleted, the SoD constraint will appear with the word
in brackets after the name, such as , in the SoD Catalog list.
WARNING: A Role Manager who has been given the Delete Role permission for the system roles (or the container that contains these roles) can delete system roles. The system roles should not be deleted. If any of the system roles is deleted, the User Application will malfunction.
You can assign a role in either of two ways:
From the
From the
dialog
Both of these methods are described below.
To assign a role from the catalog:
Select a previously defined role in the
and click .
The User Application displays the
dialog box.
Fill in the fields on the
dialog:
Provide text describing the reason for the request in the
field.
In the Type of Assignment field, select
, , or to indicate what type of identities the role will be assigned to.
In the Object Selector, enter a search string and click Search. Select the users, groups, or containers you want to assign.
Assigning a role to multiple identities: You can select one or more users (or groups or containers) for the role assignment. If you select multiple identities, all of the selected identities receive the same role assignment values.
Specify the start date for the role assignment in the
field. You can type in a date using the format mm/dd/yyyy hh:mm:ss a (where a specifies AM or PM). Alternatively, you can click the Calendar icon and select the date from the Calendar pop-up window.
Specify the expiration date for the role assignment in the
field.
NOTE: The expiration date only applies to user assignments. For groups and containers, the
field is not available.
To specify an expiration, click
. You can type in a date using the format mm/dd/yyyy hh:mm:ss a (where a specifies AM or PM). Alternatively, you can click the Calendar icon and select the date from the Calendar pop-up window.
By default, the expiration date is set to
, which indicates that this role assignment will remain in effect indefinitely.
Click
.
To assign a role from the
dialog:
In the
, select a role and click to open the dialog.
Click the
tab.
The
tab displays a list of assignments that have been granted for the selected role.
To add a new assignment, click
.
The User Application displays the
dialog box. For details on working with the role assignment request form, see Assigning a Role From the Catalog.
If a separation of duties conflict would occur when a role is assigned to one or more users, the user interface displays the Separation of Duties Conflicts box at the bottom of the page. In this case, you need to provide a business justification for the role assignment. For more information about Separation of Duties constraints, see Browsing the SoD Catalog.
NOTE: You do not need to provide a justification in cases where the new role assignment conflicts with an existing assignment that the user acquired indirectly, either through a role relationship, or by membership in a group or container.
If a user is added to a role indirectly, and a potential separation of duties conflict is detected, the User Application allows the new assignment to be added and records the violation for reporting and audit purposes. If necessary, role administrators can correct the violation by redefining roles.
To refresh the roles list, click
.
NOTE: If you create a role assignment, and then remove it, you see a message indicating that the assignment has been removed, but the assignment may still be listed. If you refresh the page, you should see that the assignment has been removed.
The
allows you to select and deselect columns, and also reorder columns within the task list display. This behavior is controlled by a setting within the dialog. When you modify the column list or reorder the columns, your customizations are saved in the Identity Vault along with your other user preferences.
To customize the display of columns:
Click
in the . The User Application displays the list of columns currently selected for the display, and a list of additional columns that are available for selection.
To include an additional column in the display, select the column in the
list box, and drag it to the list box.
To select multiple columns in the list, hold down the Ctrl key and select the columns. To select a range of columns that appear together in the list, hold down the Shift key and select the columns.
You can reorder the columns in the display by moving them up or down in the
list box.
To remove a column from the display, select the column in the
list box, and drag it to the list box.
The
column is a mandatory column and cannot be removed from the role list display.
To save your changes, click
.