7.4 Team Configuration

The Team Configuration page allows you to create teams and define permissions for these teams. A team definition specifies a domain type (Provisioning, Role, or Resource), as well as a set of team members and managers. The Team Configuration page is accessible to the following users:

Table 7-2 User Access to the Team Configuration Page

| User | Capabilities |
|------|--------------|
| Security Administrator | Can perform all operations on the Team Configuration page. |
| Other Domain Administrators | Can define a team for the domain over which the administrator has authority. |
| Team Manager | Can view a team definition for which he/she is configured to be the manager. When a team manager edits a team, the team definition itself is read-only, because the team manager cannot modify the team configuration. |

The members of a team can be specified individually as a set of users, groups, or containers, or can be defined based on a business relationship, such as the Manager-Employee relationship. Alternatively, the team member list can include all users within the container.

When a team definition includes a container or group in its membership list, the User Application expands the container or group to show the users within it. Therefore, the User Application only allows the team manager to specify a particular user within the container or group as the recipient for a team request; the team manager is not permitted to specify the container or group itself as the recipient.

The managers for a team can be one or more users or groups. When you define a team, you can specify whether you want the team managers to also be members of the team.

The permissions for a team define the actions that team members can take on a particular scope of object instances within the domain type selected for a team. For example, if you select the Role domain as the domain type for a team, the team permissions determine what actions the members can take on the set of role instances selected as the scope for the team. These permissions might specify, for the selected scope of roles, that members can perform actions such as assigning roles to users, viewing role assignments, and reporting on role assignments.

7.4.1 Viewing Team Configurations

To view existing team configurations:

  1. Select Team Configuration on the RBPM Provisioning and Security tab.

    The Team Configuration page displays a list of team configurations currently defined.

Filtering the Team List

  1. Click the Display Filter button in the upper right corner of the Resource Catalog display.

  2. Specify a filter string for the team name or description in the Filter dialog, or select a particular domain, and click Filter.

  3. To remove the current filter, click Reset.

Setting the Maximum Number of Rows on a Page

  1. Click the Rows dropdown list and select the number of rows you want to be displayed on each page.

Scrolling within the Team List

  1. To scroll to another page in the resource list, click on the Next, Previous, First or Last button at the bottom of the list.

Sorting the Team List

To sort the team list:

  1. Click the header for the column you want to sort on.

    The pyramid-shaped sort indicator shows you which column is the new sort column. When the sort is ascending, the sort indicator is shown in its normal, upright position.

    When the sort is descending, the sort indicator is upside down.

    The default sort column is the Resource Name column.

If you override the default sort column, your sort column is added to the list of required columns. Required columns are indicated with an asterisk (*).

When you modify the sort order for the task list, your preference is saved in the Identity Vault along with your other user preferences.

7.4.2 Creating New Teams

To define a new team:

  1. Click the New button at the top of the Team Configuration display.

    The New Team dialog displays.

  2. Select one of the following domains:

    • Provisioning Domain

    • Role Domain

    • Resource Domain

    The domain determines what types of objects the team members can act on. A team can only be associated with a single domain.

    NOTE: If a particular user has been designated as a domain administrator, NetIQ recommends that this user should not also be designated as a manager of a team for the same domain for which the user is a domain administrator.

  3. Provide a name and description for the team.

  4. In the Managers control, select the users and groups that will be managers of the team.

  5. In the Members control:

    1. Indicate whether the managers will also be members of the team by selecting or deselecting the Also include selected managers in members list checkbox.

    2. Define the members of the team by selecting one of the following radio buttons:

      | Option | Description |
      |--------|-------------|
      | All Users | Includes all users in the container. |
      | Relationship | Includes all users that have a relationship with the users in the Managers list. For example, if you select the Manager-Employee relationship, the members report directly to the users in the Managers list. |
      | Select Members | Includes the users, groups, and containers you select. |

  6. Click Save to preserve your team configuration settings.

    Once you’ve saved a team, the Permissions section is added to the page, and the Team Permissions Configuration interface is displayed.

    The Team Permissions Configuration interface includes buttons for adding new permissions, deleting permissions and refreshing the display. The Permissions section of the page does not include an Edit button because the details associated with each permission are shown in the Permissions list. If a particular team permission is not properly defined, you can simply delete the permission and add a new one in its place.

  7. To define the permissions for the team, click New.

    This interface shows controls that apply to the domain selected for the team. These controls allow you to specify which objects are within the scope of the team and which permissions team members have with respect to these objects.

  8. Follow these steps to define permissions for a team that uses the Provisioning domain:

    1. To include all provisioning request definitions, click the All Provisioning Request Definition button.

    2. To select provisioning request definitions individually, choose the Select Provisioning Request Definition radio button, and use the Object Selector to pick one or more provisioning request definitions.

    3. Once you’ve defined the scope for the team, choose the permissions you want to allow for each object by selecting the object and picking the desired permissions in the Permissions control.

      The provisioning permissions are the same for team configurations as for RBPM administrator assignments. See Step 10.c for details on the provisioning permissions.

    4. To define permissions that apply to the User Application driver as a whole, open the Add User Application Driver Permissions section of the page and select the permissions you want to allow with this assignment.

    5. Click Save to save the permissions for the selected objects or containers.

      To delete a permission, select the permission and click Delete.

      To refresh the list of permissions for the team, click Refresh.

  9. Follow these steps to define permissions for a team that uses the Role domain:

    1. To include all roles in all levels in the roles hierarchy, choose All Role Levels in the Role Level control.

      To include all roles at a particular level in the role hierarchy, choose one of the following levels:

      • Business Role

      • IT Role

      • Permission Role

      To include all roles in a particular sub container under the selected role level, use the Object Selector to select the sub container.

    2. To select roles individually, choose the Select Roles radio button, and use the Object Selector to pick one or more roles.

    3. Once you’ve defined the role scope for the team, choose the permissions you want to allow for each object by selecting the object and picking the desired permissions in the Permissions control.

      The following role permissions are supported in team configurations:

      • View Role

      • Assign Role

      • Revoke Role

      • Assign Role to Group and Container

      • Revoke Role from Group and Container

      These role permissions have the same behavior as for RBPM administrator assignments. See Step 11.c for details on these role permissions.

    4. Click Save to save the permissions for the selected objects or containers.

      To delete a permission, select the permission and click Delete.

      To refresh the list of permissions for the team, click Refresh.

  10. Follow these steps to define permissions for a team that uses the Resource domain:

    1. To include all resources, click the All Resources button.

    2. To select resources individually, choose the Select Resources radio button, and use the Object Selector to pick one or more resources.

    3. Once you’ve defined the resource scope for the team, choose the permissions you want to allow for each object by selecting the object and picking the desired permissions in the Permissions control.

      The following resource permissions are supported in team configurations:

      • View Resource

      • Assign Resource

      • Revoke Resource

      These resource permissions have the same behavior as for RBPM administrator assignments. See Step 12.c for details on these resource permissions.

    4. Click Save to save the permissions for the team.

      To delete a permission, select the permission and click Delete.

      To refresh the list of permissions for the team, click Refresh.

  11. Click Save to save the team configuration and team permissions.
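The NOTE in step 2 recommends that a domain administrator not also manage a team in the same domain, and step 4 allows managers to be groups, so the overlap can be hidden behind group membership. The following check is an added example, not part of the product or its documentation; the data model, function names and sample data are constructed, and nested groups are an assumption about the directory.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Team:
    name: str
    domain: str            # "Provisioning", "Role" or "Resource"
    managers: frozenset    # user names and/or group names

def expand(principals, groups):
    """Resolve users and (possibly nested) groups to the set of users."""
    users, seen, stack = set(), set(), list(principals)
    while stack:
        p = stack.pop()
        if p in groups:
            if p not in seen:          # guard against cyclic group nesting
                seen.add(p)
                stack.extend(groups[p])
        else:
            users.add(p)
    return users

def find_admin_manager_overlap(teams, domain_admins, groups):
    """Return sorted (team, domain, user) tuples where a user is a domain
    administrator and, directly or through a group, a manager of a team
    in that same domain."""
    findings = []
    for team in teams:
        admins = domain_admins.get(team.domain, set())
        for user in expand(team.managers, groups) & admins:
            findings.append((team.name, team.domain, user))
    return sorted(findings)

# Constructed sample data (hypothetical export of teams, admins and groups).
GROUPS = {
    "role-leads": {"alice", "helpdesk"},
    "helpdesk": {"bob", "role-leads"},   # cyclic nesting on purpose
}
DOMAIN_ADMINS = {"Role": {"bob"}, "Resource": {"carol"}}
TEAMS = [
    Team("Sales Roles", "Role", frozenset({"role-leads"})),     # bob via group
    Team("Lab Resources", "Resource", frozenset({"dave"})),     # no overlap
    Team("Onboarding", "Provisioning", frozenset({"carol"})),   # other domain
]

if __name__ == "__main__":
    for team, domain, user in find_admin_manager_overlap(TEAMS, DOMAIN_ADMINS, GROUPS):
        print(f"{team}: {user} is {domain} domain administrator and team manager")
```
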

7.4.3 Editing an Existing Team

To edit an existing team:

  1. Select a previously defined team and click Edit.

    When a team manager edits a team, the team definition itself is read-only, because the team manager cannot modify the team configuration.

  2. Make your changes to the team settings and click Save.

7.4.4 Deleting Teams

To delete an existing team:

  1. Select a previously defined team and click Delete.

7.4.5 Refreshing the Team List

To refresh the list of teams:

  1. Click Refresh.