11.3 About the Role Editor

The Role editor allows you to create and configure the roles you want to assign and manipulate in the Roles tab of the User Application. You use the editor to define the role details.

11.3.1 Understanding Role Hierarchy

The Roles Based Provisioning module uses a role hierarchy to simplify the model for assigning users to roles (and thus permissions to users). The role hierarchy allows you to assign roles more efficiently. For example, rather than assigning a user to twenty roles individually, you can achieve the same result by using role levels.

About Role Levels

Role levels define the role hierarchy. Roles defined at the highest level (called Business Roles) define operations that have business meaning within the organization. Mid-level roles (called IT Roles) support technology functions. Roles defined at the lowest level of the hierarchy (called Permission Roles) define lower-level privileges.

A higher-level role automatically includes privileges from the lower-level roles that it contains. For example, a Business Role automatically includes privileges from the IT Roles that it contains. Similarly, an IT Role automatically includes privileges from the Permission Roles that it contains.

Role relationships are not permitted between peer roles within the hierarchy. In addition, lower-level roles cannot contain higher-level roles.
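As an added illustration (not code from Designer or the Roles Based Provisioning module), the following Python models the three role levels, rejects peer and upward relationships as the rules above require, and resolves the privileges a higher-level role inherits from the roles it contains; the role and privilege names are constructed sample data.

```python
# Added example (not Designer's or RBPM's own code): a minimal model of the
# role hierarchy described above. Level numbers follow Table 11-4:
# 30 = Business Role, 20 = IT Role, 10 = Permission Role.
from dataclasses import dataclass, field

BUSINESS, IT, PERMISSION = 30, 20, 10
LEVEL_NAMES = {BUSINESS: "Business Role", IT: "IT Role", PERMISSION: "Permission Role"}

@dataclass
class Role:
    cn: str
    level: int
    privileges: set = field(default_factory=set)   # granted directly by this role
    contained: list = field(default_factory=list)  # lower-level roles it contains

    def contain(self, child: "Role") -> None:
        """Add a role relationship, enforcing the hierarchy rules: no peer
        relationships, and a lower-level role never contains a higher one."""
        if child.level == self.level:
            raise ValueError(f"{self.cn} and {child.cn} are peers at level {self.level}")
        if child.level > self.level:
            raise ValueError(f"{LEVEL_NAMES[self.level]} {self.cn} cannot contain "
                             f"{LEVEL_NAMES[child.level]} {child.cn}")
        self.contained.append(child)

    def effective_privileges(self) -> set:
        """Own privileges plus everything inherited, transitively, from contained roles."""
        result = set(self.privileges)
        for child in self.contained:
            result |= child.effective_privileges()
        return result

def build_sample_hierarchy() -> Role:
    """Constructed sample data: a Business Role containing one IT Role,
    which in turn contains two Permission Roles."""
    ad_read = Role("AD-Read", PERMISSION, {"ad:read"})
    ad_write = Role("AD-Write", PERMISSION, {"ad:write"})
    ad_admin = Role("AD-Admin", IT, {"ad:console"})
    ad_admin.contain(ad_read)
    ad_admin.contain(ad_write)
    helpdesk = Role("Helpdesk", BUSINESS)
    helpdesk.contain(ad_admin)
    return helpdesk

if __name__ == "__main__":
    top = build_sample_hierarchy()
    # The Business Role inherits every privilege down the chain
    print(sorted(top.effective_privileges()))  # ['ad:console', 'ad:read', 'ad:write']
```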

You can modify the label used for each role level in the User Application by defining localized strings for the level’s Name and Description in the role configuration editor.

About Role Containers

A role container is an organizational unit within the User Application driver. The User Application allows you to assign a role to a container. When you assign a role to a container, the users in the container are assigned to the role. This type of role assignment is called an indirect assignment. Roles explicitly assigned to a user from within the User Application are called direct assignments.

Role containers reside under role levels. The User Application shows only the role containers that reside under the role level that you choose. You can create a role either directly in a role level, or in a container within the role level. Specifying the role container is optional.

NOTE: Designer does not allow you to create roles with the same name under different containers, even though you can specify a different role container for each role you create.

You can use the Role editor to create role containers (see Creating a Role Container).

11.3.2 Using the Role Editor

Creating New Roles

  1. Open the Create a Role Wizard in one of these ways:

    • From the Provisioning view, open Role Catalog, right-click Roles, then select New.

    • Right-click a role container, then select New.

    • Select File > New > Provisioning > Role.

    The Create a Role Wizard displays:

  2. Fill in the fields as follows (* indicates a required field):

    Field

    Description

    Identity Manager Project and Provisioning Application*

    The name of the Identity Manager project and the provisioning application where you want to create the role.

    NOTE: These two fields are displayed only when you launch the wizard from the File menu.

    Identifier (CN)*

    The unique identifier for the role.

    Display Name*

    The text displayed as the Role Name field in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Section 2.10, Localizing Provisioning Objects.

    Description

    The text displayed as the Role Description field in the User Application. You can translate this text into any of the languages supported by the User Application. For more information, see Section 2.10, Localizing Provisioning Objects.

    Role Container

    The root location of the role objects within the User Application driver. It defaults to Business Role.

    To specify a Role Container:

    1. Click Search to open the container selection dialog box.

    2. Select a container or subcontainer from the list.

    3. Click OK.

    Category*

    Allows you to categorize roles. Categories are used for filtering role lists in the User Application. The category names are defined in the directory abstraction layer Role Category list.

    Trustee Rights

    Specifies the users, groups, or containers that can read, compare, and browse the roles. (Read, compare, and browse are the default privileges.)

  3. Click Finish. Designer creates the role locally and opens the Role Editor.

  4. Fill in the remaining fields in the Overview tab as described in Table 11-4, Role Overview Properties.

  5. Click Approval.

    For more information on completing the Contained Roles section, see Specifying a Role Hierarchy. For more information on how to use the Entitlements section, see Specifying Entitlements.

  6. In the Approval section, choose Approval Details.

    You are prompted for different values, depending on your selection. See Table 11-3, Role Approval Properties for information about each type.

  7. Save the role.

    For information on deploying a role, see Section 2.7, Deploying Provisioning Objects.

Specifying a Role Hierarchy

You specify a role hierarchy by defining the roles that contain other roles (called Role Relationships in the User Application).

To define a role hierarchy for a new or existing role:

  1. Navigate to the Associations tab of the Role editor.

  2. In the Contained Roles section, click + to add a lower-level role to the current role.

    The current role must be a mid-level role (IT Role) or a top-level role (Business Role), because the lowest-level role (Permission Role) cannot contain other roles. The Role Search dialog box displays:

  3. To use the Role Search dialog box:

    1. Specify the CN, Display Name, Description, Category, and Role Level on which you want to search.

      For CN, Display Name, and Description, you can enter a wildcard (such as S*, *S), or regular expressions (such as [A-Z][a-z]*).

      You can enter a value for all of the fields or none of the fields. If you do not supply a value in a particular field, the search returns all of the possible values for that field. If you enter values in one or more of the fields, the values are ANDed together to create the search filter. The search occurs on the roles defined locally, not the roles deployed to the driver.

      Role Level values are All Lower Levels, Level 10, and Level 20, depending on the level of the currently selected role.

    2. Click Search. Roles matching the search criteria are displayed in the Matching Roles section within the Available roles list.

    3. Double-click the role, or select the role and click the button.

    4. Click OK when you are done adding roles.

      Designer closes the search dialog box and displays the roles you selected in the Contained Roles section.

      NOTE: The ability to add entitlements to a role will be deprecated in the future. It is recommended that you add entitlements to a resource by using the User Application Web client.
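The following added Python example (not Designer's own code) applies the Role Search rules above to a constructed local role list: blank fields match all roles, filled-in fields are ANDed, and the Role Level filter only ever returns levels below the role being edited. How Designer distinguishes a wildcard from a regular expression is not documented here, so the is_wildcard() heuristic is an assumption; the same blank-matches-all and AND semantics apply to the Entitlement Search described under Specifying Entitlements.

```python
# Added example (not Designer's own code): the matching rules of the local
# Role Search. Empty fields match everything, filled-in fields are ANDed,
# and a value may be a wildcard (S*, *S) or a regular expression
# ([A-Z][a-z]*). The is_wildcard() heuristic is an assumption.
import re
from fnmatch import fnmatchcase

def is_wildcard(pattern: str) -> bool:
    """Assumption: a pattern made only of word characters, spaces, hyphens and
    '*' is a wildcard; anything containing other metacharacters is a regex."""
    return "*" in pattern and re.fullmatch(r"[\w \-*]+", pattern) is not None

def matches(pattern: str, value: str) -> bool:
    """One search field against one attribute value."""
    if not pattern:                      # field left blank: matches every role
        return True
    if is_wildcard(pattern):
        return fnmatchcase(value, pattern)
    return re.fullmatch(pattern, value) is not None

def level_allowed(selector: str, role_level: int, current_level: int) -> bool:
    """Role Level selector: 'All Lower Levels' or 'Level 10' / 'Level 20'.
    Only roles below the role being edited can ever be contained by it."""
    if role_level >= current_level:
        return False
    return selector == "All Lower Levels" or selector == f"Level {role_level}"

def search_roles(roles, current_level, cn="", display_name="", description="",
                 category="", level="All Lower Levels"):
    """AND every supplied criterion over the locally defined roles; return CNs."""
    return [r["cn"] for r in roles
            if matches(cn, r["cn"])
            and matches(display_name, r["display_name"])
            and matches(description, r["description"])
            and (not category or category == r["category"])
            and level_allowed(level, r["level"], current_level)]

# Constructed sample catalog (not real data): levels as in Table 11-4.
SAMPLE_ROLES = [
    {"cn": "Sales", "display_name": "Sales", "description": "Sales business role", "category": "Business", "level": 30},
    {"cn": "SalesAdmin", "display_name": "Sales Admin", "description": "Sales IT admin", "category": "IT", "level": 20},
    {"cn": "SAPUsers", "display_name": "SAP Users", "description": "SAP access", "category": "Apps", "level": 10},
    {"cn": "Printing", "display_name": "Printing", "description": "Print queues", "category": "Apps", "level": 10},
]

if __name__ == "__main__":
    # Editing a Business Role (level 30): CN wildcard, then narrowed to Level 10
    print(search_roles(SAMPLE_ROLES, 30, cn="S*"))                    # ['SalesAdmin', 'SAPUsers']
    print(search_roles(SAMPLE_ROLES, 30, cn="S*", level="Level 10"))  # ['SAPUsers']
```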

Specifying Entitlements

  1. In the Entitlements section, click + to add an entitlement for this role. The Entitlement Search dialog box displays:

  2. To complete the Entitlement search:

    1. Choose the driver that contains the entitlement you want.

    2. Specify the CN, Display Name, and Description on which you want to search.

      You can enter a wildcard (such as S*, *S) or a regular expression (such as [A-Z][a-z]*), then click Search.

      You can enter a value for all of the fields or none of the fields. If you do not supply a value in a particular field, the search returns all of the possible values for that field. If you enter values in one or more of the fields, the values are ANDed together to create the search filter. The search occurs locally. Entitlements contained by the selected driver that match the search criteria are displayed in the Entitlements Selection section.

    3. The search is complete when the Entitlement field displays <Select an Entitlement>.

  3. To complete the Entitlement selection:

    1. Choose the entitlement from the Entitlement drop-down list.

      The Description, Type, and Multi-Value fields are read-only. These values are obtained from the Entitlement definition.

    2. Choose the parameter value.

      Type

      Parameter Value Options

      None

      No parameter value needed.

      User-defined

      Specify your own value.

      Admin-defined

      Select from the available parameter values provided in the drop-down list. These values are retrieved from the local Entitlement definition.

      Query

      Select from the available parameter values provided in the drop-down list. Designer connects to your Identity Vault to retrieve a cached list of available parameter values. These values were obtained by a prior run of the query defined in the Entitlement section.

      If Designer is unsuccessful in retrieving these values, it displays a dialog box reporting the problem. You can either resolve these issues before attempting to create this entitlement reference again, or simply enter your own value in the Parameter Value field. There are two buttons to help you retrieve your query parameter values:

      Refresh cached query result: Click this button if you want Designer to attempt to connect to the Identity Vault and retrieve the query parameter values. This is most useful if Designer was not able to connect to the Identity Vault on the first attempt.

      Run query in Identity Vault: Click this button if you want Designer to run the query in the Identity Vault and return the refreshed results.

    3. Click OK to save the definition. Designer displays the definition in the Entitlements table. Query parameter values are translated to the query’s full CN when displayed in the table.

The entitlements defined for the role are triggered when the role is granted. However, if the entitlement is invalid, the role assignment still succeeds, but a message about the entitlement failure is written to the role service Audit log.

Specifying Resource Associations

The Resource Associations table is read-only. It is populated through the User Application Web client.

Table 11-2 Specifying Resource Associations

Field

Description

Resource Name

Name of the resource associated with the role.

Association Description

Description of the reason for associating the resource with the role.

Association Values

Values applied to the resource when the role is assigned.

The information in the Role Editor is updated for all roles when the Role Catalog is imported from eDirectory. The import detects new resource associations, but not resource associations that have been removed in the User Application.

To ensure that deleted resource associations are also removed from the Resources list:

  1. Before performing a Live Import from the Role Catalog, go to the Navigator View and navigate to the \MyProject\Model\Provisioning\AppConfig\RoleConfig\ResourceAssociations folder.

  2. Remove all the files in the folder except the ResourceAssociations.digest file.

  3. From the Provisioning View, select the Role Catalog object and run the Live Import to import all the resource associations again and to provide you the updated correct information.

Creating a Role Container

  1. From the Provisioning view, open the Role Catalog, navigate to a Role-level container, right-click it, then select New Role Sub-Container. The New Role Container dialog box displays:

  2. Type the name of the container, then click OK.

    The container name is the object’s CN. It is not a display label, so it is not localizable. Because the name is a CN and is not localizable, it displays as <name-string> (CN).

    Designer creates the subcontainer locally. On deploy, the container is created in the role-level container of the RoleDefs.RoleConfig.AppConfig node of the User Application driver specified by this project.

Specifying Role Approvals

Navigate to the Approval tab from the Role Editor.

Select the type of approval required when assigning a role.

Table 11-3 Role Approval Properties

Field

Description

No Approval

Select this option if the role does not require approval when requested.

Standard Approval

Select this option if the role requires approval when requested, and you want the approval to execute the standard provisioning request definition that ships with the Roles Based Provisioning module. You must select the type of approval (serial or quorum) and the valid approvers.

Serial: Select this option if you want the role to be approved by the approvers in the Approvers list. The approvers are processed sequentially in the order they appear in the list.

Quorum: Select this option if you want the role to be approved in parallel and to be complete when the percentage of approvers specified is reached.

For example, if you wanted to require that 25 percent of approvers in the list approve the condition, you would specify Quorum and specify a number; the value is assumed to be a percentage.

Approvers

An approver can be a user, group, or role. To add approvers:

  1. Click +.

    If you are connected to the Identity Vault, the Browse Identity Vault dialog box automatically displays.

  2. Navigate the Identity Vault to locate your approvers.

    To locate roles, navigate to the User Application driver’s AppConfig.RoleConfig.RoleDefs container.

  3. Select the approver, then click OK.

If Designer is not able to connect to the Identity Vault, you can add the approver manually by clicking in the row and typing the approver’s distinguished name, for example, admin.novell. Only deployed roles can be specified.

Custom Approval

Approval process definition: Select a provisioning request definition to execute when the role is requested. The approvals displayed in this list have a Process type of Role Approval.

11.3.3 Role Properties Reference

Table 11-4 Role Overview Properties

Section

Field

Description

Role

Identifier

The unique identifier for the role.

Display Name

The text displayed in the Roles tab of the User Application as the Role Name. You can translate this text into any of the languages supported by the User Application. For more information, see Section 2.10, Localizing Provisioning Objects.

Description

The text displayed in the Roles tab of the User Application as the Role Description. You can translate this text into any of the languages supported by the User Application. For more information, see Section 2.10, Localizing Provisioning Objects.

Role Level

Defines the role’s level in the role hierarchy. Level 30 roles are top-level roles. Level 20 roles are mid-level roles. Level 10 roles are the lowest-level roles. Higher-level roles include privileges from lower-level roles.

Categories

Available Categories

Lists the categories that are available for the new role to be associated with. The items in this list are populated from the Role Category list in the directory abstraction layer.

Selected Categories

Lists the categories that the new role is associated with. Use the Add Category and Remove Category buttons to associate the current role with one or more categories.

Role Trustees

Trustees

Specifies the users, groups, or containers that can read, compare, and browse the roles. (Read, compare, and browse are the default privileges.)

Role Owners

Owners

A user who is designated as the owner of the role definition. When you generate reports against the Role Catalog, you can filter these reports based on the role owner. The role owner does not automatically have the authorization to administer changes to a role definition. In some cases, the owner must ask a role administrator to perform any administration actions on the role.

Table 11-5 Role Approval Properties

Section

Field

Description

Contained Roles

Contained Roles

One or more roles of a lower level than the one being defined.

Entitlements

Entitlements

One or more Identity Vault objects that represent a resource in a connected system.

Approval Options

No Approval

Select this option if the role does not require approval when requested.

Standard Approval

Select this option if the role requires approval when requested, and you want the approval to execute the standard provisioning request definition that ships with the Roles Based Provisioning module. You must select the type of approval (serial or quorum) and the valid approvers.

Approvers

An approver can be a user, group, or role.

Custom Approval

Approval process definition: Select a provisioning request definition to execute when the role is requested. The approvals displayed in this list have a Process type of Role Approval.

Table 11-6 Role Association Properties

Section

Field

Description

Resources

Resource Name

Name of the resource associated with the role.

Association Description

Description of the reason for associating the resource with the role.

Association Values

Values applied to the resource when the role is assigned.