Modify Role

Initiates a request to the Roles Based Provisioning Module (RBPM) for modifying a Role specified in the Role Name field. The credentials provided in the ID and first <arg-password> are used for placing the request to the Identity Applications server. It uses the Identity Manager REST APIs which internally uses the OAuth2 protocol for authentication. The OSP client ID (osp-clientid) should be specified for authentication. The client password should be specified by the second <arg-password>. You can specify the additional optional arguments to the Resource creation request through the named <arg-string>'s.

Fields

Role Name

Description of the role name.

User Application URL

Specify the URL of the User Application server hosting the Roles Based Provisioning module. Supports variable expansion. For more information, see Variable Selector.

Authorized User DN

Specify the name of the user authorized to request the resource assignment in LDAP format. Supports variable expansion. For more information, see Variable Selector.

Password

Specify the authorized user password. You can enter a clear text password (not recommended) or use the Argument Builder to specify a Named Password.

OSP Client ID

Specify the client ID to authenticate to OSP. Supports variable expansion.

Timeout Value

Specify the number of milliseconds you want Identity Manager to try to establish a connection to the User Application server before timing out. The default value is 0.

Strings

(Optional) Specify additional argument strings for the Resource creation request. You can enter the strings manually or select the Edit the Strings icon to open the Named String Builder and specify the strings. For more information about the Named String Builder, see Named String Builder.

Example

The Modify Role action supports the following string arguments:

String Name

Description

Category Key

The category in which the resource should be created. For example, system, default, or both.

Owner

The owner of the resource in LDAP format.

Multiple owners are allowed for a resource. Specify multiple owners in a semi colon(;) separated list.

Grant Approver

The approver of the role assignment in LDAP format.

Multiple approvers are allowed. Specify multiple approvers in a semi colon(;) separated list to form a serial approval process.

Grant Quorum

Minimum percentage of approvals required for modifying a role.

Resource Association

Resource association for this role. The syntax must have a resource name, resource association description, and the entitlement value separated by semi colons(;). The format is Resource Name in LDAP format;Resource association description;Entitlement Value. For example, cn=Group,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system;Test Description;{​​​​​​​​"ID":"25713f856ecfb24986ebc35bcd581906","ID2":"CN=Administrators,CN=Builtin,DC=idmseup2,DC=org"}​​​​​​​​. For a static resource, the entitlement value is not required. Multiple resource-association elements can be added to associate multiple resources with this role.

Revoke Approver

Role assignment for this role. The syntax must have a role name, role assignment description, and the Role relationship separated by semi colons(;). For example,Role Name in LDAP format;Role assignment description;Relationship.Relationship can be one of child or parent. Multiple role-association elements can be added to assign multiple roles to this role.

Revoke Quorum

Minimum percentage of approval required for revoking a role.