How Roles are Assigned

Business roles can be assigned in two ways. Roles can be assigned automatically based on attribute matching, using the assignment rule defined in the business role. This is typically used for birthright provisioning: simply because someone is an employee, they automatically receive a baseline set of business roles; if they are in the Accounting department (as indicated by the identity attribute that defines their department), they receive an additional business role; and if they are also a manager, they may receive yet another. All of this happens automatically when an identity is created, or when it is updated with, for example, a change of department or a change of manager status. Birthright roles are frequently marked as not requestable; they can also be excluded from the certification process, since users are expected to hold these roles simply by virtue of who they are.

Roles can also be requestable – that is, a role can be assigned to a user based on a request for the role from, for example, the user's manager, an application owner, or the users themselves. Part of designing your role model is determining who may request roles and who will approve those requests. When you define your roles, you can specify role attributes that determine the approval process.

Using Assignment Rules to Assign Business Roles to Identities

Automatic role assignment is done based on the Assignment Rule for the role. When roles are created through Role Mining, the Assignment Rule is automatically generated to match the selection criteria that created the role.

When the Assignment Rule is executed, the appropriate Identities are automatically assigned that business role. To execute the roles' assignment rules, run an Identity Refresh task with the Refresh assigned, detected roles and promote additional entitlements option selected. See Identity Refresh.

Manually created roles must have an Assignment Rule written for them to allow them to be assigned to Identities automatically. The assignment rule for each role can be defined through any of these constructs:

  • Match List – checks for a match in one or more identity or application attribute values.

  • Filter – specifies matching criteria in a <CompoundFilter> XML representation.

  • Script / Rule – BeanShell code that sets the criteria for assigning the role; usually used when the conditions for the assignment rule are too complex for the simpler constructs.

  • Population – a saved set of search criteria identifying a population of identities; Populations are created from Advanced Analytics searches.
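The following is an added example, not taken from this page or from the SailPoint documentation, showing how the Match List, Filter, and Script constructs above appear as an IdentitySelector in a Bundle (business role) XML object. Each role carries one selector, so the three forms are shown as alternatives; the role name, the attribute names (department, location, managerStatus) and their values are constructed for illustration, and the element names and the identity methods used in the script reflect the author's understanding of the IdentityIQ object model rather than anything stated on this page.

```xml
<!-- Constructed example: a business role with its assignment rule.
     Exactly ONE of the three IdentitySelector forms below would be present
     in a real Bundle; they are shown together for comparison. -->
<Bundle name="Accounting Manager (example)" type="business" disabled="false">

  <!-- Form 1: Match List. Every MatchTerm must hold when and="true".
       Identity attributes are matched by name; an application attribute
       would add an applicationRef to the MatchTerm. -->
  <IdentitySelector>
    <MatchExpression and="true">
      <MatchTerm name="department" value="Accounting"/>
      <MatchTerm name="managerStatus" value="true"/>
    </MatchExpression>
  </IdentitySelector>

  <!-- Form 2: Filter. Same criteria as a CompoundFilter; AND/OR filters
       nest, and leaf filters name a searchable identity property. -->
  <IdentitySelector>
    <CompoundFilter>
      <Filter operation="AND">
        <Filter operation="EQ" property="department" value="Accounting"/>
        <Filter operation="EQ" property="location" value="Boston"/>
      </Filter>
    </CompoundFilter>
  </IdentitySelector>

  <!-- Form 3: Script. BeanShell that must evaluate to a Boolean: true means
       the identity receives the role on the next Identity Refresh, false
       means an automatically assigned role is removed. The check for an
       inactive identity is the caveat worth keeping: without it, a
       terminated employee whose department attribute is still populated
       keeps the birthright role. -->
  <IdentitySelector>
    <Script>
      <Source>
        // 'identity' is the Identity being refreshed (made available by IdentityIQ)
        String dept = (String) identity.getAttribute("department");
        boolean isManager = identity.getManagerStatus();
        boolean isInactive = identity.isInactive();

        // Null-safe comparison: a missing department must never match.
        return !isInactive
            &amp;&amp; "Accounting".equals(dept)
            &amp;&amp; isManager;
      </Source>
    </Script>
  </IdentitySelector>

</Bundle>
```

None of these forms takes effect until the Identity Refresh task runs with the Refresh assigned, detected roles and promote additional entitlements option selected; reviewing the assignment results of that task on a small test population before enabling it against the whole identity cube is the practical way to catch an over-broad selector, since a rule that evaluates to true for every identity silently grants the role to everyone.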

If roles generated by Role Mining are manually modified, the assignment rules generated for them may no longer apply. In that case, the assignment rules must be edited as well, to prevent the roles from being incorrectly assigned to Identities.

For an overview of developing and using rules in IdentityIQ, see Rules and Scripts in IdentityIQ.