Versioning Roles
IdentityIQ supports saving and restoring of old versions of roles so changes can be rolled back when needed. Logic to support this functionality is present in both of the role modeler business processes provided out of the box: Role Modeler – Owner Approval and Role Modeler – Impact Analysis. By default, this functionality is turned off, but it can easily be activated.
When role changes occur, a business process is launched to process the changes; this may perform approval processes, impact analyses, and more. The business process that is launched is configured as part of the IdentityIQ configuration. The configuration setting is under the gear menu > Global Settings > IdentityIQ Configuration > Roles page as the Role create, update, and delete business process.
To enable versioning of roles, this business process must have the doArchive variable set to true. This is done through the Business Process Editor (Setup > Business Process > select business process) or through the business process XML.
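The following check is an added example, not part of the IdentityIQ documentation or product code: it reads an exported business process XML and reports, per business process, whether doArchive is set to true. The Workflow/Variable element names, the name and initializer attributes, the "string:" prefix, and the sample export itself are assumptions constructed for illustration; compare them with an actual export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. Element and attribute names are assumed, not
# copied from a real IdentityIQ installation.
SAMPLE_EXPORT = """<sailpoint>
  <Workflow name="Role Modeler – Owner Approval">
    <Variable initializer="false" input="true" name="doArchive"/>
  </Workflow>
  <Workflow name="Role Modeler – Impact Analysis">
    <Variable initializer="string:true" name="doArchive"/>
  </Workflow>
  <Workflow name="Custom Role Approval">
    <Variable name="approvalMode"/>
  </Workflow>
  <Workflow name="Scripted Role Approval">
    <Variable initializer="script:return archiveFlag;" name="doArchive"/>
  </Workflow>
</sailpoint>"""


def archive_status(xml_text):
    """Map each business process name to the state of its doArchive variable.

    enabled    - initializer is the literal true
    disabled   - initializer is absent or the literal false
    missing    - the business process declares no doArchive variable
    unresolved - initializer is computed (script, rule, reference), so the
                 value cannot be determined from the XML alone
    """
    status = {}
    # iter() also matches the root, so a single-Workflow export works too.
    for wf in ET.fromstring(xml_text).iter("Workflow"):
        var = next((v for v in wf.findall("Variable")
                    if v.get("name") == "doArchive"), None)
        if var is None:
            status[wf.get("name")] = "missing"
            continue
        value = (var.get("initializer") or "").strip().lower()
        if value.startswith("string:"):
            value = value[len("string:"):]
        if value in ("", "false"):
            status[wf.get("name")] = "disabled"
        else:
            status[wf.get("name")] = "enabled" if value == "true" else "unresolved"
    return status


if __name__ == "__main__":
    for name, state in archive_status(SAMPLE_EXPORT).items():
        print(f"{state:10} {name}")
```

Only the business process selected as the Role create, update, and delete business process matters for versioning, so check the entry for that name.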
Any time a role is changed (after any approval processes have finished and the change has been fully activated), an archive version of its previous state is saved. To view the set of previous states for a role, click the role name in the Role Viewer Navigation list (Setup > Roles > Role Viewer tab). In the Role Information pane to the right, locate the Archived Roles header and click the down arrows to view the list.
Click any version in the list to see its details and click Roll Back to Archived Role to open the archived version in the Role Editor. Then scroll down and click Submit to restore the archived version as the active version of the role. The version being replaced is then also created as another archived version.
The same rollback option is also available from the Role Editor page (visible by clicking Edit Role from the Role Viewer page). Find the Archived Roles section, expand it to view the archived versions, and click one to see its details. To restore that version, click Roll Back to Archived Role, and then click Submit.
Identities which are connected to a role, through assignment or detection, prior to the archive rollback retain their association to that role until a new Identity Refresh task is run with the Refresh assigned, detected roles and promote additional entitlements option selected. This will update those associations unless the role change business process itself is configured to do a refresh. If the role profile or assignment rule changed as part of the rollback, the role's new state may cause the role to be removed from some Identities and added to others as a result of the refresh process.