Role Editor Page
Use the Role Editor to define the roles for your enterprise. A role is a collection of entitlements or profiles that enable an identity to perform certain operations. For example, one role might enable an identity to request a purchase order and another might enable an identity to approve purchase requests. Use roles to monitor identity entitlements, identify policy violations, and compile identity risk scores to enable you to maintain compliance.
See Working with the Role Manager for information on how to work with roles in the Role Editor.
Note
When adding new roles, the list of attributes changes to reflect the currently selected role type. When editing a role, if the role type changes, any attributes from the original role are preserved and the user is prompted with the warning message "This attribute does not apply to the current roletype."
Roles that are awaiting approval are displayed with a red square around the role icon. You can edit roles with approval or analysis pending, but a notice displays at the top of the page alerting you that "An approval or impact analysis work item is pending on this role." If you change and submit a role with changes pending, the original work item is deleted and replaced with a work item containing the latest changes. A role with changes pending approval displays the original, unchanged, role information on the Role Information panel, but the latest, changed, information on the Role Editor page. This enables you to view the role as it currently exists in the Role Information panel, but ensures that you do not duplicate changes on the Role Edit page.
The Role Editor panel contains all of the information associated with the selected role. Some of the sections listed in the table might not be available for all role types. If there is information associated with a role that is not supported by the assigned role type, the information is displayed with a warning message.
Role Editor Fields
Name - The name of the role.
Display Name - The name to be used throughout IdentityIQ.
Type - The type of role. For example, organizational, business, or IT. Role type definitions are customizable and created as part of the configuration process.
Owner - Enter a valid user or workgroup. Typing the first few letters of a name displays a list of all of the user and workgroup names in the system containing that letter combination. You can select from the displayed list.
Scope - Select a scope from the dropdown list. Only scopes that you control are displayed in the list. Scope is used to determine the objects to which a user has access. If scoping is active, identities can only see objects that they created or that are within the scopes they control.
Description - A brief description of the role. This description is displayed with the role throughout IdentityIQ and should be as intuitive as possible.
Use the language selector to enter the description in multiple languages. The dropdown list displays any languages supported by your instance of IdentityIQ. The description displayed throughout the product depends on the language associated with the user's browser. If only one description is entered, that description is used by default.
You must Save the description before changing languages to enter another description.
Classifications - Classifications are used to categorize and flag a role, to identify it as potentially allowing access to sensitive, privileged, or otherwise significant data.
Enable Activity Monitoring - Activate this feature to track activity for any user who is assigned this role. If activity monitoring is not available on the selected application, the Activity Monitoring Enabled checkbox is replaced by the following note: This application does not currently have activity monitoring configured.
Provision both profiles and policies - Provision any changes to either profiles or policies associated with this role.
Allow multiple application accounts - Enables a role to specify its own target account, or create a new account, during a role request, even if it is required by another role and included in that role's required roles list.
If this option is not enabled, required roles are assigned to the same account as the top-level role.
Enable multiple assignments - Enables a role to be assigned to the same identity multiple times. This option is not available if multiple assignments are not enabled, or if they are universally enabled. This option is only available on assignable role types.
Disable - Disable the role so that it is no longer available in your application. Disabled role names appear gray in the Role Navigation panel.
Custom or Extended Role Attributes - Any extended role attributes configured for your enterprise are displayed with the role information. You can enter data in any of these attribute fields, to be used in rules and workflows written for your installation.
Scheduled Events - The activation events scheduled for the role. Activation events use business processes to automatically activate or deactivate roles based on the dates specified in the Add New Event dialog.
Assignment Rule - A rule used to automatically assign roles to identities during a correlation process. Assignment rules can be created using:
- Match List – only identities whose criteria match those specified in the list. The criteria are configured using the tools provided. Add identity attributes, application attributes and application permissions. Customize further by creating attribute groups to which this assignment rule applies.
Note
If Is Null is selected, the associated value text box is disabled. When the Is Null match is processed, the term matches users on the chosen application who have a null value for that attribute / permission.
- Filter – a custom database query for role creation.
- Script – a custom script for role creation.
- Rule – select an existing rule from the dropdown list.
Note
Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.
- Population – select an existing population and assign this role to identities in that population.
Permitted Roles - Roles to which users have access if they are assigned this role.
Required Roles - The roles to which an identity must have access before this role can operate properly.
Inherited Roles - The roles in which this role is a member.
Entitlements - Detailed information about the entitlements that are contained in the role. Use this panel to create new entitlements or edit or delete existing entitlements. Mouse over the information icon to display the description of an entitlement.
Provisioning Policy - A list of provisioning policies associated with this role. Use this panel to add, edit, or delete provisioning policies.
Granted IdentityIQ User Rights - Use this panel to specify the IdentityIQ capabilities and scopes associated with this role. These rights are granted to the identities to whom this role is assigned. These capabilities and scopes are not assigned until an Identity Refresh task is run with the Provision assigned roles option selected.
Role Editor – Archived Role Panel
Click an archived role to display the Archived Role panel, view the details of the archived role, and determine which version to roll back to.
Click Roll Back to Archive Role to return to the Role Editor page. Use the action buttons at the bottom of the page to complete the procedure. If approval is required for role changes, it is also required when a role is rolled back to a previous version.
Role Editor – Edit Entitlement Panel
Use the Edit Entitlement panel to define the profiles that are included in the role. A profile is a set of entitlements on an application. An entitlement is either a specific value for an account attribute, most commonly group membership, or a permission. Profiles are not shared between roles.
Click Submit to save changes or add the profile to the role.
Note
The simple view may not be available for all roles.
There are two options for adding entitlements to a role, the Simple View or the Advanced View. The simple view eliminates the need to create attribute rules to locate entitlements and provides, for each application, a dropdown list of the entitlements configured for selection. See Working with the Role Manager for information on how to work with profiles.
Simple View Fields on the Entitlement Editor panel
Application - The application associated with the account attributes or permissions for this profile.
Account Attribute - The value of the account attribute, most commonly group membership.
Select Entitlement - Specify as many entitlements as required for this role.
Advanced View Fields on the Entitlement Editor panel
Description - A brief description of the profile.
This description is displayed with the role throughout the product and should be as intuitive as possible.
Application - The application associated with the account attributes or permissions for this profile.
Attribute Rules - Attribute rules are made up of filters that can be grouped and controlled using AND / OR operations. The attribute rules associated with a profile can be as simple or complex as needed. The Add a Filter box is used to create the individual filters, and the Filter(s) box is used to view and manipulate the existing filters. See Working with the Role Manager.
Field - The attribute associated with the attribute filter. The dropdown list contains all attributes configured for the selected application.
Applications are configured on the Configure Application page.
Search Type - The qualifier associated with the attribute value.
- Multi Valued attributes – contains all, is null, is not null
- Long, Int, Date – all except contains all and is like – equals, is less than, is greater than, is greater than or equal to, is less than or equal to, is in, is null, is not null, is not equal
- Boolean – equal, is not equal to, is null, is not null
- Permission – equals, is not equal, is in, is null, is not null
- Everything else – all operations except contains all – is like, equals, is less than, is greater than, is greater than or equal to, is less than or equal to, is in, is null, is not null, is not equal
Value - The value of the attribute. When available, select an entitlement from the dropdown list. This field is not available for unary operations.
Ignore Case - Specifies if case should be a factor when comparing entitlements defined for profiles with those assigned to users. During identity correlation, the entitlements defined in profiles are compared with entitlements assigned to users to determine roles and additional entitlements for certifications.
This field is not available for unary operations.
Operation - The operation used to control the interaction between the filters.
Permissions
Rights - The rights associated with this profile on the target attribute. For example, create, read, update, delete, execute.
Use the Shift and Ctrl keys to select multiple rights from the list.
Target - The target attribute for this permission.
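As an added illustration (not IdentityIQ code or its filter engine), the following Python models how a profile's filters are matched against an account's attributes during correlation, using the search types, the Ignore Case flag and the AND / OR Operation described above. The attribute names and values are constructed, and a substring test stands in for the product's "is like" pattern match.

```python
import operator

# Comparison search types that take a single Value (constructed lookup table)
_COMPARE = {"is less than": operator.lt, "is greater than": operator.gt,
            "is less than or equal to": operator.le, "is greater than or equal to": operator.ge}

def _fold_case(value, ignore_case):
    # Lower-case strings, and lists of strings, when the filter's Ignore Case flag is set
    if not ignore_case:
        return value
    if isinstance(value, str):
        return value.lower()
    return [_fold_case(v, True) for v in value] if isinstance(value, (list, tuple, set)) else value

def match_filter(account, flt):
    """Evaluate one filter {field, op, value, ignore_case} against one account's attributes."""
    actual, op = account.get(flt["field"]), flt["op"]
    if op == "is null":                  # unary operations: no Value and no Ignore Case
        return actual is None
    if op == "is not null":
        return actual is not None
    if actual is None:                   # attribute absent: only the unary operations can match
        return False
    ignore_case = flt.get("ignore_case", False)
    a, v = _fold_case(actual, ignore_case), _fold_case(flt["value"], ignore_case)
    if op == "contains all":             # multi-valued attribute holds every listed value
        return set(v) <= set(a)
    if op == "equals":
        return a == v
    if op == "is not equal":
        return a != v
    if op == "is in":                    # Value is a list of acceptable values
        return a in v
    if op == "is like":                  # substring match standing in for a LIKE pattern
        return v in a
    return _COMPARE[op](a, v)

def match_profile(account, filters, operation="AND"):
    """Combine the profile's filters with the AND / OR Operation."""
    results = [match_filter(account, f) for f in filters]
    return all(results) if operation == "AND" else any(results)

# Constructed sample: one account on an application, and a profile with three filters
ACCOUNT = {"memberOf": ["Finance-Users", "PO-Approvers"], "department": "Finance", "accessLevel": 3}
PROFILE = [
    {"field": "department", "op": "equals", "value": "finance", "ignore_case": True},
    {"field": "memberOf", "op": "contains all", "value": ["po-approvers"], "ignore_case": True},
    {"field": "accessLevel", "op": "is greater than or equal to", "value": 2},
]
```

Without Ignore Case the first filter would fail, because "finance" does not equal "Finance", so the account would not match the profile.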
Role Editor – Provisioning Policy Editor Panel
Provisioning policies define the fields required for a role to be provisioned, often including a default value or script / rule for calculating a value. With a provisioning policy in place, when a role is requested and a field cannot be calculated by the system, the user must input specified criteria into a generated form before the request can be completed.
See How to Create or Edit a Provisioning Policy for information on how to work with provisioning policies.
The Provisioning Policy Editor panel contains the following information:
Edit Provisioning Policy Fields
Use the Edit Provisioning Policy Fields panel to customize the look and function of the form fields generated from the provisioning policy.
Name - The name of the field.
Display Name - The name displayed for the field in the form generated by the provisioning policy.
Help Text - The text you wish to appear when hovering the mouse over the help icon.
Type - Select the type of field from the dropdown list. Choose from the following:
- Boolean – true or false values field
- Date – calendar date field
- Integer – only numerical values field
- Long – similar to integer but is used for large numerical values
- Identity – specific identity in IdentityIQ field
- Secret – hidden text field
- String – text field
Multi Valued - Choose this to have more than one selectable value in this field of the generated form. Click the plus sign to add another value.
Read Only - Determine how the read only value is derived:
- Value – value based on the selection from the dropdown list
- Rule – value is based on a specified rule
- Script – value is determined by the execution of a script
Hidden - Determine how the hidden value is derived:
- Value – value based on the selection from the dropdown list
- Rule – value is based on a specified rule
- Script – value is determined by the execution of a script
Owner - The owner of the provisioning policy. This is determined by selecting from the following:
- None – no owner is assigned to this provisioning policy.
- Application Owner – identity assigned as owner of the application in which the provisioning policy resides.
- Role Owner – identity assigned as owner of the role in which the provisioning policy resides.
- Rule – use a rule to determine the owner of this provisioning policy.
- Script – use a script to determine the owner of this provisioning policy.
Required - Choose whether completing this field is required before the form can be submitted.
Review Required - Choose whether or not to require the person who is approving the workflow item to approve this field.
Refresh Form on Change - Select this option to have the form associated with this policy refresh to reflect changes to this policy.
Display Only - Set this field as display only.
Authoritative - Boolean that specifies whether the field value should completely replace the current value rather than be merged with it. Applicable only for multi-valued attributes.
Value - Determine how the value is derived. Select from the following:
- Literal – value is based on the information you provide
- Rule – value is based on a specified rule
- Script – value is determined by the execution of a script
Value - The value displayed in the field of the generated form before editing. Choose from the following:
- None – the field is blank
- Literal – value is based on the information you provide
- Rule – value is based on a specified rule
- Script – value is determined by the execution of a script
Validation - Specify a script or rule that validates the value entered by the user. For example, a script that validates that a password is 8 characters or longer.
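As an added illustration (not IdentityIQ code), the following Python models how the fields of a provisioning policy are resolved when a role is requested: Literal and Script / Rule values resolve automatically, Required fields that cannot be calculated are collected so the form can ask the user for them, Validation is applied to the result, and the Authoritative flag decides whether a multi-valued value replaces or merges with the account's current value. The field names, the request context and the callables standing in for Script / Rule are constructed.

```python
from dataclasses import dataclass
from typing import Any, Callable, Optional
@dataclass
class PolicyField:
    """One provisioning-policy field, modelled on the editor fields listed above."""
    name: str
    field_type: str                  # Boolean, Date, Integer, Long, Identity, Secret, String
    required: bool = False
    multi_valued: bool = False
    authoritative: bool = False      # replace the current multi-valued value instead of merging
    value: Any = None                # Literal value, or a callable standing in for a Script / Rule
    validation: Optional[Callable[[Any], bool]] = None

def resolve_fields(fields, context, current, answers=None):
    """Resolve each field; return (values, names of fields the generated form must ask for)."""
    answers = answers or {}
    resolved, form_fields = {}, []
    for f in fields:
        if f.name in answers:                    # the user supplied it on the generated form
            val = answers[f.name]
        elif callable(f.value):                  # Script / Rule stand-in, run with the request context
            val = f.value(context)
        else:                                    # Literal value, or None when nothing is configured
            val = f.value
        if val is None:
            if f.required:                       # cannot be calculated: the form must ask the user
                form_fields.append(f.name)
            continue
        if f.validation is not None and not f.validation(val):
            raise ValueError(f"{f.name}: value failed validation")
        if f.multi_valued and not f.authoritative:
            # a non-authoritative multi-valued field merges with the account's current value
            val = sorted(set(current.get(f.name, [])) | set(val))
        resolved[f.name] = val
    return resolved, form_fields

# Constructed sample: a role request for a hypothetical identity
CONTEXT = {"first": "Ada", "last": "Lovelace"}
CURRENT = {"groups": ["Finance-Users"]}          # what the account already holds
FIELDS = [
    PolicyField("email", "String", required=True,
                value=lambda ctx: f"{ctx['first']}.{ctx['last']}@example.com".lower()),
    PolicyField("groups", "String", multi_valued=True, value=["PO-Approvers"]),
    PolicyField("costCenter", "String", required=True),
    PolicyField("password", "Secret", required=True, validation=lambda v: len(v) >= 8),
]
if __name__ == "__main__":
    values, needed = resolve_fields(FIELDS, CONTEXT, CURRENT)
    print("form must ask for:", needed)          # ['costCenter', 'password']
```

A second call with the form's answers (for example costCenter and a password of at least 8 characters) resolves every field; a shorter password is rejected by the Validation callable.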
How to Create or Edit a Provisioning Policy
To Create or Edit a Provisioning Policy:
- Access the Provisioning Policy panel from the Role Editor page.
- Click an existing provisioning policy to edit or click Add Provisioning Policy to create a new one.
- Edit the provisioning policy information.
- Optional: Add or delete provisioning policy fields. See Role Editor Page for descriptions of the fields in each section.
- Select fields to include in the form.
- Click Save to return to the Role Editor.