Role Viewer Tab
Note
The RoleNavigation panel can display roles that are outside of your assigned scope. You cannot edit those roles.
The Role Viewer tab of the Role Manager lists your existing roles, displays detailed information about each role, and lets you add, edit, and delete roles. The Role Viewer tab lets you work with these IdentityIQ components:
- Roles – see Role Editor Page
- Archived Roles – see Role Editor – Archived Role Panel
- Profiles – see Role Editor – Edit Entitlement Panel
Viewing Role Information
The Role Navigation panel of the Role Viewer tab displays your existing roles. The list of roles can be organized in a top-down, bottom-up, or grid format. The grid shows a simple list of roles in alphabetical order. If you expand a role in the Top Down view, you see the roles that are members of the expanded role. If you expand a role in the Bottom Up view, you see the roles in which the expanded role is a member. Use filtering to locate specific roles in the Top Down and Bottom Up views.
Click the arrow icon on the top, right side to contract or expand the Role Navigation panel. Contracting the panel provides more screen space to view role details in the Role Information panel.
Click a role to display detailed information in the Role Information panel of the Role Viewer.
If approval and impact analysis are active, roles and profiles that have changes pending approval or are undergoing impact analysis are displayed with a red square surrounding their icon. Role analysis and role approval are an important part of overall role life-cycle management. Role analytics and approval for new, modified, or rolled-back roles are controlled through business processes configured for your implementation of IdentityIQ.
Inactive roles that are not pending approval or analysis are displayed with a gray icon.
The Role Information panel contains all of the information associated with the selected role. Some of the sections listed in the table below may not be available for all role types. If there is information associated with a role that is not supported by the assigned role type, the information is displayed with a warning message.
Roles in which activation rules are enabled display a notice in the upper right-hand corner of the information panel containing activation or deactivation information.
Role Information Panel
Name - The name of the role.
Display Name - The name to be used throughout IdentityIQ.
Owner - The owner assigned to the role.
Scope - The scope of this role. Scope is used to determine the objects to which a user has access. If scoping is active, identities can only see objects that they created or that are within the scopes they control. The scope option is only displayed if the scope feature is enabled.
Type - The type of role being displayed. Role type definitions are customizable and created as part of the configuration process.
Description - A short description of the role.
Classification - Classifications categorize and flag a role, to identify it as potentially allowing access to sensitive, privileged, or otherwise significant data.
Elevated Access - Set to true or false depending on whether the role has elevated access.
Extended Attributes - Any extended role attributes configured for your enterprise and marked as searchable are displayed with the role information. For example, Identity Attribute, Date Attribute, Rule Attribute.
Role Statistics - The Role Statistics panel displays detailed statistical information on the users and entitlements of a given role. Click each applicable category to view a window containing item-specific statistical information. Available IdentityIQ categories include the following:
- Members – number of Identities assigned the role. Click to view a grid displaying those identities.
- Members with Additional Entitlements – number of Identities that have entitlements which are not permitted or required by this role or any other role they have been assigned. This applies to Business Roles provided by IdentityIQ, not to custom roles.
- Members with Missing Required Roles – number of Identities that are missing roles which are required by this one. This applies to Business Roles provided by IdentityIQ, not to custom roles.
- Identities Detected – number of Identities whose entitlements indicate that they have this role. Click to view a grid displaying those identities. This applies to IT and Entitlement Roles provided by IdentityIQ, not to custom roles.
- Identities Detected to be Exceptions – number of Identities whose entitlements indicate that they have this role, even though they have not been assigned any roles that permit or require this one. Click to view a grid displaying those identities. This applies to IT and Entitlement Roles provided by IdentityIQ, not to custom roles.
- Provisioned Entitlements – number of Entitlements that would be provisioned if this role were to be assigned to and / or required by a new Identity. This applies to Business, IT, and Entitlement Roles provided by IdentityIQ, not to custom roles.
- Permitted Entitlements – number of Entitlements that would be provisioned in order for an Identity to match all roles permitted by this one. This applies to Business Roles provided by IdentityIQ, not to custom roles.
- Click the Refresh button at the bottom of the panel for each role whose statistics you wish to view.
—OR—
- Run the Refresh Role Scorecard task to populate and display the statistical data by default on all roles.
Note
The Refresh role metadata option must be selected in the Refresh Identity Cubes task in order for the Role Statistics panel to display any information.
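To make the statistic definitions above concrete, here is an added, self-contained Python illustration (not IdentityIQ code, and not how the product computes its scorecard) that evaluates Members, Members with Additional Entitlements, Members with Missing Required Roles, Identities Detected, Identities Detected to be Exceptions, Provisioned Entitlements and Permitted Entitlements over a constructed role and identity model. The role names, identities and entitlement values are invented; the model assumes IT roles carry entitlements and Business roles reference IT roles through required and permitted lists, and it treats a directly assigned role as covered.

```python
"""Illustrative Role Statistics computation over constructed sample data.

Simplified model (assumption, not the IdentityIQ object model):
  - an IT role carries entitlements as (application, value) pairs;
  - a Business role requires and/or permits other roles;
  - an identity has directly assigned roles and observed entitlements.
"""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    type: str                                       # "business" or "it"
    required: set = field(default_factory=set)      # names of required roles
    permitted: set = field(default_factory=set)     # names of permitted roles
    entitlements: set = field(default_factory=set)  # (application, value)


@dataclass
class Identity:
    name: str
    assigned_roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)  # observed on accounts


# Constructed sample data (hypothetical names and values).
ROLES = {
    "AD-Finance": Role("AD-Finance", "it", entitlements={("AD", "Finance-Users")}),
    "SAP-Post": Role("SAP-Post", "it", entitlements={("SAP", "FB50")}),
    "SAP-Audit": Role("SAP-Audit", "it", entitlements={("SAP", "S_AUDIT")}),
    "Accountant": Role("Accountant", "business",
                       required={"AD-Finance"}, permitted={"SAP-Post"}),
}
IDENTITIES = {
    "alice": Identity("alice", {"Accountant", "AD-Finance"},
                      {("AD", "Finance-Users")}),
    "bob": Identity("bob", {"Accountant", "AD-Finance", "SAP-Post"},
                    {("AD", "Finance-Users"), ("SAP", "FB50")}),
    # carol holds the business role but was never given the required IT
    # role, and carries an audit entitlement no role of hers explains.
    "carol": Identity("carol", {"Accountant"},
                      {("AD", "Finance-Users"), ("SAP", "S_AUDIT")}),
    # dave has no roles at all but his entitlements match SAP-Post.
    "dave": Identity("dave", set(), {("SAP", "FB50")}),
}


def closure(role_names, include_permitted):
    """Roles reachable from role_names through required (and optionally
    permitted) references; a directly listed role counts as reachable."""
    seen, stack = set(), list(role_names)
    while stack:
        r = stack.pop()
        if r in seen or r not in ROLES:
            continue
        seen.add(r)
        stack.extend(ROLES[r].required)
        if include_permitted:
            stack.extend(ROLES[r].permitted)
    return seen


def entitlements_of(role_names):
    """Union of the entitlements carried by the given roles."""
    return set().union(*(ROLES[r].entitlements for r in role_names))


def members(role):
    return sorted(i.name for i in IDENTITIES.values() if role in i.assigned_roles)


def members_with_additional_entitlements(role):
    """Members holding entitlements that none of their assigned roles
    (or the roles those require or permit) account for."""
    out = []
    for name in members(role):
        ident = IDENTITIES[name]
        explained = entitlements_of(closure(ident.assigned_roles, True))
        if ident.entitlements - explained:
            out.append(name)
    return out


def members_with_missing_required_roles(role):
    need = ROLES[role].required
    return [n for n in members(role) if not need <= IDENTITIES[n].assigned_roles]


def identities_detected(role):
    """Identities whose observed entitlements contain all of the role's."""
    want = ROLES[role].entitlements
    return sorted(i.name for i in IDENTITIES.values()
                  if want and want <= i.entitlements)


def identities_detected_exceptions(role):
    """Detected identities with no assigned role that requires or permits
    this one (direct assignment counts as covered)."""
    return [n for n in identities_detected(role)
            if role not in closure(IDENTITIES[n].assigned_roles, True)]


def provisioned_entitlements(role):
    """Entitlements a new identity would receive from this role and the
    roles it (transitively) requires."""
    return entitlements_of(closure({role}, False))


def permitted_entitlements(role):
    """Entitlements needed to match every role this role permits."""
    return entitlements_of(closure(ROLES[role].permitted, False))


def role_statistics(role):
    return {
        "Members": len(members(role)),
        "Members with Additional Entitlements": len(members_with_additional_entitlements(role)),
        "Members with Missing Required Roles": len(members_with_missing_required_roles(role)),
        "Identities Detected": len(identities_detected(role)),
        "Identities Detected to be Exceptions": len(identities_detected_exceptions(role)),
        "Provisioned Entitlements": len(provisioned_entitlements(role)),
        "Permitted Entitlements": len(permitted_entitlements(role)),
    }


if __name__ == "__main__":
    for r in ROLES:
        print(r, role_statistics(r))
```

In this sample, carol shows up under both "Members with Additional Entitlements" (her S_AUDIT value is explained by no role she holds) and "Members with Missing Required Roles" (Accountant requires AD-Finance, which she was never assigned), while dave is the one "Identities Detected to be Exceptions" for SAP-Post: his account carries the role's entitlement although nothing assigned to him permits or requires it. Those two buckets are where a reviewer typically starts when looking for access that escaped the role model.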
Scheduled Events - The events scheduled for this role.
- Activate – the date on which the role becomes active.
- Deactivate – the date on which the role is to be deactivated.
Archived Roles - Previous, or different, versions of this role. If archiving is active, each time a change is made to a role definition a version of the role is stored. This enables you to roll back to previous versions if required.
Assignment Rule - The rule used to automatically assign roles to identities during a correlation process. Roles assigned either manually on the identities pages or through an assignment rule are considered Assigned Roles.
Inherited Roles - The roles in which this role is a member.
Permitted Roles - Roles to which users have access if they are assigned this role.
Required Roles - The roles to which the user must have access if they are to be assigned this role.
Entitlements - The rules and permissions (targets and rights) that define the profiles contained within the role. The entitlements are grouped by application.
Inherited Entitlements - The entitlement details for the entitlements that define the roles of which this role is a member. The included entitlements are grouped by application.
Granted IdentityIQ User Rights - The IdentityIQ capabilities and scopes associated with the role. These rights are granted to the identities to whom this role is assigned. These capabilities and scopes are not assigned until an Identity Cube Refresh task is run with the Provision assigned roles option selected.
Adding Roles from the Role Viewer
To add a new role, click Add or New Role > Role to open the Role Editor page. Right-click an existing role and select Clone to create a new role based on the existing one. For more information on adding roles, see Working with the Role Manager.
Deleting Roles in the Role Viewer
To delete a role, right-click the role and select Delete, then confirm the deletion request.