Role Search Criteria
The search fields are "AND" type searches. Only roles matching the values specified in all fields are included in the search results.
To limit the search results, use search criteria. If you do not enter any values in a search criteria field, all possible choices are included. For example, if you do not provide a type in the Type field, roles of any type are included.
Specify the search criteria and columns to display and click Run Search to display the search results. From the search results page, you can review the results of your search and save the search. See Search Results.
Name
Enter a role name to include in the search.
You can use full or partial strings in the text fields. Simple text searches use "starts with" logic. Entering a string of characters returns all roles whose names begin with that string and that your controlled scopes enable you to view. For example, if you enter "sys," the search results include information for the roles System Administrator and SysAdmin.
To search for results that contain the text string anywhere in the field, use the Advanced Search option and choose is like as the Search Type.
Display Name
Enter a display name to include in the search.
Entering a string of characters returns all roles with that string in their display name that your controlled scopes enable you to view. For example, if you enter "System Administrator," the search results include information for the display name System Administrator.
Owner
Enter the role owner to include in the search.
Click the arrow to the right of the suggestion field to display a list of all role owners, or enter a few letters in the field to display a list of role owners that start with that letter string.
Type
Select the role type to include in your search. For example, IT, Organizational, or Business.
Role types are defined for your enterprise during the role modeling process.
Status
Select the Enabled / Disabled status of the roles to include in the search.
Classification
Classifications can identify roles as potentially allowing access to sensitive, protected, or otherwise significant data. Choose any classifications to include in the search.
Elevated Access
When searching for a role or entitlement using Advanced Analytics, you can set the Elevated Access filter to True or False.
Detected Total
Specify an upper or lower limit for the number of identities that have this role detected that should be included in the search results.
Detected roles are roles that are automatically assigned to identities based on the entitlements to which they have access.
For example, to search for roles that were not detected by any identity during correlation, select Less Than from the dropdown list and type 1 in the empty field. The search results include all roles that were not automatically assigned to at least one identity.
Assigned Total
Specify an upper or lower limit for the number of identities that have this role assigned that should be included in the search results.
Assigned roles are roles that were manually assigned to an identity by a user with role assignment authority or through a role assignment rule.
For example, to search for roles that were not assigned to any identity, select Less Than from the dropdown list and type 1 in the empty field. The search results include all roles that were not manually assigned to at least one identity.
Entitlement Total
Specify an upper or lower limit for the number of entitlements a role can have.
For example, if you select Less Than and type 3, the search results include roles that contain two (2), one (1), or zero (0) entitlements.
Risk Score Weight
Specify an upper or lower limit for risk score weight assigned to a role for it to be included in the search results.
For example, you can specify a Greater Than value to search for high-risk roles, or you can specify a Less Than value to search for roles that were created with a risk score weight that is too low for their type. In the second example, if your enterprise has a policy that requires that all IT-type roles have a risk score weight of 100, you can select IT from the Type dropdown list, select Less Than from the Risk Score Weight dropdown list, and type 100 in the empty field to return all IT-type roles with a risk score weight less than 100.
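The Less Than examples for Detected Total, Assigned Total, and Risk Score Weight, combined under the "AND" logic described at the top of this page, can be reproduced as a Python sketch over constructed role records. This is an added example, not IdentityIQ code: the record field names and helper names are assumptions for illustration, and case-insensitive matching is inferred from the "sys" example.

```python
import operator

# Constructed sample records, not a real IdentityIQ export; field names are assumptions.
ROLES = [
    {"name": "System Administrator", "type": "IT",
     "detected_total": 12, "assigned_total": 0, "risk_score_weight": 100},
    {"name": "SysAdmin", "type": "IT",
     "detected_total": 0, "assigned_total": 0, "risk_score_weight": 40},
    {"name": "Payroll Clerk", "type": "Business",
     "detected_total": 0, "assigned_total": 7, "risk_score_weight": 60},
    {"name": "Legacy DB Reader", "type": "IT",
     "detected_total": 0, "assigned_total": 0, "risk_score_weight": 100},
]

COMPARATORS = {"Less Than": operator.lt, "Greater Than": operator.gt}

def matches(role, field, criterion):
    """Evaluate one search field against one role record."""
    value = role[field]
    if isinstance(criterion, tuple):            # (search type, operand)
        kind, operand = criterion
        if kind in COMPARATORS:
            return COMPARATORS[kind](value, operand)
        if kind == "is like":                   # Advanced Search: contains
            return operand.lower() in value.lower()
        raise ValueError(f"unsupported search type: {kind}")
    if field == "name":                         # simple text search: starts with
        return value.lower().startswith(criterion.lower())
    return value == criterion                   # dropdown fields such as Type

def search_roles(roles, **criteria):
    """AND all non-empty criteria; an empty field places no restriction."""
    active = {f: c for f, c in criteria.items() if c not in (None, "")}
    return [r["name"] for r in roles
            if all(matches(r, f, c) for f, c in active.items())]

def unused_roles(roles):
    """Roles neither detected on nor assigned to any identity."""
    return search_roles(roles, detected_total=("Less Than", 1),
                        assigned_total=("Less Than", 1))

def underweighted_it_roles(roles, required_weight=100):
    """IT-type roles whose risk score weight is below the policy value."""
    return search_roles(roles, type="IT",
                        risk_score_weight=("Less Than", required_weight))

if __name__ == "__main__":
    print("unused:", unused_roles(ROLES))
    print("under-weighted IT:", underweighted_it_roles(ROLES))
```

Roles returned by both checks, such as an unused role that also carries a weight below policy, are natural first candidates for review or retirement.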
Associated To Another Role
Include roles that are associated with at least one other role or roles that are NOT associated with any other role.
True – include roles that are associated with at least one other role.
False – include roles that are NOT associated with any other roles.
Effective Access
Limit the search to the specific effective access list.
Effective Access is any indirect access that was granted through another object, for example, a nested group, an unstructured target, or another role.
A profile is a set of entitlements on a specific application. Options in this section let you search for roles based on profiles and on their relationship to other roles.
Profile State
Search for roles based on how entitlements and permissions are defined relative to the role(s). For example, you can use this criterion to search for all roles on an invalid application, or for roles with entitlements that are not defined (in other words, are missing) in IdentityIQ.
Options are:
- No Invalid/Missing Relationships
- Invalid Applications or Missing Entitlements/Permissions
- Missing Entitlements/Permissions Only
- Invalid Applications Only
Relationship to Role
Search for roles based on how entitlements or permissions are defined, relative to the role(s). This filter can be used in conjunction with an application, or independently. For example, to search for roles that provide direct access to permissions on the Oasis_DB application, you would select the Oasis_DB application, select Permissions in the Filter Type field, and choose Any direct relationships here. To search for every role that allows indirect access to entitlements, regardless of the application, you would select Any indirect relationships here and choose Entitlements in the Filter Type field.
Options are:
- Any direct or indirect relationships: Show roles with any entitlement or permission relationships
- Any direct relationships: Only show roles that have the entitlements or permissions directly on them
- Any direct and selected indirection relationships: Show roles that have the entitlements / permissions directly on them, or a specific indirect relationship (such as inherited, permitted, or required). When you choose this option, you can enter additional criteria to filter on Inheritance and Required/Permitted relationships.
- Any indirect relationships: Only show roles that have entitlements or permissions through a specific relationship, not on the role directly
- Selected indirect relationships: Only show roles that have the entitlement or permission through a specific relationship, not on the role itself. When you choose this option, you can enter additional criteria to filter on Inheritance and Required / Permitted relationships.
Note that some roles can grant both direct and indirect access to entitlements and permissions, so a role can potentially be returned by both the direct relationship and indirect relationship options.
Application
To filter roles by application, choose the application(s) here.
Click the arrow to the right of the suggestion field to display a list of all applications, or enter a few letters in the field to display a list of applications that start with that letter string.
Filter Type
Choose whether to search for permissions or entitlements. Leave this field blank to search for both.
The extended attributes for roles are specific to your instance of IdentityIQ; they are defined under the gear icon > Global Settings > Role Configuration option. Any extended attributes defined for roles that are marked searchable appear here as search criteria.
Date Type
Select a state to associate with the specified dates:
Last Membership Certification – the date when the last role membership certification was performed.
Last Composition Certification – the date when the last role composition certification was performed.
Last Assigned – the date when the role was last assigned to an identity.
Start Date
Specify a beginning date for this search. The search results include information pertaining to any action performed on or after the specified date.
End Date
Specify an end date for this search. The search results include information pertaining to any action performed on or before the specified date.
Choose the information to display on the Role Search Results page associated with this search. Each field defines a column on the results table.
You must select at least one field to display on the results page.
Once you have run your search, you can save the results as a saved search or as a report.
- In the Search Results page, click the Result Options dropdown and choose Save Search or Save Search as Report.
- Enter a Name and Description for the saved search or report.
- Click Save.
Searches saved as reports are saved in the Intelligence > Reports > My Reports area of IdentityIQ. Searches saved as searches are listed in the Saved Searches section of the Role Search page.
When you have saved searches, you can:
- Click on the saved search in the Search Name area to see the saved search's description and to load the criteria for the search.
- Clear any saved search criteria you have loaded by clicking the Clear Search button at the bottom of the page.
- Delete the currently-selected saved search by clicking Delete Search.