Role Configuration
Use the Edit Role Configuration page to define custom extended role attributes and role types. The extended attributes are displayed with the rest of the role information throughout the product. An example of an extended role attribute might be role status. Role type is used to configure roles to perform different functions within your business model. For example, type might be used to control inheritance or automatic assignment of roles.
The Edit Role Configuration page contains the following information:
Role Attributes
Name - The display name of the role attribute assigned when it was added.
Category - The category defined when the attribute was created.
If no category was defined this column is blank.
Description - A short description of the role attribute.
Role Types
Name - The display name of the role type.
Description - A short description of the role type.
Click New Attribute to add additional role attributes. See Edit Extended Role Attributes.
Click New Type to add or edit a role type. See Edit Role Types.
To edit or delete an existing attribute or type from the list, right-click the item and select the corresponding option from the menu. If you are deleting, you must confirm the deletion in the pop-up dialog.
Edit Extended Role Attributes
Use the Edit Extended Attribute page to create and edit additional role attributes including the display name, attribute type and description.
Important
Extended attributes must use unique attribute names that will not be duplicated in other parts of your IdentityIQ environment. For example, an extended attribute name must not duplicate any attribute names in any of your application schema(s). A best practice is to use a standard prefix or naming convention that ensures that your extended attribute names are unique.
The Edit Extended Attribute page contains the following information:
Attribute Name - The name of the attribute as it appears in the application.
Caution
Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.
Display Name - The name for use throughout the product.
Type - The attribute type to be linked, for example string, Boolean, date, rule, or identity.
Description - A brief description of the role attribute.
Category Name - An optional category used to separate the attributes into categories on the Application Configuration page. Enter a category name or select an existing one from the dropdown list.
Searchable - Enable this role attribute for use in queries.
Editable - Enable editing of this attribute from other pages in the product.
Required - For String type attributes only.
Required attributes must have a value before you can save a role.
Allowed Values - For String type attributes only.
Enter the values that are allowed for this attribute. The values entered in this list are used to populate the dropdown value list on the Roles page.
Default Value - Enter a default value for the attribute or select a value from the dropdown list, depending on the attribute type you are working with.
How to Add or Edit Extended Attributes
- Click New Attribute or click an existing attribute to display the Edit Extended Attribute page.
- Enter or change the attribute name and an intuitive display name.
  Important
  Extended attributes must use unique attribute names that will not be duplicated in other parts of your IdentityIQ environment. For example, an extended attribute name must not duplicate any attribute names in any of your application schema(s). A best practice is to use a standard prefix or naming convention that ensures that your extended attribute names are unique.
- Select the attribute type from the dropdown list: String, Integer, Boolean, Date, Rule, or Identity.
- Optional: add more information for the extended attribute, as needed.
- Enter a description of the additional attribute.
- Select a category for the attribute.
- Activate the Searchable option to enable this attribute for searching throughout the product.
- Activate the Editable option to enable this attribute for editing from other pages within the product.
- Mark the attribute as required. For string type attributes only.
- Enter allowed values for the attribute. For string type attributes only.
- Specify a default value.
- Click Save to save your changes and return to the Edit Role Configuration page.
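The uniqueness, naming-convention and String-only rules described above can be checked against a list of proposed attributes before anything is entered on the page. The following is an added example, not SailPoint code: the dictionary layout, the `xr_` prefix and the case-insensitive name comparison are assumptions.

```python
# Added example: pre-flight check for proposed extended role attributes.
# Data layout, the "xr_" prefix and case-insensitive matching are assumptions.
ALLOWED_TYPES = {"string", "integer", "boolean", "date", "rule", "identity"}
PREFIX = "xr_"  # hypothetical site naming convention


def check_attribute(attr, schema_names, existing_names=()):
    """Return a list of problems found in one proposed attribute definition."""
    problems = []
    name = attr.get("name", "")
    lowered = name.lower()
    attr_type = attr.get("type", "").lower()

    if not name.startswith(PREFIX):
        problems.append(f"{name}: missing standard prefix '{PREFIX}'")
    # Names must not duplicate any attribute in any application schema.
    for app, names in schema_names.items():
        if lowered in {n.lower() for n in names}:
            problems.append(f"{name}: duplicates schema attribute in {app}")
    if lowered in {n.lower() for n in existing_names}:
        problems.append(f"{name}: duplicates an existing extended attribute")
    if attr_type not in ALLOWED_TYPES:
        problems.append(f"{name}: unknown type '{attr.get('type')}'")
    # Required and Allowed Values apply to String type attributes only.
    if attr_type != "string":
        for field in ("required", "allowed_values"):
            if attr.get(field):
                problems.append(f"{name}: '{field}' applies to String only")
    return problems


# Constructed sample data, not taken from a real installation.
SCHEMAS = {"HR": ["status", "department"], "LDAP": ["cn", "memberOf"]}
PROPOSED = [
    {"name": "status", "type": "String", "allowed_values": ["Active", "Retired"]},
    {"name": "xr_reviewDate", "type": "Date", "required": True},
    {"name": "xr_status", "type": "String", "required": True,
     "allowed_values": ["Active", "Retired"]},
]

if __name__ == "__main__":
    for attr in PROPOSED:
        for problem in check_attribute(attr, SCHEMAS):
            print(problem)
```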
Edit Role Types
Use the Edit Role Type Definition page to create and edit types to use with roles. Role type is used to configure roles to perform different functions within your business model. For example, type might be used to control inheritance or automatic assignment of roles.
Role modeling also uses the concept of permission to enable you to grant users permission to specific roles without assigning them the role or incorporating it in their role hierarchy. For example, while a non-IT user with a business-type role might need access to the entitlements contained within an IT-type role, they probably do not need to have that role assigned to them or included as part of their hierarchal role structure.
The Edit Role Type Definition page contains the following information:
Type Name - The name of the role type.
Display Name - The display name of the role type used throughout the product.
Description - A brief description of the role type.
Icon Path - The path to the iconic representation of this role type.
See How to Add or Edit Role Types.
Disallow inheritance of other roles - Do not allow roles of this type to inherit other defined roles.
Disallow other roles from inheriting this role - Do not allow roles of this type to be inherited.
No automatic detection with profiles - Do not automatically detect and assign this role to identities during aggregation and correlation.
No automatic detection with profiles unless assigned - Do not automatically detect and assign a role during aggregation and correlation unless it is required or permitted by an identity's assigned roles.
No entitlement profiles - Do not enable the direct assignment of profiles to this role type.
For example, a role used to create hierarchy in your business model might only gain access to entitlement profiles through permitted IT roles.
No automatic assignment with rule - Do not allow a rule to automatically assign roles of this type to identities.
No assignment rule - Do not display the Assignment Rule panel in the Role Modeler for roles of this type.
No manual assignment - Do not allow roles of this type to be assigned manually from the Identities User Rights tab.
No permitted roles list - Do not display the Permitted Roles panel in the Role Modeler for roles of this type.
Disallow this role from being on a permitted roles list - Do not display roles of this type on the select list of the Permitted Roles panel of any other role.
No required roles list - Do not display the Required Roles panel in the Role Modeler for roles of this type.
Disallow this role from being on a required roles list - Do not display roles of this type on the select list of the Required Roles panel of any other role.
Disallow Granting of IdentityIQ User Rights - Do not allow the granting of IdentityIQ capabilities or scopes based on role assignment. If this option is selected, the Granted IdentityIQ User Rights table is not displayed on the Role Editor page.
How to Add or Edit Role Types
- Click New Type or click an existing type to display the Edit Role Type Definition page.
- Enter or change the name and display name.
- Enter an icon path to link to the iconic image associated with roles of this type in the Role Modeler.
  To assign an icon to a role type, do the following:
  - Add two icon images to the iiq_home/images/icons folder of your IdentityIQ installation, one for the role and one for the role as it is undergoing analysis or approval. For example:
  - Reference the images from the iiq-custom.css file in the iiq_home/css directory.
- Optional: Select configuration options for the role type.
- Click Save to save your changes and return to the Edit Role Configuration page.