Role Configuration
Use the Edit Role Configuration page to define custom extended role attributes and role types. The extended attributes are displayed with the rest of the role information throughout the product. An example of an extended role attribute might be role status. Role type is used to configure roles to perform different functions within your business model. For example, type might be used to control inheritance or automatic assignment of roles.
The Edit Role Configuration page contains the following information:
Role Attributes
Name
The display name of the role attribute assigned when it was added.
Category
The category defined when the attribute was created.
If no category was defined this column is blank.
Description
A short description of the role attribute.
Role Types
Name
The display name of the role type.
Description
A short description of the role type.
Click New Attribute to add additional role attributes. See Edit Extended Role Attributes.
Click New Type to add or edit a role type. See Edit Role Types.
To edit or delete an existing attribute or type from the list, right-click the item and select the corresponding option from the menu. If you are deleting, you must confirm the deletion in the pop-up dialog.
Edit Extended Role Attributes
Use the Edit Extended Attribute page to create and edit additional role attributes including the display name, attribute type and description.
Important
Extended attributes must use unique attribute names that will not be duplicated in other parts of your IdentityIQ environment. For example, an extended attribute name must not duplicate any attribute names in any of your application schema(s). A best practice is to use a standard prefix or naming convention that ensures that your extended attribute names are unique.
The Edit Extended Attribute page contains the following information:
Attribute Name
The name of the attribute as it appears in the application.
Caution
Changing an attribute name might cause attributes that were previously aggregated to no longer be recognized.
Display Name
The name for use throughout the product.
Type
The attribute type to be linked, for example string, Boolean, date, rule, or identity.
Description
A brief description of the role attribute.
Category Name
An optional category used to separate the attributes into categories on the Application Configuration page. Enter a category name or select an existing one from the dropdown list.
Searchable
Enable this role attribute for use in queries.
Editable
Enable editing of this attribute from other pages in the product.
Required
For String type attributes only.
Required attributes must have a value before you can save a role.
Allowed Values
For String type attributes only.
Enter the values that are allowed for this attribute. The values entered in this list are used to populate the dropdown value list on the Roles page.
Default Value
Enter a default value for the attribute or select a value from the dropdown list, depending on the attribute type you are working with.
How to Add or Edit Extended Attributes
- Click New Attribute or click an existing attribute to display the Edit Extended Attribute page.
- Enter or change the attribute name and an intuitive display name.
Important
Extended attributes must use unique attribute names that will not be duplicated in other parts of your IdentityIQ environment. For example, an extended attribute name must not duplicate any attribute names in any of your application schema(s). A best practice is to use a standard prefix or naming convention that ensures that your extended attribute names are unique.
- Select the attribute type from the dropdown list: String, Integer, Boolean, Date, Rule, or Identity.
- Optional: add more information for the extended attribute, as needed.
  - Enter a description of the additional attribute.
  - Select a category for the attribute.
  - Activate the Searchable option to enable this attribute for searching throughout the product.
  - Activate the Editable option to enable this attribute for editing from other pages within the product.
  - Mark the attribute as required. For string type attributes only.
  - Enter allowed values for the attribute. For string type attributes only.
  - Specify a default value.
- Click Save to save your changes and return to the Edit Role Configuration page.
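The uniqueness requirement in the Important note can be checked before an attribute is created. The following is an added example, not IdentityIQ code: the function name, the `rx_` prefix, the schema data and the case-insensitive comparison are all assumptions made for illustration.

```python
def check_extended_names(extended, app_schemas, prefix):
    """Return sorted (attribute, problem) pairs for proposed extended attribute names.

    Names are compared case-insensitively, a conservative assumption of this example.
    """
    # Index every application schema attribute by its lowercased name.
    seen = {}
    for app, attrs in app_schemas.items():
        for attr in attrs:
            seen.setdefault(attr.lower(), []).append(app)

    problems, counts = [], {}
    for name in extended:
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
        if not name.startswith(prefix):
            problems.append((name, f"missing prefix {prefix}"))
        for app in seen.get(key, []):
            problems.append((name, f"duplicates schema attribute in {app}"))
        if counts[key] == 2:  # report a repeated proposal once
            problems.append((name, "duplicates another extended attribute"))
    return sorted(problems)

# Constructed sample data: attribute names taken from two hypothetical application schemas.
SCHEMAS = {
    "HR": ["employeeId", "status", "department"],
    "LDAP": ["cn", "mail", "Status"],
}
# Constructed list of proposed extended role attribute names.
EXTENDED = ["rx_roleStatus", "status", "rx_owner", "RX_Owner"]

if __name__ == "__main__":
    for attr, problem in check_extended_names(EXTENDED, SCHEMAS, "rx_"):
        print(f"{attr}: {problem}")
```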
Edit Role Types
Use the Edit Role Type Definition page to create and edit types to use with roles. Role type is used to configure roles to perform different functions within your business model. For example, type might be used to control inheritance or automatic assignment of roles.
Role modeling also uses the concept of permission to enable you to grant users permission to specific roles without assigning them the role or incorporating it in their role hierarchy. For example, while a non-IT user with a business-type role might need access to the entitlements contained within an IT-type role, they probably do not need to have that role assigned to them or included as part of their hierarchal role structure.
The Edit Role Type Definition page contains the following information:
Type Name
The name of the role type.
Display Name
The display name of the role type used throughout the product.
Description
A brief description of the role type.
Icon Path
The path to the iconic representation of this role type.
See How to Add or Edit Role Types.
Disallow inheritance of other roles
Do not allow roles of this type to inherit other defined roles.
Disallow other roles from inheriting this role
Do not allow roles of this type to be inherited.
No automatic detection with profiles
Do not automatically detect and assign this role to identities during aggregation and correlation.
No automatic detection with profiles unless assigned
Do not automatically detect and assign a role during aggregation and correlation unless it is required or permitted by an identity's assigned roles.
No entitlement profiles
Do not enable the direct assignment of profiles to this role type.
For example, a role used to create hierarchy in your business model might only gain access to entitlement profiles through permitted IT roles.
No automatic assignment with rule
Do not allow a rule to automatically assign roles of this type to identities.
No assignment rule
Do not display the Assignment Rule panel in the Role Modeler for roles of this type.
No manual assignment
Do not allow roles of this type to be assigned manually from the Identities User Rights tab.
No permitted roles list
Do not display the Permitted Roles panel in the Role Modeler for roles of this type.
Disallow this role from being on a permitted roles list
Do not display roles of this type on the select list of the Permitted Roles panel of any other role.
No required roles list
Do not display the Required Roles panel in the Role Modeler for roles of this type.
Disallow this role from being on a required roles list
Do not display roles of this type on the select list of the Required Roles panel of any other role.
Disallow Granting of IdentityIQ User Rights
Do not allow the granting of IdentityIQ capabilities or scopes based on role assignment. If this option is selected, the Granted IdentityIQ User Rights table is not displayed on the Role Editor page.
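The relationship options above act as constraints on the role model, so an exported model can be audited against them. The following is an added example, not IdentityIQ code: the class names, flag names, role types and roles are hypothetical, and it models only five of the options listed.

```python
from dataclasses import dataclass, field

@dataclass
class RoleType:                      # flag names are hypothetical, one per page option
    name: str
    no_inherit_others: bool = False  # Disallow inheritance of other roles
    not_inheritable: bool = False    # Disallow other roles from inheriting this role
    no_profiles: bool = False        # No entitlement profiles
    not_permittable: bool = False    # Disallow this role from being on a permitted roles list
    not_requirable: bool = False     # Disallow this role from being on a required roles list

@dataclass
class Role:
    name: str
    type: str
    inherits: list = field(default_factory=list)
    permits: list = field(default_factory=list)
    requires: list = field(default_factory=list)
    profiles: list = field(default_factory=list)

def audit(roles, types):
    """Return sorted (role, violation) pairs for roles that break their type's options."""
    by_name = {r.name: r for r in roles}
    type_of = lambda n: types[by_name[n].type]
    found = []
    for r in roles:
        t = types[r.type]
        if t.no_inherit_others and r.inherits:
            found.append((r.name, "inherits other roles"))
        if t.no_profiles and r.profiles:
            found.append((r.name, "has entitlement profiles"))
        found += [(r.name, f"inherits non-inheritable {p}") for p in r.inherits if type_of(p).not_inheritable]
        found += [(r.name, f"permits non-permittable {p}") for p in r.permits if type_of(p).not_permittable]
        found += [(r.name, f"requires non-requirable {p}") for p in r.requires if type_of(p).not_requirable]
    return sorted(found)

# Constructed role types and roles, for illustration only.
TYPES = {
    "business": RoleType("business", no_profiles=True, not_permittable=True, not_requirable=True),
    "it": RoleType("it", no_inherit_others=True),
}
ROLES = [
    Role("Finance Clerk", "business", permits=["AP Read"], profiles=["ERP:AP_USER"]),
    Role("AP Read", "it", profiles=["ERP:AP_READ"]),
    Role("AP Admin", "it", inherits=["AP Read"], permits=["Finance Clerk"]),
]

if __name__ == "__main__":
    for role, issue in audit(ROLES, TYPES):
        print(f"{role}: {issue}")
```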
How to Add or Edit Role Types
- Click New Type or click an existing type to display the Edit Role Type Definition page.
- Enter or change the name and display name.
- Enter an icon path to link to the iconic image associated with roles of this type in the Role Modeler.
  To assign an icon to a role type, do the following:
  - Add two icon images to the iiq_home/images/icons folder of your IdentityIQ installation, one for the role and one for the role as it is undergoing analysis or approval. For example:
  - Reference the images from the iiq-custom.css file in the iiq_home/css directory.
- Optional: Select configuration options for the role type.
- Click Save to save your changes and return to the Edit Role Configuration page.