Roles
Use this page to set default behavior for roles. Additional role configuration options are in Role Configuration.
Sunrise and sunset dates are used to make roles and entitlements temporary – they specify when a role (or an individual user's access to a role or an entitlement) becomes active, and when it becomes inactive. This feature offers an efficient, automated way to grant time-limited access to sensitive roles, roles that are seasonal or temporary, or access that for any reason is intended to have a limited duration, such as a short-term assignment to a different team or a special project.
IdentityIQ gives you two ways to use sunrise and sunset dates:
- On roles themselves, so that the role itself has a temporary duration.
- When a role or entitlement is granted to a specific user; in other words, the role itself may not have time limits, but a certain user's access to that role should have a limited duration.
Enable the ability to set activation and deactivation dates on roles when they are assigned. Activation and deactivation dates can be used to grant temporary access to sensitive roles.
A workflow to manage assignment and removal of roles or entitlements for this option can be set in Scheduled role / entitlement assignment in the Business Processes section below. A standard workflow (Scheduled Assignment) is provided out of the box, but you can implement a custom workflow if your business needs require one.
Enable the ability to insert activation and deactivation events into roles from the role modeler. Activation events are used to automatically activate or deactivate roles using business processes.
A workflow to manage activation/deactivation of roles or entitlements for this option can be set in Scheduled role activation in the Business Processes section below. A standard workflow (Scheduled Role Activation) is provided out of the box, but you can implement a custom workflow if your business needs require one.
Send a notification to both the requestor and the requestee of the role or entitlement when access is about to expire. This value determines when the notification is sent. To disable notifications, enter 0. The email template to use for notifications is configured on the Mail Settings tab in the For notice of deprovisioning of sunsetted roles and entitlements field.
In this section you can set business processes to run with the sunrise and sunset options set in the previous section, and to run when roles are created, modified or deleted.
Role create, update, and delete
Select which business process is executed when roles are created, modified, or deleted in the role modeler.
Schedule role activation
Select which business process is executed when a scheduled role assignment becomes due. This assigns the role and can perform provisioning. Use this business process with Enable Sunrise/Sunset Dates on Role Activation.
Schedule role / entitlement assignment
Select which business process is executed when a scheduled role assignment or de-assignment becomes due. This de-assigns the role and can perform provisioning. Use this option with Enable Sunrise / Sunset Dates on Role Assignment.
Note: If this option is not enabled, required roles are assigned to the same account as the top-level role.
Enables an option on the Role Management page that lets a role specify its own target account, or create a new account, during a role request, even if it is required by another role and included in that role's required roles list.
Note: This option is only available on assignable role types.
Enable an option on the Role Management page that allows a role to be assigned to the same identity multiple times.
Note: This setting supersedes the settings on the individual role definitions.
Make all assignable role types available for multiple assignment to the same identity.
Enables a role change to propagate to all identities that have the role assigned.
Do not remove assigned entitlements from an identity when a detected role with which they are associated is removed from that identity.
Do not remove assigned entitlements from an identity when an assigned role with which they are associated is removed from that identity.
Require comments in Access Requests. The comment requirement applies to both the addition and removal of roles and entitlements in the Access Requests UI.