How to Create or Edit a Role From the Role Management Page
Use the following procedure to edit existing roles or create new roles. Roles can also be created from certifications and role mining.
Use the approval function to open approval work items for role owners. See How to Approve Role Changes for more information.
Use the impact analysis function to create a report that provides details on the impact these changes can have on the rest of your product implementation. See How to Perform Impact Analysis for more information.
To Create a Role
- To access Role Management, click Setup > Roles.
- Click a role to edit, or select Add to create a new role.
- Enter the role information. This information is used throughout the product.
  - Name — The name of this role; this serves as the programmatic name for the role in the IdentityIQ object model. Single quotation marks, double quotation marks, and commas are not supported in the Name.
  - Display Name — A user-friendly descriptive name of this role. The Display Name is used throughout IdentityIQ, in access requests, approvals, and certifications.
  - Type — The type of role being created, for example organizational, business, or IT. Role type definitions are customizable and created as part of the configuration process.
  - Owner — The name of the owner for this role. Entering the first few letters of a name displays a select list of valid users and workgroups with names starting with those letters. Select a name from the list.
  - Description — A detailed description of the role.
  - Enable Activity Monitoring — Select this option if you want to track activity for any user who is assigned this role.
  - Provision both profiles and policies — If a provisioning policy has been defined on a role, it supersedes the entitlement profile in provisioning operations. Select this option if you want the policy to supplement the entitlement definition instead of overriding it. Provisioning policies and entitlement profiles can be defined for this role in later steps.
  - Disabled — Select this option to disable the role. Disabled roles cannot be assigned or used to manage access.
  - Custom or Extended Role Attributes — Any extended role attributes configured for your enterprise are displayed with the role information. You can enter data in any of these attribute fields, to be used in rules and workflows written for your installation.
- Perform any optional tasks necessary to create or edit the role. See Optional Tasks, below.
- For IT roles, add the entitlements to the role (or edit or delete existing entitlements) from the Entitlements panel. Entitlement profiles created for this role are inherited by any role that is a member of this role.
- When you have finished creating a new role or editing an existing role, take one of the following actions:
  - Click Submit to save the role or, if the approval workflow is active, open an approval work item for the specified role owner. The approval feature is only available if the workflow was activated during configuration.
  - Click Submit with Impact Analysis to create a report that provides details on the impact these changes can have on the rest of your product implementation and, if the approval workflow is active, open an approval work item.
  - Click Check Policy Conflicts to display any policy violations created by changes made on this page. Policy checking is only available if impact analysis has been run.
Optional Tasks
The following tasks can be performed when you create a Role. You can choose to do some of them or all of them prior to saving the role.

Classifications can categorize and flag a role, to identify it as potentially allowing access to sensitive, privileged, or otherwise significant data. Choose any classifications you want to add to this role from the drop-down list. The list includes any classifications that have been configured in your system; if no classifications have been defined, the list is empty.

Scheduled events use business processes to automatically activate or deactivate roles based on the dates set in the Add New Event dialog within this section. This section will appear only if your instance of IdentityIQ has been configured to allow for sunrise and sunset dates for roles.
Note: Only one activation or deactivation event can be defined at a time.
- Click Add Event to display the Add New Event dialog.
- Manually enter a date or click the calendar icon to select a date.
- Select Activate or Deactivate from the Action drop-down list.
- Click Save to return to the Role Editor page.
- Select an event and click Delete to remove the event.

Assignment rules are used in Business roles to define the logic that allows them to be assigned to Identities automatically. An assignment rule can be defined using one of these options:
- Match List — Define a list of entitlements to determine role assignment. For attributes, select an attribute from the drop-down list and type a value. For permissions, type the name (target) and value (right).
  Note: If Null is selected, the associated value text box is disabled. When the "is null" match is processed, the term matches users on the chosen application who have a null value for that attribute or permission.
- Filter — Enter a custom XML database query to define the users for this role.
- Script — Enter a custom script for role assignment. Scripts are similar to rules, but the source is stored with the role and can be edited from this page.
- Rule — Select an existing rule from the drop-down list.
- Population — Select a population from the list. Members of that population are assigned the role. Populations are generated as the results of identity searches.
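The Match List option and its "is null" note above describe a small matching semantic that is easy to get wrong: a null term matches only identities that have an account on the chosen application and no value there, not identities with no account at all. The following is an added example, not IdentityIQ code, that models that evaluation over constructed identity records; the application name "HR", the attribute and permission names, the `MatchTerm`/`Identity` types, the treatment of an empty string as null, and the AND-combination of terms are all assumptions made for illustration.

```python
"""Added example (not IdentityIQ code): evaluator for the Match List assignment
option.  Application names, identity records and helper types are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class MatchTerm:
    """One line of a match list: an attribute or permission on an application.

    value=None models the 'is null' option: the term matches identities that
    have an account on the application but no value for the attribute (or no
    rights on the permission target)."""
    application: str
    kind: str                    # "attribute" or "permission"
    name: str                    # attribute name, or permission target
    value: Optional[str] = None  # attribute value, or permission right


@dataclass
class Identity:
    name: str
    # application -> {"attributes": {...}, "permissions": {target: set(rights)}}
    accounts: Dict[str, dict]


def term_matches(term: MatchTerm, identity: Identity) -> bool:
    account = identity.accounts.get(term.application)
    if account is None:
        # No account on the chosen application: even an 'is null' term does
        # not match, per the note that null matches users *on* the application.
        return False
    if term.kind == "attribute":
        actual = account.get("attributes", {}).get(term.name)
        if term.value is None:
            return actual in (None, "")  # assumption: empty string counts as null
        return actual == term.value
    if term.kind == "permission":
        rights: Set[str] = account.get("permissions", {}).get(term.name, set())
        if term.value is None:
            return not rights  # no rights on the target at all
        return term.value in rights
    raise ValueError(f"unknown term kind: {term.kind}")


def matches(terms: List[MatchTerm], identity: Identity, require_all: bool = True) -> bool:
    """Combine the terms of one match list (assumption: AND by default, OR if
    require_all is False)."""
    results = (term_matches(t, identity) for t in terms)
    return all(results) if require_all else any(results)


def assign_roles(match_lists: Dict[str, List[MatchTerm]],
                 identities: List[Identity]) -> Dict[str, Set[str]]:
    """Map each identity name to the set of roles whose match list it satisfies."""
    return {
        ident.name: {role for role, terms in match_lists.items() if matches(terms, ident)}
        for ident in identities
    }


# Constructed sample data: three identities and three match lists.
IDENTITIES = [
    Identity("alice", {"HR": {"attributes": {"department": "Finance"},
                              "permissions": {"GL": {"read", "write"}}}}),
    Identity("bob", {"HR": {"attributes": {"department": ""}, "permissions": {}}}),
    Identity("carol", {}),  # no HR account at all
]
MATCH_LISTS = {
    "Finance Staff": [MatchTerm("HR", "attribute", "department", "Finance")],
    "GL Editors": [MatchTerm("HR", "attribute", "department", "Finance"),
                   MatchTerm("HR", "permission", "GL", "write")],
    "Unassigned Department": [MatchTerm("HR", "attribute", "department", None)],
}

if __name__ == "__main__":
    for who, roles in assign_roles(MATCH_LISTS, IDENTITIES).items():
        print(who, sorted(roles))
```

Running the block shows alice picking up both Finance roles, bob picking up only the null-department role, and carol, who has no HR account, receiving nothing; a review of automatic assignment logic should check exactly that boundary, because treating "no account" as "null value" would hand the role to identities the business never intended.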

Click Modify Permitted Roles in the Permitted Roles panel to modify the list of roles permitted by this role.
- Enter the first few letters of a role name in the Select a role field and select a role from the selection list.
- Click Add to add the role to the membership list. Add as many roles as required.
- Click Save.

Click Modify Required Roles in the Required Roles panel to modify the list of roles required by this role.
- Enter the first few letters of a role name in the Select a role field and select a role from the selection list.
- Click Add to add the role to the membership list. Add as many roles as required.
- Click Save.

Click Modify Inheritance in the Inherited Roles panel to modify the list of roles of which this role is a member. This role inherits entitlements from any role of which it is a member.
- Enter the first few letters of a role name in the Select a role field and select a role from the selection list.
- Click Add to add the role to the inheritance list. Add as many roles as required.
- Click Save.
Note: Any role that has elevated access is displayed with an icon next to the name of the role.
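Inheritance makes a role's effective access larger than what its own Entitlements panel shows: every entitlement profile of every ancestor in the inheritance list is included, transitively. The following added example, not IdentityIQ code, models that for the Inherited Roles section above and also propagates the classifications from the Classifications section down the same graph, so that a role can be flagged as elevated when any ancestor carries a classification. The role names, entitlement triples, classification names, and the assumption that an elevated-access flag can be derived from inherited classifications are all constructed for illustration; the cycle check is included because an inheritance loop would otherwise make the walk non-terminating.

```python
"""Added example (not IdentityIQ code): role inheritance and classification
propagation.  Roles, entitlements and classifications are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Entitlement = Tuple[str, str, str]  # (application, attribute, value)


@dataclass(frozen=True)
class Role:
    name: str
    entitlements: FrozenSet[Entitlement] = frozenset()
    inherits: Tuple[str, ...] = ()                    # roles this role is a member of
    classifications: FrozenSet[str] = frozenset()      # e.g. "SOX", "Privileged"


def ancestors(roles: Dict[str, Role], name: str) -> List[str]:
    """The role itself followed by every role reachable through inheritance.
    The visited set guards the walk against an inheritance cycle."""
    order: List[str] = []
    seen = set()
    stack = [name]
    while stack:
        cur = stack.pop()
        if cur in seen or cur not in roles:  # skip repeats and dangling references
            continue
        seen.add(cur)
        order.append(cur)
        stack.extend(roles[cur].inherits)
    return order


def effective_entitlements(roles: Dict[str, Role], name: str) -> FrozenSet[Entitlement]:
    """Own entitlements plus those inherited from every ancestor."""
    return frozenset(e for r in ancestors(roles, name) for e in roles[r].entitlements)


def effective_classifications(roles: Dict[str, Role], name: str) -> FrozenSet[str]:
    """Classifications on the role or on any ancestor (assumption: they propagate)."""
    return frozenset(c for r in ancestors(roles, name) for c in roles[r].classifications)


def is_elevated(roles: Dict[str, Role], name: str) -> bool:
    """Assumption: a role is 'elevated' if any effective classification applies."""
    return bool(effective_classifications(roles, name))


def find_inheritance_cycle(roles: Dict[str, Role]) -> Optional[List[str]]:
    """Return one inheritance cycle as a list of role names (first == last), or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {r: WHITE for r in roles}

    def dfs(node: str, path: List[str]) -> Optional[List[str]]:
        color[node] = GREY
        path.append(node)
        for parent in roles[node].inherits:
            if parent not in roles:
                continue
            if color[parent] == GREY:            # back edge: cycle found
                return path[path.index(parent):] + [parent]
            if color[parent] == WHITE:
                found = dfs(parent, path)
                if found:
                    return found
        path.pop()
        color[node] = BLACK
        return None

    for start in roles:
        if color[start] == WHITE:
            found = dfs(start, [])
            if found:
                return found
    return None


# Constructed sample role model: a three-level inheritance chain.
ROLES = {r.name: r for r in [
    Role("Base IT", frozenset({("AD", "memberOf", "CN=Staff")})),
    Role("Finance IT", frozenset({("SAP", "profile", "FI_USER")}),
         inherits=("Base IT",), classifications=frozenset({"SOX"})),
    Role("Finance Admin", frozenset({("SAP", "profile", "FI_ADMIN")}),
         inherits=("Finance IT",), classifications=frozenset({"Privileged"})),
]}
# Constructed broken model: two roles that inherit from each other.
CYCLIC = {r.name: r for r in [Role("A", inherits=("B",)), Role("B", inherits=("A",))]}

if __name__ == "__main__":
    for name in ROLES:
        print(name, "elevated" if is_elevated(ROLES, name) else "normal",
              sorted(effective_entitlements(ROLES, name)))
    print("cycle in CYCLIC:", find_inheritance_cycle(CYCLIC))
```

The walk is the check a reviewer wants before approving an inheritance change: "Finance Admin" ends up with three entitlements although only one is defined on it, and it inherits the "SOX" classification from "Finance IT" without anyone having set it on the admin role directly.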

Provisioning policies define the fields required for a role to be provisioned, often including a default value or a script/rule for calculating a value. The policies available to be assigned to the role are listed in the Provisioning Policy panel. Click Add Provisioning Policy to create a new policy, or Delete Provisioning Policy to remove any existing policies.
Additional Information
To work with profiles associated with a role see: