Managing Lifecycle User Roles
User roles define the permissions and level of access granted to an end user of the system, as well as which users are allowed access to the admin console.
You can create and manage custom user roles within Lifecycle with extremely granular controls. In addition, there are two default user roles within the product that can grant users specific permissions related to profile types.
Refer to Managing Administrators for details on creating the administrator role.
Note
Lifecycle roles can't be applied to portal users, and collaboration roles can't be applied to lifecycle users. Refer to Collaboration User Roles to create and manage collaboration roles for portal users.
Managing Custom Lifecycle Roles
You can create custom roles in your tenant to manage user access to parts of your site, and to assign users in bulk to manage profiles. They're also used to grant users access to the admin console.
Users are assigned roles based on the groups or entitlements they have within your identity provider. Each time a user authenticates using your identity provider, either through Identity Security Cloud or directly from the IDP, Non-Employee Risk Management receives a list of the user's entitlements. If any of their entitlements match the groups required for a role, the user is assigned that role within Non-Employee.
Notes
- If a user's entitlements don't match at least one role, they will be unable to authenticate to Non-Employee Risk Management.
- Identity Security Cloud administrators can access Non-Employee Risk Management without the use of an identity provider. If they authenticate without an IDP, they will be granted the NERM Administrator role based on their ORG_ADMIN permissions in Identity Security Cloud. This allows them to troubleshoot connectivity issues depending on the permissions associated with that role.
- If an Identity Security Cloud administrator authenticates using your identity provider, they are granted roles based on the groups provided by the IDP and are not automatically granted the NERM Administrator role.
Creating a Custom Role
Creating a role allows you to customize details about the role and the permissions it grants.
To create a new lifecycle role:
1. Go to Admin > Lifecycle > User Roles.
2. On the DIRECTORY GROUPS tab, select the + New Role button.
3. In the BASIC SETTINGS section:
   - Enter a unique name for the role. The UID is generated automatically based on the name. It can be modified while the role is being created, but it can't be edited later.
   - Select the Private checkbox to hide this role from users on the user dashboard within the profile's CONTRIBUTORS tab.
   - In the Directory groups field, enter the complete and exact names of one or more groups from your identity provider. Users with one or more of these groups will be granted this role and the access that comes with it. These groups must be included within the groups attribute in the SAML assertion sent by your identity provider during authentication to be applied to the user.
4. In the PERMISSIONS section, choose the permissions you want users with this role to have.
   - In the Application section, choose the access users with this role should have within your Non-Employee tenant, such as whether they can add additional contributors to a profile or whether they can delegate their assigned work to other users.
   - In the Profile Access section, choose the access this role should grant to the profile types in your tenant. If you choose All Users With This Role, users with this role can manage profiles in that profile type. If you choose Only Contributors, users with this role won't be able to manage profiles in this profile type unless they are already marked as a profile contributor for the profile. Selecting a profile type in this section grants users the access you select in the Attributes and Workflows sections for this profile type.
   - In the Attributes section, choose whether users with this role can view or edit attributes on the profiles they can access, or whether they should have no access to those attributes.
   - In the Workflows section, choose which workflows users with this role should be allowed to execute on the profiles they're assigned to. Users with this role who don't have permission to execute workflows can still approve or deny requests associated with the workflow, complete fulfillment tasks, and contribute to the workflow in other ways.
   - Under API Access, choose the types of API calls users with this role should be permitted to make related to a variety of functions within Non-Employee. This doesn't impact what the users can access within the UI. This section is only available to customers using a legacy on-premise implementation.
   Note
   When a user has more than one role, including default roles, the permissions applied to each user for a profile type are cumulative.
5. Select the Create button.
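As an added illustration (not SailPoint's code or NERM's data model), the following Python models the two rules described above: a role is granted only when one of its Directory groups appears, as an exact string, in the SAML groups attribute (no match means no authentication), and attribute access for a profile type is cumulative across the user's roles, with a role set to Only Contributors counting only for users already marked as contributors. The role definitions and group names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed role definitions mirroring the page's settings; not NERM's real data model.
@dataclass(frozen=True)
class Role:
    uid: str
    directory_groups: frozenset   # exact IdP group names from the Directory groups field
    profile_access: dict          # profile type -> "all_users" | "only_contributors"
    attributes: dict              # profile type -> "none" | "view" | "edit"

ATTR_RANK = {"none": 0, "view": 1, "edit": 2}

# Constructed sample roles (hypothetical names).
ROLES = [
    Role("contractor-manager", frozenset({"NERM-Contractor-Managers"}),
         {"Contractor": "all_users"}, {"Contractor": "edit"}),
    Role("vendor-viewer", frozenset({"NERM-Vendor-Viewers"}),
         {"Vendor": "only_contributors"}, {"Vendor": "view"}),
    Role("contractor-viewer", frozenset({"NERM-Contractor-Viewers"}),
         {"Contractor": "all_users"}, {"Contractor": "view"}),
]

def roles_for_user(saml_groups, roles=ROLES):
    """Grant every role with at least one Directory group present, by exact
    string match, in the SAML 'groups' attribute. No match means the user
    cannot authenticate at all, per the page's note."""
    groups = frozenset(saml_groups)
    granted = [r for r in roles if r.directory_groups & groups]
    if not granted:
        raise PermissionError("no role matched the user's groups; authentication refused")
    return granted

def attribute_access(saml_groups, profile_type, is_contributor, roles=ROLES):
    """Cumulative attribute access (highest level wins) for one profile type.
    A role set to Only Contributors counts only if the user is already a
    contributor on the profile."""
    best = "none"
    for role in roles_for_user(saml_groups, roles):
        access = role.profile_access.get(profile_type)
        if access is None or (access == "only_contributors" and not is_contributor):
            continue
        level = role.attributes.get(profile_type, "none")
        if ATTR_RANK[level] > ATTR_RANK[best]:
            best = level
    return best
```

Because matching is exact, a group name that differs only in case (for example `nerm-vendor-viewers`) grants nothing, which is the situation the note about users being unable to authenticate describes.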
Editing a Custom Lifecycle Role
You can view and edit existing custom roles.
1. Go to Admin > Lifecycle > User Roles. On the DIRECTORY GROUPS page, you can see the active and archived user roles in your tenant.
2. Make any necessary changes to the roles on the list. Review the possible changes you can make below.
Update Roles in Bulk
You can make some changes to the roles in your tenant in bulk.
1. Select the checkbox beside the roles you want to edit. To select all roles, select the checkbox next to the NEPROFILE GROUP ROLES header.
2. Select the ellipsis icon next to the Actions button to display the available actions.
   - Archive - Immediately deactivates the selected roles and moves them to the Archived tab.
   - Unarchive - Immediately activates the selected roles and moves them to the Active tab.
   - Export - Generates a JSON file containing the metadata about the selected roles and any related configuration. When the file has been generated, select Download to save the metadata to a local file.
Update an Individual Role
You can make updates to the details and permissions for a specific role.
1. Select the name of the role you want to edit.
2. In the BASIC SETTINGS section, make any necessary changes to the name and other settings for the role.
   Note
   - The UID of a role can't be edited once the role has been created.
   - Removing a group from the Directory groups list causes users with that group to lose access to the role, unless they have another group in the list.
3. In the PERMISSIONS section, make any necessary changes to the permissions this role grants to users. Users with this role will have their permissions updated when you save the role.
4. Select Save.