Sun Identity Manager 8.1 Business Administrator's Guide

Editing and Managing Roles

Most role editing and role management tasks can be performed using the Find Roles and List Roles tabs, which are located under the Roles tab in the main menu.


Procedure: To Search for Roles

Use the Find Roles tab to search for roles based on a wide variety of criteria, such as role owners and approvers, assigned account types, contained roles, and so on.

For information on finding users assigned to a role, see To Find Users Assigned to a Specific Role.

  1. In the Administrator interface, click the Roles tab.

    The List Roles tab opens.

  2. Click the Find Roles secondary tab.

    Figure 5–7 shows the Find Role tab. For help using this form, see online help.

    Figure 5–7 The Find Role Tab


    Use the drop-down menus to define the parameters of your search. Click the Add Row button to add additional parameters.

Procedure: To View Roles

Use the List Roles tab to view roles. Use the filter fields at the top of the List Roles page to find roles by name or role type. Filtering is not case-sensitive.

  1. In the Administrator interface, click the Roles tab.

    The List Roles tab opens.

    Figure 5–8 shows the List Roles tab. For help using this form, see online help.

    Figure 5–8 The List Roles Tab


Procedure: To Edit a Role

Search for the role you want to edit using the List Roles or Find Roles tabs. If you make changes to a role, and change approvals are set to true, a role owner must approve your changes before they can be carried out.

For information on updating users with role changes, see To Update Roles Assigned to Users.

  1. Search for the role you want to edit by following the instructions on To Search for Roles or To View Roles.

  2. Click the name of the role you want to edit.

    The Edit Role page opens.

  3. Edit the role as needed. Refer to the steps in the To Create Roles Using the Create Role Form section for help completing the Identity, Resources, Roles, and Security tabs.

    Click Save. The Confirm Role Changes page opens.

  4. If this role is assigned to users, you can select when to update the users with role changes. See To Update Roles Assigned to Users for more information.

  5. Click Save to save your changes.

Procedure: To Clone a Role

  1. Search for the role you want to clone by following the instructions on To Search for Roles or To View Roles.

  2. Click the name of the role you want to clone.

    The Edit Role page opens.

  3. Enter a new name in the Name field, and then click Save.

    The Role: Create or Rename? page opens.

  4. Click Create to make a copy of the role.

Procedure: To Assign a Role to Another Role

Identity Manager’s requirements around role assignments are described in What are Roles? and Putting Role Types to Work. You should understand this information before assigning roles.

Identity Manager will change a role’s role assignments if the role owner of the parent role approves.

  1. Search for the Business Role or IT Role to which you will be assigning one or more contained roles. (Roles can only be assigned to Business Roles and IT Roles.) Use the instructions on To Search for Roles or To View Roles to search for roles.

  2. Click the Business Role or IT Role to open it.

    The Edit Role page opens.

  3. Click the Roles tab in the Edit Role page.

  4. Click Add in the Contained Roles section.

    The tab refreshes and displays the Find Roles to Contain form.

  5. Search for the role (or roles) that you will be assigning to this role. Start first with any required roles. (You will add conditional and optional roles later.)

    See To Search for Roles for help using the search form. Business Roles cannot be nested or assigned to other role types.

  6. Use the checkboxes to select one or more roles to be assigned, then click Add.

    The tab refreshes and displays the Add Contained Role form.

  7. Select Required (or Conditional or Optional, as appropriate) from the Association Type drop-down menu.

    Click OK.

  8. Repeat the previous four steps to add conditional roles (if required). Repeat the previous four steps again to add optional roles (if required).

  9. Click Save.

    The Confirm Role Changes page opens.

  10. In the Update Assigned Users section, select an Update Assigned Users menu option, and then click Save to save your role assignments.

    See To Update Roles Assigned to Users for more information.

Procedure: To Remove a Role Assigned to Another Role

Identity Manager will remove a contained role from another role if the role owner of the parent role approves. The removed role will be removed from users when users receive role updates. (See To Update Roles Assigned to Users for more information.) When the role is removed, users lose the entitlements that were bestowed by the role.

  1. Search for the Business Role or IT Role from which you want to remove a role. Use the instructions on To Search for Roles or To View Roles to search for roles.

  2. Click the role to open it.

    The Edit Role page opens.

  3. Click the Roles tab in the Edit Role page.

  4. In the Contained Roles section, select the checkbox next to the role that you want to remove, then click Remove. Select multiple checkboxes to remove multiple roles.

    The table updates to show the remaining contained roles.

  5. Click Save.

    The Confirm Role Changes page opens.

  6. In the Update Assigned Users section, select an Update Assigned Users menu option. See To Update Roles Assigned to Users for more information.

  7. Click Save to finalize your changes.

Procedure: To Enable or Disable Roles

Roles can be enabled and disabled on the List Roles tab. Role status is displayed in the Status column. Click the Status column header to sort the table by role status.

Disabled roles do not appear on the Roles tab in the Create/Edit user form and cannot be directly assigned to users. Roles that contain disabled roles can be assigned to users, but the disabled roles cannot be assigned.

Users who are assigned roles that are later disabled do not lose their entitlements. Role disablement only blocks future role assignments from occurring.

Disabling and re-enabling a role requires the permission of the role owner.

Upon enabling or disabling a role with assigned users, Identity Manager will prompt you to update these users. For more information, see To Update Roles Assigned to Users.

  1. Search for the role you want to enable or disable by following the instructions on To Search for Roles or To View Roles.

  2. Click the checkboxes next to the roles that need to be enabled or disabled.

  3. Click Enable or Disable at the bottom of the Roles table.

    The Enable Role or Disable Role confirmation page opens.

  4. Click OK to enable or disable the role.

Procedure: To Delete a Role

This section describes the procedure for deleting a role from Identity Manager.

If you delete a role that is currently assigned to a user, Identity Manager blocks the deletion when you try to save the role. You must unassign (or reassign) all users assigned to a role before Identity Manager can delete it. You also must remove the role from any other roles.

Identity Manager requires a role owner’s approval before it will delete a role.

  1. Search for the role you want to delete by following the instructions on To Search for Roles or To View Roles.

  2. Select the checkbox next to each role that you want to delete.

  3. Click Delete.

    The Delete Role confirmation page displays.

  4. Click OK to delete one or more of the roles.

Procedure: To Assign a Resource or a Resource Group to a Role

Identity Manager’s requirements around resource and resource group assignments are described in What are Roles? and Putting Role Types to Work. You should understand this information before assigning resources to roles.

Identity Manager will change a role’s resource and resource group assignments if the role owner approves.

  1. Search for the IT Role or Application to which you want to add a resource or resource group. For instructions on how to search for a role, see To Search for Roles or To View Roles.

  2. Click the role to open it.

  3. Click the Resources tab in the Edit Role page.

  4. To assign a resource, select it in the Available Resources column and move it to the Current Resources column by clicking the arrow buttons.

  5. If you are assigning multiple resources, you can specify the order in which the resources are updated: Select the Update resources in order checkbox and use the + and - buttons to change the order of the resources in the Current Resources column.

  6. To assign a resource group to this role, select it in the Available Resource Groups column and move it to the Current Resource Groups column by clicking the arrow buttons. A resource group is a collection of resources that provides another way to specify the order in which resource accounts are created and updated.

  7. To specify account attributes for this role on a per resource basis, click Set Attribute Values in the Assigned Resources section. See To View or Edit Resource Account Attributes for more information.

  8. Click Save.

    The Confirm Role Changes page opens.

  9. In the Update Assigned Users section, select an Update Assigned Users menu option. See To Update Roles Assigned to Users for more information.

  10. Click Save to save your resource assignments.

Procedure: To Remove a Resource or Resource Group Assigned to a Role

Identity Manager will remove a resource or resource group from a role if the role owner approves. The removed resource will be removed from users when users receive role updates. (See To Update Roles Assigned to Users for more information.) When the resource is removed, users lose their entitlements on that resource unless the resource is also directly assigned to the user.

  1. Search for the IT Role or Application from which you want to remove a resource or resource group. Use the instructions on To Search for Roles or To View Roles to search for roles.

  2. Click the role to open it.

    The Edit Role page opens.

  3. Click the Resources tab in the Edit Role page.

  4. To remove a resource, select it in the Current Resources column and move it to the Available Resources column by clicking the arrow buttons.

    To remove a resource group, select it in the Current Resource Groups column and move it to the Available Resource Groups column by clicking the arrow buttons.

  5. Click Save.

    The Confirm Role Changes page opens.

  6. In the Update Assigned Users section, select an Update Assigned Users menu option. See To Update Roles Assigned to Users for more information.

  7. Click Save to finalize your changes.
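
The effects described in To Remove a Role Assigned to Another Role (users lose the entitlements the role bestowed, unless a resource is also directly assigned) and in To Delete a Role (deletion is blocked while the role has assigned users or is contained in other roles) can be worked out before a change is saved. The following Python model is an added example, not Identity Manager code or its API: the role, user and resource names are constructed, every contained role is treated as a required association, and a resource still granted through another assigned role is assumed to be retained.

```python
# Constructed sample data (not exported from Identity Manager).
ROLES = {
    "Teller": {"resources": set(), "contains": {"Core Banking Access", "Branch Mail"}},
    "Auditor": {"resources": set(), "contains": {"Core Banking Access"}},
    "Core Banking Access": {"resources": {"Mainframe", "LDAP"}, "contains": set()},
    "Branch Mail": {"resources": {"Mail"}, "contains": set()},
}
USERS = {
    "alice": {"roles": {"Teller"}, "direct": {"Mainframe"}},
    "bob": {"roles": {"Teller"}, "direct": set()},
    "carol": {"roles": {"Teller", "Auditor"}, "direct": set()},
}

def role_resources(roles, name, skip_edge=None, seen=None):
    """Resources a role grants, following contained roles (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    granted = set(roles[name]["resources"])
    for child in roles[name]["contains"]:
        if (name, child) != skip_edge:  # pretend this containment is removed
            granted |= role_resources(roles, child, skip_edge, seen)
    return granted

def entitlements(roles, user, skip_edge=None):
    """Direct resource assignments plus everything the user's roles grant."""
    granted = set(user["direct"])
    for role in user["roles"]:
        granted |= role_resources(roles, role, skip_edge)
    return granted

def removal_impact(roles, users, parent, child):
    """Resources each user would lose if `child` were removed from `parent`."""
    impact = {}
    for uid, user in users.items():
        lost = entitlements(roles, user) - entitlements(roles, user, (parent, child))
        if lost:
            impact[uid] = lost
    return impact

def delete_blockers(roles, users, name):
    """Assignments that must be cleared before the role can be deleted."""
    return {
        "assigned_users": sorted(u for u, d in users.items() if name in d["roles"]),
        "contained_in": sorted(r for r, d in roles.items() if name in d["contains"]),
    }

if __name__ == "__main__":
    print(removal_impact(ROLES, USERS, "Teller", "Core Banking Access"))
    print(delete_blockers(ROLES, USERS, "Core Banking Access"))
```

An empty result from `removal_impact` means no user loses access; empty lists from `delete_blockers` mean the deletion would not be blocked by assignments.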