Sun Identity Manager 8.1 Business Administrator's Guide

Configuring Role Types

Role Type functionality can be modified by editing the Role configuration object.

Procedure: To Configure Role Types to be Directly Assignable to Users

By default, only certain role types can be directly assigned to users. Use the following steps to change which role types allow direct assignment.


Note –

It is a recommended best practice that you only directly assign Business Roles to users. See Using Role Types to Design Flexible Roles for more information.


To change which role types can be directly assigned to users, follow these steps:

  1. Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.

  2. Locate the role object that corresponds to the role type that you want to edit.

    • To edit the IT Role, locate Object name='ITRole'

    • To edit the Application Role, locate Object name='ApplicationRole'

    • To edit the Asset Role, locate Object name='AssetRole'

  3. Specify a set of instructions to update your configuration.

    Depending on how you want to update your configuration, choose one of the following:

    • To modify a role type so that it can be directly assigned to a user, locate the following userAssignment attribute inside the role object:

      <Attribute name='userAssignment'>
          <Object/>
      </Attribute>

      And replace it with the following:

      <Attribute name='userAssignment'>
          <Object>
              <Attribute name='manual' value='true'/>
          </Object>
      </Attribute>

    • To modify a role type so that it cannot be directly assigned to a user, locate the userAssignment attribute inside the role object and delete the manual attribute as follows:

      <Attribute name='userAssignment'>
          <Object>
          </Object>
      </Attribute>

  4. Save the Role configuration object. You do not need to restart your application servers in order for the changes to take effect.

Procedure: To Enable Role Types for Assignable Activation Dates and Deactivation Dates

By default, only Business Roles can have activate dates and deactivate dates specified at the time the role is assigned. All other role types inherit the activate date and deactivate date of the Business Role that is directly assigned to the user.


Note –

It is a recommended best practice that you only directly assign Business Roles to users. See Using Role Types to Design Flexible Roles for more information.

If you opt to allow another role type to be directly assignable to users (for example, the IT Role type), you may also want to be able to assign activate and deactivate dates for that role type.


Use the following steps to change which role types can have assignable activate dates and deactivate dates:

  1. Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.

  2. Locate the role object that corresponds to the role type that you want to edit.

    • To edit the Business Role, locate Object name='BusinessRole'

    • To edit the IT Role, locate Object name='ITRole'

    • To edit the Application Role, locate Object name='ApplicationRole'

    • To edit the Asset Role, locate Object name='AssetRole'

  3. Specify a set of instructions to update your configuration.

    Depending on how you want to update your configuration, choose one of the following:

    • To modify a role type so that it can have directly assignable activate dates and deactivate dates, locate the following userAssignment attribute inside the role object (shown here with the manual attribute already set, as in the previous procedure):

      <Attribute name='userAssignment'>
          <Object>
              <Attribute name='manual' value='true'/>
          </Object>
      </Attribute>

      And replace it with the following:

      <Attribute name='userAssignment'>
          <Object>
              <Attribute name='activateDate' value='true'/>
              <Attribute name='deactivateDate' value='true'/>
              <Attribute name='manual' value='true'/>
          </Object>
      </Attribute>

    • To modify a role type so that it cannot have directly assignable activate dates and deactivate dates, locate the userAssignment attribute inside the role object and delete the activateDate and deactivateDate attributes, leaving the manual attribute in place if the role type should remain directly assignable:

      <Attribute name='userAssignment'>
          <Object>
              <Attribute name='manual' value='true'/>
          </Object>
      </Attribute>

  4. Save the Role configuration object. You do not need to restart your application servers in order for the changes to take effect.

Procedure: To Enable or Disable Change-Approval and Change-Notification Work Items

By default, change-approval work items are enabled for all role types. This means that every time a role is changed (whether it is a Business Role, an IT Role, an Application Role, or an Asset Role), if the role has an owner, the owner must approve the change before it takes effect.

For more information on change-approval and change-notification work items, see Initiating Change-Approval and Approval Work Items.

Use the following steps to enable or disable change-approval and change-notification work items for role types:

  1. Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.

  2. Locate the role object that corresponds to the role type that you want to edit.

    • To edit the Business Role, locate Object name='BusinessRole'

    • To edit the IT Role, locate Object name='ITRole'

    • To edit the Application Role, locate Object name='ApplicationRole'

    • To edit the Asset Role, locate Object name='AssetRole'

  3. Locate the following attributes inside the <Object> element that sits within the <Attribute name='features'> element of the role object:

    <Attribute name='changeApproval' value='true'/>
    <Attribute name='changeNotification' value='true'/>

  4. Set the attribute values to true or false as needed.

  5. If necessary, repeat steps 2 - 4 to configure another role type.

  6. Save the Role configuration object. You do not need to restart your application servers in order for the changes to take effect.

Procedure: To Configure the Maximum Number of Rows that the Role List Page Can Load

The List Roles page in the Administrator interface displays at most a configurable number of rows. The default is 500.

Use the following steps to change the maximum number of rows that the List Roles page can display.

  1. Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.

  2. Locate the following attribute and change the value:

    <Attribute name='roleListMaxRows' value='500'/>

  3. Save the Role configuration object. You do not need to restart your application servers in order for the changes to take effect.
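The procedures above all edit the same Role configuration object by hand. As an added example (not code from the Sun documentation or from the Identity Manager product), the following Python script parses an exported copy of that object, reports each role type's userAssignment and features settings, flags deviations from the guidance in this section (a non-Business Role that is directly assignable, assignable dates on a role type that is not directly assignable, change approval switched off), and applies the userAssignment edits from the first two procedures programmatically. Only the role Object names and the userAssignment, manual, activateDate, deactivateDate, features, changeApproval, changeNotification and roleListMaxRows attributes are taken from the page; the outer Configuration and List wrapper, the sample values and the function names are constructed assumptions.

```python
"""Audit and edit an exported Identity Manager Role configuration object (example, not product code)."""
import xml.etree.ElementTree as ET

ROLE_TYPES = ("BusinessRole", "ITRole", "ApplicationRole", "AssetRole")

# Constructed sample export. The element names shown in the procedures are real;
# the Configuration/List wrapper and the per-role values are assumptions.
SAMPLE_ROLE_CONFIG = """\
<Configuration name='Role'>
  <Attribute name='roleListMaxRows' value='500'/>
  <Attribute name='roleTypes'>
    <List>
      <Object name='BusinessRole'>
        <Attribute name='userAssignment'><Object>
          <Attribute name='activateDate' value='true'/>
          <Attribute name='deactivateDate' value='true'/>
          <Attribute name='manual' value='true'/>
        </Object></Attribute>
        <Attribute name='features'><Object>
          <Attribute name='changeApproval' value='true'/>
          <Attribute name='changeNotification' value='true'/>
        </Object></Attribute>
      </Object>
      <Object name='ITRole'>
        <Attribute name='userAssignment'><Object>
          <Attribute name='manual' value='true'/>
        </Object></Attribute>
        <Attribute name='features'><Object>
          <Attribute name='changeApproval' value='false'/>
          <Attribute name='changeNotification' value='true'/>
        </Object></Attribute>
      </Object>
      <Object name='ApplicationRole'>
        <Attribute name='userAssignment'><Object/></Attribute>
        <Attribute name='features'><Object>
          <Attribute name='changeApproval' value='true'/>
          <Attribute name='changeNotification' value='true'/>
        </Object></Attribute>
      </Object>
      <Object name='AssetRole'>
        <Attribute name='userAssignment'><Object/></Attribute>
        <Attribute name='features'><Object>
          <Attribute name='changeApproval' value='true'/>
          <Attribute name='changeNotification' value='true'/>
        </Object></Attribute>
      </Object>
    </List>
  </Attribute>
</Configuration>
"""


def _flag(obj, attr_name):
    """True when <Object> holds <Attribute name=attr_name value='true'/>; a missing
    <Object/> or missing attribute counts as false, matching the 'delete it' steps."""
    if obj is None:
        return False
    el = obj.find(f"./Attribute[@name='{attr_name}']")
    return el is not None and el.get("value") == "true"


def role_type_settings(xml_text):
    """Return {role type: {setting: bool}} for every role Object in the export."""
    root = ET.fromstring(xml_text)
    settings = {}
    for obj in root.iter("Object"):
        name = obj.get("name")
        if name not in ROLE_TYPES:
            continue  # inner, unnamed <Object> elements are skipped
        ua = obj.find("./Attribute[@name='userAssignment']/Object")
        feat = obj.find("./Attribute[@name='features']/Object")
        settings[name] = {
            "manual": _flag(ua, "manual"),
            "activateDate": _flag(ua, "activateDate"),
            "deactivateDate": _flag(ua, "deactivateDate"),
            "changeApproval": _flag(feat, "changeApproval"),
            "changeNotification": _flag(feat, "changeNotification"),
        }
    return settings


def role_list_max_rows(xml_text):
    """Value of roleListMaxRows, or None if the attribute is absent."""
    el = ET.fromstring(xml_text).find(".//Attribute[@name='roleListMaxRows']")
    return int(el.get("value")) if el is not None else None


def audit_findings(xml_text):
    """Deviations from the guidance above, one string per finding."""
    findings = []
    for name, s in role_type_settings(xml_text).items():
        if s["manual"] and name != "BusinessRole":
            findings.append(f"{name}: directly assignable to users (best practice: only BusinessRole)")
        if (s["activateDate"] or s["deactivateDate"]) and not s["manual"]:
            findings.append(f"{name}: assignable dates set but role type is not directly assignable")
        if not s["changeApproval"]:
            findings.append(f"{name}: changeApproval disabled; owner approval not required for changes")
    return findings


def set_user_assignment(xml_text, role_type, manual, dates=False):
    """Rewrite one role type's userAssignment <Object> as the first two procedures do:
    manual=True adds the manual attribute, dates=True adds activateDate/deactivateDate."""
    root = ET.fromstring(xml_text)
    obj = root.find(f".//Object[@name='{role_type}']/Attribute[@name='userAssignment']/Object")
    if obj is None:
        raise ValueError(f"no userAssignment <Object> for {role_type}")
    for child in list(obj):
        obj.remove(child)
    wanted = (["activateDate", "deactivateDate"] if dates else []) + (["manual"] if manual else [])
    for flag in wanted:
        ET.SubElement(obj, "Attribute", name=flag, value="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in audit_findings(SAMPLE_ROLE_CONFIG):
        print(line)
    print("roleListMaxRows =", role_list_max_rows(SAMPLE_ROLE_CONFIG))
```

Run against a real export by replacing SAMPLE_ROLE_CONFIG with the file contents; the audit is read-only, and set_user_assignment returns a new XML string rather than writing anything back, so the result can be reviewed before it is imported through the usual configuration-object editing steps.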