Sun Identity Manager 8.1 Business Administrator's Guide

To Enable Role Types for Assignable Activation Dates and Deactivation Dates

By default, only Business Roles can have activate dates and deactivate dates that can be specified when roles are assigned. All other roles will inherit the activate date or deactivate date of the Business Role that is directly assigned to the user.


Note –

It is a recommended best practice that you only directly assign Business Roles to users. See Using Role Types to Design Flexible Roles for more information.

If you opt to allow another role type to be directly assignable to users (for example, the IT Role type), you may also want to be able to assign activate and deactivate dates for that role type.


Use the following steps to change which role types can have assignable activate dates and deactivate dates:

  1. Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.

  2. Locate the role object that corresponds to the role type that you want to edit.

    • To edit the Business Role, locate Object name='BusinessRole'

    • To edit the IT Role, locate Object name='ITRole'

    • To edit the Application Role, locate Object name='ApplicationRole'

    • To edit the Asset Role, locate Object name='AssetRole'

  3. Specify a set of instructions to update your configuration.

    Depending on how you want to update your configuration, choose one of the following:

    • To modify a role type so that it can have directly assignable activate dates and deactivate dates, locate the following userAssignment attribute inside the role object:


      <Attribute name='userAssignment'>
          <Attribute name='manual' value='true'/>
      </Attribute>

      And replace it with the following:


      <Attribute name='userAssignment'>
          <Object>
              <Attribute name='activateDate' value='true'/>
              <Attribute name='deactivateDate' value='true'/>
              <Attribute name='manual' value='true'/>
          </Object>
      </Attribute>

    • To modify a role type so that it cannot have directly assignable activate dates and deactivate dates, locate the userAssignment attribute inside the role object and delete the activateDate and deactivateDate attributes as follows:


      <Attribute name='userAssignment'>
          <Object>
          </Object>
      </Attribute>

  4. Save the Role configuration object. You do not need to restart your application servers in order for the changes to take effect.
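
An added example, not part of the guide: a check that reads an exported copy of the Role configuration object and reports which role types have assignable activate or deactivate dates, so that a change made with the steps above can be reviewed. The `<Configuration>` wrapper and the sample data are assumptions; only the role object names and the `userAssignment` attribute layouts come from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only the <Object name='...'> role objects and the
# userAssignment attribute come from the guide; the <Configuration> wrapper
# is an assumption made so the fragment parses as one document.
SAMPLE = """<Configuration>
  <Object name='BusinessRole'>
    <Attribute name='userAssignment'>
      <Object>
        <Attribute name='activateDate' value='true'/>
        <Attribute name='deactivateDate' value='true'/>
        <Attribute name='manual' value='true'/>
      </Object>
    </Attribute>
  </Object>
  <Object name='ITRole'>
    <Attribute name='userAssignment'>
      <Attribute name='manual' value='true'/>
    </Attribute>
  </Object>
  <Object name='AssetRole'/>
</Configuration>"""

FLAGS = ("manual", "activateDate", "deactivateDate")

def assignment_flags(role_obj):
    """Read the userAssignment flags of one role object, in either layout."""
    ua = role_obj.find("Attribute[@name='userAssignment']")
    if ua is None:
        return dict.fromkeys(FLAGS, False)
    # Flags sit directly under userAssignment or inside a nested <Object>.
    seen = {a.get("name"): a.get("value") == "true"
            for a in ua.iter("Attribute") if a is not ua}
    return {flag: seen.get(flag, False) for flag in FLAGS}

def audit(xml_text):
    """Map each named role object to its flags (nesting depth is not assumed)."""
    root = ET.fromstring(xml_text)
    return {o.get("name"): assignment_flags(o)
            for o in root.iter("Object") if o.get("name")}

def non_business_with_dates(xml_text):
    """Role types other than BusinessRole whose dates are assignable."""
    return sorted(name for name, f in audit(xml_text).items()
                  if name != "BusinessRole"
                  and (f["activateDate"] or f["deactivateDate"]))
```

Calling `non_business_with_dates` on the export before and after an edit shows exactly which role types the change opened up beyond the default.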