The Role Configuration object defines the supported Role Types, Actions, and List Columns. The following sections describe the supported elements of a Role Type definition:
Role type attributes are configured in the types section of the Role Configuration object. For each type of role in the list, for example business or IT roles, you must specify the following attributes:
Specifies the type’s display name whose value is a message catalog key.
Specifies the authorization type associated with the role type. An authorization type enables fine-grain authorization for who is allowed to view and manage this role type. If you have not yet defined an authType, add one to the AuthorizationTypes configuration object. You must reference that authType within an AdminGroup (capability) as a type within a Permission that grants access to roles of this authType.
All roles have an authorization type. If you load a role without an authorization type, the authorization type defaults to ITRole.
The type of work items that can be created for role assignment approval and role change approval. If you have not yet defined the specified workItem types, add them to the WorkItemTypes configuration object.
The features attribute includes the following features:
changeApproval. If specified, indicates that Owners specified in the Role must approve any changes to a Role of this type. If no Owners are specified, then no approvals occur.
changeNotification. If specified, indicates that any changes to a Role of this type will send email notifications to the owners of the specified Role.
containedTypes. Required feature whose value is the list of Role types that can be contained in this type, where the allowed values are:
BusinessRole
ITRole
ApplicationRole
AssetRole
Custom role types
assignResources. If specified, indicates that resources and resource groups can be assigned to roles of this type. If not specified, no Resources can be assigned to Roles of this type.
userAssignment. If specified, indicates whether Roles of this type can be directly assigned to Users. If this Role type can be assigned directly to Users, this feature also specifies whether the Users can be assigned manually and automatically. If not specified, defaults to user assignment not allowed.
Automatic assignment is not supported in this release, but will be in a future release.
manual. If specified (for example true or false), indicates whether you can manually assign Roles of this type to Users.
activateDate. If specified (for example true or false), indicates whether you can specify a future activation (start) date for Roles of this type when assigned to a User. Note that this feature is valid only if userAssignment.manual is true.
deactivateDate. If specified (for example true or false), indicates whether you can specify a future deactivation (end) date for Roles of this type when assigned to a User. Note that this feature is valid only if userAssignment.manual is true.
You can set both activateDate and deactivateDate to true, even if userAssignment.manual is not. If you set both attributes to true for a role type, and the role is optionally contained by another role, then you can specify activate and deactivate dates when assigning the optional role to a user.
roleExclusions. If specified, indicates that Roles of this type allow the Role editor to specify a list of Roles that cannot be assigned to a user if this Role is assigned; an exclusion list.
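The feature defaults and the changeApproval caveat described above, worked through as an added example (not code from the product). The dict layout, the sample role names and owners, and the function names are assumptions made for illustration; this is not the stored Role Configuration format.

```python
# Constructed model of role-type features as plain dicts. This is an
# illustration, not the product's stored Role Configuration format.
ROLE_TYPES = {
    "BusinessRole": {
        "containedTypes": ["BusinessRole", "ITRole"],
        "changeApproval": True,
        "userAssignment": {"manual": True, "activateDate": True},
    },
    "ITRole": {
        "containedTypes": ["ITRole"],
        "changeApproval": True,
        "assignResources": True,
        # manual is not set, but both dates are: usable only when the
        # role is assigned as an optional contained role.
        "userAssignment": {"activateDate": True, "deactivateDate": True},
    },
    "AssetRole": {"assignResources": True},  # containedTypes missing
}
# Constructed sample roles.
ROLES = [
    {"name": "Payroll Clerk", "type": "BusinessRole", "owners": ["jsmith"]},
    {"name": "LDAP Admin", "type": "ITRole", "owners": []},
]

def effective_features(features):
    """Resolve the documented defaults for features that are not specified."""
    ua = features.get("userAssignment", {})
    manual = ua.get("manual") is True
    both_dates = ua.get("activateDate") is True and ua.get("deactivateDate") is True
    return {
        "assignResources": features.get("assignResources") is True,
        "manualAssignment": manual,
        "activateDate": manual and ua.get("activateDate") is True,
        "deactivateDate": manual and ua.get("deactivateDate") is True,
        "datesForOptionalContainedOnly": both_dates and not manual,
    }

def audit(role_types, roles):
    """Return (subject, finding) pairs for gaps the text above describes."""
    findings = []
    for name, features in role_types.items():
        if "containedTypes" not in features:
            findings.append((name, "required feature containedTypes is missing"))
    for role in roles:
        features = role_types.get(role["type"], {})
        if features.get("changeApproval") and not role["owners"]:
            findings.append((role["name"], "changeApproval set but no owners: changes are not approved"))
    return findings
```

The second finding type is the one to review regularly: a role type can require change approval while individual roles of that type have no owners, in which case no approval takes place.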
The Actions attribute defines a set of actions that a Role administrator can take on one or more Roles in the List Roles table and when adding contained roles or role exclusions to an existing role.
Three sets of actions are specified in role configuration:
actions. Actions displayed in the main role list and on the Find Role Results pages.
addContainedRoleActions. Actions displayed as an administrator is adding contained roles to a role.
addRoleExclusionsActions. Actions displayed as an administrator is adding a role exclusion to a role.
Each action is defined with the following attributes:
action. Specifies the command.
label. Specifies the display name message key.
requiredPermissions. Permissions that control whether the action is displayed, depending on the administrator’s permissions.
Type. Type of object to which an administrator must have the given rights.
Rights. List of rights that an administrator must have for the given object type.
selectionRequired. Indicates that a role must be selected for this action.
type. Specifies the role action type, which can be create, update, delete, or task.
view. Copies the contents of this attribute onto the role view during the execution of the action for create, update, and delete role action types.
task. Specifies the task to launch for task action types.
skipTaskLaunchForm. If set to true, skips the task launch form. Otherwise the task launch form (if present) is displayed. Applies to task action types.
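How the action attributes above interact, as an added example (not code from the product). The command names, message keys, object types and right names are constructed sample values, and the example assumes an administrator must hold every listed right for every listed permission.

```python
# Constructed action definitions using the attribute names described above.
# Command names, message keys, object types and right names are sample values.
ACTIONS = [
    {"action": "newRole", "label": "UI_NEW", "type": "create",
     "selectionRequired": False,
     "requiredPermissions": [{"Type": "Role", "Rights": ["Create"]}]},
    {"action": "deleteRole", "label": "UI_DELETE", "type": "delete",
     "selectionRequired": True,
     "requiredPermissions": [{"Type": "Role", "Rights": ["View", "Delete"]}]},
    {"action": "syncRoles", "label": "UI_SYNC", "type": "task",
     "selectionRequired": True, "skipTaskLaunchForm": True,  # 'task' missing
     "requiredPermissions": [{"Type": "TaskDefinition", "Rights": ["Execute"]}]},
]
VALID_TYPES = {"create", "update", "delete", "task"}

def is_displayed(action, admin_rights):
    """True when the administrator holds every listed right on every listed
    object type (assumption: permissions and rights are all required)."""
    return all(set(p["Rights"]) <= admin_rights.get(p["Type"], set())
               for p in action.get("requiredPermissions", []))

def available(actions, admin_rights, selected_roles):
    """Commands displayed to this administrator and usable with the selection."""
    return [a["action"] for a in actions
            if is_displayed(a, admin_rights)
            and (selected_roles or not a.get("selectionRequired"))]

def lint(actions):
    """Flag definitions whose attributes do not fit their action type."""
    problems = []
    for a in actions:
        kind = a.get("type")
        if kind not in VALID_TYPES:
            problems.append((a["action"], "unknown type %r" % kind))
        if kind == "task" and not a.get("task"):
            problems.append((a["action"], "task action has no task to launch"))
        if kind != "task" and ("task" in a or "skipTaskLaunchForm" in a):
            problems.append((a["action"], "task attributes on a non-task action"))
        if kind == "task" and "view" in a:
            problems.append((a["action"], "view applies to create, update, delete"))
    return problems
```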
The List Columns attribute defines the set of attribute names and labels to display as column headings when viewing lists of Roles (for example, List roles and find role results).
You can specify unique sets of attributes to display as list column headings. The attributes for each defined column are:
name. Name of the role attribute to display.
displayName. Display name to appear in the column header.
rule. Optional rule that might format the attribute value. The rule is invoked for each row in the list, and the value returned by the rule is what displays in each table cell.
You can also set the following options in the Role Configuration object:
roleListMaxRows. The maximum number of roles to list.
roleListPageSize. The number of roles to display on a single page.