Sun[TM] Identity Manager 8.0 Administration
Chapter 4
Roles and Resources
This chapter discusses Identity Manager roles and resources.
The information in this chapter is organized into the following topics:
Understanding and Managing Roles
Read this section for information about setting up roles in Identity Manager. In large organizations, role-based resource assignments greatly simplify resource management.
Note
Do not confuse roles and admin-roles. Roles are used to manage end-user access to external resources. Admin-roles, on the other hand, are primarily used to manage administrator access to internal Identity Manager objects such as users, organizations, and capabilities.
The information in this section discusses roles. For information about admin-roles, see Understanding and Managing Admin Roles.
What are Roles?
A role is an Identity Manager object that allows resource access rights to be grouped and efficiently assigned to users. Roles are organized into four role types:
Business Roles organize into groups the access rights that people who do similar tasks in an organization need to do their job duties. Typically, Business Roles represent user job functions. In a financial institution, for example, Business Roles might correspond to job functions like bank teller, loan officer, branch manager, clerk, accountant, or administrative assistant.
IT Roles, Applications, and Assets organize resource entitlements into groups. In order to provide end-users with access to resources, IT Roles, Applications, and Assets are assigned to Business Roles so that users can access the resources they need to do their jobs. IT Roles contain a specific set of Applications, Assets, and/or Resources, including specific entitlements on those assigned Resources. IT Roles can also contain other IT Roles.
Note
The concept of role types is new in Identity Manager version 8.0. If your organization upgraded to version 8.0 from an earlier version of Identity Manager, your legacy roles were imported as IT Roles. For more information, see Managing Roles Created In Versions Prior to Version 8.0.
IT Roles, Applications, and Assets can be required, conditional, or optional.
Required, conditional, and optional roles allow a Business Role designer to define coarse-grained access to contained roles in order to achieve regulatory compliance, while still allowing flexibility for an end-user’s manager to fine-tune the end-user’s access rights. Users assigned conditional or optional roles can still share the same assigned Business Role, but have different assigned access rights. With this approach, there is no need to define a new Business Role for each permutation of access requirements within an organization (a problem known as role explosion).
Putting Role Types to Work
The following discussion describes how to use role types effectively. For role type descriptions, see the previous section.
Managing Roles Created In Versions Prior to Version 8.0
Organizations that upgraded from an earlier version of Identity Manager to version 8.0 will automatically have their legacy roles converted to IT Roles. These IT Roles will remain directly assigned to users. Legacy roles will not be assigned a role owner as part of the upgrade process. A role owner can be assigned later, however. (For information on role owners, see (more...) .)
By default, organizations that upgrade to version 8.0 can directly assign both IT Roles and Business Roles to users (see Figure 4-2).
Organizations with legacy roles should consider creating new roles based on the guidelines outlined in the next section.
Using Role Types to Design Flexible Roles
IT Roles, Applications, and Assets are the role designer’s building blocks. These three role types are used in combination to build up user entitlements (or, access rights). IT Roles, Applications, and Assets are then assigned to Business Roles.
Designing Business Roles
In Identity Manager, a user can be assigned one or more roles, or no role. With the introduction of role types in Identity Manager 8.0, it is recommended that you only directly assign Business Roles to users. In fact, by default, you cannot directly assign any of the other role types to users unless your organization had a pre-8.0 version of Identity Manager installed and upgraded to at least version 8.0. This default restriction can be changed by modifying the role configuration object ((more...) ).
To reduce complexity, Business Roles cannot be nested—that is, one Business Role cannot contain another Business Role. In addition, Business Roles cannot directly contain resources and resource groups. Instead, resources and resource groups should be assigned to either an IT Role or an Application, which can then be assigned to one or more Business Roles.
Designing IT Roles
IT Roles can contain Applications, and Assets, as well as other IT Roles. IT Roles can also contain resources and resource groups.
IT Roles are intended to be created and managed either by your organization’s IT staff, or by the resource owners who understand the entitlements that are required to enable specific privileges within the resource.
Designing Applications and Assets
Applications and Assets are role types that are intended to represent commonly used business terms to describe things that end-users need in order to do their jobs. For example, an Application role could be named “Customer Support Tools” or “Intranet HR-Tool Admin.”
- Applications cannot contain roles, but they can contain resources and resource groups. Applications can also define specific entitlements that restrict access to only specific applications on contained resources.
- Assets are (typically) non-connected or non-digital resources, such as mobile phones and portable computers, that require manual provisioning. Consequently, assets cannot contain roles, resources, or resource groups.
Applications and Assets are intended to be assigned to Business Roles and IT Roles.
Note
Role administrators should be assigned one or more of the following capabilities:
See Assigning Capabilities for more information.
Role Types in Summary
Figure 4-1 shows which role-types, resources, and resource-groups can be assigned to each of the four role-types. The figure also shows that role-type exclusions can be assigned to all four role-types. (Role exclusions are described on (more...) .)
Figure 4-1 The Business Role, IT Role, Application, and Asset role-types.
Optional, conditional, and required contained-roles ((more...) ) provide added flexibility. Flexible role definitions can reduce the total number of roles your organization needs to manage.
Figure 4-2 shows that Business Roles and IT Roles are directly assignable to users if a pre-8.0 version of Identity Manager is upgraded to at least version 8.0. On upgrade, legacy roles are converted to IT Roles, and, to ensure backwards compatibility, IT Roles are directly assigned to users. If Identity Manager was not upgraded from a pre-8.0 version, then only Business Roles are directly assignable to users.
Figure 4-2 Roles and resources that can be directly assigned to users.
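The containment rules in Figure 4-1, the direct-assignment rules in Figure 4-2, the required/conditional/optional association types, role exclusions, and the effect of disabled contained roles (described later under Enabling and Disabling Roles) can be captured in a small model. The following Python is an added example written for this page; it is not Identity Manager code and does not use its API. Role and resource names, the `location` attribute used by the conditional rule, the `asset:` entitlement prefix, and the shape of a conditional rule as a Python callable are all assumptions made for the illustration.

```python
"""Model of the Identity Manager 8.0 role-type rules described in this
chapter. Added example, not product code; names and rule shape are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Set

ROLE_TYPES = ("BusinessRole", "ITRole", "Application", "Asset")

# Figure 4-1: which role types each role type may contain.
CONTAINABLE = {
    "BusinessRole": {"ITRole", "Application", "Asset"},  # never another Business Role
    "ITRole": {"ITRole", "Application", "Asset"},
    "Application": set(),  # Applications hold resources, not roles
    "Asset": set(),        # Assets hold nothing; they are provisioned manually
}
RESOURCE_CAPABLE = {"ITRole", "Application"}  # may directly contain resources
ASSOCIATIONS = ("required", "conditional", "optional")


@dataclass
class Role:
    name: str
    role_type: str
    resources: Set[str] = field(default_factory=set)
    contained: Dict[str, str] = field(default_factory=dict)  # child -> association
    conditions: Dict[str, Callable[[dict], bool]] = field(default_factory=dict)
    exclusions: Set[str] = field(default_factory=set)
    enabled: bool = True


class RoleModelError(ValueError):
    """A design or assignment violates one of the documented rules."""


class RoleCatalog:
    def __init__(self, upgraded_from_pre_80: bool = False):
        self.roles: Dict[str, Role] = {}
        # Figure 4-2: only Business Roles are directly assignable unless upgraded.
        self.direct_assignable = {"BusinessRole"} | ({"ITRole"} if upgraded_from_pre_80 else set())

    def add(self, role: Role) -> Role:
        if role.role_type not in ROLE_TYPES:
            raise RoleModelError(f"unknown role type {role.role_type!r}")
        if role.resources and role.role_type not in RESOURCE_CAPABLE:
            raise RoleModelError(f"{role.role_type} {role.name!r} cannot directly contain resources")
        self.roles[role.name] = role
        return role

    def contain(self, parent: str, child: str, association: str = "required",
                condition: Optional[Callable[[dict], bool]] = None) -> None:
        p, c = self.roles[parent], self.roles[child]
        if c.role_type not in CONTAINABLE[p.role_type]:
            raise RoleModelError(f"{p.role_type} {parent!r} cannot contain {c.role_type} {child!r}")
        if association not in ASSOCIATIONS:
            raise RoleModelError(f"unknown association type {association!r}")
        if association == "conditional" and condition is None:
            raise RoleModelError("a conditional role needs a rule (assumed: a callable on the user)")
        p.contained[child] = association
        if condition is not None:
            p.conditions[child] = condition

    def assign(self, user: dict, role_names: Iterable[str],
               selected_optional: Iterable[str] = ()) -> Set[str]:
        """Validate a direct assignment and return the user's effective entitlements."""
        chosen = set(role_names)
        for name in chosen:
            r = self.roles[name]
            if r.role_type not in self.direct_assignable:
                raise RoleModelError(f"{r.role_type} {name!r} is not directly assignable to users")
            if not r.enabled:
                raise RoleModelError(f"role {name!r} is disabled")
            clash = r.exclusions & chosen  # role exclusions block co-assignment
            if clash:
                raise RoleModelError(f"{name!r} excludes {sorted(clash)}")
        entitlements: Set[str] = set()
        for name in chosen:
            self._collect(name, user, set(selected_optional), entitlements)
        return entitlements

    def _collect(self, name: str, user: dict, selected_optional: Set[str], out: Set[str]) -> None:
        r = self.roles[name]
        if not r.enabled:          # disabled contained roles grant nothing
            return
        if r.role_type == "Asset":
            out.add(f"asset:{r.name}")  # manually provisioned item (assumed naming)
        out |= r.resources
        for child, assoc in r.contained.items():
            if assoc == "optional" and child not in selected_optional:
                continue           # optional roles are granted only when selected
            if assoc == "conditional" and not r.conditions[child](user):
                continue           # conditional roles are granted only when the rule holds
            self._collect(child, user, selected_optional, out)


def build_example() -> RoleCatalog:
    """Constructed bank-teller catalog in the spirit of the chapter's examples."""
    cat = RoleCatalog()
    cat.add(Role("Customer Support Tools", "Application", resources={"AD", "CoreBanking"}))
    cat.add(Role("Intranet HR-Tool Admin", "Application", resources={"HRTool"}))
    cat.add(Role("Mobile Phone", "Asset"))
    cat.add(Role("Teller Systems", "ITRole"))
    cat.add(Role("Bank Teller", "BusinessRole", exclusions={"Loan Officer"}))
    cat.add(Role("Loan Officer", "BusinessRole"))
    cat.contain("Teller Systems", "Customer Support Tools", "required")
    cat.contain("Bank Teller", "Teller Systems", "required")
    cat.contain("Bank Teller", "Intranet HR-Tool Admin", "optional")
    cat.contain("Bank Teller", "Mobile Phone", "conditional",
                condition=lambda u: u.get("location") == "branch")
    return cat


if __name__ == "__main__":
    cat = build_example()
    print(sorted(cat.assign({"location": "branch"}, ["Bank Teller"])))
```

Two users assigned the same Business Role end up with different entitlements depending on which optional roles their manager selected and which conditional rules hold, which is the point of the association types: no second Business Role is needed for each variation.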
Creating Roles
This section describes how to create roles. For tips on designing roles, see Using Role Types to Design Flexible Roles.
When you create or edit a role, Identity Manager launches the ManageRole workflow. This workflow saves the new or updated role in the repository, and allows you to insert approvals or other actions before the role is created or saved.
Completing the Create Role Form
To create a role, follow these steps:
- In the Administrator interface, click Roles in the main menu.
The Roles page (List Roles tab) opens.
- Click New at the bottom of the page.
The Create IT Role page opens. To create another type of role, use the Type drop-down menu.
- Complete the form fields on the Identity tab.
Figure 4-3 shows the Identity tab.
- Complete the form fields on the Resources tab (if applicable). For help filling out the fields on this tab, refer to online help, and also see Assigning Resources and Resource Groups.
For help setting extended attributes values on roles, see Editing Assigned Resource Attribute Values.
Figure 4-4 shows the Resources tab.
- Complete the form fields on the Roles tab (if applicable). For help filling out the fields on this tab, refer to online help, and also see Assigning Roles and Role Exclusions.
Figure 4-6 shows the Roles tab.
- Complete the form fields on the Security tab. For help filling out the fields on this tab, refer to online help, and also see Designating Role Owners and Role Approvers and Designating Notifications.
Figure 4-7 shows the Security tab.
- Click Save at the bottom of the page.
Entering a Name and a Description for the Role
Enter a role name and description on the Identity tab of the Create Role form. If you are creating a new role, use the Type drop-down menu to select the role-type you are creating.
Figure 4-3 shows the Create Role form’s Identity tab. For help using this form, see online help.
Figure 4-3 The “Identity” portion of the “Create Role” tabbed form.
Assigning Resources and Resource Groups
Resources and Resource Groups can be directly assigned to IT Roles and Application roles using the Resources tab of the Create Role form. Resources are described later in this chapter on (more...). Resource Groups are described in the section Resource Groups.
- Resources and Resource Groups cannot be directly assigned to Business Roles, because only roles can be assigned to Business Roles.
- Resources and Resource Groups cannot be assigned to Asset roles, because Asset roles are reserved for non-connected or non-digital resources that require manual provisioning.
This procedure describes how to assign resources and resource groups to a role when completing the Create Role form. See Completing the Create Role Form to get started.
To complete the Resources tab, follow these steps:
- Click the Resources tab in the Create Role page.
- To assign a resource, select it in the Available Resources column and move it to the Current Resources column by clicking the arrow buttons.
- If you are assigning multiple resources, you can specify the order in which the resources are updated: Select the Update resources in order checkbox and use the + and - buttons to change the order of the resources in the Current Resources column.
- To assign a resource group to this role, select it in the Available Resource Groups column and move it to the Current Resource Groups column by clicking the arrow buttons. A resource group is a collection of resources that provides another way to specify the order in which resource accounts are created and updated.
- To specify account attributes for this role on a per resource basis, click Set Attribute Values in the Assigned Resources section. See Editing Assigned Resource Attribute Values for more information.
- Click Save to save the role, or click the Identity, Roles, or Security tabs to continue with the role creation process.
Figure 4-4 shows the Create Role form’s Resources tab.
Figure 4-4 The “Resources” portion of the “Create Role” tabbed form
Editing Assigned Resource Attribute Values
Use the Assigned Resources table to set or modify resource attribute values on resources assigned to a role. A resource can have different attribute values defined on a role-by-role basis. Clicking the Set Attribute Values button opens the Resource Account Attributes page.
Figure 4-5 shows the Resource Account Attributes page.
From this page, you can specify new values for each attribute and determine how attribute values are set. Identity Manager enables you to directly set values or use a rule to set values. It also provides a range of options for overriding existing values or merging values with existing values.
For general information about resource attribute values, see Working with Account Attributes.
Make selections to establish values for each resource account attribute:
- Value override — Select one of the following options:
- How to set — Select one of the following options:
- Default value — Makes the rule or text the default attribute value. The user can change or override this value.
- Set to value — Sets the attribute value as specified by the rule or text. The value will be set and override any user changes.
- Merge with value — Merges the current attribute value with the values specified by the rule or text.
- Merge with value, clear existing — Removes the current attribute values; sets the value to a merger of values specified by this and other assigned roles.
- Remove from value — Removes the value specified by the rule or text from the attribute value.
- Authoritative set to value — Sets the attribute value as specified by the rule or text. The value will be set and override any user changes. If you remove the role, the new value is null, even if it previously existed on the attribute.
- Authoritative merge with value — Merges the current attribute value with the values specified by the rule or text. If you remove the role, the new attribute value is null, even if it previously existed on the attribute.
- Rule Name — If you select Rule in the Value override area, select a rule from the list.
- Text — If you select Text in the Value override area, enter text to be added to, deleted from, or used as the attribute value.
Click OK to save your changes and return to the Create or Edit Role page.
Figure 4-5 shows the Resource Account Attributes page, which is used to set extended attribute values on resources assigned to a role.
Figure 4-5 The Resource Account Attributes page.
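The How to set options above combine in ways that are easy to get wrong when several roles touch the same multi-valued account attribute (a list of directory groups, for example). The following Python is an added example written for this page, not Identity Manager code: it models each option as documented, applying rules in the order given. Two points are assumptions rather than page statements: a Default value is taken to apply only when the attribute is currently empty, and when a role with a non-authoritative option is removed the attribute is assumed to be left as it is (the page specifies null only for the Authoritative options). Attribute and role names are constructed.

```python
"""Model of the Resource Account Attributes 'How to set' options.
Added example, not product code; ordering and non-authoritative removal
behaviour are assumptions noted in the lead-in."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

HOW_TO_SET = (
    "default",              # Default value
    "set",                  # Set to value
    "merge",                # Merge with value
    "merge_clear",          # Merge with value, clear existing
    "remove",               # Remove from value
    "authoritative_set",    # Authoritative set to value
    "authoritative_merge",  # Authoritative merge with value
)


@dataclass(frozen=True)
class AttrRule:
    role: str
    attribute: str
    how: str
    values: Sequence[str]   # the Text, or what the named Rule evaluates to

    def __post_init__(self):
        if self.how not in HOW_TO_SET:
            raise ValueError(f"unknown How to set option {self.how!r}")


def _merge(current: List[str], new: Sequence[str]) -> List[str]:
    """Union that preserves order and avoids duplicates."""
    return current + [v for v in new if v not in current]


def apply_on_assignment(current: Optional[List[str]], rules: List[AttrRule]) -> List[str]:
    """Attribute value after the roles carrying `rules` are assigned."""
    value = list(current or [])
    if any(r.how == "merge_clear" for r in rules):
        value = []  # 'clear existing': discard current values, then merge everything assigned
    for r in rules:  # assumed: rules apply in the order given
        new = list(r.values)
        if r.how == "default":
            if not value:               # assumed: default fills only an empty attribute
                value = new
        elif r.how in ("set", "authoritative_set"):
            value = new                 # overrides any user changes
        elif r.how in ("merge", "merge_clear", "authoritative_merge"):
            value = _merge(value, new)
        elif r.how == "remove":
            value = [v for v in value if v not in new]
    return value


def apply_on_removal(current: Optional[List[str]], removed: List[AttrRule]) -> Optional[List[str]]:
    """Attribute value after the role carrying `removed` is taken away."""
    if any(r.how.startswith("authoritative") for r in removed):
        return None  # documented: authoritative options null the attribute on removal
    return list(current or [])  # assumed: non-authoritative removal leaves the value alone


if __name__ == "__main__":
    rules = [
        AttrRule("Branch Staff", "groups", "default", ["Staff"]),
        AttrRule("Bank Teller", "groups", "merge", ["Tellers"]),
        AttrRule("Contractor", "groups", "remove", ["VPN"]),
    ]
    print(apply_on_assignment(["VPN", "Everyone"], rules))
```

Running the constructed rules against an existing value of `["VPN", "Everyone"]` leaves `["Everyone", "Tellers"]`: the default is skipped because the attribute already had values, the merge appends, and the remove strips the VPN group. The removal case is where Authoritative matters for access review: an authoritative role is the single source for the attribute, so taking the role away empties the attribute rather than leaving a value that no role now justifies.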
Assigning Roles and Role Exclusions
Roles can be assigned to Business Roles and IT Roles using the Roles tab of the Create Role form. Assigned roles should be added to the Contained Roles table.
Role exclusions can be assigned to all four role types using the Roles tab of the Create Role form. If a role with a role exclusion is assigned to a user, the excluded role cannot also be assigned to the user. Role exclusions should be added to the Role Exclusions table.
This procedure describes how to assign one or more roles to a role when completing the Create Role form. See Completing the Create Role Form to get started.
To complete the Roles tab, follow these steps:
- Click the Roles tab in the Create Role page.
- Click Add in the Contained Roles section.
The tab refreshes and displays the Find Roles to Contain form.
- Search for the role (or roles) that you will be assigning to this role. Start first with any required roles. (You will add conditional and optional roles later.)
See (more...) for help using the search form. Business Roles cannot be nested or assigned to other role-types.
- Use the checkboxes to select the role(s) to be assigned, then click Add.
The tab refreshes and displays the Add Contained Role form.
- Select Required (or Conditional or Optional, as appropriate) from the Association Type drop-down menu.
Click OK.
- Repeat the previous four steps to add conditional roles (if required). Repeat the previous four steps again to add optional roles (if required).
- Click Save to save the role, or click the Identity, Resources, or Security tabs to continue with the role creation process.
Figure 4-6 shows the Create Role form’s Roles tab. For help using this form, see online help.
Figure 4-6 The “Roles” portion of the “Create Role” tabbed form
Designating Role Owners and Role Approvers
Roles have designated owners and approvers. Only role owners can authorize changes to the parameters that define the role, and only role approvers can authorize the assignment of the role to end-users.
To be a role owner is to be the business owner responsible for the underlying resource account rights that are assigned through the role. If an administrator makes changes to a role, a role owner must approve of the changes before they can be carried out. This feature guards against an administrator changing a role without a business owner’s knowledge and approval. If change approvals have been disabled in the Role configuration object, however, a role owner’s approval is not required in order for changes to be carried out.
In addition to approving role changes, role owners must approve before a role can be enabled, disabled, or deleted.
Owners and approvers can either be directly added to a role, or dynamically added using a role-assignment rule. In Identity Manager it is possible (but not recommended) to create roles without owners and approvers.
Note
Role-assignment rules have an authType of RoleUserRule. If you need to create a custom role-assignment rule, refer to the three default role-assignment rule objects and use them as an example:
Owners and approvers are notified by email if a work item requires their approval. Change-approval work items and approval work items are discussed on (more...) in the Initiating Change-Approval and Approval Work Items section.
Owners and approvers are added to roles on the Security tab in the Create Role form.
Figure 4-7 shows the Create Role form’s Security tab. For help using this form, see online help.
Figure 4-7 The “Security” portion of the “Create Role” tabbed form
Designating Notifications
One or more administrators can be sent notifications when a role is assigned to a user.
Specifying a notification recipient is optional. You could choose to notify an administrator if you decide not to require an approval when a role is assigned to a user. Or you could designate one administrator to serve as an approver and another administrator to serve as a notification recipient when the approval is made.
As with owners and approvers, notifications can either be directly added to a role, or dynamically added using a role-assignment rule. Notification recipients are notified by email when a role is assigned to a user. A work item is not created, however, because an approval is not required.
Notifications are assigned to roles on the Security tab on the Create Role form. Figure 4-7 shows the Create Role form’s Security tab.
Initiating Change-Approval and Approval Work Items
When changes are made to a role, role owners can receive a change-approval email, a change-notification email, or no email. When a role is assigned to a user, role approvers receive role approval emails.
By default, role owners are sent change-approval emails whenever the roles they own are changed. This behavior is configurable, however, on a role-type by role-type basis. For example, you could choose to enable change-approvals for Business Roles and IT Roles, and enable change-notifications for Application and Asset roles.
For instructions on enabling and disabling change-approval and change-notification emails, see Enabling and Disabling Change-Approval and Change-Notification Work Items.
This is how change-approvals and change-notifications work:
- If change-approvals are enabled, when an administrator changes a role, a work item is generated and an approval email is sent to the role owner. A role owner must approve the work item in order for the change to be made. Change-approval work items can be delegated. See Approvals for more information.
When a role is assigned to a user, role approvers receive role approval emails. Role approval emails cannot be disabled in Identity Manager.
This is how role approvals work:
Change-approval and approval work items can be delegated. For more information on delegating work items, see Delegating Work Items.
Editing and Managing Roles
Most role editing and role management tasks can be performed using the Find Roles and List Roles subtabs, which are located under the Roles tab in the main menu.
This section contains the following topics:
Searching for Roles
Use the Find Roles tab to search for roles that meet the search criteria you specify.
Using the Find Roles tab, you can search for roles based on a wide variety of criteria such as role owners and approvers, assigned account types, contained roles, and so on.
For information on finding users assigned to a role, see (more...) .
To open the Find Roles tab, follow these steps:
- In the Administrator interface, click the Roles tab.
The List Roles tab opens.
- Click the Find Roles secondary tab.
Figure 4-8 shows the Find Roles tab. For help using this form, see online help.
Figure 4-8 The “Find Role” tab
Use the drop-down menus to define the parameters of your search. Click the Add Row button to add additional parameters.
Viewing Roles
Use the List Roles tab to view roles. Use the filter fields at the top of the List Roles page to find roles by name or role type. Filtering is not case-sensitive.
To open the List Roles tab, follow these steps:
Figure 4-9 shows the List Roles tab. For help using this form, see online help.
Figure 4-9 The “List Roles” tab
Editing Roles
Search for the role you want to edit using the List Roles or Find Roles tabs. If you make changes to a role, and change approvals are set to true, a role owner must approve your changes before they can be carried out.
For information on updating users with role changes, see Updating Roles Assigned to Users.
To edit a role, follow these steps:
- Click the name of the role you want to edit.
The Edit Role page opens.
- Edit the role as needed. Refer to the steps in the Completing the Create Role Form section on (more...) for help completing the Identity, Resources, Roles, and Security tabs.
Click Save. The Confirm Role Changes page opens.
- If this role is assigned to users, you can select when to update the users with role changes. See Updating Roles Assigned to Users for more information.
- Click Save to save your changes.
Cloning Roles
To make a copy of a role, follow these steps:
Assigning a Role to a Role
Identity Manager’s requirements around role assignments are described in What are Roles? and Putting Role Types to Work. You should understand this information before assigning roles.
Identity Manager will change a role’s role assignments if the role-owner of the parent role approves.
To assign a role to another role, follow these steps:
- Search for the Business Role or IT Role to which you will be assigning one or more contained roles. (Roles can only be assigned to Business Roles and IT Roles.) Use the instructions on (more...) or (more...) to search for roles.
- Click the Business Role or IT Role to open it.
The Edit Role page opens.
- Click the Roles tab in the Edit Role page.
- Click Add in the Contained Roles section.
The tab refreshes and displays the Find Roles to Contain form.
- Search for the role (or roles) that you will be assigning to this role. Start first with any required roles. (You will add conditional and optional roles later.)
See (more...) for help using the search form. Business Roles cannot be nested or assigned to other role-types.
- Use the checkboxes to select the role(s) to be assigned, then click Add.
The tab refreshes and displays the Add Contained Role form.
- Select Required (or Conditional or Optional, as appropriate) from the Association Type drop-down menu.
Click OK.
- Repeat the previous four steps to add conditional roles (if required). Repeat the previous four steps again to add optional roles (if required).
- Click Save to open the Confirm Role Changes page.
The Confirm Role Changes page opens.
- In the Update Assigned Users section select an Update Assigned Users menu option. See Updating Roles Assigned to Users for more information.
- Click Save to save your role assignments.
Removing a Role From a Role
Identity Manager will remove a contained role from another role if the role-owner of the parent role approves. The removed role will be removed from users when users receive role updates. (See Updating Roles Assigned to Users for more information.) When the role is removed, users lose the entitlements that were bestowed by the role.
- For information on removing a role assigned to one or more users, see Removing Roles Assigned to Users.
- For information on disabling a role, see Enabling and Disabling Roles.
- For information on deleting a role from Identity Manager, see Deleting Roles.
To remove a role assigned to another role, follow these steps:
- Search for the Business Role or IT Role from which you want to remove a role. Use the instructions on (more...) or (more...) to search for roles.
- Click the role to open it.
The Edit Role page opens.
- Click the Roles tab in the Edit Role page.
- In the Contained Roles section, select the checkbox next to the role that you want to remove, then click Remove. Select multiple checkboxes to remove multiple roles.
The table updates to show the remaining contained roles.
- Click Save.
The Confirm Role Changes page opens.
- In the Update Assigned Users section select an Update Assigned Users menu option. See Updating Roles Assigned to Users for more information.
- Click Save to finalize your changes.
Enabling and Disabling Roles
Roles can be enabled and disabled on the List Roles tab. Role status is displayed in the Status column. Click the Status column header to sort the table by role status.
Roles that are disabled do not appear on the Roles tab in the Create/Edit user form and cannot be directly assigned to users. Roles that contain disabled roles can be assigned to users, but the disabled roles cannot be assigned.
Users who are assigned roles that are later disabled do not lose their entitlements. Role disablement only blocks future role assignments from occurring.
Disabling and re-enabling a role requires the permission of the role owner.
Upon enabling or disabling a role with assigned users, Identity Manager will prompt you to update these users. For more information, see Updating Roles Assigned to Users.
To enable/disable roles, follow these steps:
Deleting Roles
This section describes the procedure for deleting a role from Identity Manager.
- For information on removing a role assigned to another role, see Removing a Role From a Role.
- For information on removing a role assigned to one or more users, see Removing Roles Assigned to Users.
If you delete a role that is currently assigned to a user, Identity Manager blocks the deletion when you try to save the role. You must unassign (or reassign) all users assigned to a role before Identity Manager can delete it. You also must remove the role from any other roles.
Identity Manager requires a role owner’s approval before it will delete a role.
To delete a role, follow these steps:
Assigning a Resource or Resource Group to a Role
Identity Manager’s requirements around resource and resource group assignments are described in What are Roles? and Putting Role Types to Work. You should understand this information before assigning resources to roles.
Identity Manager will change a role’s resource and resource group assignments if the role-owner approves.
To assign a resource to a role, follow these steps:
- Search for the IT Role or Application to which you want to add a resource or resource group. For instructions on how to search for a role, see (more...) or (more...) .
- Click the role to open it.
- Click the Resources tab in the Edit Role page.
- To assign a resource, select it in the Available Resources column and move it to the Current Resources column by clicking the arrow buttons.
- If you are assigning multiple resources, you can specify the order in which the resources are updated: Select the Update resources in order checkbox and use the + and - buttons to change the order of the resources in the Current Resources column.
- To assign a resource group to this role, select it in the Available Resource Groups column and move it to the Current Resource Groups column by clicking the arrow buttons. A resource group is a collection of resources that provides another way to specify the order in which resource accounts are created and updated.
- To specify account attributes for this role on a per resource basis, click Set Attribute Values in the Assigned Resources section. See Editing Assigned Resource Attribute Values for more information.
- Click Save to open the Confirm Role Changes page.
The Confirm Role Changes page opens.
- In the Update Assigned Users section select an Update Assigned Users menu option. See Updating Roles Assigned to Users for more information.
- Click Save to save your resource assignments.
Removing a Resource or Resource Group from a Role
Identity Manager will remove a resource or resource group from a role if the role-owner approves. The removed resource will be removed from users when users receive role updates. (See Updating Roles Assigned to Users for more information.) When the resource is removed, users lose their entitlements on that resource unless the resource is also directly assigned to the user.
To remove a resource or resource group assigned to a role, follow these steps:
- Search for the IT Role or Application from which you want to remove a resource or resource group. Use the instructions on (more...) or (more...) to search for roles.
- Click the role to open it.
The Edit Role page opens.
- Click the Resources tab in the Edit Role page.
- To remove a resource, select it in the Current Resources column and move it to the Available Resources column by clicking the arrow buttons.
To remove a resource group, select it in the Current Resource Groups column and move it to the Available Resource Groups column by clicking the arrow buttons.
- Click Save.
The Confirm Role Changes page opens.
- In the Update Assigned Users section select an Update Assigned Users menu option. See Updating Roles Assigned to Users for more information.
- Click Save to finalize your changes.
Managing User Role Assignments
Roles are assigned to users in the Accounts area of Identity Manager.
This section contains the following topics:
Assigning Roles to Users
Use the following procedure to assign one or more roles to a user (or users).
End-users can also make role assignment requests for themselves. (Only optional roles where the parent role is already assigned to the user can be requested.) See Requests in the Identity Manager End-User Interface section for information on how end-users can request available roles.
To assign one or more roles to a user, follow these steps:
- In the Administrator interface, click the Accounts tab.
The List Accounts subtab opens.
- To assign a role to an existing user, follow these steps:
- Click the user’s name in the User List.
- Click the Roles tab.
- Click Add to add one or more roles to the user account.
By default, only Business Roles can be directly assigned to users. (If your installation of Identity Manager was upgraded from a pre-8.0 version, both Business Roles and IT Roles can be directly assigned to users.)
- In the table of roles, select the role(s) you want to assign to the user and then click OK.
To sort the table alphabetically by Name, Type, or Description, click the column headers. Click a second time to reverse sort. To filter the list by role type, make a selection from the Current drop-down menu.
The table updates to show the selected role assignment(s), plus any required role assignments that are connected to the parent role assignment(s).
- Click Add to view optional role assignments that can also be assigned to the user.
Select the optional role(s) to be assigned to the user and click OK.
- (Optional) In the Activate On column, select the date that the role should become active. If you do not specify a date, the role assignment will become active as soon as a designated role approver approves the role assignment.
To make the role assignment temporary, select the date that the role should become inactive in the Deactivate On column. Role deactivation takes effect at the beginning of the selected day.
See Activating and Deactivating Roles on Specific Dates for more information.
- Click Save.
Activating and Deactivating Roles on Specific Dates
When assigning a role to a user, you can specify an activate date and a deactivate date. Role-assignment work-item requests are created when the assignment is made. If a role assignment is not approved by the scheduled activation date, however, the role is not assigned. Role activations and deactivations take place a little after midnight (12:01 AM) on the date scheduled.
By default, only Business Roles can have activate dates and deactivate dates. All other role-types inherit the activate date and deactivate date of the Business Role that is directly assigned to the user. Identity Manager can be configured to allow other role types to have directly assignable activate and deactivate dates. For instructions, see (more...) .
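The date rules in this section (activation on the scheduled date shortly after midnight, deactivation taking effect at the start of the deactivate date, immediate activation once approved when no date is set, and no assignment when approval has not arrived by the activation date) modelled in a small scanner pass. This is an added example, not Identity Manager code; the assignment records, user names and the `state` field are constructed for the example and are not the product's data model.

```python
"""Date logic of scheduled role activation and deactivation.

Added example, not Identity Manager code: it encodes only the rules stated in
the text for the decisions the Deferred Task Scanner makes on a given day.
Assignment records, users, roles and the 'state' field are constructed."""
from datetime import date


def assignment_status(today, approved, activate_on=None, deactivate_on=None):
    """Status of one role assignment on day `today`: 'pending-approval',
    'not-assigned', 'scheduled', 'active' or 'inactive'."""
    if deactivate_on is not None and today >= deactivate_on:
        return "inactive"           # deactivation applies from the start of that day
    if not approved:
        if activate_on is not None and today >= activate_on:
            return "not-assigned"   # approval did not arrive by the activation date
        return "pending-approval"
    if activate_on is None or today >= activate_on:
        return "active"             # no date: active as soon as approved
    return "scheduled"


def scan(assignments, today):
    """One scanner pass: which (user, role) pairs to activate and to deactivate."""
    activate, deactivate = [], []
    for a in assignments:
        status = assignment_status(today, a["approved"],
                                   a.get("activate_on"), a.get("deactivate_on"))
        if status == "active" and a.get("state") != "active":
            activate.append((a["user"], a["role"]))
        elif status == "inactive" and a.get("state") == "active":
            deactivate.append((a["user"], a["role"]))
    return activate, deactivate


# Constructed sample assignments (not Identity Manager data).
SAMPLE_ASSIGNMENTS = [
    {"user": "jdoe", "role": "Teller", "approved": True, "state": "scheduled",
     "activate_on": date(2008, 9, 29), "deactivate_on": date(2008, 12, 31)},
    {"user": "asmith", "role": "Loan Officer", "approved": False, "state": "scheduled",
     "activate_on": date(2008, 9, 29)},
    {"user": "bkim", "role": "Clerk", "approved": True, "state": "active",
     "activate_on": date(2008, 6, 1), "deactivate_on": date(2008, 9, 29)},
    {"user": "clee", "role": "Accountant", "approved": True, "state": "scheduled"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_ASSIGNMENTS, date(2008, 9, 29)))
```

Running the pass for 29 September 2008 activates jdoe (approved, date reached) and clee (approved, no date), deactivates bkim (deactivate date reached), and leaves asmith unassigned because the approval never arrived.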
Scheduling the Deferred Task Scanner Task
The Deferred Task Scanner scans user role assignments and activates and deactivates roles as needed. By default, the Deferred Task Scanner task runs every hour.
To edit the schedule for the Deferred Task Scanner, follow these steps:
- In the Administrator interface, click Server Tasks.
- Click Manage Schedule in the secondary menu.
- In the Tasks Available For Scheduling section, click on the Deferred Task Scanner TaskDefinition.
The “Create New Deferred Task Scanner Task Schedule” page opens.
- Complete the form. For help, refer to the i-Helps and online help.
To specify a date and time when the task should run, in Start Date use the format mm/dd/yyyy hh:mm:ss. For example, to schedule a task to start running at 7:00 P.M. on September 29, 2008, type 09/29/2008 19:00:00.
In the Result Options drop-down menu, select rename. If you select wait, future instances of this task will not run until you remove the previous results. See online help for more information on the various Result Options settings.
- Click Save to save the task.
Figure 4-10 shows the scheduled task form for the Deferred Task Scanner task.
Figure 4-10 The Deferred Task Scanner scheduled task form.
Updating Roles Assigned to Users
When editing roles assigned to users you can choose to update users with the new role changes immediately, or defer the update to run during a scheduled maintenance window.
Upon making changes to a role, the Confirm Role Changes page opens. The Confirm Role Changes page is shown in Figure 4-11 on (more...) .
- The Update Assigned Users section of this page displays the number of users who currently have the role assigned.
- Use the Update Assigned Users menu to select whether to immediately update users with the new role changes (Update), to defer updating users until a later time (Do not update), or to select a custom scheduled update task.
- Because Update updates users immediately, you should avoid choosing this option if a large number of users will be affected. Updating users can be time- and resource-intensive. If many users need to be updated, it is preferable to schedule the update for off-peak hours.
- When Do not update is selected for a role, users assigned to the role will not receive role updates until an administrator views the user’s user profile or until the user is updated by the Update Role Users task. For information on scheduling the Update Role Users task, see the next section.
- If you have created an Update Role Users task schedule, you can select it from the menu. The selected Update Role Users task will update users assigned to the role according to the schedule defined for the task. See the next section for more information.
Figure 4-11 shows the Confirm Role Changes page. The Update Assigned Users section displays the number of users who currently have this role assigned. The Update Assigned Users drop-down menu has two default options: Do not update and Update. You can also select from a list of scheduled Update Role Users tasks. For instructions on creating scheduled Update Role Users tasks, see Scheduling the Update Role Users Task.
Figure 4-11 The Confirm Role Changes page.
Manually Updating Assigned Users
You can update users assigned to roles by selecting one or more roles and clicking the Update Assigned Users button. This procedure runs an instance of the Update Role Users Task for the roles specified.
To start updating users assigned to roles, follow these steps:
- Search for the role (or roles) whose assigned users should be updated by following the instructions on (more...) or (more...) .
- Select the role (or roles) using the checkboxes.
- Click Update Assigned Users.
The Update Users Assigned to Roles page (Figure 4-12) displays.
- Click Launch to start the update.
- Check the status of the Update Role Users task by clicking Server Tasks in the main menu, then click All Tasks in the secondary menu.
Figure 4-12 The Update Users Assigned to Roles page
Scheduling the Update Role Users Task
It is recommended that an Update Role Users task be scheduled to run on a regular basis.
To update users with outstanding role changes, schedule the Update Role Users task using the following steps:
- In the Administrator interface, click Server Tasks.
- Click Manage Schedule in the secondary menu.
- In the Tasks Available For Scheduling section, click on the Update Role Users TaskDefinition.
The “Create New Update Role Users Task Schedule” page opens, or, if you are editing an existing task, the “Edit Task Schedule” page opens (Figure 4-13).
- Complete the form. For help, refer to the i-Helps and online help.
To specify a date and time when the task should run, in Start Date use the format mm/dd/yyyy hh:mm:ss. For example, to schedule a task to start running at 7:00 P.M. on September 29, 2008, type 09/29/2008 19:00:00.
In the Result Options drop-down menu, select rename. If you select wait, future instances of this task will not run until you remove the previous results. See online help for more information on the various Result Options settings.
- Click Save to save the task.
Figure 4-13 shows the scheduled task form for the Update Role Users task. Specific roles can be assigned to specific Update Role Users tasks (as shown in the Task Parameters section.) See Updating Roles Assigned to Users for more information.
Figure 4-13 The Update Role Users scheduled task form.
Finding Users Assigned to a Role
You can search for users who have a specific role assigned.
To find users with a specific role assigned, follow these steps:
- In the Administrator interface, click Accounts.
- Click Find Users in the secondary menu. The Find Users page opens.
- Locate the search type User has [Select Role Type...] role assigned.
- Select the option box and use the Select Role Type... drop-down menu to filter the list of available roles.
A second role menu opens.
- Select a role.
- Clear the other search-type checkboxes, unless you want to narrow your search further.
- Click Search.
Figure 4-14 Searching for users assigned a role using the Find Users page
Removing Roles Assigned to Users
Using the Edit User page, one or more roles can be removed from a user account. Only a directly assigned role can be removed. Indirectly assigned roles (that is, conditional and/or required contained roles) are removed when the parent role is removed. Another way for an indirectly assigned role to be removed from a user is if the role is removed from the parent role (see Removing a Role From a Role).
End-users can also request that assigned roles be removed from their user accounts. See Requests in the Identity Manager End-User Interface section.
For information on removing a role using a scheduled deactivation date, see Activating and Deactivating Roles on Specific Dates.
To remove one or more roles from a user, follow these steps:
- In the Administrator interface, click the Accounts tab.
The List Accounts subtab opens.
- Click the user from which you want to remove a role (or roles).
The Edit User page opens.
- Click the Roles tab.
- In the table of roles, select the role(s) you want to remove from the user and then click OK.
To sort the table alphabetically by Name, Type, Activate On, Deactivate On, Assigned By, or Status, click the column headers. Click a second time to reverse sort. To filter the list by role type, make a selection from the Current drop-down menu.
The table shows the parent role assignment(s) (those roles that can be selected), plus any role assignments that are connected to the parent role assignment(s) (those roles that cannot be selected).
- Click Remove.
The table of assigned roles updates to show the remaining assigned roles.
- Click Save.
The Update Resource Accounts page opens. Deselect any resource accounts that you do not want removed.
- Click Save to save your changes.
Configuring Role Types
Role Type functionality can be modified by editing the Role configuration object.
Configuring Role Types to be Directly Assignable to Users
By default, only certain role types can be directly assigned to users. To change these settings, use the following steps.
Note
It is a recommended best practice that you only directly assign Business Roles to users. See Using Role Types to Design Flexible Roles for more information.
To change which role types can be directly assigned to users, follow these steps:
- Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.
- Locate the role object that corresponds to the role type that you wish to edit.
- Depending on how you want to update your configuration, pick the appropriate set of instructions:
- To modify a role type so that it can be directly assigned to a user, locate the following userAssignment attribute inside the role object:
<Attribute name='userAssignment'>
<Object/>
</Attribute>
and replace it with the following:
<Attribute name='userAssignment'>
<Object>
<Attribute name='manual' value='true'/>
</Object>
</Attribute>
- To modify a role type so that it cannot be directly assigned to a user, locate the userAssignment attribute inside the role object and delete the manual attribute as follows:
<Attribute name='userAssignment'>
<Object>
</Object>
</Attribute>
- Save the Role configuration object. You do not need to restart your application server(s) in order for the changes to take effect.
Enabling Role Types for Assignable Activation Dates and Deactivation Dates
By default, only Business Roles can have activate dates and deactivate dates that can be specified when roles are assigned. All other roles will inherit the activate date /deactivate date of the Business Role that is directly assigned to the user.
Note
It is a recommended best practice that you only directly assign Business Roles to users. See Using Role Types to Design Flexible Roles for more information.
If you opt to allow another role type to be directly assignable to users (for example, the IT Role type), you may also want to be able to assign activate and deactivate dates for that role type.
To change which role types can have assignable activate dates and deactivate dates, follow these steps:
- Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.
- Locate the role object that corresponds to the role type that you wish to edit.
- Depending on how you want to update your configuration, pick the appropriate set of instructions:
- To modify a role type so that it can have directly assignable activate dates and deactivate dates, locate the following userAssignment attribute inside the role object (the manual attribute is already present because the role type is directly assignable):
<Attribute name='userAssignment'>
<Object>
<Attribute name='manual' value='true'/>
</Object>
</Attribute>
and replace it with the following:
<Attribute name='userAssignment'>
<Object>
<Attribute name='activateDate' value='true'/>
<Attribute name='deactivateDate' value='true'/>
<Attribute name='manual' value='true'/>
</Object>
</Attribute>
- To modify a role type so that it cannot have directly assignable activate dates and deactivate dates, locate the userAssignment attribute inside the role object and delete the activateDate and deactivateDate attributes, leaving the manual attribute in place, as follows:
<Attribute name='userAssignment'>
<Object>
<Attribute name='manual' value='true'/>
</Object>
</Attribute>
- Save the Role configuration object. You do not need to restart your application server(s) in order for the changes to take effect.
Enabling and Disabling Change-Approval and Change-Notification Work Items
By default, change-approval work items are enabled for all role types. This means that every time a role is changed (whether it is a Business Role, an IT Role, an Application, or an Asset), if the role has an owner, the owner must approve the change in order for the change to be made.
For more information on change-approval and change-notification work items, see Initiating Change-Approval and Approval Work Items.
To enable or disable change-approval and change-notification work items for role types, follow these steps:
- Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.
- Locate the role object that corresponds to the role type that you wish to edit.
- Locate the following attributes in the <Object> element nested inside the <Attribute name='features'> element:
<Attribute name='changeApproval' value='true'/>
<Attribute name='changeNotification' value='true'/>
- Set the attribute values to true or false as needed.
- If necessary, repeat steps 2 - 4 to configure another role type.
- Save the Role configuration object. You do not need to restart your application server(s) in order for the changes to take effect.
Configuring the Maximum Number of Rows that the Role List Page will Load
The “List Roles” page in the Administrator interface can display a configurable maximum number of rows. The default number is 500. Use the steps in this section to change the number.
To change the maximum number of rows that the “List Roles” page can display, follow these steps:
- Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.
- Locate the following attribute and change the value:
<Attribute name='roleListMaxRows' value='500'/>
- Save the Role configuration object. You do not need to restart your application server(s) in order for the changes to take effect.
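The three preceding procedures (directly assignable role types, assignable activate and deactivate dates, and change-approval and change-notification work items) and the roleListMaxRows setting all edit attributes of the same Role configuration object. The following is an added example, not Identity Manager code, that audits and edits those attributes in an exported copy of the object. The inner `<Attribute name='userAssignment'>` and `<Attribute name='features'>` fragments and the `roleListMaxRows` attribute are the ones shown in this chapter; the wrapper elements (`Configuration`, `Extension`, `roleTypes`, `List`) and the role-type object names (`BusinessRole`, `ITRole`) are assumptions made for the constructed sample and may not match a real export.

```python
"""Audit and edit role-type settings in an exported Role configuration object.
Added example, not Identity Manager code: the userAssignment/features fragments
and roleListMaxRows are the ones this chapter shows; the wrapper elements and the
role-type object names (BusinessRole, ITRole) are assumptions for the sample."""
import xml.etree.ElementTree as ET

SAMPLE_ROLE_CONFIG = """\
<Configuration name='Role'>
  <Extension>
    <Object>
      <Attribute name='roleListMaxRows' value='500'/>
      <Attribute name='roleTypes'>
        <List>
          <Object name='BusinessRole'>
            <Attribute name='userAssignment'>
              <Object>
                <Attribute name='manual' value='true'/>
                <Attribute name='activateDate' value='true'/>
                <Attribute name='deactivateDate' value='true'/>
              </Object>
            </Attribute>
            <Attribute name='features'>
              <Object>
                <Attribute name='changeApproval' value='true'/>
                <Attribute name='changeNotification' value='true'/>
              </Object>
            </Attribute>
          </Object>
          <Object name='ITRole'>
            <Attribute name='userAssignment'>
              <Object/>
            </Attribute>
          </Object>
        </List>
      </Attribute>
    </Object>
  </Extension>
</Configuration>
"""

FLAGS = {"userAssignment": ("manual", "activateDate", "deactivateDate"),
         "features": ("changeApproval", "changeNotification")}

def load_role_config(text=SAMPLE_ROLE_CONFIG):
    return ET.fromstring(text)

def _role_type(root, role_type):
    """Find the named role-type <Object>; unnamed <Object> wrappers are skipped."""
    for obj in root.iter("Object"):
        if obj.get("name") == role_type:
            return obj
    raise KeyError("unknown role type: %s" % role_type)

def _inner(role_obj, section):
    """The <Object> nested in <Attribute name=section>; created if absent."""
    for attr in role_obj.findall("Attribute"):
        if attr.get("name") == section:
            inner = attr.find("Object")
            if inner is None:  # 'is None': an empty element is falsy in ElementTree
                inner = ET.SubElement(attr, "Object")
            return inner
    raise KeyError("role type has no %s attribute" % section)

def get_flag(root, role_type, section, flag):
    """True only when the flag attribute is present with value='true'."""
    for a in _inner(_role_type(root, role_type), section).findall("Attribute"):
        if a.get("name") == flag:
            return a.get("value") == "true"
    return False

def set_flag(root, role_type, section, flag, enabled):
    """userAssignment flags are added or deleted (the chapter disables them by
    deleting the attribute); features flags are set to 'true' or 'false'."""
    if flag not in FLAGS[section]:
        raise ValueError("unknown flag %s for %s" % (flag, section))
    inner = _inner(_role_type(root, role_type), section)
    existing = [a for a in inner.findall("Attribute") if a.get("name") == flag]
    if section == "userAssignment" and not enabled:
        for a in existing:
            inner.remove(a)
        return
    value = "true" if enabled else "false"
    if existing:
        existing[0].set("value", value)
    else:
        ET.SubElement(inner, "Attribute", name=flag, value=value)

def role_list_max_rows(root, rows=None):
    """Read the List Roles page row limit (roleListMaxRows); pass rows= to set it."""
    for a in root.iter("Attribute"):
        if a.get("name") == "roleListMaxRows":
            if rows is not None:
                a.set("value", str(int(rows)))
            return int(a.get("value"))
    raise KeyError("roleListMaxRows not found")
```

The two kinds of flag are handled differently on purpose: the chapter disables direct assignment and assignable dates by deleting the attribute, whereas change approval and notification are switched with true/false values, so `set_flag` deletes in one case and rewrites the value in the other. `get_flag` treats a missing attribute as off, which is also how an empty `<Object/>` reads. Serialize the edited tree with `ET.tostring(root)` before importing it back with the procedure in Editing Identity Manager Configuration Objects.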
Synchronizing Identity Manager Roles and Resource Roles
You can synchronize Identity Manager roles with roles created natively on a resource. When synchronized, the resource is assigned, by default, to the role. This applies to roles that are created with the synchronization task, as well as existing Identity Manager roles that match one of the resource role names.
To synchronize an Identity Manager role with a Resource role, follow these steps:
Understanding and Managing Resources
Read this section for information and procedures to help you set up Identity Manager resources.
What are Resources?
Identity Manager resources store information about how to connect to a resource or system on which accounts are created. Identity Manager resources define the relevant attributes about a resource and help specify how resource information is displayed in Identity Manager.
Identity Manager provides resources for a wide range of resource types, including:
The Resources Area in the Interface
Identity Manager displays information about existing resources on the Resources page.
To access resources, select Resources on the menu bar.
Resources in the resource list are grouped by type. Each resource type is represented by a folder icon. To see currently defined resources, click the indicator next to the folder. Collapse the view by clicking the indicator again.
When you expand a resource type folder, it dynamically updates and displays the number of resource objects it contains (if it is a resource type that supports groups).
Some resources have additional objects you can manage, including the following:
Select an object from the resources list, and then make selections from one of these options lists to initiate a management task:
- Resource Actions — Perform a range of actions on resources, including edit, active synchronization, rename, and delete; as well as work with resource objects and manage resource connection.
- Resource Object Actions — Edit, create, delete, rename, save as, and find resource objects.
- Resource Type Actions — Edit resource policies, work with the account index, and configure managed resources.
When you create or edit a resource, Identity Manager launches the ManageResource workflow. This workflow saves the new or updated resource in the repository, and allows you to insert approvals or other actions before the resource is created or saved.
Managing the Resources List
Before you can create a new resource, you have to tell Identity Manager which resource types you want to be able to manage. To enable resources and create custom resources, use the “Configure Managed Resources” page.
Opening the Configure Managed Resources Page
To open the “Configure Managed Resources” page, follow these steps:
The Configure Managed Resources page has two sections:
Enabling Resource Types
Enable a resource type from the Configure Managed Resources page.
To enable a resource type, do the following:
- The Configure Managed Resources page should be open. If not, open it ((more...) ).
- In the Resources section, select the box in the Managed? column for the resource type that you want to enable.
To enable all of the listed resource types, select Manage all resources.
- Click Save at the bottom of the page.
The resource is added to the Resources list.
Adding a Custom Resource
Add a custom resource from the Configure Managed Resources page.
To add a custom resource, do the following:
- The Configure Managed Resources page should be open. If not, open it ((more...) ).
- In the Custom Resources section, click Add Custom Resource to add a row to the table.
- Enter the resource class path for the resource, or enter your custom-developed resource. For adapters provided with Identity Manager, see the Identity Manager Resources Reference for the full class path.
- Click Save to add the resource to the Resources list.
Creating Resources
Once a resource type is enabled, you can then create an instance of that resource in Identity Manager. To create a resource, use the Resource Wizard. The Resource Wizard will guide you in setting up the following items:
- Resource-specific parameters — You can modify these values from the Identity Manager interface when creating a specific instance of this resource type.
- Account attributes — Defined in the schema map for the resource. These determine how Identity Manager user attributes map to attributes on the resource.
- Account DN or identity template — Includes account name syntax for users, which is especially important for hierarchical namespaces.
- Identity Manager parameters for the resource — Sets up policies, establishes resource approvers, and sets up organization access to the resource.
Creating a Resource with the Resource Wizard
The Resource Wizard guides you through the process of configuring the Identity Manager resource adapter that will manage objects on the resource.
To create a resource, follow these steps:
- Log in to the Administrator interface.
- Click the Resources tab. Verify that the List Resources subtab is selected.
- Locate the Resource Type Actions drop-down list and select New Resource.
The “New Resource” page opens.
- Select a resource type from the drop-down list. (If the resource type you are looking for is not listed, you need to enable it. See Managing the Resources List.)
- Click New to display the Resource Wizard Welcome page.
- Click Next to begin defining the resource. Resource Wizard steps and pages display in the following order:
- Resource Parameters — Set up resource-specific parameters that control authentication and resource adapter behavior. Enter parameters, and then click Test Connection to ensure the connection is valid. On confirmation, click Next to set up account attributes.
Figure 4-15 shows the Resource Parameters page for Solaris resources. The form fields on this page are different for different resources.
Figure 4-15 Resource Wizard: Resource Parameters
- Account Attributes (schema map) — Maps Identity Manager account attributes to resource account attributes. For more information about resource account attributes, see Working with Account Attributes.
When finished, click Next to set up the Identity Template.
Figure 4-16 shows the Account Attributes page in the Resource Wizard.
Figure 4-16 Resource Wizard: Account Attributes (Schema Map)
- Identity Template — Defines account name syntax for users. This feature is particularly important for hierarchical namespaces.
- To add an attribute to the template, select it from the Insert Attribute list.
- To delete an attribute, highlight it in the string and use the delete key on your keyboard. Delete the attribute name, as well as the preceding and following $ (dollar sign) characters.
- Type of accounts — Identity Manager provides the ability to assign multiple resource accounts to a single user. For example, a user may require an administrator-level account as well as a regular user account on a particular resource. To support multiple account types on this resource, select the Type of accounts check box.
Note: You cannot select the Type of accounts check box if you have not created one or more Identity Generation rules identified by the subtype IdentityRule. Because accountIds must be distinct, different types of accounts must generate different accountIds for a given user. Identity Generation rules specify how these unique accountIds should be created.
Sample identity rules are provided in sample/identityRules.xml.
You cannot remove an account type until it is no longer referenced by other objects within Identity Manager. You cannot rename an account type.
See online Help for more information on completing the Type of accounts form.
For more information on creating multiple resource accounts for a user, see (more...) .
Figure 4-17 Resource Wizard: Identity Template
- Identity System Parameters — Sets Identity Manager parameters for the resource, including retry and policy configuration, as shown in Figure 4-18.
Figure 4-18 Resource Wizard: Identity System Parameters
Use Next and Back to move among the pages. When you complete all selections, click Save to save the resource and return to the list page.
Managing Resources
This section describes how to manage existing resources.
View the Resource List
Use the Resource List to view existing resources. The Resource List commands can be used to perform a range of edit actions on a resource.
To view the Resource List, follow these steps:
Edit a Resource Using the Resource Wizard
Use the Resource Wizard to edit resource parameters, account attributes, and identity system parameters. You can also specify the identity template that should be used for users created on the resource.
To edit a resource using the Resource Wizard, follow these steps:
- In the Identity Manager Administrator Interface, click Resources in the main menu.
The Resource List is displayed on the List Resources subtab.
- Select the resource you want to edit.
- In the Resource Actions drop-down menu, select Resource Wizard (under Edit).
The Resource Wizard opens in Edit mode for the selected resource.
Edit a Resource Using the Resource List Command Options
In addition to the Edit Resource Wizard, you can use the Resource List commands to perform a range of edit actions on a resource:
- Delete resources — Select one or more resources, and then select Delete from the Resource Actions list. You can select resources of several types at the same time. You cannot delete a resource if any roles or resource groups are associated with it.
- Search for resource objects — Select a resource, and then select Find Resource Object from the Resource Object Actions list to find a resource object (such as an organization, organizational unit, group, or person) by object characteristics.
- Manage resource objects — For some resource types, you can create new objects. Select the resource, and then select Create Resource Object from the Resource Object Actions list.
- Rename resources — Select a resource, and then select Rename from the Resource Actions list. Enter a new name in the entry box that appears, and then click Rename.
- Clone resources — Select a resource, and then select Save As from the Resource Actions list. Enter a new name in the entry box that appears. The cloned resource appears in the resource list with the name you select.
- Perform bulk operations on resources — Specify a list of resources and actions to apply (from CSV-formatted input) to all resources in the list. Then launch bulk operations to initiate the bulk-operation background task.
Working with Account Attributes
Resource account attributes (or schema maps) provide an abstract method for referring to attributes on managed resources. The schema map allows you to specify how attributes will be referred to within Identity Manager (the left side of the schema map) and how that name is mapped to the attribute name on the actual resource (the right side of the schema map). You can then refer to the Identity Manager attribute name within forms or workflow definitions and effectively reference the attribute on the resource, itself.
Figure 4-16 shows the Resource Account Attributes page.
An example of a mapping between attributes in Identity Manager and those for an LDAP resource is as follows: the Identity Manager attribute firstname is mapped to the LDAP attribute givenName.
Any reference to the Identity Manager attribute firstname is then actually a reference to the LDAP attribute givenName when an action is taken upon that resource.
When managing multiple resources from Identity Manager, mapping a common Identity Manager account attribute to many resource attributes can greatly simplify resource management. For example, the Identity Manager fullname attribute can be mapped to the Active Directory resource attribute displayName. Meanwhile, on an LDAP resource, the same Identity Manager fullname attribute can be mapped to the LDAP attribute cn. As a result, an administrator only needs to provide a fullname value once. When the user is saved, the fullname value is then passed to the resources that have different attribute names.
By setting up a schema map on the Account Attributes page of the Resource Wizard, you can do the following:
- Define attribute names and data types for attributes coming from managed resources
- Limit resource attributes to only those that are essential for your company or organization
- Create common Identity Manager attribute names to use with multiple resources
- Identify required user attributes and attribute types
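The schema-map behaviour described above, as an added example that is not Identity Manager code: one Identity Manager attribute set is translated into per-resource attribute names in both directions, unmapped attributes are dropped (which is how the map limits what a resource sees), and required attributes are enforced. The mappings firstname to givenName, fullname to displayName on Active Directory and fullname to cn on LDAP are the ones the text gives; the remaining map entries, the required-attribute sets and the user record are constructed for the example.

```python
"""Schema-map translation between Identity Manager and resource attribute names.
Added example, not Identity Manager code. firstname->givenName,
fullname->displayName (AD) and fullname->cn (LDAP) come from the text;
the other entries, the required sets and the user record are constructed."""

# Left side: Identity Manager attribute name; right side: attribute on the resource.
# 'required' stands in for the wizard's required-attribute flag (constructed).
SCHEMA_MAPS = {
    "AD": {"map": {"accountId": "sAMAccountName", "fullname": "displayName",
                   "firstname": "givenName", "lastname": "sn"},
           "required": {"accountId", "fullname"}},
    "LDAP": {"map": {"fullname": "cn", "firstname": "givenName",
                     "lastname": "sn", "email": "mail"},
             "required": {"fullname", "lastname"}},
}

def to_resource(user, resource, schema_maps=SCHEMA_MAPS):
    """Translate an Identity Manager user record into one resource's attribute
    names. Attributes the map does not list are dropped; a missing required
    attribute is an error before anything is sent to the resource."""
    entry = schema_maps[resource]
    missing = sorted(a for a in entry["required"] if not user.get(a))
    if missing:
        raise ValueError("%s: required attribute(s) missing: %s" % (resource, missing))
    return {res_attr: user[idm_attr]
            for idm_attr, res_attr in entry["map"].items() if idm_attr in user}

def from_resource(resource_attrs, resource, schema_maps=SCHEMA_MAPS):
    """Reverse direction (reading an account back): resource attribute names
    to Identity Manager names, ignoring attributes outside the map."""
    reverse = {res: idm for idm, res in schema_maps[resource]["map"].items()}
    return {reverse[k]: v for k, v in resource_attrs.items() if k in reverse}

def provision_all(user, schema_maps=SCHEMA_MAPS):
    """Provide the user once; get one attribute set per managed resource."""
    return {res: to_resource(user, res, schema_maps) for res in schema_maps}

if __name__ == "__main__":
    sample_user = {"accountId": "jdoe", "firstname": "Jane", "lastname": "Doe",
                   "fullname": "Jane Doe", "email": "jdoe@example.com"}
    print(provision_all(sample_user))
```

The fullname value is supplied once and arrives as displayName on the Active Directory side and as cn on the LDAP side, while email, which the AD map does not list, never reaches Active Directory.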
Editing Resource Account Attributes
To view or edit resource account attributes, follow these steps:
- In the Administrator interface, click Resources.
- Select the resource for which you want to view or edit the account attributes.
- In the Resource Actions list, click Edit Resource Schema.
The Edit Resource Account Attributes page opens.
Figure 4-16 shows the Resource Account Attributes page.
The left column of the schema map (titled Identity System User Attribute) contains the names of Identity Manager account attributes that are referenced by the forms used in the Identity Manager Administrator and User interfaces. The right column of the schema map (titled Resource User Attribute) contains the names of attributes from the external source.
Resource Groups
Use the resources area to manage resource groups, which let you group resources to be updated in a specific order. By including and ordering resources in a group, and assigning the group to a user, you determine the order in which that user’s resources are created, updated, and deleted.
Activities are performed on each resource in turn. If an action fails on a resource, the remaining resources are not updated. This type of relationship is important for related resources.
For example, an Exchange Server 2007 resource relies on an existing Windows Active Directory account. This account must exist before the Exchange account can be successfully created. By creating a resource group with (in order) a Windows Active Directory resource and an Exchange Server 2007 resource, you ensure the correct sequence when creating users. Conversely, this order ensures that resources are deleted in the correct sequence when you delete users.
Select Resources, and then select List Resource Groups to display a list of currently defined resource groups. From that page, click New to define a resource group. When defining a resource group, a selection area lets you choose and then order chosen resources, as well as select the organizations to which the resource group will be available.
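The ordering and stop-on-failure rule described above, as an added example that is not Identity Manager code. The Active Directory before Exchange Server 2007 dependency is the one the text gives; the adapter functions, the in-memory account store and the `ProvisionError` type are constructed stand-ins for real resource adapters. Running the same two resources in the wrong order shows why the group order matters.

```python
"""Ordered provisioning through a resource group: each resource in turn, and
on the first failure the remaining resources are not touched.
Added example, not Identity Manager code; adapters and store are constructed."""

class ProvisionError(Exception):
    """Constructed stand-in for an adapter failure."""

def make_ad_adapter(store):
    """Constructed Active Directory adapter: creates the account unconditionally."""
    def create(user):
        store.setdefault("AD", set()).add(user)
    return create

def make_exchange_adapter(store):
    """Constructed Exchange adapter: a mailbox needs an existing AD account."""
    def create(user):
        if user not in store.get("AD", set()):
            raise ProvisionError("no Active Directory account for %s" % user)
        store.setdefault("Exchange", set()).add(user)
    return create

def apply_resource_group(group, user):
    """Run each resource's action in group order. Stop at the first failure and
    report what succeeded, what failed and what was never attempted."""
    result = {"done": [], "failed": None, "skipped": []}
    for i, (name, action) in enumerate(group):
        try:
            action(user)
            result["done"].append(name)
        except ProvisionError as err:
            result["failed"] = (name, str(err))
            result["skipped"] = [n for n, _ in group[i + 1:]]
            break
    return result

def provision_in_order(user, ad_first=True):
    """Build the group in the documented order (or reversed) and apply it."""
    store = {}
    group = [("AD", make_ad_adapter(store)), ("Exchange", make_exchange_adapter(store))]
    if not ad_first:
        group.reverse()
    return apply_resource_group(group, user)

if __name__ == "__main__":
    print(provision_in_order("jdoe"))
    print(provision_in_order("jdoe", ad_first=False))
```

With Active Directory first, both accounts are created; with Exchange first, the Exchange step fails and the Active Directory step is skipped rather than run out of order, which is the behaviour the section describes for a failed action.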
Global Resource Policy
You can edit properties in the Global Resource Policy for a resource. From the Edit Global Resource Policy Attributes page, you can edit the following policy attributes:
- Default Capture Timeout — Enter a value, in milliseconds, that specifies the maximum time that the adapter should wait for the command line prompt before the adapter times out. This value applies to GenericScriptResourceAdapter or ShellScriptSourceBase adapters only. Use this setting when the results of a command or script are important and will be parsed by the adapter.
- Default Wait for Timeout — Enter a value, in milliseconds, to specify the maximum time that a scripted adapter should wait between polls before checking to see if a command has characters (or results) ready. This value applies to GenericScriptResourceAdapter or ShellScriptSourceBase adapters only. Use this setting when the results of a command or script are not examined by the adapter.
- Wait for Ignore Case — Enter a value, in milliseconds, to specify the maximum time the adapter should wait for the command line prompt before timing out. This value applies to GenericScriptResourceAdapter or ShellScriptSourceBase adapters only. Use this setting when the case (uppercase or lowercase) is irrelevant.
- Resource Account Password Policy — If applicable, select a resource account password policy to apply to the selected resource. None is the default selection.
- Excluded Resource Accounts Rule — If applicable, select a rule that governs excluded resource accounts. None is the default selection.
You must click Save to save your changes to the policy.
Setting additional Timeout values
You can modify the maxWaitMilliseconds property by editing the Waveset.properties file. The maxWaitMilliseconds property controls the frequency with which an operation’s timeout is monitored. If this value is not specified, the system uses a default value of 50.
To set this value, add the following line to the Waveset.properties file:
com.waveset.adapter.ScriptedConnection.ScriptedConnection.maxwaitMilliseconds
Bulk Resource Actions
You can perform bulk operations on resources by using a CSV-formatted file or by creating or specifying the data to apply for the operation.
Figure 4-19 shows the launch page for bulk operations using a create action.
Figure 4-19 Launch Bulk Resource Actions Page
The options available for the bulk resource operation depend on the Action you select for the operation. You can specify a single action to apply to the operation or select From Action List to specify multiple actions.
For a single action selection, you will be presented with options to specify the resource involved with the action. For a Create action, you will specify the resource type.
If you specify From Action List, use the Get action list from area to specify either the file to use that contains the actions or the actions you specify in the Input area.
Click Launch to start the operation, which runs as a background task.