Chapter 4 Roles and Resources

Read this section for information about setting up roles in Identity Manager. In large organizations, role-based resource assignments greatly simplify resource management.

What are Roles?

A role is an Identity Manager object that allows resource access rights to be grouped and efficiently assigned to users. Roles are organized into four role types:


Note	Do not confuse roles and admin-roles. Roles are used to manage end-user access to external resources. Admin-roles, on the other hand, are primarily used to manage administrator access to internal Identity Manager objects such as users, organizations, and capabilities. The information in this section discusses roles. For information about admin-roles, see Understanding and Managing Admin Roles.

Business Roles

IT Roles

Applications

Assets

Business Roles organize into groups the access rights that people who do similar tasks in an organization need to do their job duties. Typically, Business Roles represent user job functions. In a financial institution, for example, Business Roles might correspond to job functions like bank teller, loan officer, branch manager, clerk, accountant, or administrative assistant.

IT Roles, Applications, and Assets organize resource entitlements into groups. In order to provide end-users with access to resources, IT Roles, Applications, and Assets are assigned to Business Roles so that users can access the resources they need to do their jobs. IT Roles contain a specific set of Applications, Assets, and/or Resources, including specific entitlements on those assigned Resources. IT Roles can also contain other IT Roles.


Note	The concept of role types is new in Identity Manager version 8.0. If your organization upgraded to version 8.0 from an earlier version of Identity Manager, your legacy roles were imported as IT Roles. For more information, see Managing Roles Created In Versions Prior to Version 8.0.

IT Roles, Applications, and Assets can be required, conditional, or optional.

A required role will always be assigned to the end-user.

A conditional role has conditions that must evaluate to true in order for the role to be assigned.

An optional role can be requested separately, and, upon approval, assigned to the end-user.

Required, conditional, and optional roles allow a Business Role designer to define coarse-grained access to contained roles in order to achieve regulatory compliance, while still allowing flexibility for an end-user’s manager to fine-tune the end-user’s access rights. Users assigned conditional or optional roles can still share the same assigned Business Role, but have different assigned access rights. With this approach, there is no need to define a new Business Role for each permutation of access requirements within an organization (a problem known as role explosion).

Putting Role Types to Work

The following discussion describes how to use role types effectively. For role type descriptions, see the previous section.

Managing Roles Created In Versions Prior to Version 8.0

Organizations that upgraded from an earlier version of Identity Manager to version 8.0 will automatically have their legacy roles converted to IT Roles. These IT Roles will remain directly assigned to users. Legacy roles will not be assigned a role owner as part of the upgrade process. A role owner can be assigned later, however. (For information on role owners, see (more...) .)

By default, organizations that upgrade to version 8.0 can directly assign both IT Roles and Business Roles to users (see Figure 4-2).

Organizations with legacy roles should consider creating new roles based on the guidelines outlined in the next section.

Using Role Types to Design Flexible Roles

IT Roles, Applications, and Assets are the role designer’s building blocks. These three role types are used in combination to build up user entitlements (or, access rights). IT Roles, Applications, and Assets are then assigned to Business Roles.

Designing Business Roles

In Identity Manager, a user can be assigned one or more roles, or no role. With the introduction of role types in Identity Manager 8.0, it is recommended that you only directly assign Business Roles to users. In fact, by default, you cannot directly assign any of the other role types to users unless your organization had a pre-8.0 version of Identity Manager installed and upgraded to at least version 8.0. This default restriction can be changed by modifying the role configuration object ((more...) ).

To reduce complexity, Business Roles cannot be nested—that is, one Business Role cannot contain another Business Role. In addition, Business Roles cannot directly contain resources and resource groups. Instead, resources and resource groups should be assigned to either an IT Role or an Application, which can then be assigned to one or more Business Roles.

Designing IT Roles

IT Roles can contain Applications, and Assets, as well as other IT Roles. IT Roles can also contain resources and resource groups.

IT Roles are intended to be created and managed either by your organization’s IT staff, or by the resource owners who understand the entitlements that are required to enable specific privileges within the resource.

Designing Applications and Assets

Applications and Assets are role types that are intended to represent commonly used business terms to describe things that end-users need in order to do their jobs. For example, an Application role could be named “Customer Support Tools” or “Intranet HR-Tool Admin.“

Applications cannot contain roles, but they can contain resources and resource groups. Applications can also define specific entitlements that restrict access to only specific applications on contained resources.

Assets are (typically) non-connected or non-digital resources, such as mobile phones and portable computers, that require manual provisioning. Consequently, assets cannot contain roles, resources, or resource groups.

Applications and Assets are intended to be assigned to Business Roles and IT Roles.

Role Types in Summary


Note	Role administrators should be assigned one or more of the following capabilities: Asset Administrator Application Administrator Business Role Administrator IT Role Administrator See Assigning Capabilities for more information.

Figure 4-1 shows which role-types, resources, and resource-groups can be assigned to each of the four role-types. The figure also shows that role-type exclusions can be assigned to all four role-types. (Role exclusions are described on (more...) .)

Optional, conditional, and required contained-roles ((more...) ) provide added flexibility. Flexible role definitions can reduce the total number of roles your organization needs to manage.

Figure 4-2 shows that Business Roles and IT Roles are directly assignable to users if a pre-8.0 version of Identity Manager is upgraded to at least version 8.0. On upgrade, legacy roles are converted to IT Roles, and, to ensure backwards compatibility, IT Roles are directly assigned to users. If Identity Manager was not upgraded from a pre-8.0 version, then only Business Roles are directly assignable to users.

Creating Roles

When you create or edit a role, Identity Manager launches the ManageRole workflow. This workflow saves the new or updated role in the repository, and allows you to insert approvals or other actions before the role is created or saved.

Completing the Create Role Form

In the Administrator interface, click Roles in the main menu.

The Roles page (List Roles tab) opens.

Click New at the bottom of the page.

The Create IT Role page opens. To create another type of role, use the Type drop-down menu.

Complete the form fields on the Identity tab.

Figure 4-3 shows the Identity tab.

Complete the form fields on the Resources tab (if applicable). For help filling out the fields on this tab, refer to online help, and also see Assigning Resources and Resource Groups.

For help setting extended attributes values on roles, see Editing Assigned Resource Attribute Values.

Figure 4-4 shows the Resources tab.

Complete the form fields on the Roles tab (if applicable). For help filling out the fields on this tab, refer to online help, and also see Assigning Roles and Role Exclusions.

Figure 4-6 shows the Roles tab.

Complete the form fields on the Security tab. For help filling out the fields on this tab, refer to online help, and also see Designating Role Owners and Role Approvers and Designating Notifications.

Figure 4-7 shows the Security tab.

Click Save at the bottom of the page.

Entering a Name and a Description for the Role

Enter a role name and description on the Identity tab of the Create Role form. If you are creating a new role, use the Type drop-down menu to select the role-type you are creating.

Figure 4-3 shows the Create Role form’s Identity tab. For help using this form, see online help.

Assigning Resources and Resource Groups

Resources and Resource Groups can be directly assigned to IT Roles and Application roles using the Resources tab of the Create Role form. Resources are described later in this chapter on (more...) . Resource Groups are described in the section Resource Groups

Resources and Resource Groups cannot be directly assigned to Business Roles, because only roles can be assigned to Business Roles.

Resources and Resource Groups cannot be assigned to Asset roles, because Asset roles are reserved for non-connected or non-digital resources that require manual provisioning.

This procedure describes how to assign resources and resource groups to a role when completing the Create Role form. See Completing the Create Role Form to get started.

Click the Resources tab in the Create Role page.

To assign a resource, select it in the Available Resources column and move it to the Current Resources column by clicking the arrow buttons.

If you are assigning multiple resources, you can specify the order in which the resources are updated: Select the Update resources in order checkbox and use the + and - buttons to change the order of the resources in the Current Resources column.

To assign a resource group to this role, select it in the Available Resource Groups column and move it to the Current Resource Groups column by clicking the arrow buttons. A resource group is a collection of resources that provides another way to specify the order in which resource accounts are created and updated.

To specify account attributes for this role on a per resource basis, click Set Attribute Values in the Assigned Resources section. See Editing Assigned Resource Attribute Values for more information.

Click Save to save the role, or click the Identity, Roles, or Security tabs to continue with the role creation process.

Editing Assigned Resource Attribute Values

Use the Assigned Resources table to set or modify resource attribute values on resources assigned to a role. A resource can have different attribute values defined on a role-by-role basis. Clicking the Set Attribute Values button opens the Resource Account Attributes page.

From this page, you can specify new values for each attribute and determine how attribute values are set. Identity Manager enables you to directly set values or use a rule to set values. It also provides a range of options for overriding existing values or merging values with existing values.

Value override — Select one of the following options:

None — The default selection. No value is established.

Rule — Uses a rule to set the value. If you select this option, you must select a rule name from the list.

Text — Uses specified text to set the value. If you select this option, you must enter the text in the adjacent Text field.

How to set — Select one of the following options:

Default value — Makes the rule or text the default attribute value. The user can change or override this value.

Set to value — Sets the attribute value as specified by the rule or text. The value will be set and override any user changes.

Merge with value — Merges the current attribute value with the values specified by the rule or text.

Merge with value, clear existing — Removes the current attribute values; sets the value to a merger of values specified by this and other assigned roles.

Remove from value — Removes the value specified by the rule or text from the attribute value.

Authoritative set to value — Sets the attribute value as specified by the rule or text. The value will be set and override any user changes. If you remove the role, the new value is null, even if it previously existed on the attribute.

Authoritative merge with value — Merges the current attribute value with the values specified by the rule or text. If you remove the role, the new attribute value is null, even if it previously existed on the attribute.

For multi-valued attributes, you must edit the role object in the repository to indicate that it holds a comma-separated value (CSV) string—for example:

Authoritative merge with value, clear existing — Removes the current attribute values; sets the value to a merger of values specified by this and other assigned roles. Clears the attribute value specified by this role if the role is removed, even if it previously existed on the attribute.

Rule Name — If you select Rule in the Value override area, select a rule from the list.

Text — If you select Text in the Value override area, enter text to be added to, deleted from, or used as the attribute value.

Figure 4-5 shows the Resource Account Attributes page, which is used to set extended attribute values on resources assigned to a role.

Assigning Roles and Role Exclusions

Roles can be assigned to Business Roles and IT Roles using the Roles tab of the Create Role form. Assigned roles should be added to the Contained Roles table.

Roles cannot be assigned to Application roles and Asset roles.

Business roles cannot be assigned to any role type.

Role exclusions can be assigned to all four role types using the Roles tab of the Create Role form. If a role with a role exclusion is assigned to a user, the excluded role cannot also be assigned to the user. Role exclusions should be added to the Role Exclusions table.

This procedure describes how to assign one or more roles to a role when completing the Create Role form. See Completing the Create Role Form to get started.

Click the Roles tab in the Create Role page.

Click Add in the Contained Roles section.

The tab refreshes and displays the Find Roles to Contain form.

Search for the role (or roles) that you will be assigning to this role. Start first with any required roles. (You will add conditional and optional roles later.)

See (more...) for help using the search form. Business Roles cannot be nested or assigned to other role-types.

Use the checkboxes to select the role(s) to be assigned, then click Add.

The tab refreshes and displays the Add Contained Role form.

Select Required (or Conditional or Optional, as appropriate) from the Association Type drop-down menu.

Click OK.

Repeat the previous four steps to add conditional roles (if required). Repeat the previous four steps again to add optional roles (if required).

Click Save to save the role, or click the Identity, Resources, or Security tabs to continue with the role creation process.

Figure 4-6 shows the Create Role form’s Roles tab. For help using this form, see online help.

Designating Role Owners and Role Approvers

Roles have designated owners and approvers. Only role owners can authorize changes to the parameters that define the role, and only role approvers can authorize the assignment of the role to end-users.

To be a role owner is to be the business owner responsible for the underlying resource account rights that are assigned through the role. If an administrator makes changes to a role, a role owner must approve of the changes before they can be carried out. This feature guards against an administrator changing a role without a business owner’s knowledge and approval. If change approvals have been disabled in the Role configuration object, however, a role owner’s approval is not required in order for changes to be carried out.

In addition to approving role changes, roles cannot be enabled, disabled, or deleted without a role owners’ approval.

Owners and approvers can either be directly added to a role, or dynamically added using a role-assignment rule. In Identity Manager it is possible (but not recommended) to create roles without owners and approvers.

Owners and approvers are added to roles on the Security tab in the Create Role form.


Note	Role-assignment rules have an authType of RoleUserRule. If you need to create a custom role-assignment rule, refer to the three default role-assignment rule objects and use them as an example: Role Approvers Role Notifications Role Owners

Figure 4-7 shows the Create Role form’s Security tab. For help using this form, see online help.

Designating Notifications

One or more administrators can be sent notifications when a role is assigned to a user.

Specifying a notification recipient is optional. You could choose to notify an administrator if you decide not to require an approval when a role is assigned to a user. Or you could designate one administrator to serve as an approver, and, another administrator to serve as a notification recipient when the approval is made.

As with owners and approvers, notifications can either be directly added to a role, or dynamically added using a role-assignment rule. Notification recipients are notified by email when a role is assigned to a user. A work item is not created, however, because an approval is not required.

Notifications are assigned to roles on the Security tab on the Create Role form. Figure 4-7 shows the Create Role form’s Security tab.

Initiating Change-Approval and Approval Work Items

When changes are made to a role, role owners can receive a change-approval email, a change-notification email, or no email. When a role is assigned to a user, role approvers receive role approval emails.

By default, role owners are sent change-approval emails whenever the roles they own are changed. This behavior is configurable, however, on a role-type by role-type basis. For example, you could choose to enable change-approvals for Business Roles and IT Roles, and enable change-notifications for Application and Asset roles.

If change-approvals are enabled, when an administrator changes a role, a work item is generated and an approval email is sent to the role owner. A role owner must approve the work item in order for the change to be made. Change-approval work items can be delegated. See Approvals for more information.

If change-notifications are enabled, when an administrator changes a role, the change is made immediately, and a notification email is sent to the role owner.

When a role is assigned to a user, role approvers receive role approval emails. Role approval emails cannot be disabled in Identity Manager.

When a user is assigned a role, a work item is generated and an approval email is sent to the role approver. A role approver must approve the work item in order for the role to be assigned to the user.

Change-approval and approval work items can be delegated. For more information on delegating work items, see Delegating Work Items.

Editing and Managing Roles

Most role editing and role management tasks can be performed using the Find Roles and List Roles subtabs, which are located under the Roles tab in the main menu.

Searching for Roles

Use the Find Roles tab to search for roles that meet the search criteria you specify.

Using the Find Roles tab, you can search for roles based on a wide variety of criteria such as role owners and approvers, assigned account types, contained roles, and so on.

In the Administrator interface, click the Roles tab.

The List Roles tab opens.

Click the Find Roles secondary tab.

Figure 4-8 shows the Find Role tab. For help using this form, see online help.

Figure 4-8 The “Find Role” tab
Screen capture of the Find Role tab.

Use the drop-down menus to define the parameters of your search. Click the Add Row button to add additional parameters.

Viewing Roles

Use the List Roles tab to view roles. Use the filter fields at the top of the List Roles page to find roles by name or role type. Filtering is not case-sensitive.

In the Administrator interface, click the Roles tab.

The List Roles tab opens.

Figure 4-9 shows the List Roles tab. For help using this form, see online help.

Editing Roles

Search for the role you want to edit using the List Roles or Find Roles tabs. If you make changes to a role, and change approvals are set to true, a role owner must approve your changes before they can be carried out.

Search for the role you want to edit by following the instructions on (more...) or (more...) .

Click the name of the role you want to edit.

The Edit Role page opens.

Edit the role as needed. Refer to the steps in the Completing the Create Role Form section on (more...) for help completing the Identity, Resources, Roles, and Security tabs.

Click Save. The Confirm Role Changes page opens.

If this role is assigned to users, you can select when to update the users with role changes. See Updating Roles Assigned to Users for more information.

Click Save to save your changes.

Cloning Roles

Search for the role you want to edit by following the instructions on (more...) or (more...) .

Click the name of the role you want to clone.

The Edit Role page opens.

Enter a new name in the Name field, and then click Save.

The Role: Create or Rename? page opens.

Click Create to make a copy of the role.

Assigning a Role to a Role

Identity Manager’s requirements around role assignments are described in What are Roles? and Putting Role Types to Work. You should understand this information before assigning roles.

Identity Manager will change a role’s role assignments if the role-owner of the parent role approves.

Search for the Business Role or IT Role to which you will be assigning one or more contained roles. (Roles can only be assigned to Business Roles and IT Roles.) Use the instructions on (more...) or (more...) to search for roles.

Click the Business Role or IT Role to open it.

The Edit Role page opens.

Click the Roles tab in the Edit Role page.

Click Add in the Contained Roles section.

The tab refreshes and displays the Find Roles to Contain form.

Search for the role (or roles) that you will be assigning to this role. Start first with any required roles. (You will add conditional and optional roles later.)

See (more...) for help using the search form. Business Roles cannot be nested or assigned to other role-types.

Use the checkboxes to select the role(s) to be assigned, then click Add.

The tab refreshes and displays the Add Contained Role form.

Select Required (or Conditional or Optional, as appropriate) from the Association Type drop-down menu.

Click OK.

Repeat the previous four steps to add conditional roles (if required). Repeat the previous four steps again to add optional roles (if required).

Click Save to open the Confirm Role Changes page.

The Confirm Role Changes page opens.

In the Update Assigned Users section select an Update Assigned Users menu option. See Updating Roles Assigned to Users for more information.

Click Save to save your role assignments

Removing a Role From a Role

Identity Manager will remove a contained role from another role if the role-owner of the parent role approves. The removed role will be removed from users when users receive role updates. (See Updating Roles Assigned to Users for more information.) When the role is removed, users lose the entitlements that were bestowed by the role.

For information on removing a role assigned to one or more users, see Removing Roles Assigned to Users.

For information on disabling a role, see Enabling and Disabling Roles.

For information on deleting a role from Identity Manager, see Deleting Roles.

Search for the Business Role or IT Role from which you want to remove a role. Use the instructions on (more...) or (more...) to search for roles.

Click the role to open it.

The Edit Role page opens.

Click the Roles tab in the Edit Role page.

In the Contained Roles section, select the checkbox next to the role that you want to remove, then click Remove. Select multiple checkboxes to remove multiple roles.

The table updates to show the remaining contained roles.

Click Save.

The Confirm Role Changes page opens.

In the Update Assigned Users section select an Update Assigned Users menu option. See Updating Roles Assigned to Users for more information.

Click Save to finalize your changes.

Enabling and Disabling Roles

Roles can be enabled and disabled on the List Roles tab. Role status is displayed in the Status column. Click the Status column header to sort the table by role status.

Roles that are disabled do not appear on the Roles tab in the Create/Edit user form and cannot be directly assigned to users. Roles that contain disabled roles can be assigned to users, but the disabled roles cannot be assigned.

Users who are assigned roles that are later disabled do not lose their entitlements. Role disablement only blocks future role assignments from occurring.

Upon enabling or disabling a role with assigned users, Identity Manager will prompt you to update these users. For more information, see Updating Roles Assigned to Users.

Search for the role you want to delete by following the instructions on (more...) or (more...) .

Click the checkboxes next to the roles that need to be enabled or disabled.

Click Enable or Disable at the bottom of the Roles table.

The Enable Role or Disable Role confirmation page opens.

Click OK to enable or disable the role.

Deleting Roles

For information on removing a role assigned to another role, see Removing a Role From a Role.

For information on removing a role assigned to one or more users, see Removing Roles Assigned to Users.

If you delete a role that is currently assigned to a user, Identity Manager blocks the deletion when you try to save the role. You must unassign (or reassign) all users assigned to a role before Identity Manager can delete it. You also must remove the role from any other roles.

Identity Manager requires a role owner’s approval before it will delete a role.

Search for the role you want to delete by following the instructions on (more...) or (more...) .

Select the checkbox next to each role that you want to delete.

Click Delete.

The Delete Role confirmation page displays.

Click OK to delete the role(s).

Assigning a Resource or Resource Group to a Role

Identity Manager’s requirements around resource and resource group assignments are described in What are Roles? and Putting Role Types to Work. You should understand this information before assigning resources to roles.

Identity Manager will change a role’s resource and resource group assignments if the role-owner approves.

Search for the IT Role or Application to which you want to add a resource or resource group. For instructions on how to search for a role, see (more...) or (more...) .

Click the role to open it.

Click the Resources tab in the Edit Role page.

To assign a resource, select it in the Available Resources column and move it to the Current Resources column by clicking the arrow buttons.

Click Save to open the Confirm Role Changes page.

The Confirm Role Changes page opens.

In the Update Assigned Users section select an Update Assigned Users menu option. See Updating Roles Assigned to Users for more information.

Click Save to save your resource assignments.

Removing a Resource or Resource Group from a Role

Identity Manager will remove a resource or resource group from a role if the role-owner approves. The removed resource will be removed from users when users receive role updates. (See Updating Roles Assigned to Users for more information.) When the resource is removed, users lose their entitlements on that resource unless the resource is also directly assigned to the user.

To remove a resource or resource group assigned to a role, follow these steps:

Search for the IT Role or Application from which you want to remove a resource or resource group. Use the instructions on (more...) or (more...) to search for roles.

Click the role to open it.

The Edit Role page opens.

Click the Resources tab in the Edit Role page.

To remove a resource, select it in the Current Resources column and move it to the Available Resources column by clicking the arrow buttons.

To remove a resource group, select it in the Current Resource Groups column and move it to the Available Resource Groups column by clicking the arrow buttons.

Click Save.

The Confirm Role Changes page opens.

In the Update Assigned Users section select an Update Assigned Users menu option. See Updating Roles Assigned to Users for more information.

Click Save to finalize your changes.

Managing User Role Assignments

Assigning Roles to Users

Activating and Deactivating Roles on Specific Dates

Updating Roles Assigned to Users

Finding Users Assigned to a Role

Removing Roles Assigned to Users

Assigning Roles to Users

End-users can also make role assignment requests for themselves. (Only optional roles where the parent role is already assigned to the user can be requested.) See Requests in the Identity Manager End-User Interface section for information on how end-users can request available roles.

In the Administrator interface, click the Accounts tab.

The List Accounts subtab opens.

To assign a role to an existing user, follow these steps:

Click the user’s name in the User List.

Click the Roles tab.

Click Add to add one or more roles to the user account.

By default, only Business Roles can be directly assigned to users. (If your installation of Identity Manager was upgraded from a pre-8.0 version, both Business Roles and IT Roles can be directly assigned to users.)

In the table of roles, select the role(s) you want to assign to the user and then click OK.

To sort the table alphabetically by Name, Type, or Description, click the column headers. Click a second time to reverse sort. To filter the list by role type, make a selection from the Current drop-down menu.

The table updates to show the selected role assignment(s), plus any required role assignments that are connected to the parent role assignment(s).

Click Add to view optional role assignments that can also be assigned to the user.

Select the optional role(s) to be assigned to the user and click OK.

(Optional) In the Activate On column, select the date that the role should become active. If you do not specify a date, the role assignment will become active as soon as a designated role approver approves the role assignment.

To make the role assignment temporary, select the date that the role should become inactive in the Deactivate On column. Role deactivation takes effect at the beginning of the selected day.

See Activating and Deactivating Roles on Specific Dates for more information.

Click Save.

Activating and Deactivating Roles on Specific Dates

When assigning a role to a user, you can specify an activate date and a deactivate date. Role-assignment work-item requests are created when the assignment is made. If a role assignment is not approved by the scheduled activation date, however, the role is not assigned. Role activations and deactivations take place a little after midnight (12:01 AM) on the date scheduled.

By default, only Business Roles can have activate dates and deactivate dates. All other role-types inherit the activate date and deactivate date of the Business Role that is directly assigned to the user. Identity Manager can be configured to allow other role types to have directly assignable activate and deactivate dates. For instructions, see (more...) .

Scheduling the Deferred Task Scanner Task

The Deferred Task Scanner scans user role assignments and activates and deactivates roles as needed. By default, the Deferred Task Scanner task runs every hour.

In the Administrator interface, click Server Tasks.

Click Manage Schedule in the secondary menu.

In the Tasks Available For Scheduling section, click on the Deferred Task Scanner TaskDefinition.

The “Create New Deferred Task Scanner Task Schedule” page opens.

Complete the form. For help, refer to the i-Helps and online help.

To specify a date and time when the task should run, in Start Date use the format mm/dd/yyyy hh:mm:ss. For example, to schedule a task to start running at 7:00 P.M. on September 29, 2008, type 09/29/2008 19:00:00.

In the Result Options drop-down menu, select rename. If you select wait, future instances of this task will not run until you remove the previous results. See online help for more information on the various Result Options settings.

Click Save to save the task.

Updating Roles Assigned to Users

When editing roles assigned to users you can choose to update users with the new role changes immediately, or defer the update to run during a scheduled maintenance window.

Upon making changes to a role, the Confirm Role Changes page opens. The Confirm Roles Changes page is shown in Figure 4-11 on (more...) .

The Update Assigned Users section of this page displays the number of users who currently have the role assigned.

Use the Update Assigned Users menu to select whether to immediately update users with the new role changes (Update), to defer updating users until a later time (Do not update), or to select a custom scheduled update task.

Because Update updates users immediately, you should avoid choosing this option if a large number of users will be affected. Updating users can be time and resource-intensive. If many users need to be updated, it is preferable to schedule the update for off-peak hours.

When Do not update is selected for a role, users assigned to the role will not receive role updates until an administrator views the user’s user profile or until the user is updated by the Update Role Users task. For information on scheduling the Update Role Users task, see the next section.

If you have created an Update Role Users task schedule, you can select it from the menu. The selected Update Role Users task will update users assigned to the role according to the schedule defined for the task. See the next section for more information.

Figure 4-11 shows the Confirm Role Changes page. The Update Assigned Users section displays the number of users who currently have this role assigned. The Update Assigned Users drop-down menu has two default options: Do not update and Update. You can also select from a list of scheduled Update Role Users tasks. For instructions on creating scheduled Update Role Users tasks, see Scheduling the Update Role Users Task.

You can update users assigned to roles by selecting one or more roles and clicking the Update Assigned Users button. This procedure runs an instance of the Update Role Users Task for the roles specified.

Search for the role (or roles) whose assigned users should be updated by following the instructions on (more...) or (more...) .

Select the role (or roles) using the checkboxes.

Click Update Assigned Users.

The Update Users Assigned to Roles page (Figure 4-12) displays.

Click Launch to start the update.

Check the status of the Update Role Users task by clicking Server Tasks in the main menu, then click All Tasks in the secondary menu.

Figure 4-12

The Update Users Assigned to Roles page

Scheduling the Update Role Users Task

It is recommended that an Update Role Users task be scheduled to run on a regular basis.

To update users with outstanding role changes, schedule the Update Role Users task using the following steps:

In the Administrator interface, click Server Tasks.

Click Manage Schedule in the secondary menu.

In the Tasks Available For Scheduling section, click on the Update Role Users TaskDefinition.

The “Create New Update Role Users Task Schedule” page opens, or, if you are editing an existing task, the “Edit Task Schedule” page opens (Figure 4-13).

Complete the form. For help, refer to the i-Helps and online help.

Click Save to save the task.

Figure 4-13 shows the scheduled task form for the Update Role Users task. Specific roles can be assigned to specific Update Role Users tasks (as shown in the Task Parameters section.) See Updating Roles Assigned to Users for more information.

Finding Users Assigned to a Role

In the Administrator interface, click Accounts.

Click Find Users in the secondary menu. The Find Users page opens.

Locate the search type User has [Select Role Type...] role assigned.

Select the option box and use the Select Role Type... drop-down menu to filter the list of available roles.

A second role menu opens.

Select a role.

Clear the other search-type checkboxes, unless you want to narrow your search further.

Click Search.

Figure 4-14 Searching for users assigned a role using the Find Users page

Removing Roles Assigned to Users

Using the Edit User page, one or more roles can be removed from a user account. Only a directly assigned role can be removed. Indirectly assigned roles (that is, conditional and/or required contained roles) are removed when the parent role is removed. Another way for an indirectly assigned role to be removed from a user is if the role is removed from the parent role (see Removing a Role From a Role).

In the Administrator interface, click the Accounts tab.

The List Accounts subtab opens.

Click the user from which you want to remove a rule (or rules).

The Edit User page opens.

Click the Roles tab.

In the table of roles, select the role(s) you want to remove from the user and then click OK.

To sort the table alphabetically by Name, Type, Activate On, Deactivate On, Assigned By, or Status, click the column headers. Click a second time to reverse sort. To filter the list by role type, make a selection from the Current drop-down menu.

The table shows the parent role assignment(s) (those roles that can be selected), plus any role assignments that are connected to the parent role assignment(s) (those roles that cannot be selected).

Click Remove.

The table of assigned roles updates to show the remaining assigned roles.

Click Save.

The Update Resource Accounts page opens. Deselect any resource accounts that you do not want removed.

Click Save to save your changes.

Configuring Role Types

Role Type functionality can be modified by editing the Role configuration object.

Configuring Role Types to be Directly Assignable to Users

By default, only certain role types can be directly assigned to users. To change these settings, use the following steps.

To change which role types can be directly assigned to users, follow these steps:


Note	It is a recommended best practice that you only directly assign Business Roles to users. See Using Role Types to Design Flexible Roles for more information.

Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.

Locate the role object that corresponds to the role type that you wish to edit.

To edit the IT Role, locate Object name='ITRole'

To edit the Application Role, locate Object name='ApplicationRole'

To edit the Asset Role, locate Object name='AssetRole'

Depending on how you want to update your configuration, pick the appropriate set of instructions:

To modify a role type so that it can be directly assigned to a user, locate the following userAssignment attribute inside the role object:

And replace it with the following:

To modify a role type so that it cannot be directly assigned to a user, locate the userAssignment attribute inside the role object and delete the manual attribute as follows:

Save the Role configuration object. You do not need to restart your application server(s) in order for the changes to take effect.

Enabling Role Types for Assignable Activation Dates and Deactivation Dates

By default, only Business Roles can have activate dates and deactivate dates that can be specified when roles are assigned. All other roles will inherit the activate date /deactivate date of the Business Role that is directly assigned to the user.

If you opt to allow another role type to be directly assignable to users (for example, the IT Role type), you may also want to be able to assign activate and deactivate dates for that role type.


Note	It is a recommended best practice that you only directly assign Business Roles to users. See Using Role Types to Design Flexible Roles for more information.

To change which role types can have assignable activate dates and deactivate dates, follow these steps:

Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.

Locate the role object that corresponds to the role type that you wish to edit.

To edit the Business Role, locate Object name='BusinessRole'

To edit the IT Role, locate Object name='ITRole'

To edit the Application Role, locate Object name='ApplicationRole'

To edit the Asset Role, locate Object name='AssetRole'

Depending on how you want to update your configuration, pick the appropriate set of instructions:

To modify a role type so that it can have directly assignable activate dates and deactivate dates, locate the following userAssignment attribute inside the role object:

And replace it with the following:

To modify a role type so that it cannot have directly assignable activate dates and deactivate dates, locate the userAssignment attribute inside the role object and delete the activateDate and deactivateDate attributes as follows:

Save the Role configuration object. You do not need to restart your application server(s) in order for the changes to take effect.

Enabling and Disabling Change-Approval and Change-Notification Work Items

By default, change-approval work items are enabled for all role types. This means that every time a role is changed (whether it is a Business Role, an IT Role, an Application, or an Asset), if the role has an owner, the owner must approve the change in order for the change to be made.

To enable or disable change-approval and change-notification work items for role types, follow these steps:

Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.

Locate the role object that corresponds to the role type that you wish to edit.

To edit the Business Role, locate Object name='BusinessRole'

To edit the IT Role, locate Object name='ITRole'

To edit the Application Role, locate Object name='ApplicationRole'

To edit the Asset Role, locate Object name='AssetRole'

Locate the following attributes located in the <Object> element, which is located in the <Attribute name=’features’> element:

Set the attribute values to true or false as needed.

If necessary, repeat steps 2 - 4 to configure another role type.

Save the Role configuration object. You do not need to restart your application server(s) in order for the changes to take effect.

Configuring the Maximum Number of Rows that the Role List Page will Load

The “List Roles” page in the Administrator interface can display a configurable maximum number of rows. The default number is 500. Use the steps in the section to change the number.

To change the maximum number of rows that the “List Roles” page can display, follow these steps:

Open the Role configuration object for editing using the steps in Editing Identity Manager Configuration Objects.

Locate the following attribute and change the value:

Save the Role configuration object. You do not need to restart your application server(s) in order for the changes to take effect.

Synchronizing Identity Manager Roles and Resource Roles

You can synchronize Identity Manager roles with roles created natively on a resource. When synchronized, the resource is assigned, by default, to the role. This applies to roles that are created with the synchronization task, as well as existing Identity Manager roles that match one of the resource role names.

To synchronize an Identity Manager role with a Resource role, follow these steps:

In the Administrator interface, click Server Tasks in the main menu.

Click Run Tasks. The Available Tasks page opens.

Click the Synchronize Identity System Roles with Resource Roles task.

Complete the form. Click Help for more information.

Click Launch.

Understanding and Managing Resources

Read this section for information and procedures to help you set up Identity Manager resources.

What are Resources?

Identity Manager resources store information about how to connect to a resource or system on which accounts are created. Identity Manager resources define the relevant attributes about a resource and help specify how resource information is displayed in Identity Manager.

Identity Manager provides resources for a wide range of resource types, including:

Mainframe security managers

Databases

Directory services

Operating systems

Enterprise Resource Planning (ERP) systems

Messaging platforms

The Resources Area in the Interface

Identity Manager displays information about existing resources on the Resources page.

Resources in the resource list are grouped by type. Each resource type is represented by a folder icon. To see currently defined resources, click the indicator next to the folder. Collapse the view by clicking the indicator again.

When you expand a resource type folder, it dynamically updates and displays the number of resource objects it contains (if it is a resource type that supports groups).

Organizations

Organizational units

Groups

Roles

Select an object from the resources list, and then make selections from one of these options lists to initiate a management task:

Resource Actions — Perform a range of actions on resources, including edit, active synchronization, rename, and delete; as well as work with resource objects and manage resource connection.

Resource Object Actions — Edit, create, delete, rename, save as, and find resource objects.

Resource Type Actions — Edit resource policies, work with the account index, and configure managed resources.

When you create or edit a resource, Identity Manager launches the ManageResource workflow. This workflow saves the new or updated resource in the repository, and allows you to insert approvals or other actions before the resource is created or saved.

Managing the Resources List

Before you can create a new resource, you have to tell Identity Manager which resource types you want to be able to manage. To enable resources and create custom resources, use the “Configure Managed Resources” page.

Opening the Configure Managed Resources Page

Locate the Resource Type Actions drop-down list and select Configure Managed Resources.

The Configure Managed Resources page opens.

Resources — This section lists resource types that are commonly found in large enterprise environments. The version of the Identity Manager adapter that connects to the resource is listed in the Version column.

Custom resources — This section is used to add custom resources to the Resources list.

Enabling Resource Types

The Configure Managed Resources page should be open. If not, open it ((more...) ).

In the Resources section, select the box in the Managed? column for the resource type that you want to enable.

To enable all of the listed resource types, select Manage all resources.

Click Save at the bottom of the page.

The resource is added to the Resources list.

Adding a Custom Resource

The Configure Managed Resources page should be open. If not, open it ((more...) ).

In the Custom Resources section, click Add Custom Resource to add a row to the table.

Enter the resource class path for the resource, or enter your custom-developed resource. For adapters provided with Identity Manager, see the Identity Manager Resources Reference for the full class path.

Click Save to add the resource to the Resources list.

Creating Resources

Once a resource type is enabled, you can then create an instance of that resource in Identity Manager. To create a resource, use the Resource Wizard. The Resource Wizard will guide you in setting up the following items:

Resource-specific parameters — You can modify these values from the Identity Manager interface when creating a specific instance of this resource type.

Account attributes — Defined in the schema map for the resource. These determine how Identity Manager user attributes map to attributes on the resource.

Account DN or identity template — Includes account name syntax for users, which is especially important for hierarchical namespaces.

Identity Manager parameters for the resource — Sets up policies, establishes resource approvers, and sets up organization access to the resource.

The Resource Wizard guides you through the process of configuring the Identity Manager resource adapter that will manage objects on the resource.

Click the Resources tab. Verify that the List Resources subtab is selected.

Locate the Resource Type Actions drop-down list and select New Resource.

The “New Resource” page opens.

Select a resource type from the drop-down list. (If the resource type you are looking for is not listed, you need to enable it. See Managing the Resources List.)

Click New to display the Resource Wizard Welcome page.

Click Next to begin defining the resource. Resource Wizard steps and pages display in the following order:

Resource Parameters — Set up resource-specific parameters that control authentication and resource adapter behavior. Enter parameters, and then click Test Connection to ensure the connection is valid. On confirmation, click Next to set up account attributes.

Figure 4-15 shows the Resource Parameters page for Solaris resources. The form fields on this page are different for different resources.

Figure 4-15 Resource Wizard: Resource Parameters
Set up resource parameters in the Resource Wizard.

Account Attributes (schema map) — Maps Identity Manager account attributes to resource account attributes. For more information about resource account attributes, see Working with Account Attributes.

To add an attribute, click Add Attribute.

To remove one or more attributes, select the boxes next to the attribute and click Remove Selected Attribute(s).

When finished, click Next to set up the Identity Template.

Figure 4-16 shows the Account Attributes page in the Resource Wizard.

Figure 4-16 Resource Wizard: Account Attributes (Schema Map)
The schema map maps Identity Manager account attributes to resource account attributes.

Identity Template — Defines account name syntax for users. This feature is particularly important for hierarchical namespaces.

To add an attribute to the template, select it from the Insert Attribute list.

To delete an attribute, highlight it in the string and use the delete key on your keyboard. Delete the attribute name, as well as the preceding and following $ (dollar sign) characters.

Type of accounts—Identity Manager provides the ability to assign multiple resource accounts to a single user. For example, a user may require an administrator-level account as well as a regular user account on a particular resource. To support multiple account types on this resource, select the Type of accounts check box.

Note: You cannot select the Type of accounts check box if you have not created one or more Identity Generation rules identified by the subtype IdentityRule. Because accountIds must be distinct, different types of accounts must generate different accountIds for a given user. Identity Generation rules specify how these unique accountIds should be created.

Sample identity rules are provided in sample/identityRules.xml.

You cannot remove an account type until it is no longer referenced by other objects within Identity Manager. You cannot rename an account type.

See online Help for more information on completing the Type of accounts form.

For more information on creating multiple resource accounts for a user, see (more...) .

Figure 4-17 Resource Wizard: Identity Template
Screen capture of the Resource Wizard - Identity Template. Use the drop-down list to add attributes to the Identity Template.

Identity System Parameters — Sets Identity Manager parameters for the resource, including retry and policy configuration, as shown in Figure 4-18.

Figure 4-18 Resource Wizard: Identity System Parameters
Use the Identity Manager Parameters page to set up retry and policy configuration, as well as ActiveSync configuration.

Use Next and Back to move among the pages. When you complete all selections, click Save to save the resource and return to the list page.

Managing Resources

View the Resource List

Use the Resource List to view existing resources. The Resource List commands can be used to perform a range of edit actions on a resource.

Click Resources in the main menu.

The Resource List is displayed on the List Resources subtab.

Edit a Resource Using the Resource Wizard

Use the Resource Wizard to edit resource parameters, account attributes, and identity system parameters. You can also specify the identity template that should be used for users created on the resource.

In the Identity Manager Administrator Interface, click Resources in the main menu.

The Resource List is displayed on the List Resources subtab.

Select the resource you want to edit.

In the Resource Actions drop-down menu, select Resource Wizard (under Edit).

The Resource Wizard opens in Edit mode for the selected resource.

Edit a Resource Using the Resource List Command Options

In addition to the Edit Resource Wizard, you can use the Resource List commands to perform a range of edit actions on a resource:

Delete resources — Select one or more resources, and then select Delete from the Resource Actions list. You can select resources of several types at the same time. You cannot delete a resource if any roles or resource groups are associated with it.

Search for resource objects — Select a resource, and then select Find Resource Object from the Resource Object Actions list to find a resource object (such as an organization, organizational unit, group, or person) by object characteristics.

Manage resource objects — For some resource types, you can create new objects. Select the resource, and then select Create Resource Object from the Resource Object Actions list.

Rename resources — Select a resource, and then select Rename from the Resource Actions list. Enter a new name in the entry box that appears, and then click Rename.

Clone resources — Select a resource, and then select Save As from the Resource Actions list. Enter a new name in the entry box that appears. The cloned resource appears in the resource list with the name you select.

Perform bulk operations on resources — Specify a list of resources and actions to apply (from CSV-formatted input) to all resources in the list. Then launch bulk operations to initiate the bulk-operation background task.

Working with Account Attributes

Resource account attributes (or schema maps) provide an abstract method for referring to attributes on managed resources. The schema map allows you to specify how attributes will be referred to within Identity Manager (the left side of the schema map) and how that name is mapped to the attribute name on the actual resource (the right side of the schema map). You can then refer to the Identity Manager attribute name within forms or workflow definitions and effectively reference the attribute on the resource, itself.

An example of a mapping between attributes in Identity Manager and those for an LDAP resource is as follows:

Identity Manager Attribute		LDAP Resource Attribute
firstname	<-->	givenName
lastname	<-->	sn

Any reference to the Identity Manager attribute, firstname, is actually a reference to the LDAP attribute, givenName when an action is taken upon that resource.

When managing multiple resources from Identity Manager, mapping a common Identity Manager account attribute to many resource attributes can greatly simplify resource management. For example, the Identity Manager fullname attribute can be mapped to the Active Directory resource attribute displayName. Meanwhile, on an LDAP resource, the same Identity Manager fullname attribute can be mapped to the LDAP attribute cn. As a result, an administrator only needs to provide a fullname value once. When the user is saved, the fullname value is then passed to the resources that have different attribute names.

By setting up a schema map on the Account Attributes page of the Resource Wizard, you can do the following:

Define attribute names and data types for attributes coming from managed resources

Limit resource attributes to only those that are essential for your company or organization

Create common Identity Manager attribute names to use with multiple resources

Identify required user attributes and attribute types

Editing Resource Account Attributes

In the Administrator interface, click Resources.

Select the resource for which you want to view or edit the account attributes.

In the Resource Actions list, click Edit Resource Schema.

The Edit Resource Account Attributes page opens.

Figure 4-16 shows the Resource Account Attributes page.

The left column of the schema map (titled Identity System User Attribute) contains the names of Identity Manager account attributes that are referenced by the forms used in the Identity Manager Administrator and User interfaces. The right column of the schema map (titled Resource User Attribute) contains the names of attributes from the external source.

Resource Groups

Use the resources area to manage resource groups, which let you group resources to be updated in a specific order. By including and ordering resources in a group, and assigning the group to a user, you determine the order in which that user’s resources are created, updated, and deleted.

Activities are performed on each resource in turn. If an action fails on a resource, the remaining resources are not updated. This type of relationship is important for related resources.

For example, an Exchange Server 2007 resource relies on an existing Windows Active Directory account. This account must exist before the Exchange account can be successfully created. By creating a resource group with (in order) a Windows Active Directory resource and an Exchange Server 2007 resource, you ensure the correct sequence when creating users. Conversely, this order ensures that resources are deleted in the correct sequence when you delete users.

Select Resources, and then select List Resource Groups to display a list of currently defined resource groups. From that page, click New to define a resource group. When defining a resource group, a selection area lets you choose and then order chosen resources, as well as select the organizations to which the resource group will be available.

Global Resource Policy

You can edit properties in the Global Resource Policy for a resource. From the Edit Global Resource Policy Attributes page, you can edit the following policy attributes:

Default Capture Timeout — Enter a value, in milliseconds, that specifies the maximum time that the adapter should wait from the command line prompt before the adapter times out. This value applies to GenericScriptResourceAdapter or ShellScriptSourceBase adapters only. Use this setting when the results of a command or script are important and will be parsed by the adapter.

Default Wait for Timeout — Enter a value, in milliseconds, to specify the maximum time that a scripted adapter should wait between polls before checking to see if a command has characters (or results) ready. This value applies to GenericScriptResourceAdapter or ShellScriptSourceBase adapters only. Use this setting when the results of a command or script are not examined by the adapter.

Wait for Ignore Case — Enter a value, in milliseconds, to specify the maximum time the adapter should wait for the command line prompt before timing out. This value applies to GenericScriptResourceAdapter or ShellScriptSourceBase adapters only. Use this setting when the case (uppercase or lowercase) is irrelevant.

Resource Account Password Policy — If applicable, select a resource account password policy to apply to the selected resource. None is the default selection.

Excluded Resource Accounts Rule — If applicable, select a rule that governs excluded resource accounts. None is the default selection.

Setting additional Timeout values

You can modify the maxWaitMilliseconds property by editing the Waveset properties file. The maxWaitMilliseconds property controls the frequency in which an operation’s timeout will be monitored. If this value is not specified, the system will use a default value of 50.

Bulk Resource Actions

You can perform bulk operations on resources by using a CSV-formatted file or by creating or specifying the data to apply for the operation.

The options available for the bulk resource operation depend on the Action you select for the operation. You can specify a single action to apply to the operation or select From Action List to specify multiple actions.

Previous Contents Index Next
Sun[TM] Identity Manager 8.0 Administration


Note	The actions you enter in the input area list or in the file must be in comma-separated value (CSV) format.