Assigned employees obtain all the permissions of the permission group to which the application role (or a parent application role) is assigned. In addition, employees obtain the company resources assigned to the application role.
If there are no employees directly assigned to an application role, the employees of the parent application role inherit the permissions.
NOTE: The application roles Base roles | Everyone (Change), Base roles | Everyone (Lookup), Base roles | Employee Managers, and Base roles | Birthright Assignments are assigned to employees automatically. Do not make any manual assignments to these application roles.
To assign employees to an application role
- In the Manager, select an application role in the One Identity Manager Administration category.
- Select the Assign employees task.
- In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove assigned employees.
To remove an assignment
- Save the changes.
For role-based login, application roles must be linked to a permissions group in which the permissions for One Identity Manager are defined. The application role is given the permissions of the associated permissions group. If no permissions group is assigned, the application role obtains its permissions from the parent application role.
Some of the default application roles are already assigned permissions groups. These permissions groups have the permissions for the tables and columns and are equipped with menu items, forms, tasks, and program functions, which allow the application data to be edited in the Manager and in the Web Portal.
You can assign customized permissions groups to application roles so that the permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.
NOTE: You can simplify the grouping of permissions by linking permissions groups hierarchically. Permissions in hierarchical permissions groups are inherited from top to bottom. That means a permissions group contains all the permissions of its parent permissions groups.
Proceed as follows:
- In the Designer, create a new permissions group.
NOTE: Set the Only use for role-based authentication option for the permissions group.
- In the Designer, make the new permissions group dependent on the default permissions group of the application role. Assign the default permissions group as a parent permissions group. This means the newly defined permissions group inherits the properties of the default permissions group.
- In the Designer, grant additional edit permissions for menu items, forms, tables, or columns.
- In the Manager, assign the new permissions group to the application role.
A user who logs in to the Manager or to the Web Portal with an application role changed in this way receives – in addition to the default privileges of this application role – the custom permissions.
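The inheritance rules above (a permissions group holds its parents' permissions, an application role without a group falls back to its parent role) can be checked before a custom group goes live. The following is an added example that models those rules in plain Python; it is not the One Identity Manager API, and the group names, role names, and "Table:read"/"Table:write" permission strings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed model of the inheritance rules described in this guide.
# It is not One Identity Manager code; it only makes the rules checkable.

@dataclass
class PermissionsGroup:
    name: str
    permissions: Set[str]                       # e.g. {"Person:read", "Person:write"}
    parents: List["PermissionsGroup"] = field(default_factory=list)

    def effective(self) -> Set[str]:
        # Hierarchical groups inherit top to bottom: own permissions
        # plus everything held by the parent groups.
        perms = set(self.permissions)
        for parent in self.parents:
            perms |= parent.effective()
        return perms

@dataclass
class ApplicationRole:
    name: str
    group: Optional[PermissionsGroup] = None
    parent: Optional["ApplicationRole"] = None

    def effective(self) -> Set[str]:
        # A role takes its assigned group's permissions; with no group
        # assigned it obtains the permissions of the parent role.
        if self.group is not None:
            return self.group.effective()
        if self.parent is not None:
            return self.parent.effective()
        return set()

def missing_write_permissions(custom: PermissionsGroup, default: PermissionsGroup) -> Set[str]:
    # The check the guide asks for: every write permission of the default
    # group must still be present in the custom group that replaces it.
    default_writes = {p for p in default.effective() if p.endswith(":write")}
    return default_writes - custom.effective()

def build_example():
    # Constructed sample data (hypothetical names and permissions).
    default = PermissionsGroup("DefaultGroup", {"Person:read", "Person:write", "Org:read"})
    custom_ok = PermissionsGroup("CustomGroup", {"Department:write"}, parents=[default])
    custom_bad = PermissionsGroup("StandaloneGroup", {"Person:read", "Department:write"})
    parent_role = ApplicationRole("Identity Management", group=default)
    child_role = ApplicationRole("Identity Management | Administrators", parent=parent_role)
    return default, custom_ok, custom_bad, parent_role, child_role
```

`custom_ok` is built the way the procedure above describes (default group as parent) and loses no write permission; `custom_bad` was created standalone and the check reports the write permission it drops.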
Use this task to assign employees to an application role through dynamic roles. For more information about using dynamic roles, see the One Identity Manager Identity Management Base Module Administration Guide.
NOTE: The task Create dynamic role is only available for application roles that do not have the option Dynamic roles not allowed set.
To create a dynamic role for the application role
- In the Manager, in the One Identity Manager Administration category, select the application role.
- Select the Create dynamic role task.
- Enter the required main data. The following applies to dynamic roles for application roles:
  - Object class: Select Employee.
  - Application role: This data is preset with the selected application role. If these objects fulfill the dynamic role conditions, they become members in the application role.
  - Dynamic role: By default, the dynamic role name is made up of the object class and the full name of the application role.
- Save the changes.
To edit a dynamic role
- In the Manager, in the One Identity Manager Administration category, select the application role.
- Select the Application role overview task.
- In the overview form, click the dynamic role name in the Dynamic roles form element.
- Select the Change main data task.
- Edit the dynamic role.
- Save the changes.