
Identity Manager 8.0 - Application Roles Administration Guide

Application Roles for Custom Tasks

NOTE: This application role is available if the Identity Management Base Module is installed.

The following custom functions are available for application roles:

Table 12: Application Roles
Application Role Description


Administrators must be assigned to the application role Custom | Administrators.

Users with this application role:

  • Administer custom application roles.
  • Set up other application roles for managers, if required.


Managers must be assigned to the application role Custom | Managers or a subordinate role.

Users with this application role:

  • Add custom tasks in One Identity Manager.

You can use these application roles, for example, to grant One Identity Manager users write permissions on custom tables or columns. All application roles that you define here must obtain their write permissions through custom permissions groups.

Implementing Application Roles

IMPORTANT: To use application roles, you must add one employee to the application role Base roles | Administrators. This employee is then authorized to assign administrative One Identity Manager application roles to other employees.

Only run this task once.

To initially add an employee to the application role Base roles | Administrators

  1. Log into the Manager as a non role-based administrative user.
  2. Select the category Employees | Employees.
  3. Select the employee to be assigned to the application role Base roles | Administrators.
  4. Select Authorize as One Identity Manager administrator in the task view.

NOTE: As soon as you refresh the Manager view, the task Authorize as One Identity Manager Administrator is no longer shown in the task view. That means that the task can only be run when there are no other employees assigned to this application role.

After you have been working with One Identity Manager for a while, it is possible that no employees are assigned to the application role Base roles | Administrators any longer. In this case, proceed as described above to reassign an employee to this application role.

The One Identity Manager user with the application role Base roles | Administrators can now add more employees to application roles and edit the application role master data.

How to Edit Application roles

To set up your first application roles you need to add an employee to the application role Base roles | Administrators. This employee is authorized to add more employees to different administration application roles. For more information, see Implementing Application Roles.

NOTE: To edit the application role, log on to the Manager using a role-based authentication module.

Administrators can edit child application roles, set up more application roles and assign employees.

To edit attestation roles

  1. Select the category One Identity Manager administration.
  2. Select a category in the navigation view.
  3. Select the application role in the result list. Select Change master data in the task view.

    - OR -

    Click in the result list toolbar.

  4. Edit the application role's master data.
  5. Save the changes.

NOTE: You cannot delete default application roles.

Related Topics

Application Role Master Data

Application Role Master Data

If you add a new application role, you must fill out the compulsory fields.

Table 13: Application Role Properties



Application role

Application role name.

Internal name

Empty text field for an internal company identifier.

Full name

Full name of the application role. It is made up automatically from the application role name and the parent application role.

Parent application role

Application role to which the application role being edited is subordinate.

Department, location, cost center

Additional information for the application role definition. These input fields are only used for information. They do not indicate for which department, cost center or location the application roles are responsible.

Permissions group

Permissions group for determining write permissions on role-based login. The application role is given access permissions of the associated permissions group. If there is no permissions group assigned, the application role gets write permissions from the parent application role.

Administrators can assign the rest of the application roles to custom defined permissions groups. For more information, see Customized Extension of Application Role Write Permissions.

NOTE: Permissions groups for default administrator application roles cannot be edited.


Spare text box for additional explanation.


Spare text box for additional explanation.

Certification status

Status of the application role's certification. You can select the following certification statuses:

  • New - The application role has been added to the One Identity Manager database.
  • Certified - The application role's master data has been granted approval by a manager.
  • Denied - The application role's master data has been denied approval by a manager.

Block inheritance

Specifies whether employees from parent application roles can also be determined as approvers for requests in the IT Shop that use the approval methods RD, RL, RO or RP. If this option is set, only employees that are assigned to exactly this application role can be determined as approvers.

NOTE: This option is available for compatibility with older versions of the program. It is recommended that you set this option.

Dynamic roles not allowed

Specifies whether a dynamic role can be created for the application role.

Spare field no. 01 ... Spare field no. 10

Additional company specific information. Use the Designer to customize display names, formats and templates for the input fields.
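
The permissions group fallback and the Block inheritance option described in the table above, together with the empty Base roles | Administrators state from Implementing Application Roles, can be checked offline against an export of role data. The following is an added example, not code from One Identity Manager: the AppRole record, its field names, the child role names, group name and employees are all constructed, and walking past the direct parent is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class AppRole:
    # Hypothetical record; fields mirror the master data properties in Table 13.
    parent: Optional[str] = None
    permissions_group: Optional[str] = None
    block_inheritance: bool = False
    members: Set[str] = field(default_factory=set)

def ancestors(roles: Dict[str, AppRole], name: Optional[str]):
    """Yield the role itself, then each parent up to the root (cycle-safe)."""
    seen = set()
    while name is not None and name not in seen:
        seen.add(name)
        yield roles[name]
        name = roles[name].parent

def effective_permissions_group(roles, name):
    """First permissions group found on the role or, failing that, on a parent.
    Assumption: the fallback continues past the direct parent if it has none."""
    for role in ancestors(roles, name):
        if role.permissions_group:
            return role.permissions_group
    return None

def candidate_approvers(roles, name):
    """Block inheritance set: only direct members. Otherwise members of parent
    roles count too (assumption: every ancestor, not just the direct parent)."""
    if roles[name].block_inheritance:
        return set(roles[name].members)
    return set().union(*(r.members for r in ancestors(roles, name)))

def bootstrap_task_available(roles):
    """True when Base roles | Administrators has no members, the state in which
    the one-time authorization task is offered again."""
    return not roles["Base roles | Administrators"].members

# Constructed sample data: child roles, group name and employees are invented.
ROLES = {
    "Base roles | Administrators": AppRole(),
    "Custom | Managers": AppRole(permissions_group="PG_CUSTOM_MANAGERS",
                                 members={"alice"}),
    "Custom | Managers | Assets": AppRole(parent="Custom | Managers",
                                          members={"bob"}),
    "Custom | Managers | Assets | EU": AppRole(
        parent="Custom | Managers | Assets", block_inheritance=True,
        members={"carol"}),
}
```

A role that reports no effective permissions group, or an export in which bootstrap_task_available returns True, is worth reviewing before further roles are delegated.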
