
Identity Manager 8.0 - Application Roles Administration Guide

Assigning Employees to Application Roles

Assigned employees obtain all the write permissions of the permission group to which the application role (or a parent application role) is assigned. In addition, employees obtain the company resources assigned to the application role. Employees of the parent application role are inherited if no employees are directly assigned to an application role.

NOTE: The application roles Base roles | Everyone (Change), Base roles | Everyone (Lookup), Base roles | Employee Managers and Base roles | Birthright Assignments are assigned to employees automatically. Do not make any manual assignments to these application roles.

To assign employees to an application role

  1. Select the category One Identity Manager administration.
  2. Select a category in the navigation view.
  3. Select an application role in the result list.
  4. Select Assign employees in the task view.
  5. Assign employees in Add assignments.

    - OR -

    Remove employees from Remove assignments.

  6. Save the changes.

Customized Extension of Application Role Write Permissions

For role-based login, the application roles require a link to a permissions group in which write permissions for One Identity Manager are defined. The application role is given access permissions of the associated permissions group. If there is no permissions group assigned, the application role gets write permissions from the parent application role.

Different role-based authentication modules are available for role-based login to the One Identity Manager tools. When an employee logs in with role-based authentication, their memberships in application roles are determined first. The assignments of permissions groups to those application roles then determine which permissions groups apply to the employee. A dynamic system user is built from these permissions groups and used for the employee's login.

Some of the default application roles are already assigned permissions groups. The permissions groups have write permissions to tables and columns and are equipped with menu items, forms, methods and program functions for editing application data with the Manager and the Web Portal.

You can assign customized permissions groups to application roles so that the write permissions for application roles meet your company requirements. You need to ensure that your custom permissions groups contain all the write permissions of the default permissions groups for these application roles. This allows users with these application roles to use all default One Identity Manager functionality.

NOTE: You can simplify grouping of permissions by using hierarchical linking of permissions groups. Permissions from hierarchical permissions groups are inherited from top to bottom. That means that a permissions group contains all the permissions belonging to its parent permissions groups.

Proceed as follows:

  1. Create a new permissions group in the Designer.

    NOTE: Set the option Only use for role-based authentication.
  2. Set up dependencies for the new permissions group to the default permissions group for the application role.

    The default permissions group must be assigned as a subgroup. This means that the new permissions group inherits its properties.

  3. Allocate additional write permissions for menu items, forms, tables and columns.
  4. Assign the permissions group to the application role in the Manager.

If a user logs in to the Manager or the Web Portal with an application role extended in this way, they receive, in addition to the default permissions for this application role, the custom-defined edit permissions.

For detailed information about creating permissions groups and editing entitlements, see the One Identity Manager Configuration Guide.
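The following Python model is an added example, not One Identity Manager code. It models the resolution described in the two passages above: which permissions group stands behind an application role (falling back to the parent role when none is assigned), which permissions a group inherits through its dependencies, and the check that a custom group still carries every permission of the default group. All role, group and permission names are constructed for illustration.

```python
# Added example, not One Identity Manager code: a model of how role-based login
# resolves write permissions. Role, group and permission names are constructed.

# Application role -> parent role (None = top level), and -> its own permissions
# group (None = the role falls back to the parent's group, as the guide states).
ROLE_PARENT = {"Ex roles": None, "Ex roles | Approvers": "Ex roles",
               "Ex roles | Approvers | Auditors": "Ex roles | Approvers"}
ROLE_GROUP = {"Ex roles": "DEFAULT_BASE", "Ex roles | Approvers": "CUSTOM_APPROVERS",
              "Ex roles | Approvers | Auditors": None}
# Permissions group -> groups it depends on (it inherits all their permissions)
# and -> permissions it grants directly. CUSTOM_BROKEN omits the default group.
GROUP_DEPENDS_ON = {"DEFAULT_BASE": [], "DEFAULT_APPROVERS": ["DEFAULT_BASE"],
                    "CUSTOM_APPROVERS": ["DEFAULT_APPROVERS"], "CUSTOM_BROKEN": []}
GROUP_PERMISSIONS = {"DEFAULT_BASE": {"menu:MyRequests"},
                     "DEFAULT_APPROVERS": {"menu:Approvals", "table:Request/decide"},
                     "CUSTOM_APPROVERS": {"table:ApprovalNote/write"},
                     "CUSTOM_BROKEN": {"table:ApprovalNote/write"}}

def effective_group(role):
    """Group for a role: its own, else the nearest ancestor's, else None."""
    while role is not None:
        if ROLE_GROUP.get(role):
            return ROLE_GROUP[role]
        role = ROLE_PARENT.get(role)
    return None

def group_permissions(group, _seen=None):
    """All permissions of a group, including those inherited via dependencies."""
    _seen = set() if _seen is None else _seen
    if group in _seen:  # tolerate cyclic dependencies instead of recursing forever
        return set()
    _seen.add(group)
    perms = set(GROUP_PERMISSIONS.get(group, ()))
    for dep in GROUP_DEPENDS_ON.get(group, ()):
        perms |= group_permissions(dep, _seen)
    return perms

def login_permissions(app_roles):
    """Groups behind an employee's roles and the permissions their dynamic system user gets."""
    groups = sorted({g for g in map(effective_group, app_roles) if g})
    return groups, set().union(*(group_permissions(g) for g in groups))

def missing_default_permissions(custom_group, default_group):
    """Default permissions the custom group lacks; the guide requires this to be empty."""
    return group_permissions(default_group) - group_permissions(custom_group)

if __name__ == "__main__":
    print(login_permissions(["Ex roles | Approvers | Auditors"]))
    print(missing_default_permissions("CUSTOM_BROKEN", "DEFAULT_APPROVERS"))
```

Run the second check against every custom group before assigning it to an application role; a non-empty result means users of that role would lose default functionality.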

Additional Tasks for Managing Application Roles

After you have entered the master data, you can apply different tasks to it. The task view contains different forms with which you can run the following tasks.

Creating Dynamic Roles for Application Roles

Use this task to assign employees to an application role through dynamic roles. For more detailed information about using dynamic roles, see the One Identity Manager Identity Management Base Module Administration Guide.

NOTE: The task Create dynamic role is only available for application roles for which the option Dynamic roles not allowed is not set.

To create a dynamic role

  1. Select the category One Identity Manager administration.
  2. Select a category in the navigation view.
  3. Select an application role in the result list.
  4. Select Create dynamic role in the task view.
  5. Enter the required master data. The following applies to dynamic roles for application roles:
    • Object class

      "Person"

    • Application role

      This is preset with the selected application role. If these objects fulfill the dynamic role conditions, they become members in the application role.

    • Dynamic role

      The dynamic role identifier is made up by default of the object class and the full name of the application role.

  6. Save the changes.

To edit a dynamic role

  1. Select the category One Identity Manager administration.

    Application roles are grouped by category in the navigation view. Only the application roles you are allowed to edit are shown.

  2. Select a category in the navigation view.
  3. Select an application role in the result list.
  4. Select Application role overview in the task view.
  5. Select the form element "dynamic roles" and click on the dynamic role.
  6. Select Change master data in the task view.
  7. Edit the dynamic role.
  8. Save the changes.