Novell Doc: Identity Manager Roles Based Provisioning Module 3.6 User Application: User Guide

16.2 Assigning Roles

The Role Assignments action lets users request role assignments. This action is available to Role Module Administrators, Role Managers, and other authenticated users not specifically assigned to any of the installed system roles.

Role Module Administrators can request assignment of users, groups, and containers to roles. The Role Module Administrator has unlimited scope within the directory.
Role Managers can request assignment of users, groups, and containers to roles to which they have browse rights.
Other authenticated users can request assignment to roles to which they have browse rights.

16.2.1 Assigning Users, Groups, and Containers to a Role

To request assignment of one or more users, groups, or containers to a single role:

Click Role Assignments in the list of Role Assignments actions.
Click the Role icon under How do you want to view assignments?.

Select the role to which you want to assign the users, groups, or containers.

Use the Object Selector or the Show History tool to select the role. For details on using the Object Selector and Show History tools, see Section 1.4.4, Common User Actions.

The User Application displays the current status of assignments for the selected role.

The columns in the assignment list table are described below:

The Assignment column provides the name of the object assigned to the currently selected role.

The Source column indicates the manner in which the object has been assigned to the role, as described below:

Source	Description
Role Relationship	Indicates that this assignment represents a role relationship. The name in the Assignment column is the name of the related role.
User Assigned to Role	Indicates that the user named in the Assignment column has been previously assigned to the currently selected role.
Group Assigned to Role	Indicates that the group named in the Assignment column has been previously assigned to the currently selected role.
Container Assigned to Role	Indicates that the container named in the Assignment column has been previously assigned to the currently selected role.

The Effective Date column shows the date when the assignment goes into effect. If no date is displayed, the assignment went into effect immediately after it was requested.
The Expiration Date column shows the date when the assignment expires. If no date is displayed, the assignment remains in effect indefinitely.
The Status column shows whether the assignment has been granted:

Status

Description

Provisioned

Approved (if necessary) and activated.

You can filter the list of assignments, as follows:
1. To view only those assignments, see Filtering Data for information about what to enter in the Assignment box.
2. To view users assignments only, select the Users box.
3. To view group assignments only, select the Groups box.
4. To view container assignments only, select the Containers box.
5. To view role relationships only, select the Roles box.
6. To apply the filter criteria you’ve specified to the display, click Filter.
7. To clear the currently specified filter criteria, click Reset.
To set the maximum number of assignments displayed on each page, select a number in the Maximum rows per page drop-down list.
To create a new assignment, click New Assignment.

Specify the details for the assignment in the Assignment Details group box.
- In the Type of Assignment drop-down, select User, Group, or Container to indicate what type of object you want to assign to the currently selected role.
- In the Select User(s) field, specify the users to assign.
  
  NOTE:If you select Group as the type of assignment, the user interface displays the Select Group(s) field. If you select Container, it displays the Select Container(s) field.
- In the Initial Request Description field, type text to describe the reason for the assignment request.
- In the Effective Date field, specify the date when you want the assignment to take effect. You can use the Calendar control to select the date.
- In the Expiration Date field, indicate whether you want the assignment to have an expiration date. If the assignment will remain in effect indefinitely, select No Expiration. If you want to define an expiration date, select Specify Expiration and use the Calendar control to select the date.
- Click Submit to submit the role assignment request.
NOTE:The Role Assignments action allows you to see roles that are related to the currently selected role, but does not permit you to create role relationships. To do this, you need to use the Manage Role Relationships action.

Status	Description
Provisioned	Approved (if necessary) and activated.

If a separation of duties conflict will occur if a role is assigned to one or more users, the user interface displays the Separation of Duties Conflicts box at the bottom of the page. In this case, you need to provide a business justification for the role assignment.

To provide a justification:

Type a description in the Justification field that explains why an exception to the separation of duties constraint is needed in this situation.

NOTE:You do not need to provide a justification in cases where the new role assignment conflicts with an existing assignment that the user acquired indirectly, either through a role relationship, or by membership in a group or container. If a user is added to a role indirectly, and a potential separation of duties conflict is detected, the User Application allows the new assignment to be added, and records the violation for reporting and audit purposes. If necessary, role administrators can correct the violation by redefining roles.

16.2.2 Assigning Roles to a Single User

To request assignment of one or more roles to a single user:

Click Role Assignments in the list of Role Assignments actions.
Click the User icon under How do you want to view assignments?.

Select the user to whom you want to assign one or more roles.

Use the Object Selector or the Show History tool to select the user. For details on using the Object Selector and Show History tools, see Using the Object Selector Button for Searching.

The User Application displays the current status of assignments for the selected user.

The columns in the assignment list table are described below:

The Assignment column provides the name of the role assigned to the currently selected user.

The Source column indicates how the role was assigned to the user, as described below:

Source	Description
Direct Assignment	Indicates that this role was assigned directly to the currently selected user.
Membership in Role role name	Indicates that the user received this role by being a member in a related role.
Membership in Group group name	Indicates that the user received this role by being a member in a group.
Membership in Container container name	Indicates that the user received this role or by being a member in a container.

The Effective Date column shows the date when the assignment goes into effect. If no date is displayed, the assignment went into effect immediately after it was requested.
The Expiration Date column shows the date when the assignment expires. If no date is displayed, the assignment remains in effect indefinitely.
The Status column shows whether the assignment has been granted and provisioned:

Status

Description

Provisioned

Approved (if necessary) and activated.

You can filter the list of assignments, as follows:
1. To view only those assignments that start with a particular string of characters, see Filtering Data for information about what to type in the Assignment box.
2. To view only those assignments that were assigned directly to the user, select the Direct box.
3. To view only those assignments that were assigned indirectly, select the Indirect box. Indirect assignments are those assignments that a user receives through a role relationship, or by being a member in a group or container.
4. To apply the filter criteria you’ve specified to the display, click Filter.
5. To clear the currently specified filter criteria, click Reset.
To set the maximum number of assignments displayed on each page, select a number in the Maximum rows per page drop-down list.
To create a new assignment, click New Assignment.

Specify the details for the assignment in the Assignment Details group box.
- In the Select Role(s) field, specify the roles to assign.
- In the Initial Request Description field, type text to describe the reason for the assignment request.
- In the Effective Date field, specify the date when you want the assignment to take effect. You can use the Calendar control to select the date.
- In the Expiration Date field, indicate whether you want the assignment to have an expiration date. If the assignment will remain in effect indefinitely, select No Expiration. If you want to define an expiration date, select Specify Expiration and use the Calendar control to select the date.
- Click Submit to submit the role assignment request.

Status	Description
Provisioned	Approved (if necessary) and activated.

If a separation of duties conflict will occur if a role is assigned to the currently selected user, the user interface displays the Separation of Duties Conflicts box at the bottom of the page. In this case, you need to provide a business justification for the role assignment.

To provide a justification:

Type a description in the Justification field that explains why an exception to the separation of duties constraint is needed in this situation.

Indirect role assignments and SoD conflicts You do not need to provide a justification in cases where the new role assignment conflicts with an existing assignment that the user acquired indirectly, either through a role relationship, or by membership in a group or container. If a user is added to a role indirectly, and a potential separation of duties conflict is detected, the User Application allows the new assignment to be added, and records the violation for reporting and audit purposes. If necessary, role administrators can correct the violation by redefining roles.

16.2.3 Assigning Roles to a Single Group

To request assignment of one or more roles to a single group:

Click Role Assignments in the list of Role Assignments actions.
Click the Group icon under How do you want to view assignments?.

Select the group to which you want to assign one or more roles.

Use the Object Selector or the Show History tool to select the group. For details on using the Object Selector and Show History tools, see Using the Object Selector Button for Searching.

The User Application displays the current status of assignments for the selected group.

The columns in the assignment list table are described below:

The Assignment column provides the name of the role assigned to the currently selected group.

The Source column indicates how the role was assigned to the group, as described below:

Source	Description
Direct Assignment	Indicates that this role was assigned directly to the currently selected group.
Membership in Role role name	Indicates that the group was given this role because it is assigned to a related role.

The Effective Date column shows the date when the assignment goes into effect. If no date is displayed, the assignment went into effect immediately after it was requested.
The Expiration Date column shows the date when the assignment expires. If no date is displayed, the assignment remains in effect indefinitely.
The Status column shows whether the assignment has been granted and provisioned:

Status

Description

Provisioned

Approved (if necessary) and activated.

You can filter the list of assignments, as follows:
1. To view only those assignments that start with a particular string of characters, see Filtering Data, for information about what to enter in the Assignment box.
2. To view only those assignments that were assigned directly to the group, select the Direct box.
3. To view only those assignments that were assigned indirectly, select the Indirect box. Indirect assignments are those assignments that a group receives through a role relationship.
4. To apply the filter criteria you’ve specified to the display, click Filter.
5. To clear the currently specified filter criteria, click Reset.
To set the maximum number of assignments displayed on each page, select a number in the Maximum rows per page drop-down list.
To create a new assignment, click New Assignment.

Specify the details for the assignment in the Assignment Details group box.
- In the Select Role(s) field, specify the roles to assign.
- In the Initial Request Description field, type text to describe the reason for the assignment request.
- In the Effective Date field, specify the date when you want the assignment to take effect. You can use the Calendar control to select the date.
- In the Expiration Date field, indicate whether you want the assignment to have an expiration date. If the assignment will remain in effect indefinitely, select No Expiration. If you want to define an expiration date, select Specify Expiration and use the Calendar control to select the date.
- Click Submit to submit the role assignment request.

Status	Description
Provisioned	Approved (if necessary) and activated.

16.2.4 Assigning Roles to a Single Container

To request assignment of one or more roles to a single container:

Click Role Assignments in the list of Role Assignments actions.
Click the Container icon under How do you want to view assignments?.

Select the container to which you want to assign one or more roles.

Use the Object Selector or the Show History tool to select the container. For details on using the Object Selector and Show History tools, see Using the Object Selector Button for Searching.

The User Application displays the current status of assignments for the selected container.

The columns in the assignment list table are described below:

The Assignment column provides the name of the role assigned to the currently selected container.

The Source column indicates how the role was assigned to the container, as described below:

Source	Description
Direct Assignment	Indicates that this role assignment was assigned directly to the currently selected container.
Membership in Role role name	Indicates that the container was given this role because it is assigned to a related role.
Membership in Container container name	Indicates that the container was assigned this role because it is nested within a higher-level container.

The Effective Date column shows the date when the assignment goes into effect. If no date is displayed, the assignment went into effect immediately after it was requested.
The Expiration Date column shows the date when the assignment expires. If no date is displayed, the assignment remains in effect indefinitely.
The Status column shows whether the assignment has been granted and provisioned:

Status

Description

Provisioned

Approved (if necessary) and activated.

You can filter the list of assignments, as follows:
1. To view only those assignments that start with a particular string of characters, see Filtering Data for information about what to enter in the Assignment box.
2. To view only those assignments that were assigned directly to the container, select the Direct box.
3. To view only those assignments that were assigned indirectly, select the Indirect box. Indirect assignments are those assignments that a container receives through a role relationship.
4. To apply the filter criteria you’ve specified to the display, click Filter.
5. To clear the currently specified filter criteria, click Reset.
To set the maximum number of assignments displayed on each page, select a number in the Maximum rows per page drop-down list.
To create a new assignment, click New Assignment.

Specify the details for the assignment in the Assignment Details group box.
- In the Select Role(s) field, specify the roles to assign.
- In the Initial Request Description field, type text to describe the reason for the assignment request.
- In the Effective Date field, specify the date when you want the assignment to take effect. You can use the Calendar control to select the date.
- In the Expiration Date field, indicate whether you want the assignment to have an expiration date. If the assignment will remain in effect indefinitely, select No Expiration. If you want to define an expiration date, select Specify Expiration and use the Calendar control to select the date.
- To propagate this role assignment to users in all subcontainers, select Apply role assignment(s) to sub-containers.
- Click Submit to submit the role assignment request.