We're now going to talk a bit about roles. Now, Identity Manager has comprehensive support for roles. The roles inside Identity Manager are either business roles or system roles. Now, business roles are what analysts typically call enterprise roles. These are compositions of things that you assign to identities. What we call system roles is more like compositional entitlements that you can add into your business roles, if you like, or assign directly to identities.
So what I'm going to do now, I'm going to log on as one of the users that has a lot of capabilities inside the Identity Management solution. And I'm going to take a look at some system roles and some business roles. And I will also create a new business role.
Now as I said, this user has a lot of capabilities and responsibilities. The user is the owner of 51 business roles in this demo environment. And he's also the owner of two system roles.
If we take a quick look at the system roles first, there are only two system roles defined in the solution. If I select one of them, Application Role Two, it's just a name. And if the name needs to be changed, you can call it whatever.
If we look at the overview of that role, we can see that the role actually has some employees assigned to it. They are not directly assigned, but they have access to this role. We can also see that there are entitlements inside this system role. And this system role is actually part of a business role called DBA Oracle. So the entitlements, they are typically entitlements. In this particular example, they are inside an LDAP server and they're also inside an Active Directory.
If I, again, go back here, being a manager of this role, I can add memberships to it. And I can also add entitlements to, or remove them from, this technical or system role. So if I want to add something new, I just simply click on the Add New here. And the type is, of course, what kind of entitlement.
Well, I could say, for instance, I want to add some Active Directory groups to the role. If I click on Assign here, I get a list of the available roles. I can, for instance, search for something that starts with application. I can see all the groups I have in Active Directory.
Let's select this one, for example. And I say Assign Here.
Now if I look at the role, what's happening in the background? Everyone who has a membership in this role, either directly or indirectly, will also have this entitlement now, called application corporate Facebook access.
Now this was a system role or a technical role, but if I go to the start page again, here, as you remember, this person also has the ownership of 51 business roles. So if I click on this one, I can see the business roles; they can be hierarchical. So, for instance, if I open up Development, I can see some roles that belong to development.
I can select one to take a look at them, like this. I click on Application Developers. Again, it's just a name.
Now this is a business role so there are more capabilities here. We can do a lot of things on the business role level. We can split the role into another role. We can compare with another business role. We can merge them together, if we like.
We can also look at the history view here to see what happened with this role over time. We can see that we obviously did some change here. Some members were added at this point in time. If I go backwards in the history, I can see we actually created that at this point in time, in October last year.
Now, again, if I go back a couple of times here, I can also create a new business role. Because I am an owner, I have this capability. So if I say Create a New Business Role, I can give it a name, for instance, user acceptance testers, like this. Any business role needs to have what we call a role class.
The role class actually decides a couple of things. It decides the inheritance order, if it's top down or bottom up. But it also decides what you can assign to the role. Now, I only have two different role classes here, so I will select something that we have configured called job roles.
And I can also assign another manager for the role. But I'm going to be the manager myself, this Ben Paxton. So I just press Save here, and now, I have a new role called user acceptance tester. If I click on that role, again, I can look at an overview of the role.
It's not going to show me that much this time, because it's really just a role right now. There are no members. There are no entitlements or anything assigned to the role. But if I click on the back button here, I can start off by assigning entitlements to the role.
If I click on this one, it looks very similar. As you can see, there is nothing in the list right now. But if I click on the Add New button, again, it will ask me, what kind of things do we want to add to the role? And I can, for instance, say, I want to add a system role to it.
And the next question, of course, which system role are we going to add to it? Let's select the application role one, which was an existing system role. And now, there's a difference here.
I don't just say, add. It's actually going to be a request. We're going to talk a bit more about requests later on in the video series. But in this particular case, if there is a separation between the owner and the approver on this role, the approver needs to approve this request of adding something to the role.
Now, in this particular example, the role has no specific approver. So this request will be automatically approved, because we didn't assign a specific approver for the role. So the owner will be the approver. So if I look at my request history, I requested an in-role entitlement assignment.
If I look at the workflow, I can see that it was automatically granted. So if I, again, go back to my role, where we were previously on this role now, I can click on the entitlements again. And I will see that it has an entitlement assigned to it, and that was the system role, application role one.
So now, my business role has some kind of entitlements attached to it. The next thing I can do is to add members to the role. It works in a very similar way. Members are also treated as requests.
But as you remember, this role only has an owner. So whenever this person requests anything, it will be automatically approved. Now I can just select some from this list, or I can search. Or I can do all sorts of things just to find which members should be added to the role, and I add it.
And it's treated in a similar way. It's going to be requests, but I submit them now. It's role membership requests for, in this particular case, three new members to the role. And once it's approved, and again, in this example, it will be automatically approved, those members will actually be assigned the role, and the entitlements in the role will be automatically provisioned to those new members.
What we saw here was role management from the web UI. I'm just using the web interface to create roles, to assign members to the roles, to assign entitlements to the roles. Now in this example, they were directly assigned to the roles. But for the business roles, we can also manage the membership based on calculations.
We call it dynamic roles, which effectively means that, if you have a business role, and you have some kind of, for instance, properties on the user, or other memberships of the user, or anything that you can look at in the database, that can be used to calculate memberships. To show you this, I'm going to open up one of the tools, the manager tool. Now in the manager tool, there is a menu option for business roles.
If we click on the role class job roles, we will find the role that we previously created. It was called user acceptance testers, as you may remember. If I click on that role now, I will see that these three individuals have access to the role, because we requested that from the web UI.
And also, we added the system role called application role one. And if I click on that one, I can see that there are some entitlements connected to that specific application role. On this view, we can see that the business role user acceptance tester has the application role, and the application role has these entitlements.
Now we can also, as I said, we can make the membership calculation based on some kind of condition. For that purpose, I have a couple of examples here. I have a role called account payable Stockholm. Now what we can see on the screen here is that there is a node here called dynamic roles. That effectively means that there is a calculation behind this that will give us the members of this role.
So if I click on that node, I can see that there is a calculation that is affecting this role. And it uses this schedule to check it. If I open up the calculation itself, I will see the logic on the screen. And what I'm actually looking at is: for any person where the primary business role is account payable, and the primary location is Stockholm, they will be members of this role.
And this is a very simple wizard being used here, and I can always click on the Information button here to see its effect on employees. And as you remember, there were two employees that had this role, and you can change the behavior here. You can do all sorts of either simple or very advanced calculations to calculate memberships of this role.
So again, this account payable Stockholm is only assigned to the people that actually have account payable as their primary role, and they are located in Stockholm. So if I just simply click on one of them, I open up that particular identity, and I can see that the primary location for this person is Stockholm. And the primary business role is account payable, so this person should really also have membership in the account payable Stockholm role.
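As an added illustration, not code from the video or from the product, here is a small Python model of the structure the demo walks through: system roles composed of entitlements, business roles composed of system roles, direct members requested through the UI, and a dynamic role whose membership is calculated from the person's primary business role and primary location. All names, group strings and people in it are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

@dataclass(frozen=True)
class Person:
    name: str
    primary_role: str       # "primary business role" attribute on the identity
    primary_location: str   # "primary location" attribute on the identity

# System (technical) roles: compositions of entitlements in target systems
# (constructed LDAP / Active Directory group names).
SYSTEM_ROLES: Dict[str, Set[str]] = {
    "Application Role One": {"LDAP:cn=app1", "AD:App-Corporate-Facebook-Access"},
    "Application Role Two": {"LDAP:cn=app2"},
}

@dataclass
class BusinessRole:
    name: str
    system_roles: Set[str] = field(default_factory=set)
    direct_members: Set[str] = field(default_factory=set)
    # Dynamic role: a condition over the person record, re-evaluated on a schedule.
    condition: Optional[Callable[[Person], bool]] = None

def ap_stockholm(p: Person) -> bool:
    """The demo's rule: primary business role Account Payable AND location Stockholm."""
    return p.primary_role == "Account Payable" and p.primary_location == "Stockholm"

BUSINESS_ROLES: Dict[str, BusinessRole] = {
    "User Acceptance Testers": BusinessRole(
        "User Acceptance Testers", {"Application Role One"}, {"Ben", "Eva"}),
    "Account Payable Stockholm": BusinessRole(
        "Account Payable Stockholm", {"Application Role Two"}, condition=ap_stockholm),
}

def members(role: BusinessRole, people) -> Set[str]:
    """Direct members plus everyone the dynamic condition currently matches."""
    return {p.name for p in people
            if p.name in role.direct_members
            or (role.condition is not None and role.condition(p))}

def effective_entitlements(person: Person, people) -> Set[str]:
    """Business role -> system role -> entitlements, i.e. what gets provisioned."""
    ents: Set[str] = set()
    for role in BUSINESS_ROLES.values():
        if person.name in members(role, people):
            for sr in role.system_roles:
                ents |= SYSTEM_ROLES[sr]
    return ents

PEOPLE = [Person("Ben", "Developer", "Oslo"),
          Person("Eva", "Account Payable", "Stockholm"),
          Person("Tom", "Account Payable", "Oslo")]
```

Re-running `members` after a person's location changes is what the scheduled recalculation in the demo does: membership, and with it the provisioned entitlements, follows the attributes rather than a one-off assignment.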