The Role Catalog uses the Identity Vault to store role definitions that the User Application uses to determine:
- The set of roles that it can display or modify.
- The separation of duties (SoD) constraints between roles.
- The provisioning request definition to execute for role membership requests.
- The provisioning request definition to execute for SoD constraint exceptions.
The User Application ships with:
- Two roles-based provisioning request definitions.
- A Roles Category list.
- Default role levels.
- Default mid-level roles including Auditor, Role Approver, Role Module Administrator, Security Officer, and SoD Approver.
You use the Roles Based Provisioning Tools to create new Role Catalog objects and customize existing ones for your own business needs. The Role Catalog node of the Provisioning view provides access to the Identity Manager Roles Based Provisioning Module design and configuration tools.
You can use the Role Catalog node to import, export, deploy, validate, compare, and localize the role definitions, separation of duties constraints, and the Roles Configuration object, either as a group or individually. It also provides access to each of the Roles Based Provisioning Module tools.
When you use any of the editors available through the Role Catalog, you modify a set of local XML files. The local files are created when you add a Role Service driver to the Identity Manager project. The files are created in the workspace in the project’s Provisioning\AppConfig\RoleConfig folder.
Table 11-1 Local Roles Directories
The Roles Configuration object definition file resides at the root of the RoleConfig folder. There can be only one such file, and its name is configuration.roleconfig.
The Role Catalog is deployed in the User Application driver’s AppConfig.RoleConfig file.
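Because the local RoleConfig files carry role and SoD definitions, it is worth checking the folder before it is deployed. The following is an added example, not part of the product or its documentation: it checks that configuration.roleconfig exists exactly once at the folder root and that every local file parses as XML. It assumes that any file ending in .roleconfig is a Roles Configuration file and that nothing but XML lives in the folder; the subfolder and file names in the sample tree are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ROLECONFIG_PARTS = ("Provisioning", "AppConfig", "RoleConfig")  # folder named on the page
CONFIG_NAME = "configuration.roleconfig"                        # file name given on the page


def check_role_catalog(project_dir):
    """Return a list of problems found in the project's local RoleConfig folder."""
    root = Path(project_dir).joinpath(*ROLECONFIG_PARTS)
    if not root.is_dir():
        return [f"missing folder: {root}"]
    problems = []
    # Assumption: any *.roleconfig file is a Roles Configuration object definition.
    configs = sorted(p for p in root.rglob("*.roleconfig") if p.is_file())
    if root / CONFIG_NAME not in configs:
        problems.append(f"{CONFIG_NAME} not found at the root of RoleConfig")
    for p in configs:
        if p != root / CONFIG_NAME:
            problems.append(f"unexpected Roles Configuration file: {p.relative_to(root)}")
    # Assumption: every file in the folder is one of the local XML files.
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        try:
            ET.parse(str(p))
        except ET.ParseError as exc:
            problems.append(f"not well-formed XML: {p.relative_to(root)} ({exc})")
    return problems


def build_sample(project_dir, broken=False):
    """Create a constructed sample tree; names below the root are made up."""
    root = Path(project_dir).joinpath(*ROLECONFIG_PARTS)
    (root / "sample-roles").mkdir(parents=True)
    (root / CONFIG_NAME).write_text("<configuration/>")
    (root / "sample-roles" / "auditor.xml").write_text("<role><name>Auditor</name></role>")
    if broken:
        (root / "copy").mkdir()
        (root / "copy" / CONFIG_NAME).write_text("<configuration/>")  # second config file
        (root / "sample-roles" / "broken.xml").write_text("<role><name>x</role>")  # bad XML
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, broken=True)
        for line in check_role_catalog(tmp):
            print(line)
```

Point `check_role_catalog` at the Identity Manager project directory in your workspace; an empty list means the folder passed both checks.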