11.5 About the Role Configuration Editor
The Role Configuration editor is a graphical tool for defining administrative settings for the Roles Configuration object. The Roles Configuration object resides in the Role Catalog (nrfConfigurationobject), and it contains basic settings for an instance of the Role subsystem. There is only one configuration object per Role Catalog, and it resides at the root of the RoleConfig folder. The Roles Configuration object is a protected object, so the menu items and are disabled. You can copy and paste this object from another project; a paste operation overwrites the existing object. To start the role configuration editor:
-
Expand the , then navigate to and open the .
-
Double-click the node.
Designer displays the Role Configuration editor.
-
Fill in the fields as described in Table 11-5.
11.5.1 Role Configuration Editor Properties
The properties you set in the Role Configuration editor are described in Table 11-5.
Table 11-5 Roles Configuration Properties
|
Category |
Field |
Description |
|---|---|---|
|
|
|
Specifies the amount of time, in seconds, before a role assignment is removed from the Role Catalog. The value is 0 by default. A grace period of zero means that when someone is removed from a role assignment, the removal happens immediately and the subsequent revocation of entitlements is initiated immediately. You might use the grace period to delay the removal from a role of an account that would subsequently be re-added (for example if a person was being moved between containers). An entitlement can disable an account (this is the default) rather than removing it. |
|
|
|
Read-only level that defines the role hierarchy. The hierarchy rules are:
|
|
|
Specifies the text to display in the User Application tab for each role level. By default, they are Permission Role (Level 10), IT Role (Level 20), and Business Role (Level 30). You can translate this text into any of the languages supported by the User Application. For more information, see Section 2.10, Localizing Provisioning Objects. NOTE:The User Application caches this value in the RoleSystem cache holder. For your changes to Role Level Display Name to be visible in the User Application, you must flush the RoleSystem cache after you deploy the Role Configuration object. |
|
|
|
Specifies the text to display in the User Application tab for each Role Level Description. You can translate this text into any of the languages supported by the User Application. For more information, see Section 2.10, Localizing Provisioning Objects. NOTE:The User Application caches this value in the RoleSystem cache holder. For your changes to Role Level Description to be visible in the User Application, you must flush the RoleSystem cache after you deploy the Role Configuration object. |
|
|
|
|
Select if you want the SoD to be approved sequentially by the approvers in the order they appear in the approvers list. |
|
Select Quorum if you want the SoD to be approved in parallel and complete when the percentage of users specified is reached. For example, if you wanted to require that 25 percent of approvers in the list approve the condition, you would specify Quorum and specify a number; the value is assumed to be a percentage. |
||
|
|
The actual list of individuals that can approve or deny an SoD exception/override. This list can be overridden in the definition of an SoD constraint in the SoD editor. You can use the following buttons to manage the list:
|
|
|
|
|
Read-only name of the provisioning request definition that runs for a role approval request for this driver. |
|
|
Read-only name of the provisioning request definition that runs for a SoD exception approval for this driver. |
Click to add an approver. Adds the name to the bottom of the list.
Click to delete the selected approver.
Click to access the Identity Vault to search for an approver to add.
Click to move an approver lower on the list.
Click to move an approver higher on the list.