2.9 Configuring the Roles Tab

This section provides details on configuring the underlying subsystem for the Roles tab. Topics include:

2.9.1 Role Service Driver Configuration

After creating the Role Service driver at installation time, you can optionally modify some of the driver configuration settings in iManager. To configure the Role Service driver:

  1. In iManager, click Identity Manager>Identity Manager Overview.

  2. Browse to the driver set where the driver exists, then click Search.

  3. Click the upper-right corner of the Role Service driver icon, then click Edit Properties.

  4. Click on the Driver Configuration tab.

  5. Scroll down to the Driver Settings section of the page.

  6. Make any changes you would like to the settings, and click OK to commit your changes.

You can modify the following standard driver settings (listed under User Application/Workflow Connection on the Driver Configuration page), which get their initial values at installation time:

Table 2-6 Standard Driver Settings

Option

Description

User Application Driver DN

The distinguished name of the User Application driver object that is hosting the role system. Use the eDirectory format, such as UserApplication.driverset.org, or browse to find the driver object. This is a required field.

User Application URL

The URL used to connect to the User Application in order to start Approval Workflows. This is a required field.

User Application Identity

The distinguished name of the object used to authenticate to the User Application in order to start Approval Workflows. This needs to a user who has been assigned as a Provisioning Administrator for the User Application. Use the eDirectory format, such as admin.department.org, or browse to find the user.

The identity needs to be entered in LDAP format (for example, cn=admin,ou=department,o=org), rather than dot format. Note that this is different from the format required at driver install time, where dot notation is expected.

This is a required field.

User Application Password

Password of the account specified in the User Application Identity field. The password is used to authenticate to the User Application in order to start approval workflows. This is a required field.

Reenter User Application Password

Re-enter the password of the account specified in the User Application Identity field.

In addition, you can modify the following additional settings (listed under Miscellaneous on the Driver Configuration page) to customize the behavior of the Role Service driver:

Table 2-7 Additional Settings for Customizing the Role Service Driver

Option

Description

Number of days before processing removed request objects

Specifies the number of days the driver should wait before cleaning up request objects that have finished processing. This value determines how long you are able to track the status of requests that have been fulfilled.

Frequency of reevaluation of dynamic and nested groups (in minutes)

Specifies the number of minutes the driver should wait before reevaluating dynamic and nested groups. This value determines the timeliness of updates to dynamic and nested groups used by the User Application. In addition, this value can have an impact on performance. Therefore, before specifying a value for this option, you need to weigh the performance cost against the benefit of having up-to-date information in the User Application.

Generate audit events

Determines whether audit events are generated by the driver.

For details on audit configuration, see Section 3.0, Setting Up Logging.

Indexing for the Role Service Driver

The Role Service driver creates relevant indexes in eDirectory for roles definitions. If you upload a large number of roles, the indexing of these values may take some time. You can monitor these indexes under Index Management in iManager.

Here is the list of Index Names for the indexes created for the Role Service driver:

nrf(Object Class)
nrf(nrfMemberOf)
nrf(nrfStatus)
nrf(nrfStartDate)
nrf(nrfNextExpiration)
nrf(nrfParentRoles)
nrf(nrfChildRoles)
nrf(nrfCategory)
nrf(nrfRoleCategoryKey)
nrf(nrfLocalizedNames)
nrf(nrfLocalizedDescrs)
nrf(nrfRoles)

2.9.2 User Application Configuration

The Configure Role Subsystem action on the Roles tab of the User Application allows you to specify administrative settings for the Role Subsystem. For details on using the Configure Role Subsystem action, see the section on configuring the role subsystem in the Identity Manager User Application: User Guide.

2.9.3 Security Roles

The Role Subsystem uses a set of system roles to secure access to functions within the Roles tab. Each menu action in the Roles tab is mapped to one or more of the system roles. If a user is not a member of one of the roles associated with an action, the corresponding menu item is not displayed on the Roles tab.

The system roles are administrative roles automatically defined by the system at install time for the purpose of delegated administration. These include the following:

  • Roles Module Administrator

  • Roles Manager

  • Roles Auditor

  • Security Officer

To assign users to the system roles, you need to use the Role Assignments action on the Roles tab. For details on assigning users to roles, see the section “Making Role Assignments” in the Identity Manager User Application: User Guide.

The initial assignment of the Role Module Administrator is specified at installation time and processed when the Role Subsystem is first initialized at startup time.

2.9.4 Trustee Rights

The Roles Module Administrator has unlimited authorization scope within the Role Subsystem, which means that the administrator does not need to have directory browse rights to perform any tasks on the Roles tab. This is not the case for the other security roles.

The Roles Manager, Roles Auditor, and Security Officer roles need to have directory browse rights for the objects they want to work with on the Roles tab. For example, the Roles Manager can modify roles to which the user logged in with role manager privileges has browse rights. In addition, the Roles Manager can request assignment of users, groups, and containers to roles to which the user has browse rights. Similarly, the Roles Auditor must have directory browse rights to a report to run this report, and a Security Officer must have directory browse rights to an SoD constraint to modify this constraint.

NOTE:You should not define trustee rights for the system roles themselves.

Directory browse rights for roles-related objects should be defined as follows:

Table 2-8 Directory Browse Rights Required for Trustees

Property Name

Assigned Rights

Inherit

[All attribute rights]

Read right checked.

Checked

[Entry rights]

Browse right checked.

Checked

The Browse right setting for Entry rights is required for authorization to make role assignments. The Read right on attributes is required for attributes that are used in role searches.

Here is an example showing the trustee rights defined on the Level10 roles definition container for the IT group:

Figure 2-8 Trustee Rights for a Roles Container

Here is another example showing the trustee rights defined on the SoDDefs container for secOfficerUser, a sample user who has been assigned to the Security Officer role:

Figure 2-9 Trustee Rights for a Sample User

You can define rights for various types of trustees, including containers, subcontainers, groups, and users. One approach you might want to use is described below:

  1. Assign users to a group and give rights to objects to the group.

  2. Create a subcontainer for several objects (such as roles) and assign rights to the subcontainer.

Combining the two approaches might give you the greatest flexibility and effectiveness in assigning security rights.

NOTE:When a Role Manager creates a role, the Role Manager automatically receives trustee rights for the role definition. Similarly, when a Security Officer creates an SoD constraint, the Security Officer automatically receives trustee rights for the constraint definition.

2.9.5 View Request Status Search Limit

By default, the View Request Status action retrieves up to 10,000 request objects. If a user attempts to retrieve a larger result set, the user will see a message indicating that the limit has been reached. In this case, the user should narrow the search (by specifying a particular user or status, for example) to limit the number of objects returned in the result set. Note that when a user applies a filter to a role name, the filter limits what the user sees and its order, not the number of objects returned.

The administrator can change the maximum number of request objects retrieved by modifying the entity definition for the nrfRequest object in iManager. To do this, the administrator needs to modify the <search-max>10000</search-max> setting by editing the XmlData attribute of the sys-nrf-request object. The sys-nrf-request object can be found under EntityDefs.DirectoryModel.AppConfig within the User Application driver for the Roles Based Provisioning Module.

2.9.6 Result Set and Pagination Settings

The Administration tab in the User Application provides several settings you can use to control how result sets are processed and displayed on pages within the application. To configure the settings for result sets and pagination:

  1. Open the Administration tab in the User Application.

  2. Select the Provisioning tab.

  3. Select Delegation, Proxy and Tasks from the left navigation menu.

  4. Scroll down to the Provisioning Interface Display Settings section of the page.

  5. Modify any of the following settings, and click Save.

    Setting

    Description

    Default number of results displayed per page

    Specifies the default number of rows to display on the following pages:

    • My Roles

    • View Request Status

    • Browse Role Catalog

    • Manage Role Relationships

    When a user initiates a query on any of the pages listed above, the User Application caches the data obtained by the query, and returns the number of rows specified for this setting to the browser. Each time the user requests to see the next page, another set of rows is returned from the cache.

    The default value for this setting is 25.

    Options for number of results displayed per page (use spaces to separate values)

    Allows you to specify additional values that the user can select to override the default number of rows displayed on the My Roles, View Request Status, Browse Role Catalog, and Manage Role Relationships pages. The list of values you type must be separated by spaces.

    Note that the number specified in the Default number of results displayed per page control is always included in the list of values for the user to select.

    The default value for this setting is 5 10 50 100 500.

    NOTE:This setting also applies to the Team Tasks page on the Requests & Approvals tab and to the Object Selector. The default number of rows displayed on the Team Tasks page and in the Object Selector, however, is not controlled by the Default number of results displayed per page setting. The default number of rows for team tasks is set at 5, and the default number of rows for the Object Selector is set at 10.

    Threshold for browser-based sorting and filtering

    Specifies the maximum amount of memory (expressed in rows) for the client browser to use for sorting and filtering on the My Roles, View Request Status, Browse Role Catalog, and Manage Role Relationships pages. If you specify a very high value, client-side sorting and filtering will be very fast, but an excessive amount of memory might be used on the client. If you specify a very low value, the client-side memory usage might be low, but sorting and filtering might also be too slow.

    This setting applies only if the size of the result set is less than or equal to the threshold value. If the size of the result set is larger than the threshold value specified, sorting and filtering operations are performed on the server.

    The default value for this setting is 1000.

    NOTE:This setting also applies to the Team Tasks page on the Requests & Approvals tab and the Object Selector.

2.9.7 E-Mail Notification

The Role Subsystem uses two templates that are specific to roles-based provisioning:

  • New Role Request (Role Request Notification)

  • Role Request Approval Notification (Role Request Approval Completed Notification)

You can edit the templates to change the content and format of e-mail messages. For more information on these templates, see Section 18.4, Working with E-Mail Templates.