Automatic roles and their filters

I've got automatic roles granted by IDM based on source registry values such as student. I would prefer to save the filter / criteria (example attribute filter: studentstatus=present) to the nrfRole object so that it would be logically where it belongs but nrfRole class does not seem to have such attribute.

How do you implement such automatic roles? How do you make the role filters accessible to the role admins so that they may add/modify the roles?

Without UA I just use a mapping table that holds all data of roles and role admins can do it online or with Excel but with UA we have the role portal and it seems silly to maintain role definitions in two places.
  • One option is that I could still maintain the mapping table and make a driver that monitors changes in the mapping table creating / deleting roles accordingly.
  • On 2019-06-07 08:54, kuronen wrote:
    >
    > I've got automatic roles granted by IDM based on source registry values
    > such as student. I would prefer to save the filter / criteria (example
    > attribute filter: studentstatus=present) to the nrfRole object so that
    > it would be logically where it belongs but nrfRole class does not seem
    > to have such attribute.


    You can create an auxiliary class with a custom attribute and attach that
    to the nrfRole objects.

    > How do you implement such automatic roles?


    Create a null driver that watches for changes to the attributes in your
    criteria and then evaluates all the filters for the user.

    > How do you make the role
    > filters accessible to the role admins so that they may add/modify the
    > roles?


    In 4.7.2 you might be able to make those editable using entities:
    https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin_472/data/netiq-identity-manager-entities.html

    Otherwise you need to create your custom UI. E.g. using
    https://github.com/MicroFocus/CX

    >
    > Without UA I just use a mapping table that holds all data of roles and
    > role admins can do it online or with Excel but with UA we have the role
    > portal and it seems silly to maintain role definitions in two places.



    --
    Norbert
  • Thanks for your ideas.

    Aux class is something I've used for the last 15 years but kind of was hoping some new and pristine NetIQ way here :) So far the Excel - mapping table way is kind of nice too, even if it required IDM admin to update the mapping tables. The table can hold all the descriptions and explanations in the world to make everyone happy. I think I might try to make a driver that monitors this mapping table and creates / removes role definitions according to the table. But assigning resources to the roles automatically via driver may be hard. Did you ever do that?

    I suppose there is a way to make a custom role administration page to idm dashboard with the filters? That would be one way. Or just settle with keeping the filters to technical IDM people only..

    The CX link was new to me so I will definitely look around there.
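
The evaluation step suggested in the reply above (a filter stored per role, re-evaluated for a user when a criteria attribute changes), sketched in Python as an added example that is not part of the thread and not NetIQ code. The filter syntax, the role names and the `auto_granted` bookkeeping are assumptions made for illustration.

```python
# Added example. The filter syntax (equality terms joined by "&") and all
# role/attribute names below are assumptions, not NetIQ schema or API.

def parse_filter(text):
    """Parse 'attr=value' or 'a=x&b=y' into lowercase (attr, value) pairs."""
    pairs = []
    for term in text.split("&"):
        attr, sep, value = term.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed filter term: {term!r}")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def matches(attrs, pairs):
    """True when every term equals one of the user's values (multi-valued ok)."""
    for attr, wanted in pairs:
        values = attrs.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if wanted not in {v.strip().lower() for v in values}:
            return False
    return True

def evaluate(user_attrs, role_filters, auto_granted):
    """Return (grant, revoke) role-name sets for one user.

    auto_granted holds the roles this evaluator granted earlier; only those
    are ever revoked, so manually assigned roles are left alone.
    """
    attrs = {k.lower(): v for k, v in user_attrs.items()}
    entitled = set()
    for role, text in role_filters.items():
        try:
            if matches(attrs, parse_filter(text)):
                entitled.add(role)
        except ValueError:
            # A malformed filter never grants and never revokes: keep state.
            if role in auto_granted:
                entitled.add(role)
    return entitled - auto_granted, auto_granted - entitled

# Constructed sample data: filters as they might be stored on role objects.
ROLE_FILTERS = {"Student": "studentstatus=present",
                "Staff": "employeestatus=active",
                "Broken": "studentstatus"}

if __name__ == "__main__":
    user = {"studentStatus": ["Present"], "employeeStatus": "left"}
    print(evaluate(user, ROLE_FILTERS, auto_granted={"Staff"}))
```

Tracking which roles were granted automatically keeps a filter edit by a role admin from removing assignments that were made by hand.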