kuronen

Automatic roles and their filters

I've got automatic roles granted by IDM based on source registry values such as student. I would prefer to save the filter / criteria (example attribute filter: studentstatus=present) to the nrfRole object so that it would be logically where it belongs, but the nrfRole class does not seem to have such an attribute.

How do you implement such automatic roles? How do you make the role filters accessible to the role admins so that they may add/modify the roles?

Without UA I just use a mapping table that holds all data of roles, and role admins can do it online or with Excel, but with UA we have the role portal and it seems silly to maintain role definitions in two places.
kuronen

Re: Automatic roles and their filters

One option is that I could still maintain the mapping table and make a driver that monitors changes in the mapping table creating / deleting roles accordingly.
Micro Focus Expert

Re: Automatic roles and their filters

On 2019-06-07 08:54, kuronen wrote:
>
> I've got automatic roles granted by IDM based on source registry values
> such as student. I would prefer to save the filter / criteria (example
> attribute filter: studentstatus=present) to the nrfRole object so that
> it would be logically where it belongs, but the nrfRole class does not
> seem to have such an attribute.


You can create an auxiliary class with a custom attribute and attach that
to the nrfRole objects.

> How do you implement such automatic roles?


Create a null driver that watches for changes to the attributes in your
criteria and then evaluates all the filters for the user.

> How do you make the role
> filters accessible to the role admins so that they may add/modify the
> roles?


In 4.7.2 you might be able to make those editable using entities:
https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin_472/data/netiq-identity-manager-entities.html

Otherwise you need to create your custom UI. E.g. using
https://github.com/MicroFocus/CX

>
> Without UA I just use a mapping table that holds all data of roles, and
> role admins can do it online or with Excel, but with UA we have the role
> portal and it seems silly to maintain role definitions in two places.



--
Norbert
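The approach suggested in the reply above (a filter stored on each role object, re-evaluated for a user whenever one of the criteria attributes changes) can be sketched in Python as an added example; it is not code from this thread or from NetIQ. The filter syntax (`attr=value` terms joined by `;`, all of which must match), the role names and the sample data are assumptions made for illustration.

```python
# Added example. Assumed: each automatic role carries one filter string in a
# custom auxiliary attribute; the syntax and role names are hypothetical.

def parse_filter(text):
    """Parse 'attr=value' terms joined by ';' into {attr: value}."""
    terms = {}
    for term in text.split(";"):
        attr, sep, value = term.partition("=")
        attr, value = attr.strip().casefold(), value.strip().casefold()
        if not sep or not attr or not value:
            raise ValueError(f"malformed filter term: {term!r}")
        terms[attr] = value
    return terms

def watched_attributes(role_filters):
    """Attributes the driver must watch; malformed filters are skipped."""
    watched = set()
    for text in role_filters.values():
        try:
            watched.update(parse_filter(text))
        except ValueError:
            continue
    return watched

def evaluate_user(user_attrs, current_roles, role_filters):
    """Return (grant, revoke, invalid) role sets for one user."""
    attrs = {k.casefold(): {v.casefold() for v in vals}
             for k, vals in user_attrs.items()}
    grant, revoke, invalid = set(), set(), set()
    for role, text in role_filters.items():
        try:
            terms = parse_filter(text)
        except ValueError:
            # A typo by a role admin must not grant or mass-revoke anything:
            # leave existing assignments alone and report the role instead.
            invalid.add(role)
            continue
        matches = all(v in attrs.get(a, set()) for a, v in terms.items())
        if matches and role not in current_roles:
            grant.add(role)
        elif not matches and role in current_roles:
            revoke.add(role)
    return grant, revoke, invalid

# Constructed sample data: role name -> filter string.
ROLE_FILTERS = {
    "Student": "studentstatus=present",
    "StaffStudent": "studentstatus=present; employeestatus=active",
    "Broken": "studentstatus",
}
```

Roles that have no filter at all, such as manually assigned ones, never appear in the revoke set, so the evaluation only touches roles it manages.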
kuronen

Re: Automatic roles and their filters

Thanks for your ideas.

Aux class is something I've used for the last 15 years but kind of was hoping for some new and pristine NetIQ way here 🙂 So far the Excel - mapping table way is kind of nice too, even if it required IDM admin to update the mapping tables. The table can hold all the descriptions and explanations in the world to make everyone happy. I think I might try to make a driver that monitors this mapping table and creates / removes role definitions according to the table. But assigning resources to the roles automatically via driver may be hard. Did you ever do that?

I suppose there is a way to make a custom role administration page for the IDM dashboard with the filters? That would be one way. Or just settle for keeping the filters to technical IDM people only.

The CX link was new to me so I will definitely look around there.