Managing organizational team access


Applies To: Forefront Identity Manager

One way to view an individual’s roles in an organization is the individual’s place within the organization itself. For example, an individual employee is typically part of a team of employees who report to the same manager. This team often needs to be able to access a particular set of applications and data that is unique to that particular team. For this reason, roles that are derived from the structure of an organization are often used to allocate specific sets of permissions to members of an organizational team.

One of the important functions of the BHOLD administrator is to oversee the creation and management of organizational units (orgunits) so that they reflect the structure of the organization they represent. The administrator is responsible for maintaining the membership of these orgunits, the membership roles that are linked to the orgunits, and the permissions that are linked to those membership roles. In most cases, many of these tasks will be automated by installing the BHOLD Access Management Connector module and synchronizing the BHOLD role model through Forefront Identity Manager with an authoritative identity source, such as a human resources (HR) database. In other cases, the administrator might be required to manage certain elements of the BHOLD role model by using the BHOLD Core portal. Because each BHOLD deployment will differ in which tasks are automated and how that automation is implemented, this topic explains how to perform all of these tasks manually.

All activities in this topic require the BHOLD Core portal. For information about using the BHOLD Core portal to administer BHOLD Core, see Using the BHOLD Core portal in this guide.

The following are the basic tasks for managing organizational team access:

  • Managing organizational units

  • Creating a membership role

  • Linking a permission to a membership role

  • Assigning a membership role to an organizational unit

  • Activating a proposed role

  • Removing an unused membership role

Managing organizational units

The BHOLD role model provides the organizational unit (orgunit) as the method for representing the structure of an organization. Because orgunits can contain other orgunits, it is possible to arrange orgunits in the BHOLD role model in a hierarchical structure that mirrors the hierarchy of the organization the role model is designed to support. In addition, you can create other orgunit hierarchies to represent projects, cost centers, geographical location, and so on. These hierarchical structures are especially important when it comes to managing the membership roles that are linked to orgunits, because roles can be inherited from higher-level orgunits. This reduces the need to manually propagate roles throughout a branch of the organizational hierarchy because the roles can be inherited automatically instead.

Note

A BHOLD organizational unit (orgunit) is unrelated to an Active Directory organizational unit (OU). Most often, BHOLD orgunits provide a highly granular representation of a human organization, while Active Directory OUs reflect the structure of the Active Directory forest.

Managing orgunits for organizational team access consists of the following activities:

  • Creating an organizational unit

  • Managing users in an organizational unit

  • Moving an organizational unit

For more information about managing orgunits in BHOLD, see Managing organizational units in this guide.

Creating an organizational unit

If your BHOLD deployment is not configured to import organizational structure from an external source, you must use the BHOLD Core portal to create orgunits.

To create an organizational unit
  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit in which you want to create a new orgunit.

    Tip

    If the desired parent orgunit is not listed, in the Attribute type list, click Description, in Search string, type the parent orgunit name, and then click the Search button.

  3. On the Organizational unit/<orgunit> page, next to Organizational unit structure, click Add.

  4. On the Add organizational unit page, in Description, type the name of the new orgunit, and then in the Organizational unit type list, click the type of the new orgunit.

  5. If you do not want the new orgunit to inherit roles from its parent, clear the Roles from parent check box. Otherwise, leave the check box selected.

  6. Click OK.

Managing users in an organizational unit

Most often, the users in an orgunit are added and removed automatically when FIM synchronizes the BHOLD Core database with an external, authoritative identity data source, such as Active Directory Domain Services or a human resources database. If your BHOLD deployment is not configured to synchronize with another identity data source, you can use the BHOLD Core portal to add a user to an orgunit or to move a user to another orgunit.

The following are the typical tasks for managing users in an organizational unit:

  • Add a user to an organizational unit

  • Move a user to a different organizational unit

  • Remove a user from an organizational unit

Add a user to an organizational unit

When orgunit membership is managed manually, there are two ways to add a user to an orgunit:

  • You can create a new user in the orgunit.

  • You can add an existing user to the orgunit.

Every user in the BHOLD Core database must belong to at least one orgunit. For this reason, all new users must be created in an orgunit.

To create a new user in an organizational unit
  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit in which you want to add a user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Add.

  4. On the Add user page, enter the following information, and then click OK.

    Description (required): The user’s name, or another identifying label.
    Default alias (required): The unique identifier for the user. Often, this is the user’s domain and user name in Active Directory. If you enter an alias that has already been used, the BHOLD Core portal displays an error message.
    End date (optional): The date after which the user loses all permissions and all roles are disabled. Use this entry to ensure that temporary users do not retain permissions past their planned termination date.
    Disabled (optional): When selected, the user is deactivated and so does not receive permissions, aliases, or active roles. Use this setting when you want to prevent a user from receiving permissions until you explicitly enable the user.
    Maximum number of permissions (optional): The highest number of permissions that can be assigned to the user. Leave blank or set to 0 for unlimited permissions.
    Maximum number of roles (optional): The highest number of roles that can be assigned to the user. Leave blank or set to 0 for unlimited roles.
    Email (optional): The user’s email address.
  5. To add more users to the orgunit, in the left pane under History, click the orgunit, and then repeat steps 3 and 4.

You can add an existing user to another orgunit.

To add an existing user to an organizational unit
  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit in which you want to add a user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Modify.

  4. On the Organizational unit – Users/<orgunit> page, in the Attribute type list, click the attribute you want to use to locate the user you want to add to the orgunit, in Search string (Users), type the user’s description (name) or default alias, and then click the Search button.

    Tip

    To display all users, leave Search string (Users) empty when you click the Search button.

  5. Under UnLinked Users, next to the user you want to add to the orgunit, click Add.

  6. When you have finished adding users to the orgunit, click Done.

Move a user to a different organizational unit

Every user must be a member of at least one orgunit. If a user belongs to only one orgunit, removing the user from that orgunit deletes the user from the BHOLD Core database. For this reason, moving a user from one orgunit to another orgunit is a two-step process: You add the user to the new orgunit, and then you remove the user from the old orgunit.

To move a user to a different organizational unit
  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit to which you want to move a user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Modify.

  4. On the Organizational unit – Users/<orgunit> page, in the Attribute type list, click the attribute you want to use to locate the user you want to add to the orgunit, in Search string (Users), type the user’s description (name) or default alias, and then click the Search button.

    Tip

    To display all users, leave Search string (Users) empty when you click the Search button.

  5. Under UnLinked Users, next to the user you want to move to the orgunit, click Add, and then click Done.

  6. In the left pane, click Organizational units.

  7. In the Organizational units list, click the orgunit from which you want to move the user.

  8. On the Organizational unit/<orgunit> page, expand Users, and then click Modify.

  9. Under Linked Users, click Remove next to the user being moved, and then click Done.

Remove a user from an organizational unit

You can remove a user from an organizational unit (orgunit) if the user belongs to another orgunit. Because every user must belong to at least one orgunit, you cannot remove a user from the only orgunit of which it is a member.

To remove a user from an organizational unit
  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit from which you want to remove the user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Modify.

  4. Under Linked Users, click Remove next to the user you want to remove, and then click Done.

Moving an organizational unit

When the structure of your organization changes, it will likely be necessary to move orgunits from one parent to another. Moving an orgunit affects the roles and permissions that are inherited from the parent orgunit.

To move an organizational unit
  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit that you want to move.

    Tip

    If the desired orgunit is not listed, in the Attribute type list, click Description, in Search string, type the parent orgunit name, and then click the Search button.

  3. On the Organizational unit/<orgunit> page, expand Organizational unit structure, and then click Move.

  4. On the Move organizational unit/<orgunit> page, in the Organizational unit list, click the new parent orgunit, and then click OK.

    Important

    The BHOLD Core portal might display the warning message “Session ID missing: The Session ID is not found in URL. You can continue working using the menu at the left.” This does not indicate that the request to move the orgunit failed, simply that the request was not processed quickly enough to display in the portal. To verify that the move has completed, wait about 10 seconds, and then click the orgunit under History in the left pane.

Creating a membership role

A user who belongs to an organizational unit (orgunit) automatically inherits roles that are inheritable from the parent orgunit. Even so, usually one of the reasons to create an orgunit and to add users to the orgunit is to provide the users in the orgunit with a set of permissions that are particularly appropriate for those users. For example, a project team can be made up of several subteams, each with their own special function that requires a special set of permissions. An orgunit can be created in which to put the members of a subteam, and then a role can be assigned to that orgunit that provides the particular permissions the subteam needs to do its job.

A role that is linked to an orgunit to assign permissions to the members of that orgunit is called a membership role. This term simply describes how the role is used; there is nothing to distinguish a membership role from other roles. Consequently, if you create a membership role, you should use a naming convention (such as prefixing the role name with MR-) to make it easier to distinguish a membership role from other roles.

When BHOLD Core creates orgunits, it also automatically creates a membership role for the new orgunit and links it to the orgunit. The name of the membership role is MR- followed by the name of the orgunit. For example, when BHOLD Core creates a membership role for an orgunit named Sales, it gives the membership role the name MR-Sales.

Even when BHOLD Core creates a membership role for an orgunit, you can create additional membership roles to manage inheritance or to produce membership roles that can be assigned to more than one orgunit, for example.

For more information about creating and using roles, see Managing roles in this guide.

To create a membership role

  1. In the BHOLD Core portal, in the left pane, under Model, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, enter the following information, and then click OK:

    Description (required): The name of the new role. Tip: You should use a naming convention that indicates this is a membership role, but which distinguishes it from the default membership role. For example, if you are creating a temporary membership role, you could prefix the name of the role with TMR-.
    Supervisor role (optional): Identifies the new role as a supervisor role. When this is selected, the role appears in lists of supervisor roles.
    Orgunit context adaptable (optional): Specifies that the role will be linked to a context adaptable permission (CAP). For more information, see Managing context adaptable permissions in this guide.
    Supervising role (required): The name of the role whose users can manage the new role.
    Maximum number of permissions (optional): The highest number of permissions that can be linked to the new role. Leave blank or set to 0 for unlimited permissions.
    Maximum number of Subroles (optional): The highest number of roles that can be subordinate to the new role. Leave blank or set to 0 for unlimited roles.
    Maximum number of users (optional): The highest number of users that can be linked to the new role. Leave blank or set to 0 for unlimited users.
    Role type (optional): Type Membership to indicate that this is a personal role.
    Managed by FIM (optional): Enter Yes to specify that this role is managed by FIM.

Linking a permission to a membership role

The principal purpose of a role is to bring together users who should share a particular set of rights in one or more applications. In the BHOLD role model, these rights are represented as permissions, and these permissions are assigned to users by linking them to roles that are, in turn, linked to the users who are to receive the permissions.

For information about creating and managing permissions, see Managing permissions in this guide.

To link a permission to a membership role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role to which you want to assign a permission.

    Tip

    If the desired parent role is not listed, in the Attribute type list, click Description, in Search string, type the role name, and then click the Search button.

  3. On the Role/<role> page, expand Permissions, and then click Modify.

  4. On the Role–permissions/<role> page, in the Application list, click the application that the permission belongs to, in Search string (Permission), type the name of the permission, and then click the Search button.

    Tip

    To display all the permissions for an application, leave Search string (Permissions) empty when you click the Search button.

  5. In the Unlinked Permissions list, click Add next to the permission you want to assign to the role, and then click Done.

Assigning a membership role to an organizational unit

After you have assigned permissions to a role, you must link that role to the organizational unit whose members you want to receive the permissions.

To assign a role to an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit that you want to link to a role.

  3. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  4. On the Organizational unit–roles/<orgunit> page, in Search string (Roles), type the role’s description (name), and then click the Search button.

    Tip

    To display all roles, leave Search string (Roles) empty when you click the Search button.

  5. In the UnLinked Roles list, next to the role you want to assign to the orgunit, click Add.

  6. Under Link role, in the Relation type list, click Effective to assign the role immediately to the orgunit, or click Proposed to require approval of the role assignment to the orgunit.

  7. To allow the role to be inherited by member orgunits, select the Children inherit this role check box.

  8. To limit the amount of time that the role is linked to the orgunit, do the following:

    1. In the Relation type list, click Proposed.

    2. In the Duration type list, click Hours or Days to choose the unit in which you will specify the duration.

    3. Select the Duration fixed check box.

    4. In Duration length, type the number of hours or days for which you want the role to remain effective for the orgunit.

  9. Click Add, and then click Done.

Activating a proposed role

If you assigned to an organizational unit (orgunit) a role that you designated as a proposed role, the role does not grant permissions to users in the orgunit until it is activated.

To activate a proposed role

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit for which you want to activate a role.

  3. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  4. On the Organizational unit–roles/<orgunit> page, expand Roles, next to the role you want to activate, click Activate, and then click Done.

Removing an unused membership role

When an organizational unit (orgunit) is removed, BHOLD Core does not delete the orgunit’s membership role. When you remove an orgunit, you should evaluate whether its membership role is still needed, that is, whether you expect to create another orgunit with the same name whose members should receive the same permissions. If not, you should remove the membership role immediately; otherwise, an orgunit created later with the same name could inadvertently pick up the role and grant the role’s permissions to the members of the new orgunit.

To remove an unused membership role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role you want to remove.

    Tip

    If the desired role is not listed, in the Attribute type list, click Description, in Search string, type the role name, and then click the Search button.

  3. On the Role/<role> page, verify that Organizational Units is followed by (0), and then click Remove.
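As an added example (not BHOLD or FIM code), the following Python model ties together the behaviour this topic describes: an orgunit hierarchy with the Roles from parent and Children inherit this role settings, Effective versus Proposed role links and their activation, the rule that a user must remain in at least one orgunit, and the check for MR- membership roles that are no longer linked to any orgunit. The exact inheritance rule used here (a link flows downward only while every orgunit on the path accepts roles from its parent), the helper names, and the sample Sales tree are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    permissions: frozenset = frozenset()
@dataclass
class RoleLink:
    role: Role
    relation: str = "Effective"      # "Effective" or "Proposed" (step 6 above)
    children_inherit: bool = False   # "Children inherit this role" (step 7 above)
@dataclass
class OrgUnit:
    name: str
    parent: "OrgUnit | None" = None
    roles_from_parent: bool = True   # "Roles from parent" check box
    links: list = field(default_factory=list)
    users: set = field(default_factory=set)

    def all_links(self):
        """Own links plus ancestors' links; assumed to flow down only while each orgunit accepts parent roles."""
        found, child, ancestor = list(self.links), self, self.parent
        while ancestor is not None and child.roles_from_parent:
            found += [lk for lk in ancestor.links if lk.children_inherit]
            child, ancestor = ancestor, ancestor.parent
        return found

    def activate(self, role_name):
        """Turn a Proposed link into an Effective one (the Activate button)."""
        for lk in self.links:
            if lk.role.name == role_name:
                lk.relation = "Effective"

def user_permissions(user, orgunits):
    """Union of permissions from Effective links on every orgunit holding the user."""
    return {p for ou in orgunits if user in ou.users
            for lk in ou.all_links() if lk.relation == "Effective"
            for p in lk.role.permissions}

def remove_user(user, ou, orgunits):
    """Refuse a removal that would delete the user from BHOLD Core entirely."""
    if sum(user in o.users for o in orgunits) <= 1:
        raise ValueError(f"{user} is only in {ou.name}; add to another orgunit first")
    ou.users.discard(user)

def unused_membership_roles(roles, orgunits):
    """MR- roles linked to no orgunit: the leftovers the last section warns about."""
    linked = {lk.role.name for ou in orgunits for lk in ou.links}
    return sorted(r.name for r in roles if r.name.startswith("MR-") and r.name not in linked)

def build_model():
    """Constructed sample: Sales tree, an inheriting region, a non-inheriting contractor team."""
    mr_sales = Role("MR-Sales", frozenset({"crm.read"}))
    mr_emea = Role("MR-Sales-EMEA", frozenset({"crm.emea"}))
    tmr = Role("TMR-Contractors", frozenset({"portal.read"}))
    mr_mkt = Role("MR-Marketing", frozenset({"cms.edit"}))   # its orgunit was removed
    sales = OrgUnit("Sales", links=[RoleLink(mr_sales, children_inherit=True)])
    emea = OrgUnit("EMEA", sales, links=[RoleLink(mr_emea)], users={"alice"})
    contractors = OrgUnit("Contractors", sales, roles_from_parent=False,
                          links=[RoleLink(tmr, relation="Proposed")], users={"bob"})
    return [mr_sales, mr_emea, tmr, mr_mkt], [sales, emea, contractors]
```

Running the model shows that alice receives both the inherited MR-Sales permission and her own orgunit's, while bob receives nothing until his Proposed role is activated, and then only that role's permission because his orgunit does not accept roles from its parent.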
