Managing individual user access


Applies To: Forefront Identity Manager

One of the principal benefits of role-based access control (RBAC) is that it greatly simplifies the task of managing the rights and privileges granted to a user by grouping those rights and privileges according to the various roles that individuals and groups fulfill in an organization and then assigning users to those roles. In a well-designed role model, practically all the rights and privileges that a user would need are provided through these role assignments.

Although a role is usually considered to be a category that contains multiple users, there are instances when it is appropriate or even necessary to consider a role to be appropriate for only one user, making it a personal role. For example, one of the responsibilities an individual user might have is that of managing the user’s personal folder on a file server. In this case, it would be appropriate for the user’s personal role to be linked to the permissions needed to carry out that responsibility.

When a user is created in the BHOLD role model, BHOLD Core creates a personal role and links the user to the role. Personal roles can be identified by the prefix PR- followed by the user’s name (the Description field in the user’s database record). After the user and role have been created, you can link permissions to the role to grant the user the individual rights and privileges that the user needs. You can also create additional personal roles and assign them to users, as your organization’s needs dictate.

In addition to managing individual user access through personal roles, you can also use proposed roles to control access by individuals. A proposed role is a role that is linked to an organizational unit (orgunit), but which must be activated for some or all of the members of the orgunit before it is effective. To use a proposed role to manage individual user access, you link the role to an orgunit that the user belongs to as a proposed role and then you activate or deactivate the role for the user, as needed. You can also restrict the time when the role is effective for the user.

All activities in this topic require the BHOLD Core portal. For information about using the BHOLD Core portal to administer BHOLD Core, see Using the BHOLD Core portal in this guide.

The following are the basic tasks for managing individual user access:

  • Creating and assigning a personal role

  • Linking a permission to a personal role

  • Renaming a personal role

  • Removing an unused personal role

  • Linking and activating a proposed role

Creating and assigning a personal role

In addition to the default personal role that BHOLD Core creates for each user, you can create and assign additional roles to individual users. This might be useful when a user is given a temporary assignment within your organization. In such a case, you can create a personal role for that user and link the necessary permissions to the role. Then, when the user is no longer working on the temporary assignment, you can remove all those permissions simply by revoking the personal role you created for that purpose.

To create and assign a personal role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, enter the following information, and then click OK:

    Description (required)
      The name of the new role. Tip: Use a naming convention that identifies this as a personal role but distinguishes it from the default personal role. For example, if you are creating a temporary personal role, you could prefix the user’s name with TPR-.

    Supervisor role (optional)
      Identifies the new role as a supervisor role. When this is selected, the role appears in lists of supervisor roles.

    Orgunit context adaptable (optional)
      Specifies that the role will be linked to a context adaptable permission (CAP). For more information, see Managing context adaptable permissions in this guide.

    Supervising role (required)
      The name of the role whose users can manage the new role.

    Maximum number of permissions (optional)
      The highest number of permissions that can be linked to the new role. Leave blank or set to 0 for unlimited permissions.

    Maximum number of Subroles (optional)
      The highest number of roles that can be subordinate to the new role. Leave blank or set to 0 for unlimited roles.

    Maximum number of users (optional)
      The highest number of users that can be linked to the new role. Leave blank or set to 0 for unlimited users.

    Role type (optional)
      Enter Personal to indicate that this is a personal role.

    Managed by FIM (optional)
      Enter Yes to specify that this role is managed by FIM.

  4. On the Role/<role> page, expand Users, and then click Modify.

  5. On the Role – Users/<role> page, in the Attribute type list, click Description, in Search string (Users), type the user’s description (name), and then click the Search button.

    Tip

    To display all users, leave Search string (Users) empty when you click the Search button.

  6. Under UnLinked Users, next to the user you want to assign to the role, click Add, and then click Done.

Linking a permission to a personal role

You use a personal role to bring together a particular set of rights in one or more applications so they can be assigned as a group to a particular user. In the BHOLD role model, these rights are represented as permissions, and these permissions are assigned to users by linking them to roles that are, in turn, linked to the users who are to receive the permissions.

For information about creating and managing permissions, see Managing permissions in this guide.

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role to which you want to assign a permission.

    Tip

    If the desired parent role is not listed, in the Attribute type list, click Description, in Search string, type the role name, and then click the Search button.

  3. On the Role/<role> page, expand Permissions, and then click Modify.

  4. On the Role–permissions/<role> page, in the Application list, click the application that the permission belongs to, in Search string (Permissions), type the name of the permission, and then click the Search button.

    Tip

    To display all the permissions for an application, leave Search string (Permissions) empty when you click the Search button.

  5. In the Unlinked Permissions list, click Add next to the permission you want to assign to the role, and then click Done.

Renaming a personal role

If you change the description of (rename) a user, BHOLD Core automatically creates a personal role with the new name and links the personal role to the user. This new personal role is not linked to any permissions, however. Also, BHOLD Core does not modify or remove the personal role that it created when the user was added to BHOLD Core. After renaming a user, if you want the user to remain linked to the previous personal role but change that role’s name to match the user’s new name, you must first remove the new personal role and then rename the previous personal role. For information about removing a personal role, see Removing an unused personal role in this guide.

To rename a role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role you want to rename.

    Tip

    If the desired role is not listed, in the Attribute type list, click Description, in Search string, type the role name, and then click the Search button.

  3. On the Role/<role> page, click Modify.

  4. On the Modify role attributes/<role> page, in Description, type a new name for the role, and then click OK.

Removing an unused personal role

When a user is removed, BHOLD Core does not delete any personal roles that were linked to the user. When you remove a user, you should immediately remove the user’s personal roles as well, so that a user who is later created with the same name cannot inadvertently receive the permissions linked to those roles.

To remove an unused personal role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role you want to remove.

    Tip

    If the desired role is not listed, in the Attribute type list, click Description, in Search string, type the role name, and then click the Search button.

  3. On the Role/<role> page, verify that Users is followed by (0), and then click Remove.

Linking and activating a proposed role

Proposed roles provide an alternative method for linking permissions to individual users. You can assign a proposed role to an organizational unit (orgunit) that a user belongs to, and then to make the role and its permissions effective for the user, you activate the proposed role for the user. You can also deactivate a proposed role when it is no longer needed.

To assign a proposed role to an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit that you want to link to a role.

  3. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  4. On the Organizational unit–roles/<orgunit> page, in Search string (Roles), type the role’s description (name), and then click the Search button.

    Tip

    To display all roles, leave Search string (Roles) empty when you click the Search button.

  5. In the UnLinked Roles list, next to the role you want to assign to the orgunit, click Add.

  6. Under Link role, in the Relation type list, click Proposed.

  7. To allow the role to be inherited by member orgunits, select the Children inherit this role check box.

  8. To limit the amount of time that the role is linked to the members of the orgunit, do the following:

    1. In the Duration type list, click Hours or Days to specify the units you will use to specify the duration.

    2. Select the Duration fixed check box.

    3. In Duration length, type the number of hours or days you want the role to be effective for the orgunit members.

  9. Click Add, and then click Done.

To activate a proposed role for an individual user

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, in Search string, type the name (description) of the user you want to change, and then click the Search button.

    Tip

    If you are not sure of the spelling, you can use wildcard characters in the search string to match unknown parts of the target string.

  3. In the search results list, click the user you want to change.

  4. On the User/<user> page, expand Inherited roles, and then click Modify.

  5. On the User–roles/<user> page, expand Inherited roles, and then next to the proposed role, click Activate.

  6. On the User–assign temporary roles/<user> page, do one of the following:

    • To make the role immediately effective without time limit, in Reason for linking, type an explanation for why you are activating the role for the user, and then click Add.

    • To make the role immediately effective for a limited period of time, in the Duration type list, click days or hours, in Duration length, type the number of days or hours the role is to be effective, in Reason for linking, type an explanation for why you are activating the role for the user, and then click Add.

    • To make the role effective during a range of time, in the Duration type list, click free, in Start date-time, type the date and (optionally) time when the role is to begin to be effective, in End date-time, type the date and (optionally) time when the role is to cease being effective, in Reason for linking, type an explanation for why you are activating the role for the user, and then click Add.

  7. On the User–roles/<user> page, click Done.
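The following Python block is an added illustration, not BHOLD code and not a BHOLD API: it models the objects this topic describes (personal roles, permissions linked to roles, and proposed roles activated per user) so that two checks from this topic can be run on constructed data. It maps the three activation options above to an effective time window, computes the permissions a user holds at a given time, and flags personal roles that lost their user, which is the situation Removing an unused personal role warns about. All role, user and permission names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed, simplified model of the objects this topic describes; not BHOLD's schema or API.
@dataclass
class Role:
    description: str                  # e.g. "PR-Alice Smith"
    role_type: str = ""               # "Personal" marks a personal role
    permissions: set = field(default_factory=set)
    users: set = field(default_factory=set)   # descriptions of linked users

@dataclass
class Activation:                     # a proposed role activated for one user
    user: str
    role: str
    start: datetime
    end: "datetime | None" = None     # None: activated without time limit

def activation_window(now, duration_type=None, length=0, start=None, end=None):
    """Map the options on the 'assign temporary roles' page to (start, end)."""
    if duration_type is None:                   # immediate, no time limit
        return now, None
    if duration_type in ("hours", "days"):      # immediate, fixed length
        return now, now + timedelta(**{duration_type: length})
    if duration_type == "free":                 # explicit start/end range
        return start, end
    raise ValueError(f"unknown duration type {duration_type!r}")

def effective_permissions(user, roles, activations, at):
    """Permissions a user holds at time 'at' via linked roles and activations."""
    at = datetime.fromisoformat(at) if isinstance(at, str) else at
    linked = {r.description for r in roles.values() if user in r.users}
    active = {a.role for a in activations if a.user == user   # inside its window only
              and a.start <= at and (a.end is None or at < a.end)}
    return set().union(*(roles[r].permissions for r in linked | active))

def orphaned_personal_roles(roles, users):
    """Personal roles with no linked user, or linked to a user that no longer exists."""
    return sorted(r.description for r in roles.values() if r.role_type == "Personal"
                  and (not r.users or not r.users <= users))

def sample_model():
    """Constructed data: Alice is current; Bob was removed but his PR- role remains."""
    roles = {r.description: r for r in (
        Role("PR-Alice Smith", "Personal", {"files:home-alice"}, {"Alice Smith"}),
        Role("PR-Bob Jones", "Personal", {"files:home-bob"}),
        Role("Audit reviewer", "", {"audit:read"}))}
    start, end = activation_window(datetime(2024, 1, 1, 9, 0), "days", 2)
    return roles, {"Alice Smith"}, [Activation("Alice Smith", "Audit reviewer", start, end)]
```

Running orphaned_personal_roles against a current user list is the scripted equivalent of checking that Users is followed by (0) on the Role page before clicking Remove.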
