Managing roles

 

Applies To: Forefront Identity Manager

As you would expect, roles provide the foundation for role-based access control (RBAC). By assigning permissions to roles rather than users or groups, an RBAC implementation makes it easier to manage access control by tying the controls to users’ and groups’ job functions within an organization instead of to their placement within the organization. Roles, then, provide the means of assigning permissions to individual users and members of organizational units (orgunits) based on their function within the organization.

Roles can be related to each other, allowing parent roles to inherit permissions from lower-level roles called subroles.

Important

Orgunits and roles differ in how inheritance flows. In the case of orgunits, characteristics of higher-level orgunits are inherited by lower-level (member) orgunits. The opposite is true for roles, however. Higher-level roles inherit the permissions that are linked to their subroles.

Roles provide additional mechanisms for fine-tuning access control, including maintaining role cardinality (limits on the number of users and orgunits that can be assigned a role), attribute-based authorization (policies that control authorization based on the values of user attributes), and requiring proposed roles to be activated.

All activities in this topic require the BHOLD Core portal. For information about using the BHOLD Core portal to administer BHOLD Core, see Using the BHOLD Core portal in this guide.

The following are basic tasks for managing roles:

  • Creating a role

  • Linking a permission to a role

  • Managing permission inheritance

  • Managing role supervisors

  • Assigning a role to an individual user

  • Assigning a role to an organizational unit

  • Activating a proposed role

  • Limiting permissions and users

  • Managing attribute-based authorization policy for a role

  • Managing an automatically created role

  • Removing a role

Creating a role

Many roles are automatically created by BHOLD Core. For example, for each new organizational unit (orgunit), BHOLD Core creates a membership role (with the MR- prefix) for that orgunit. BHOLD Core also creates personal roles (prefixed with PR-) for individual users. Another method for creating roles automatically is by using attribute-based roles. For information about attribute-based roles, see Managing category-based access in this guide.

These automatically created roles are valuable for helping you implement role-based access control (RBAC), but it’s likely that you will need to create roles directly to account for situations where roles extend across individual, orgunit, and category boundaries.

To create a role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, enter the following information, and then click OK:

    Description (Required)
        The name of the new role. Tip: Use a naming convention that indicates the type of role, so that it is easier to identify how the role is used.
    Supervisor role (Optional)
        Identifies the new role as a supervisor role. When this is selected, the role appears in lists of supervisor roles.
    Orgunit context adaptable (Optional)
        Specifies that the role will be linked to a context adaptable permission (CAP). For more information, see Managing context adaptable permissions in this guide.
    Supervising role (Required)
        The name of the role whose users can manage the new role. A default supervisor role is provided; you can add other, previously created supervisor roles.
    Maximum number of permissions (Optional)
        The highest number of permissions that can be linked to the new role. Leave blank or set to 0 for unlimited permissions.
    Maximum number of Subroles (Optional)
        The highest number of roles that can be subordinate to the new role. Leave blank or set to 0 for unlimited roles.
    Maximum number of users (Optional)
        The highest number of users that can be linked to the new role. Leave blank or set to 0 for unlimited users.
    Role type (Optional)
        Type a label that you can use to search for this role, such as the project name.
    Managed by FIM (Optional)
        Enter Yes to specify that this role is managed by FIM.

Linking a permission to a role

The principal purpose of a role is to bring together users who should share a particular set of rights in one or more applications. In the BHOLD role model, these rights are represented as permissions, and these permissions are assigned to users by linking them to roles that are, in turn, linked to the users who are to receive the permissions.

For information about creating and managing permissions, see Managing permissions in this guide.

To link a permission to a role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role to which you want to assign a permission.

    Tip

    If the desired role is not listed, in the Attribute type list, click Description, in Search string, type the role name, and then click the Search button.

  3. On the Role/<role> page, expand Permissions, and then click Modify.

  4. On the Role–permissions/<role> page, in the Application list, click the application that the permission belongs to, in Search string (Permission), type the name of the permission, and then click the Search button.

    Tip

    To display all the permissions for an application, leave Search string (Permissions) empty when you click the Search button.

  5. In the Unlinked Permissions list, click Add next to the permission you want to assign to the role, and then click Done.

Managing permission inheritance

Roles can be linked together so that permissions are shared automatically between them. When two roles are linked, one is called the parent role and the other the subrole. Unlike most other kinds of inheritance, in BHOLD Core the inheritance runs in the opposite direction: the parent role inherits the permissions of the subrole, not the other way around. In practice this means that linking a subrole to a role widens what the parent role's users can do, so review the subrole's permissions before creating the link.

The parent-subrole relationship is not a strict hierarchy: a role can have any number of parents and any number of subroles. The only restriction is that roles cannot be linked in a way that produces circular inheritance.

To link two roles, you modify one of them to specify either its parent role or its subrole. Both roles must already exist; you cannot, for example, create a new subrole directly as a member of another role.

To designate a parent role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role that you want to designate a parent role for.

  3. On the Role/<role> page, expand Parent roles, and then click Modify.

  4. On the Role–parent roles/<role> page, in Search string (Roles), type the name of the role that you want to make a parent role of this role, and then click the Search button.

    Tip

    To list all roles, leave Search string (Roles) empty when you click the Search button.

  5. Click Add next to the role that you want to designate as a parent role, and then click Done.

To designate a subrole

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role that you want to designate a subrole for.

  3. On the Role/<role> page, expand Sub-roles, and then click Modify.

  4. On the Role–sub-roles/<role> page, in Search string (Roles), type the name of the role that you want to make a subrole of this role, and then click the Search button.

    Tip

    To list all roles, leave Search string (Roles) empty when you click the Search button.

  5. Click Add next to the role that you want to designate as a subrole, and then click Done.
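The following is an added illustrative model of the inheritance rules described above (it is example code written for this page, not BHOLD Core code or its API). It models a role's effective permissions as its directly linked permissions plus everything reachable by following subrole links, rejects links that would make inheritance circular, and includes an audit helper that answers the question a reviewer usually has: which roles end up granting a given permission? The role and permission names are constructed for the example.

```python
"""Illustrative model of BHOLD Core role inheritance (added example, not BHOLD code).

Rules taken from the text: a parent role inherits the permissions linked to its
subroles (inheritance flows upward), a role may have many parents and many
subroles, and links that would produce circular inheritance are rejected.
"""
from collections import defaultdict


class CircularInheritanceError(ValueError):
    """Raised when a parent/subrole link would close a cycle."""


class RoleModel:
    def __init__(self):
        self.direct = defaultdict(set)    # role -> permissions linked directly to it
        self.subroles = defaultdict(set)  # role -> subroles it inherits from

    def link_permission(self, role, permission):
        self.direct[role].add(permission)

    def add_subrole(self, parent, subrole):
        """Make `subrole` a subrole of `parent`, so that `parent` inherits from it."""
        # The link is circular if `parent` is already reachable from `subrole`.
        if parent == subrole or self._reaches(subrole, parent):
            raise CircularInheritanceError(
                f"making {subrole!r} a subrole of {parent!r} would be circular")
        self.subroles[parent].add(subrole)

    def add_parent(self, role, parent):
        """The same link, designated from the child's side (the Parent roles page)."""
        self.add_subrole(parent, role)

    def _reaches(self, start, target):
        """True if `target` is reachable from `start` by following subrole links."""
        seen, stack = set(), [start]
        while stack:
            role = stack.pop()
            if role == target:
                return True
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self.subroles.get(role, ()))
        return False

    def effective_permissions(self, role):
        """Direct permissions plus everything inherited through subroles, transitively."""
        perms, seen, stack = set(), set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.direct.get(r, set())
            stack.extend(self.subroles.get(r, ()))
        return perms

    def roles_granting(self, permission):
        """Audit helper: every role whose effective permissions include `permission`."""
        roles = set(self.direct) | set(self.subroles)
        return {r for r in roles if permission in self.effective_permissions(r)}


def demo():
    """Constructed roles: director inherits from manager, manager from staff."""
    m = RoleModel()
    m.link_permission("Sales-Staff", "CRM/Read")
    m.link_permission("Sales-Manager", "CRM/Approve")
    m.link_permission("Finance-Auditor", "Ledger/Read")
    m.add_subrole("Sales-Manager", "Sales-Staff")        # manager inherits staff rights
    m.add_parent("Sales-Manager", "Regional-Director")   # director inherits manager rights
    return m


if __name__ == "__main__":
    model = demo()
    print(sorted(model.effective_permissions("Regional-Director")))
    print(sorted(model.roles_granting("CRM/Read")))
```

Running it shows that Regional-Director holds CRM/Read without ever being linked to it directly, which is exactly the effect a reviewer has to trace before approving a new subrole link.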

Managing role supervisors

Users who are assigned to a supervisor role for a role are able to link the role to organizational units (orgunits) and users, to link permissions to the role, to make the role the parent or subrole of another role, and to modify the attributes of the role. Because a supervisor can change what a role grants and who receives it, supervisor roles are privileged and should be assigned sparingly. Every role must have at least one supervisor role. When you create a role, the role is automatically assigned the default supervisor role. You can assign additional supervisor roles to a role to give other users the ability to manage the role.

To assign a supervisor role to a role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role which you want to assign a supervisor role to.

  3. On the Role/<role> page, expand Supervision, expand Supervisor roles, and then click Modify.

  4. On the Role–supervisors/<role> page, in the Role list, click the supervisor role you want to assign to this role, click Add, and then click Done.

Assigning a role to an individual user

Most often, roles are assigned to users automatically as a result of membership in an organizational unit (orgunit), through attribute-based roles, or when a personal (PR-) role is created for the user when the user is added to BHOLD. In some cases it is necessary to assign a role directly to an individual user, for example, when the user is part of a short-term project that crosses organizational boundaries.

To assign a role to a user

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role which you want to assign to a user.

  3. On the Role/<role> page, expand Users, and then click Modify.

  4. On the Role–users/<role> page, in the Attribute type list, click the attribute you want to use to find the user, in Search string (users), type the value of the search attribute, and then click the Search button.

    Tip

    To display all users, leave Search string (users) blank.

  5. Under Unlinked users, to the right of the user you want to assign the role to, click Add, and then click Done.

Assigning a role to an organizational unit

By default, BHOLD creates and assigns a membership role (MR-) for each organizational unit (orgunit) when it is added to BHOLD. In addition to this default membership role, you can assign additional roles to an orgunit which will then apply to all users who belong to the orgunit.

To assign a role to an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit which you want to link to a role.

  3. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  4. On the Organizational unit–roles/<orgunit> page, in Search string (Roles), type the role’s description (name), and then click the Search button.

    Tip

    To display all roles, leave Search string (Roles) empty when you click the Search button.

  5. In the UnLinked Roles list, next to the role you want to assign to the orgunit, click Add.

  6. Under Link role, in the Relation type list, click Effective to assign the role immediately to the orgunit, or click Proposed to require approval of the role assignment to the orgunit.

  7. To allow the role to be inherited by member orgunits, select the Children inherit this role check box.

  8. To limit the length of time that the role is linked to the orgunit, do the following:

    1. In the Relation type list, click Proposed.

    2. In the Duration type list, click Hours or Days to specify the units you will use to specify the duration.

    3. Select the Duration fixed check box.

    4. In Duration length, type the number of hours or days you want the role to be effective for the orgunit.

  9. Click Add, and then click Done.

Activating a proposed role

If you linked a role to an organizational unit (orgunit) with the Proposed relation type, the role does not grant permissions to users in the orgunit until it is activated.

To activate a proposed role

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit for which you want to activate a role.

  3. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  4. On the Organizational unit–roles/<orgunit> page, expand Roles, next to the role you want to activate, click Activate, and then click Done.

Limiting permissions and users

One way to ensure that a role is not assigned inappropriately is to limit the number of users or permissions that can be linked to it. That way, errors in the implementation of features such as inheritance or attribute-based authorization (ABA) policies cannot result in a role being assigned to more users, or carrying more permissions, than intended. This limit on the number of users or permissions that a role can be linked to is known as cardinality. You can also apply cardinality to users (to limit the number of permissions or roles assigned to the user) and to permissions (to limit the number of roles and users the permission can be assigned to).

If a maximum number of users is set, users assigned the role beyond that maximum still receive the assignment, but the assignment is disabled. When you review a role that has hit its limit, check for these disabled assignments rather than assuming the extra assignments were dropped.

Important

When a role has both cardinality limits and attribute-based authorization (ABA) policies, BHOLD applies cardinality limits before evaluating the ABA policies. Consequently, if the cardinality limits of a role are more restrictive than its ABA policies, the number of users or orgunits that are assigned by the ABA policies will not exceed the number of assignments allowed by the cardinality limits.

To limit permissions and users for a role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role for which you want to manage cardinality.

  3. On the Role/<role> page, click Modify.

  4. On the Modify role attributes/<role> page, in Maximum number of permissions, type a number specifying the maximum number of permissions you want to allow to be assigned to the role, or leave blank to allow an unlimited number.

  5. In Maximum number of users, type a number specifying the maximum number of users you want to allow to be assigned to the role, or leave blank to allow an unlimited number.

  6. Click OK, and then click Done.

Managing attribute-based authorization policy for a role

Attribute-based authorization (ABA) provides a means for you to directly assign roles to users based on the users’ attributes. To be assigned an ABA role, a user does not have to belong to a particular organizational unit (orgunit) or to be assigned the role directly. Instead, the role is assigned to the user based on the value of an attribute in the user’s database record. Depending on the policy, if the attribute value changes, BHOLD can automatically rescind the role assignment. Conversely, you can modify the ABA policy to automatically change the set of users that the role is assigned to.

An ABA policy of a role is essentially a Boolean expression that, if evaluated to be true for a user, assigns the role to the user. A role can have more than one ABA policy. If a role has more than one policy, a user is assigned the role if any of the policies is true for the user. A policy can be deactivated so that it is not evaluated to determine whether a role should be assigned to a user.

This section describes procedures for manually managing roles with ABA policies. For information about configuring BHOLD to automatically manage attribute-based roles, see Managing category-based access.

Creating an ABA policy for a role

When you create an attribute-based authorization (ABA) policy for a role, you specify a user attribute and how the attribute is to be evaluated:

  • Is the value of the attribute equal to, less than, or greater than a value that you specify?

  • Does the value of the attribute fall within a range of values that you specify?

  • Does the value of the attribute match a regular expression that you specify?

  • Is the value of the attribute a date that occurs on, before, or after a date that you specify?

As previously noted, if any of the expressions is evaluated to be true for a user, the user is assigned the role that the ABA policy applies to.

To create an ABA policy for a role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role for which you want to create an ABA policy.

  3. On the Role/<role> page, expand Policies, and then click Modify.

  4. In the Policy dialog box, in Select the user attribute for the Policy, click the user attribute that you want the policy to evaluate, do one of the following, and then click Apply Policy:

    • To evaluate the value of the attribute, click Values, in Values, type the value you want to compare with the user attribute, and then in Operator, click the type of comparison you want to perform.

    • To evaluate whether the value of the attribute falls within a range of values, click Range, in Minimum Value, type the starting value of the range, and then in Maximum Value, type the ending value of the range.

    • To evaluate whether the value of the attribute matches a regular expression, click Regular Expressions, and then in Regular Expression, type the regular expression you want to compare to the user attribute.

      Important

      Regular expressions are limited to a maximum of 2000 characters.

    • To evaluate whether the value of the attribute matches or occurs before or after a date, click Date, in Date, type the date you want to compare with the user attribute, and then in Operator, click the type of comparison you want to perform.

  5. Repeat the preceding step to add more ABA policies to the role.

  6. When you have finished adding ABA policies to the role, click Close.
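The following is an added illustrative model of how the ABA policy types above combine with the cardinality limits described under Limiting permissions and users (example code written for this page, not BHOLD Core code or its API). It evaluates the four policy kinds (compare to a value, fall within a range, match a regular expression, compare to a date), treats a role with several policies as assigned when any active policy is true, skips deactivated policies, enforces the 2000-character regular-expression limit, and caps the matched set at the role's maximum number of users, marking the excess assignments as disabled. Two details are assumptions, not something the page states: regular expressions are matched against the whole attribute value, and when the cap is exceeded the users matched first (in input order) are the ones kept enabled. The attribute names, users and policy values are constructed.

```python
"""Illustrative model of ABA policies plus role cardinality (added example, not BHOLD code)."""
import operator
import re
from dataclasses import dataclass, field
from datetime import date

_OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt}
MAX_REGEX_LEN = 2000  # limit stated in the text


@dataclass
class Policy:
    attribute: str
    kind: str                 # "values", "range", "regex" or "date"
    op: str = "="             # comparison for "values" and "date"
    value: object = None      # comparand for "values", "regex" (pattern) and "date" (ISO string)
    low: object = None        # bounds for "range"
    high: object = None
    active: bool = True       # a deactivated policy is never evaluated

    def __post_init__(self):
        if self.kind == "regex" and len(self.value) > MAX_REGEX_LEN:
            raise ValueError("regular expression exceeds 2000 characters")

    def matches(self, attrs):
        if not self.active or self.attribute not in attrs:
            return False
        v = attrs[self.attribute]
        if self.kind == "values":
            return _OPS[self.op](v, self.value)
        if self.kind == "range":
            return self.low <= v <= self.high
        if self.kind == "regex":
            # Assumption: whole-value match, not a substring search.
            return re.fullmatch(self.value, str(v)) is not None
        if self.kind == "date":
            return _OPS[self.op](date.fromisoformat(v), date.fromisoformat(self.value))
        raise ValueError(f"unknown policy kind {self.kind!r}")


@dataclass
class Role:
    name: str
    policies: list = field(default_factory=list)
    max_users: int = 0        # 0 (or blank in the portal) means unlimited


def evaluate(role, users):
    """Return {user_id: "effective" | "disabled"} for users matched by any active policy.

    Assumption: matches beyond max_users are still assigned but disabled, with
    the earliest matches (in input order) kept effective.
    """
    result = {}
    for uid, attrs in users.items():
        if any(p.matches(attrs) for p in role.policies):
            over = role.max_users and len(result) >= role.max_users
            result[uid] = "disabled" if over else "effective"
    return result


# Constructed sample users; attribute names are illustrative.
USERS = {
    "alice": {"department": "Sales", "grade": 7, "hireDate": "2019-03-01"},
    "bob":   {"department": "Sales", "grade": 4, "hireDate": "2023-06-15"},
    "carol": {"department": "Finance", "grade": 9, "hireDate": "2010-01-20"},
    "dave":  {"department": "Sales-EMEA", "grade": 5, "hireDate": "2021-09-01"},
}


def demo():
    sales = Role("Sales-Staff", max_users=2, policies=[
        Policy("department", "values", "=", "Sales"),
        Policy("department", "regex", value=r"Sales-.*"),   # regional sales orgunits
    ])
    senior = Role("Senior-Staff", policies=[Policy("grade", "range", low=7, high=10)])
    veteran_policy = Policy("hireDate", "date", "<", "2012-01-01", active=False)
    veteran = Role("Veteran", policies=[veteran_policy])
    inactive = evaluate(veteran, USERS)      # deactivated policy: nobody assigned
    veteran_policy.active = True
    active = evaluate(veteran, USERS)
    return {
        "sales": evaluate(sales, USERS),     # third match exceeds max_users -> disabled
        "senior": evaluate(senior, USERS),
        "veteran_inactive": inactive,
        "veteran_active": active,
    }


if __name__ == "__main__":
    for name, assignments in demo().items():
        print(name, assignments)
```

The Sales-Staff result is the case to notice: the regular-expression policy quietly widens the role to a fourth department, and only the cardinality limit of 2 stops the extra user from receiving an effective assignment. Show impact (described in the next section) is the portal's way of seeing the same thing before the policy goes live.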

Determining the impact of an ABA policy of a role

After creating an attribute-based authorization (ABA) policy, you can verify that the policy matches the correct users by examining the results of applying the policy.

To determine the impact of a role ABA policy

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role for which you want to check an ABA policy.

  3. On the Role/<role> page, expand Policies, and then click the policy you want to check.

  4. In the Update Policy dialog box, click Show impact.

Managing an ABA policy of a role

You can modify the type, operator, and parameters of an existing attribute-based authorization policy. You can also deactivate a policy so that it will not be evaluated to assign the role to a user, and you can remove the policy.

To manage an ABA policy

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role whose ABA policy you want to manage.

  3. On the Role/<role> page, expand Policies, and then click the policy you want to manage.

  4. In the Update Policy dialog box, do one of the following:

    • To modify the policy, change the user attribute, policy type, values, and operator as required, and then click OK.

    • To deactivate the policy, click Deactivate.

    • To remove the policy from the role, click Remove, and then click OK.

  5. In the Policy dialog box, click Close.

Managing an automatically created role

When BHOLD automatically creates a role for a user or organizational unit (orgunit), it bases the name of the role on the Description attribute of the user or orgunit. If that description subsequently changes, the role continues to be assigned to the user or orgunit, but the role name itself does not change. This can lead to confusion when trying to understand the relationship between the role and the user or orgunit for which it was created. More seriously, if a new user or orgunit with the previous name is added to BHOLD, BHOLD does not create a role with a duplicate name; instead it assigns the existing role, together with every permission linked to it, to the new user or orgunit.

For example, if an orgunit named Sales is added to BHOLD, by default BHOLD automatically creates a membership role named MR-Sales and links it to the Sales orgunit. Later, the Description (name) attribute of the Sales orgunit is changed to Marketing. The MR-Sales role continues to be assigned to the Marketing orgunit. However, if another orgunit named Sales is added, BHOLD assigns the MR-Sales role to the new Sales orgunit, so that both the Marketing and the Sales orgunits are assigned the MR-Sales role.

For this reason, after changing the Description attribute of a user or orgunit, you should also make a corresponding change to the Description attribute of the personal or membership role, to ensure that the names match and that the role will not be inappropriately assigned to a new user or orgunit.

To change the Description attribute of a user and its personal role

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, in Search string, type the name (description) of the user that you want to change, and then click the Search button.

    Tip

    If you are not sure of the spelling, you can use wildcard characters in the search string to match unknown parts of the target string.

  3. In the search results list, click the user that you want to change.

  4. On the User/<user> page, click Modify.

  5. On the Edit user attributes/<user> page, in Description, type the new name for the user, and then click OK.

  6. On the User/<user> page, expand Roles, and then click the user’s personal (PR-) role.

  7. On the Role/<role> page, click Modify.

  8. On the Modify role attributes/<role> page, in Description, replace the user’s previous name (description) with the new name, and then click OK.

To change the Description attribute of an orgunit and its membership role

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, in Search string, type the name (description) of the orgunit you want to change, and then click the Search button.

    Tip

    If you are not sure of the spelling, you can use wildcard characters in the search string to match unknown parts of the target string.

  3. In the search results list, click the orgunit that you want to change.

  4. On the Organizational unit/<orgunit> page, click Modify.

  5. On the Edit organizational unit attributes/<orgunit> page, in Description, type the new name for the orgunit, and then click OK.

  6. On the Organizational unit/<orgunit> page, expand Roles, and then click the orgunit’s membership (MR-) role.

  7. On the Role/<role> page, click Modify.

  8. On the Modify role attributes/<role> page, in Description, replace the orgunit’s previous name (description) with the new name, and then click OK.

When you remove a user or orgunit from BHOLD, you should also remove any personal or membership roles that were created for the user or orgunit, to prevent the BHOLD database from becoming cluttered with obsolete roles and to avoid the possibility of the role being inappropriately assigned to a new user or orgunit. See the next section for information on how to remove a role from BHOLD.
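Because both the rename drift described in this section and the orphaned roles left behind after removals are easy to miss in the portal, the following added example (written for this page; not BHOLD code, and this page documents no BHOLD scripting interface) shows an audit over a constructed export of users, orgunits and their PR-/MR- roles. It flags a personal or membership role whose name no longer matches its owner's Description, a role linked to more than one owner (the MR-Sales case above), and an automatically created role linked to no owner at all. The flat record layout and the assumption that only roles with the PR- or MR- prefix are automatically created are the example's own.

```python
"""Audit of automatically created PR-/MR- roles (added example, not BHOLD code)."""
from collections import defaultdict

# Assumption for the example: automatically created roles are identified by prefix.
PREFIXES = {"user": "PR-", "orgunit": "MR-"}


def audit_auto_roles(roles, owners, links):
    """Return sorted findings about personal (PR-) and membership (MR-) roles.

    roles:  set of role Description values present in BHOLD
    owners: {owner_id: (kind, description)}, kind is "user" or "orgunit"
    links:  [(role, owner_id)] for personal/membership roles linked to owners

    Findings are tuples:
      ("orphaned", role)                        role linked to no user or orgunit
      ("shared", role, (owner_id, ...))         role linked to more than one owner
      ("drift", role, owner_id, expected_name)  role name no longer matches owner
    """
    owners_by_role = defaultdict(list)
    for role, owner_id in links:
        owners_by_role[role].append(owner_id)

    findings = []
    for role in roles:
        if not role.startswith(tuple(PREFIXES.values())):
            continue  # manually created role, outside the scope of this check
        linked = sorted(owners_by_role.get(role, []))
        if not linked:
            findings.append(("orphaned", role))
            continue
        if len(linked) > 1:
            findings.append(("shared", role, tuple(linked)))
        for owner_id in linked:
            kind, description = owners[owner_id]
            expected = PREFIXES[kind] + description
            if role != expected:
                findings.append(("drift", role, owner_id, expected))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def demo():
    """Constructed data reproducing the Sales/Marketing rename from the text."""
    owners = {
        "u1":   ("user", "Ann Lee"),       # user renamed from "Anna Lee"
        "ou-1": ("orgunit", "Marketing"),  # orgunit renamed from "Sales"
        "ou-2": ("orgunit", "Sales"),      # new orgunit that picked up MR-Sales
        "ou-3": ("orgunit", "Support"),
    }
    roles = {"PR-Anna Lee", "MR-Sales", "MR-Support", "MR-Legal", "Sales-Staff"}
    links = [
        ("PR-Anna Lee", "u1"),
        ("MR-Sales", "ou-1"),
        ("MR-Sales", "ou-2"),
        ("MR-Support", "ou-3"),
        # MR-Legal has no link: its orgunit was removed, the role was not
    ]
    return audit_auto_roles(roles, owners, links)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Each "drift" finding names the Description the role should carry, which is the value to enter in step 8 of the procedures above; each "orphaned" finding is a candidate for the removal procedure in the next section, after confirming that nothing else still depends on the role.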

Removing a role

BHOLD does not automatically remove roles, even when they are no longer assigned to a user or organizational unit (orgunit). Consequently, there is a potential for obsolete roles to persist in the BHOLD database when they are no longer needed. An accumulation of unassigned roles can make it harder to manage BHOLD and increases the risk of a role (and its associated permissions) being assigned to the wrong user or orgunit. For this reason, you should periodically review the roles in BHOLD and remove the ones that are no longer useful.

To remove a role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role you want to remove.

  3. On the Role/<role> page, click Remove, and then, on the Remove role/<role> page, click OK.
