Managing category-based access

 

Applies To: Forefront Identity Manager

In most cases, an individual’s role in an organization is reflected, not just by the individual’s place in the organizational hierarchy, but also by the ways that the individual is categorized. For example, an employee will often have a specific job title, an employment status, a seniority level, and so on. While it is possible to assign permissions to individuals according to these categories by placing users in organizational units (orgunits), this would typically result in such a tangle of orgunits that managing them would be extremely difficult. Instead, you can use attributes to indicate the categories that an individual occupies and then link roles to the categories to provide category-based access control.

In all but very small organizations, manually managing category-based access would be prohibitively labor intensive and error prone. That’s because each time a user is placed in a different role-linked category (that is, the user’s attribute is changed), the user must be added to the new attribute-based role and removed from any attribute-based roles that no longer apply. BHOLD Core automates this process, however, by creating new attribute-based roles as needed and assigning those roles when a user is added or a role-linked attribute is changed.

Note

This topic explains how to enable the automatic creation and assignment of attribute-based roles. For information about manually creating and managing roles that use attribute-based authorization (ABA) policies to control user access, see Managing attribute-based authorization policy for a role in Managing roles.

The following are the basic tasks for managing category-based access:

  • Defining attribute-based roles

  • Managing a user attribute for an attribute-based role

  • Assigning a value to a user attribute

  • Linking permissions to an attribute-based role

  • Removing an unused attribute-based role

Defining attribute-based roles

You instruct BHOLD Core which user attributes to use when creating and managing attribute-based roles by listing the attributes, each with a naming prefix, in a Windows registry value. The registry value consists of one or more attribute name and prefix pairs. The attribute name and the prefix are separated by a comma, and pairs are separated by semicolons, using this syntax:

<attribute_name>,<prefix>[;<attribute_name>,<prefix>]…

For example, if you want BHOLD Core to create roles for the attributes JobTitle and WorkArea, and you want the names of those roles prefixed with JT- and WA- (so you can identify the type of role), the registry value would consist of the following:

JobTitle,JT-;WorkArea,WA-

Because the name of an attribute-based role is the prefix followed by the attribute value, use a different prefix for each attribute. Attributes that shared a prefix would share a role for any value they had in common, and users in different categories would receive the same permissions.

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

To edit the registry to define attribute-based roles

  1. On the computer running BHOLD Core, click Start, type regedit, and then press the Enter key.

  2. In Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\bhold\b1core.

  3. In the right pane, right-click b1ManagedAttributeRoles, and then click Modify.

  4. In the Edit String dialog box, type one or more attribute name/prefix pairs, and then click OK.

  5. Close Registry Editor.

  6. Click Start, point to Administrative Tools, and then click Services.

  7. In Services, right-click B1Service, and then click Restart.

  8. Verify that B1Service successfully restarts, and then close Services.
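The same change scripted in PowerShell, as an added example that is not part of the original page and is not BHOLD code: it checks the attribute/prefix pairs against the syntax given above before writing the value, writes the value to the registry key and value name used in the procedure, restarts B1Service, and confirms that the service came back up. The attribute names and prefixes in the sample call are assumptions chosen to match the example above; the function names are this example's own. Run it from an elevated PowerShell session on the computer running BHOLD Core.

```powershell
# Added example (not from the BHOLD documentation): configure b1ManagedAttributeRoles from PowerShell.
# Run in an elevated session on the BHOLD Core server. The key, value and service names are the
# ones given in the procedure above; nothing else here is taken from the product.

$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\bhold\b1core'
$ValueName = 'b1ManagedAttributeRoles'
$Service   = 'B1Service'

function ConvertTo-ManagedAttributeRoleValue {
    # Builds the "<attribute>,<prefix>;<attribute>,<prefix>" string from an ordered hashtable
    # and rejects anything that would be misread as a separator by that syntax.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Pairs)

    if ($Pairs.Count -eq 0) { throw 'At least one attribute/prefix pair is required.' }
    $parts = foreach ($attr in $Pairs.Keys) {
        $prefix = $Pairs[$attr]
        foreach ($s in @($attr, $prefix)) {
            if ([string]::IsNullOrWhiteSpace($s)) { throw "Empty attribute name or prefix for '$attr'." }
            if ($s -match '[,;]')                   { throw "'$s' contains a comma or semicolon, which would be read as a separator." }
        }
        "$attr,$prefix"
    }
    $parts -join ';'
}

function Set-ManagedAttributeRoles {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Pairs)

    $newValue = ConvertTo-ManagedAttributeRoleValue -Pairs $Pairs

    # Record the current value first so the change can be reverted if needed.
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    Write-Host "Current ${ValueName}: '$current'"
    Write-Host "New     ${ValueName}: '$newValue'"

    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $newValue -Type String

    # The procedure restarts B1Service after the edit; do the same and confirm it is running again.
    Restart-Service -Name $Service
    $svc = Get-Service -Name $Service
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))   # throws if the service does not come back
    $svc.Refresh()
    if ($svc.Status -ne 'Running') { throw "$Service did not return to the Running state." }
    Write-Host "$Service is $($svc.Status); $ValueName set to '$newValue'."
}

# Sample call: the attribute names and prefixes are the ones used as an example in the text above.
Set-ManagedAttributeRoles -Pairs ([ordered]@{ JobTitle = 'JT-'; WorkArea = 'WA-' })
```

The separator check matters because a comma or semicolon inside an attribute name or prefix would silently change which attributes are managed, which in turn changes who gets which roles.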

Managing a user attribute for an attribute-based role

You can use attributes of the user object in BHOLD Core to categorize users so that you can assign roles to users based on those categories. For example, you can create roles corresponding to job titles and assign those roles to users based on an attribute that stores each user’s job title. By default, the user object in the BHOLD database has a few attributes that are mainly useful for distinguishing one user from another. BHOLD also provides a set of attributes that you can add to the user object as your needs require. You can also create your own attributes if the default BHOLD attribute set does not meet your needs.

Managing user attributes consists of the following activities:

  • Adding an attribute to the user object

  • Creating a user attribute

Adding an attribute to the user object

As noted earlier, the BHOLD Core database provides a set of useful attributes that you can use to sort users into categories that you can assign roles to. After you add an attribute to the user object, you can then modify the database record for each user to record values for the attribute.

To add an attribute to the user object

  1. In the BHOLD Core portal, in the left pane under Attribute def, click Object types.

  2. On the Object types page, click Attribute type sets.

  3. On the Attribute type sets page, click Extra User Attributes.

  4. On the Attribute type set/Extra User Attributes page, expand Attribute types, and then click Modify.

  5. On the Attribute types of attribute type set/Extra User Attributes page, do the following, and then click Add:

    • In the Attribute type list, click the attribute type you want to add to the user object.

    • In Order, type a number representing the location of this attribute in the list of user attributes. Attributes with lower order numbers appear higher in the list. You can use this value to place related attributes next to each other, for example.

    • Select the Mandatory check box if you want to require a value for this attribute for all new users.

  6. Click Done.

Creating a user attribute

If you need an attribute type that isn’t in the default set of user attributes in BHOLD Core, you can create an attribute type yourself and add it to the Common User Attributes attribute type set. After you add the attribute to the user object, you can then modify the database record for each user to record values for the attribute.

To create a user attribute

  1. In the BHOLD Core portal, in the left pane under Attribute def, click Attribute types.

  2. On the Attribute types page, click Add.

  3. On the Add attribute type page, enter the following information, and then click OK:

    • Identity (required): The name of the attribute as it appears in the BHOLD Core portal. The name can contain only uppercase and lowercase letters, numbers, and the underscore (_) character.

    • Data type (required): The format of the value that is stored in the attribute.

    • Maximum length (required): The maximum number of characters allowed for an attribute value.

    • List of values (required): Whether the attribute can be

    • Default value (optional): The value that BHOLD Core assigns when no other value is specified.

    • German (optional): The name of the attribute to be displayed when German is the display language.

    • English (optional): The name of the attribute to be displayed when English is the display language.

    • Dutch (optional): The name of the attribute to be displayed when Dutch is the display language.

    • Active Directory (optional): Not used.

    • NTFS (optional): Not used.

  4. In the left pane, click Attribute type sets.

  5. On the Attribute type sets page, click Common User Attributes.

  6. On the Attribute type set/Common User Attributes page, expand Attribute types, and then click Modify.

  7. On the Attribute types of attribute type set/Common User Attributes page, in the Attribute type list, click the attribute that you created.

  8. In Order, type a number that indicates where you want the attribute to appear in the list of user attributes. Lower numbers indicate that the attribute should appear earlier in the list.

  9. Select the Mandatory check box if you want the attribute to be required in all user records.

  10. Click Add, and then click Done.

Assigning a value to a user attribute

When BHOLD Core is configured to manage attribute-based roles for a user attribute, the process of assigning a value to the attribute for a particular user is the trigger that causes BHOLD Core to create the attribute-based role (if necessary) and to add the user to the role. BHOLD Core does not create an attribute-based role until a new value is assigned to the associated attribute for a user. For example, if BHOLD Core is configured to create attribute-based roles by using values in the JobTitle attribute (and using JT- as the naming prefix), the first time the JobTitle attribute is set to Manager for any user, BHOLD Core creates the role JT-Manager and adds the user to that role. Then, whenever another user is assigned Manager as the value of the JobTitle attribute, BHOLD Core adds that user to the JT-Manager role.

Because an attribute-based role is not created until its value is first assigned, you can link permissions to the role only after it has been assigned to at least one user. For more information, see Linking permissions to an attribute-based role in this guide.
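To make the behaviour described above concrete, here is an added example in PowerShell that is not BHOLD code and not part of the original page. It models, in memory, what this section and the later section Removing an unused attribute-based role describe: setting a managed attribute creates the prefixed role on first use of a value, adds the user to it, drops the user from the role for the previous value, and leaves the emptied role in place so that it can be found and removed. The user IDs and attribute values are constructed sample data, and the function names are this example's own; the JobTitle/JT- and WorkArea/WA- pairs are the ones used as an example in this topic.

```powershell
# Added example (not BHOLD code): an in-memory model of attribute-based role assignment.
# Roles are created on first use of a value, users are moved between roles when the value
# changes, and a role that loses its last user is kept rather than deleted.

$ManagedAttributes = [ordered]@{ JobTitle = 'JT-'; WorkArea = 'WA-' }   # same pairs as the registry example
$Roles = @{}      # role name -> HashSet of user IDs
$Users = @{}      # user ID   -> hashtable of attribute values

function Set-UserAttribute {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    if (-not $Users.ContainsKey($UserId)) { $Users[$UserId] = @{} }
    $old = $Users[$UserId][$Attribute]
    $Users[$UserId][$Attribute] = $Value

    # Only attributes listed in b1ManagedAttributeRoles drive role membership.
    if (-not $ManagedAttributes.Contains($Attribute)) { return }
    $prefix = $ManagedAttributes[$Attribute]

    # Leave the role for the previous value; the role itself stays in the store.
    if ($old -and $Roles.ContainsKey("$prefix$old")) { [void]$Roles["$prefix$old"].Remove($UserId) }

    if ($Value -eq '') { return }   # clearing the attribute assigns no new role
    $roleName = "$prefix$Value"
    if (-not $Roles.ContainsKey($roleName)) {
        $Roles[$roleName] = [System.Collections.Generic.HashSet[string]]::new()
        Write-Host "Created role $roleName"
    }
    [void]$Roles[$roleName].Add($UserId)
}

function Get-UnusedAttributeRoles {
    # Roles whose user count is (0): candidates for the removal procedure.
    $Roles.Keys | Where-Object { $Roles[$_].Count -eq 0 } | Sort-Object
}

# Constructed sample data.
Set-UserAttribute -UserId 'alice' -Attribute 'JobTitle' -Value 'Manager'    # creates JT-Manager
Set-UserAttribute -UserId 'bob'   -Attribute 'JobTitle' -Value 'Manager'    # joins JT-Manager
Set-UserAttribute -UserId 'alice' -Attribute 'WorkArea' -Value 'Finance'    # creates WA-Finance
Set-UserAttribute -UserId 'alice' -Attribute 'JobTitle' -Value 'Director'   # creates JT-Director, leaves JT-Manager
Set-UserAttribute -UserId 'bob'   -Attribute 'JobTitle' -Value 'Director'   # JT-Manager now has no users

foreach ($r in ($Roles.Keys | Sort-Object)) {
    '{0,-12} users: {1}' -f $r, (($Roles[$r] | Sort-Object) -join ', ')
}
'Unused roles: ' + ((Get-UnusedAttributeRoles) -join ', ')
```

After the sample calls, JT-Director and WA-Finance hold users and JT-Manager is listed as unused. In BHOLD Core that unused role still exists with whatever permissions were linked to it, which is why the removal procedure later in this topic asks you to check the user count before removing it.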

Linking permissions to an attribute-based role

The purpose of a role is to bring together users who should share a particular set of rights in an application. In the BHOLD role model, these rights are represented as permissions, and these permissions are assigned to users by linking them to roles that are, in turn, linked to the users who are to receive the permissions.

For information about creating and managing permissions, see Managing permissions in this guide.

To link permissions to an attribute-based role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role to which you want to assign a permission.

    Tip

    If the desired role is not listed, in the Attribute type list, click Description, in Search string, type the role name, and then click the Search button.

  3. On the Role/<role> page, expand Permissions, and then click Modify.

  4. On the Role–permissions/<role> page, in the Application list, click the application that the permission belongs to, in Search string (Permission), type the name of the permission, and then click the search button.

    Tip

    To display all the permissions for an application, leave Search string (Permissions) empty when you click the Search button.

  5. In the Unlinked Permissions list, click Add next to the permission you want to link to the role.

  6. Repeat steps 4 and 5 until you have finished linking the desired permissions to the role, and then click Done.

Removing an unused attribute-based role

When a particular value is no longer assigned to an attribute that is linked to a role, BHOLD Core does not delete the corresponding attribute-based role. The role keeps any permissions linked to it, and any user who is later given that attribute value is added to it again. When you stop assigning a particular value to a user attribute, therefore, evaluate whether the corresponding attribute-based role is still needed. For example, suppose BHOLD Core is configured to assign attribute-based roles for an attribute named JobTitle, and you change the names of the job titles used in your organization. In this case, you should remove the attribute-based roles that BHOLD Core created to match the previous set of job titles if they are no longer used.

To remove an unused attribute-based role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role you want to remove.

    Tip

    If the desired role is not listed, in the Attribute type list, click Description, in Search string, type the role name, and then click the Search button.

  3. On the Role/<role> page, verify that Users is followed by (0), and then click Remove.

See also