Managing approval for proposed roles with role-approver roles

 

Applies To: Forefront Identity Manager

By using role-approval roles, you can give users the authority to approve proposed-role activation requests from users who are linked to a proposed role that is linked to a particular organizational unit (orgunit). A role-approval role is a role whose Role Type attribute is set to Approver, Escalator, or Security Officer. When a role-approval role is linked to a proposed role, the users who are assigned (linked) to the role-approval role can approve user activation requests for the proposed role that it is linked to. For more information about how role-approval roles are used in creating a BHOLD FIM Integration approval framework, see Introduction to administering Microsoft BHOLD FIM Integration.

The following are the basic tasks for managing approval for proposed roles by using role-approval roles:

A role-approval role is a BHOLD role that has its Role Type attribute set to Approver, Escalator, or Security Officer. Unlike other roles, a role-approver role is not linked to permissions. Instead, BHOLD FIM Integration uses it to identify users who have particular responsibilities for approving role-activation requests. For more information about role-approval roles, see Understanding role-approval roles in Introduction to administering Microsoft BHOLD FIM Integration elsewhere in this guide.

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, do the following, and then click OK:

    1. In Description, type a name for the role-approval role.

    2. In Role type, type one of the following:

      • Approver

      • Escalator

      • Security Officer

    3. Set other attributes as needed.

  4. In the left pane, click Roles.

  5. On the Roles page, click the proposed role that you want to link the role-approval role to.

  6. On the Role/<role> page, expand Sub-roles, and then click Modify.

  7. On the Role–sub-roles/<role> page, in Search string (Roles), type the name of the role that you created, click the Search button, click Add next to the role, and then click Done.

To assign a user as a role-request approver for the proposed role, you must link the user to the role-approval role.

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role-approval role that you want to link the user to.

  3. On the Role/<role> page, expand Users, and then click Modify.

  4. On the User–users/<user> page, in Search string (Users), type the name of the user, click the Search button, click Add next to the role, and then click Done.
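
The chain that the two procedures above build (proposed role, linked role-approval sub-role, linked users) can be audited after the fact. The following Python code is an added example, not part of the original documentation or of BHOLD: it runs over a constructed role export whose field names are assumptions, and it conservatively counts only the exact spellings Approver, Escalator, and Security Officer as valid Role type values.

```python
APPROVAL_TYPES = ("Approver", "Escalator", "Security Officer")

# Constructed sample export; field names are assumptions, not a BHOLD schema.
ROLES = {
    "Finance Analyst": {"type": "", "sub_roles": ["Finance Approvers", "Finance Escalation"],
                        "users": [], "permissions": ["GL-Read"]},
    "HR Clerk": {"type": "", "sub_roles": ["HR Approvers"], "users": [], "permissions": ["HR-Read"]},
    "Finance Approvers": {"type": "Approver", "sub_roles": [], "users": ["alice", "bob"], "permissions": []},
    "Finance Escalation": {"type": "Escalator", "sub_roles": [], "users": [], "permissions": []},
    "HR Approvers": {"type": "approver", "sub_roles": [], "users": ["carol"], "permissions": ["HR-Write"]},
}

def canonical_type(value):
    """Return the matching approval type, ignoring case and stray spaces, else None."""
    folded = " ".join(value.split()).casefold()
    return next((t for t in APPROVAL_TYPES if t.casefold() == folded), None)

def approvers_for(roles, proposed):
    """Map each approval type to the users linked through the proposed role's sub-roles."""
    result = {t: set() for t in APPROVAL_TYPES}
    for name in roles[proposed]["sub_roles"]:
        role = roles[name]
        if role["type"] in APPROVAL_TYPES:  # exact spelling only (conservative assumption)
            result[role["type"]].update(role["users"])
    return {t: sorted(users) for t, users in result.items()}

def audit(roles, proposed_roles):
    """Return (role, finding) pairs for settings that leave the approval chain incomplete."""
    findings = []
    for name, role in roles.items():
        canon = canonical_type(role["type"])
        if canon is None:
            continue  # not a role-approval role
        if role["type"] != canon:
            findings.append((name, f"Role type typed as {role['type']!r}, expected {canon!r}"))
        if role["permissions"]:
            findings.append((name, "role-approval role is linked to permissions"))
        if not role["users"]:
            findings.append((name, "no users linked"))
    for name in proposed_roles:
        if not approvers_for(roles, name)["Approver"]:
            findings.append((name, "no linked user holds an Approver role"))
    return findings

if __name__ == "__main__":
    for role, finding in audit(ROLES, ["Finance Analyst", "HR Clerk"]):
        print(f"{role}: {finding}")
```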
