Managing approval for proposed roles with attributes
Updated: July 1, 2013
Applies To: Forefront Identity Manager
By using attributes of a role object in BHOLD Core, you can give users the authority to approve activation of a proposed role by other users. The names of these attributes indicate the function of the approver, that is, (primary) approver, escalator, or security officer. More than one approver of each type can be specified for a proposed role by adding a number to the attribute name (for example, approver2). Because these attributes are not defined in BHOLD Core by default, you must add them to the role object type in BHOLD Core before you can use them to specify role-activation approvers. For more information about how proposed-role attributes are used in creating a BHOLD FIM Integration approval framework, see Introduction to administering Microsoft BHOLD FIM Integration.
The following are the basic tasks for managing approval for proposed roles by using attributes:
BHOLD FIM Integration recognizes attributes that follow a predefined naming system to identify users who act as role approvers for a proposed role. The following are the three attribute names that BHOLD FIM Integration uses to create role-approval workflows:
where <n> is an optional number that you can use to differentiate multiple approvers of the same type. For example, if you want to specify three escalation approvers for each proposed role, you would add attributes named escalator1, escalator2, and escalator3 to the role object type. For more information about using role attributes to specify role approvers, see Understanding object attributes for role approvers in Introduction to administering Microsoft BHOLD FIM Integration elsewhere in this guide.
In the BHOLD Core portal, in the left pane, click Attribute types.
On the Attribute types page, click Add.
On the Add attribute type page, in Identity, type
securityOfficer. If you will be specifying more than one of the approver type, add a sequential number.
In Maximum length, type
In English, type the name of the attribute as you want it to appear in the BHOLD Core portal (for example,
Approver 1for an attribute named approver1), and then click OK.
Repeat the previous four steps to add more attributes as needed.
In the left pane, click Attribute type sets.
On the Attribute type sets page, click Add.
On the Add attribute type set page, in Description, type a name for the set (such as
ApproverTypes), in English, type a name to appear in the BHOLD Core portal (such as
Role approvers, and then click OK.
On the Attribute type set/<set> page, expand Attribute types, and then click Modify.
In the Attribute type list, click the role-approval attribute type you want to add to the type set, in Order, type a number indicating position of the attribute in the attribute list in the BHOLD Core portal, and then click Add.
Repeat the preceding step to add the remaining role-approval attribute types to the attribute type set, and then click Done.
In the left pane, click Object types.
On the Object types page, click Role.
On the Object type/Role page, expand Attribute type sets, and then click Modify.
On the Link attribute type set/Role page, in Order, type a number indicating the position of the new attribute type set in the sequence of attribute type sets displayed in the BHOLD Core portal, in the Attribute type set list, click the attribute type set that you created, click Add, and then click Done.
After you add the role-approver attribute types to the role object type, you can use those attributes to specify the role approvers for specific proposed roles.
In the BHOLD Core portal, in the left pane, click Roles.
On the Roles page, click the proposed role that you want to modify.
On the Role/<role> page, click Modify.
On the Modify role attributes/<role> page, in the boxes next to the role-approver types that you added, type the default alias of the users that you want to perform those functions, and then click OK.