Managing approval for BHOLD organizational units with role-approver roles

 

Applies To: Forefront Identity Manager

By using role-approval roles, you can give users the authority to approve proposed-role activation requests by other users who belong to a particular organizational unit (orgunit). A role-approval role is a role whose Role Type attribute is set to Approver, Escalator, or Security Officer. When a role-approval role is linked to an orgunit, the users who are assigned (linked) to that role can approve user activation requests for any proposed role linked to that orgunit. For more information about how role-approval roles are used in creating a BHOLD FIM Integration approval framework, see Introduction to administering Microsoft BHOLD FIM Integration.

The following are the basic tasks for managing approval for BHOLD orgunits by using role-approval roles:

  • Create a role-approval role and link it to an orgunit

  • Link a user to a role-approval role

A role-approval role is a BHOLD role that has its Role Type attribute set to Approver, Escalator, or Security Officer. Unlike other roles, a role-approval role is not linked to permissions. Instead, BHOLD FIM Integration uses it to identify users who have particular responsibilities for approving role-activation requests. For more information about role-approval roles, see Understanding role-approval roles in Introduction to administering Microsoft BHOLD FIM Integration elsewhere in this guide.

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, do the following, and then click OK:

    1. In Description, type a name for the role-approval role.

    2. In Role type, type one of the following:

      • Approver

      • Escalator

      • Security Officer

    3. Set other attributes as needed.

  4. In the left pane, click Organizational units.

  5. On the Organizational units page, click the orgunit you want to link the role-approval role to.

  6. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  7. On the Organizational unit–roles/<orgunit> page, in Search string (Roles), type the name of the role that you created, click the Search button, and then, next to the role, click Add.

  8. In the Relation type list, click Proposed, click Add, and then click Done.

Because the role-approval role was linked to the orgunit as a proposed role, if the user you want to designate as an approver for the orgunit belongs to the orgunit, the role must be activated for that user. Otherwise, the role can be directly linked to the user.

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, click the user you want to link the role-approval role to.

  3. On the User/<user> page, expand Inherited roles, and then click Modify.

  4. If the role-approval role appears in the Inherited roles list, do the following:

    1. Click Modify.

    2. On the User–roles/<user> page, expand Inherited roles, next to the role-approval role, click Activate, click Add, and then click Done.

    If the role-approval role does not appear in the Inherited roles list, do the following:

    1. Expand Roles, and then click Modify.

    2. On the User–roles/<user> page, in Search string (Roles), type the name of the role-approval role, click the Search button, next to the role click Add, click Add again, and then click Done.
