Using the BHOLD Model Generator wizard

Applies To: Forefront Identity Manager

After you have created the necessary Microsoft BHOLD Model Generator input files and planned the settings you will use in each of the Model Generator settings, you are ready to use Model Generator to create and export your BHOLD role model. For information about input files, see Preparing Model Generator input files. For guidance on planning Model Generator stages, see Before you begin.

To start Model Generator, double-click the Microsoft BHOLD Suite—Model Generator shortcut on the desktop. If the shortcut is not available, you can type the following URL into the address bar of a web browser:

https://<server>:<port>/BHOLD/Model%20Generator/

where <server> is the name of the test BHOLD Core server that you are using to prepare your role model for export to your production server and <port> is the port used by the BHOLD Core web site.

As described in Before you begin, Model Generator has five stages. In the first stage, Model Generator imports the data in input files that you supply, creates objects in the role model in the BHOLD Core database, and then links those objects together to form a normalized role model. As part of the first stage, Model Generator creates personal roles linked to individual users.

After completing the first stage, you can perform the remaining stages in any order, and you can skip any stage. When each stage completes, Model Generator saves a backup of the role model, allowing you to revert to the state of the role model at the completion of that stage. To revert to an earlier stage, click the stage in the Restore Existing Backup list and then click Change Model Stage.

When you run the first stage, you have the option of retaining the existing role model as it exists in the BHOLD Core database, or you can choose to completely replace the existing model. The first time you run Model Generator, you should clear the check box that retains the existing model to ensure that the BHOLD Core database is properly prepared to receive a new role model.

The following are tasks you can complete by using Model Generator:

  • Creating the initial role model

  • Creating proposed membership roles

  • Creating attribute-based roles

  • Creating proposed roles

  • Resolving supervisor roles without owners

  • Exporting the role model

Creating the initial role model

The first stage of Model Generator, the import files stage, is the most important of the five stages. In this stage, Model Generator imports data from the input files that you supply and then creates and links the organizational units (orgunits), users, applications, accounts, permissions, and roles that compose the role model. As a part of this process, Model Generator creates personal roles according to naming conventions that you specify. For more information about this stage, see Planning personal role names (import files stage) in Before you begin elsewhere in this guide.

To create the initial role model

  1. Open Model Generator by double-clicking the Microsoft BHOLD Suite—Model Generator shortcut on the desktop.

  2. On the import files page, depending on the number of input files you have prepared, click OU, user and target file or click OU, user, role, permission, application file.

  3. If you are creating a role model to verify that permissions are properly assigned to personal roles, in Load Purpose, click Audit. To create a complete role model that includes membership roles, attribute roles, and proposed roles, click Generic. If you clicked Audit, to log the results of the import files stage, in Log, select the System Logging check box.

  4. If you are importing comma-separated value (CSV) text files, in the List Separator (CSV Files) list, click the character that separates columns in the CSV files.

  5. In Files, for each file that you are importing, click the Browse button and choose the file.

  6. To change the default naming convention for personal roles, do one or more of the following:

    • To not add a prefix to the role name, clear the Start role name with check box.

      Important

      If you clear this check box, personal role names that are created in this stage will begin with a dash (-) character.

    • To change the default prefix, after Start role name with, type the prefix you want to use.

    • To not include the name of the user’s department (orgunit), clear the Add department name to role name check box.

    • To include a random number in the name, click Add random number.

    • To add the value of a user attribute to the name, click Add following attribute for role name uniqueness and then, in the list, click the user attribute.

      Important

      The user object in BHOLD Core must already include the attribute you want to use. You cannot use attributes that will be added when the import files stage runs.

    Note

    The names of personal roles that are created in this stage always include the default alias of the user that the role is linked to.

  7. Click Start.

  8. When File Import Successfully Completed appears, click Next.

Creating proposed membership roles

By default, in the file import stage, Model Generator creates and links membership roles to the organizational units (orgunits) specified in the orgunit input file. These membership roles are effective for all of the users in the orgunits. In the membership roles stage of Model Generator, you can create additional membership roles that are proposed roles that can then be activated for each user, as appropriate. For more information about this stage, see Planning membership roles in Before you begin elsewhere in this guide.

To create proposed membership roles

  1. If necessary, click the Next or Previous button to display the Membership roles page.

  2. To change the default creation threshold, change the values in the Threshold 97% for departments with a minimum set of 10 users boxes.

  3. To filter specific classes of users from the threshold analysis, in Rules on excluded types, in the Users with list, click a user attribute, and then in the value= box, type an attribute value that matches the users you want to exclude from the analysis. You can select two attribute/value pairs.

  4. To change the default naming convention for the membership roles, in Naming conventions, do one or more of the following:

    • To not add a prefix to the role name, clear the Start role name with check box.

    • To change the default prefix that is added to the role name, type the new prefix in Start role name with.

    • To not include the department (orgunit) name in the role name, clear the Add department name to role name check box.

    • To include the value of an orgunit attribute in the role name, click Add following attribute for role name uniqueness and then, in the list, click the attribute whose value you want to include in the role name.

    • To include a random number in the role name, click Add random number to role name.

    Important

    Due to a known issue, if you change any of the default naming convention settings, the membership roles that Model Generator creates will be designated as supervisor roles. After creating these roles, you should use the BHOLD Core portal to modify the attributes of each role and clear the Supervisor Role check box.

  5. Click Start.

  6. When Membership Roles Successfully Completed appears, click Next.
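The following Python script is an added illustration, not BHOLD's own code, of the settings described in the import files and membership roles procedures above: the creation threshold ("97% for departments with a minimum set of 10 users", or 30% in the proposed roles stage), the "Rules on excluded types" filter, and the role-naming convention (prefix, department name, uniqueness value). How BHOLD actually evaluates the threshold, the "MR" default prefix, the dash separator, and the sample users are all assumptions.

```python
from collections import Counter

# Constructed sample users: (alias, orgunit, attributes, permissions held).
# Twelve Sales users (one contractor who lacks Mail) and four HR users.
SALES = [(f"sales{i:02d}", "Sales",
          {"type": "contractor" if i == 0 else "employee"},
          {"CRM.Read"} | ({"Mail"} if i else set())
          | ({"CRM.Admin"} if 1 <= i <= 8 else set()))
         for i in range(12)]
HR = [(f"hr{i:02d}", "HR", {"type": "employee"}, {"HRIS", "Mail"}) for i in range(4)]
USERS = SALES + HR


def proposed_membership_roles(users, threshold_pct=97.0, min_users=10, excluded=()):
    """Assumed reading of the wizard's threshold rule: for each orgunit that
    still has at least `min_users` after dropping users who match an excluded
    attribute/value pair ("Rules on excluded types"), propose one membership
    role for every permission held by at least `threshold_pct` of them.
    Returns {orgunit: sorted list of qualifying permissions}."""
    by_ou = {}
    for _alias, ou, attrs, perms in users:
        if any(attrs.get(attr) == value for attr, value in excluded):
            continue
        by_ou.setdefault(ou, []).append(perms)
    proposals = {}
    for ou, members in by_ou.items():
        if len(members) < min_users:
            continue
        counts = Counter(p for perms in members for p in perms)
        needed = threshold_pct / 100.0 * len(members)
        proposals[ou] = sorted(p for p, c in counts.items() if c >= needed)
    return proposals


def role_name(unique, prefix="MR", department=None, start_with_prefix=True):
    """Assumed naming format '<prefix>-<department>-<unique>' built from the
    'Start role name with' and 'Add department name' settings. Clearing the
    prefix leaves a leading dash, matching the wizard's Important note."""
    parts = [prefix if start_with_prefix else ""]
    if department:
        parts.append(department)
    parts.append(unique)
    return "-".join(parts)


if __name__ == "__main__":
    excluded = [("type", "contractor")]
    for ou, perms in proposed_membership_roles(USERS, excluded=excluded).items():
        for perm in perms:
            print(role_name(perm, department=ou))  # e.g. MR-Sales-Mail
```

Excluding the contractor is what lets Mail clear the 97% bar in Sales (11 of 11 instead of 11 of 12), while HR is skipped entirely because it has fewer than 10 users.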

Creating attribute-based roles

If you use a five-file set of input files, you can specify attribute-based roles in the role input file. In addition, you can use the attribute roles stage of Model Generator to create attribute-based roles for the users in an organizational unit (orgunit). For more information about this stage, see Planning attribute roles in Before you begin elsewhere in this guide.

To create attribute-based roles

  1. If necessary, click the Next or Previous button to display the Attribute roles page.

  2. To change the default naming convention for the attribute roles, in Naming conventions, do one or more of the following:

    • To not add a prefix to the role name, clear the Start role name with check box.

    • To change the default prefix that is added to the role name, type the new prefix in Start role name with.

  3. To change the default creation threshold, change the values in the Threshold 97% for departments with a minimum set of 10 users boxes.

  4. To specify the attribute and value that the roles will be based on, in the User attribute to analyze list, click a user attribute, and then in the box below, type an attribute value that matches the users you want to create the roles for. You can use wildcard characters to match more than one value.

  5. To ensure that only one role will be created when wildcard characters match multiple attribute values, select the Create single role when using wildcards check box.

  6. Click Start.

  7. When Attribute Roles Successfully Completed appears, click Next.

Creating proposed roles

If you use a five-file set of input files, you can specify proposed roles in the role input file. In addition, you can use the proposed roles stage of Model Generator to create proposed roles for the users in an organizational unit (orgunit) that replace the personal roles that are created in the import files stage. For more information about this stage, see Planning proposed roles in Before you begin elsewhere in this guide.

Warning

This stage can remove all personal roles that were created in the import files stage.

To create proposed roles

  1. If necessary, click the Next or Previous button to display the Proposed roles page.

  2. To change the default naming convention for the proposed roles, in Naming conventions, do one or more of the following:

    • To not add a prefix to the role name, clear the Start role name with check box.

    • To change the default prefix that is added to the role name, type the new prefix in Start role name with.

    • To not include the department (orgunit) name in the role name, clear the Add department name to role name check box.

    • To include a random number in the role name, click Add random number to role name.

    • To include the value of an orgunit attribute in the role name, click Add following attribute for role name uniqueness and then, in the list, click the attribute whose value you want to include in the role name.

  3. To change the default creation threshold, change the values in the Threshold 30% for departments with a minimum set of 10 users boxes.

  4. Click Start.

  5. When Proposed Roles Successfully Completed appears, click Next.

Resolving supervisor roles without owners

It is essential that all supervisor (ownership) roles have users assigned as supervisors (owners). The ownership roles stage examines the supervisor roles in the role model that you are designing and, if any are found to be without owners, links users to those roles. For more information about this stage, see Planning ownership roles in Before you begin elsewhere in this guide.

To resolve supervisor roles without owners

  1. If necessary, click the Next or Previous button to display the Ownership roles page.

  2. To specify classes of users that will be designated as owners of supervisor roles, in the User attribute to analyze list, click a user attribute, and then in the With value box, type an attribute value that matches the users you want to exclude from the analysis. You can add a second value by typing a value in the or box. To add another value, click + and click the value in the list.

  3. Click Start.

  4. When Ownership Roles Successfully Completed appears, click Next.

Exporting the role model

You can use the BHOLD Core portal to review the results of your role model design. If it is satisfactory, you can export the design and data to an XML file. You can then copy the file to your production BHOLD Core server and use Model Loader to import the role model into your production BHOLD Core database. For more information on using Model Loader, see Importing the role model into the production BHOLD database elsewhere in this guide.

To export the role model

  1. If necessary, click the Next or Previous button to display the Export and initiate page.

  2. To remove specific types of role-model elements from the export, clear the corresponding check box in Export role generation results.

  3. Click Export DB.

  4. When Role Model Export Successfully Completed appears, click Close.

The role model export file is named MG_PC_Export.xml and is located in %ProgramFiles(x86)%\BHOLD\ModelGenerator\MG_PC.

Next step

After you finish designing your role model and have exported it to an XML file, you can copy the file to your production BHOLD Core server and import it into the BHOLD Core database. For more information, see Importing the role model into the production BHOLD database elsewhere in this guide.