Before you begin


Applies To: Forefront Identity Manager

Preparing a set of input files for Microsoft BHOLD Model Generator is a crucial first step toward using the BHOLD Model Generator module and the BHOLD Model Loader utility to design and deploy your BHOLD role model. Before you do so, however, you need to understand and plan for the stages of the Model Generator wizard so you can take full advantage of its capabilities in filling out your role model.

As noted in Model Generator overview, the Model Generator wizard has five stages:

  • Import files

  • Membership roles

  • Attribute roles

  • Proposed roles

  • Ownership roles

As the Model Generator wizard steps you through these stages, the wizard backs up the role model at the end of each stage, allowing you to revert to an earlier stage, if necessary. Also, it is not necessary for you to complete each stage of the wizard. Instead, you can skip past a stage, and you can return to a stage that you didn’t complete earlier.

This topic describes each stage in detail and provides guidance for choosing the information you will be required to provide at each stage. It consists of the following sections:

  • Planning personal role names (import files stage)

  • Planning membership roles

  • Planning attribute roles

  • Planning proposed roles

  • Planning ownership roles

Planning personal role names (import files stage)

The import files stage is the most important of all the stages and the one in which Model Generator creates the essential outlines of your BHOLD role model. In this stage, Model Generator imports the information you have recorded in your set of input files, creates objects in the BHOLD Core database, and then links those objects to form your initial role model. Model Generator creates organizational units (orgunits), users, applications, accounts, permissions, and roles, and then links them to form a cohesive normalized role model. Orgunits are linked to each other hierarchically, users are linked to orgunits and application accounts, permissions are linked to roles, and roles are linked to orgunits and individual users.

One type of role that Model Generator creates is the personal role, that is, a role that is linked to a single user, which gives the BHOLD administrator direct control over the permissions assigned to each user. To make it easier to identify these personal roles, Model Generator can add a prefix to the role name. By using this prefix exclusively for personal roles, you can ensure that it is easy to locate a user’s personal role so it can be managed. By default, the prefix for personal roles is PR (which is separated from the rest of the name by a dash), but you can change that to a more meaningful prefix if you wish.

Normally you can rely on the uniqueness of users’ names (the Description attribute) to ensure that each personal role is linked to the correct user. In cases where more than one user has the same name in BHOLD, however, you can add other information to ensure that personal role names are unique:

  • You can add the name of the user’s department (orgunit).

  • You can add the value of a user attribute to the name of the personal role.

  • You can add a random number to the name of the personal role.

Of course, only the last option is truly guaranteed to ensure that the personal role names will be unique because it is possible for two users with the same name to share an orgunit or attribute.
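The following is an added example, not code from the BHOLD product or from this topic: it builds personal role names the way the text describes (prefix, dash, Description, then an optional orgunit, attribute value, or random number) and reports which names would collide for a constructed set of users. The six-digit range of the random number and the user record layout are assumptions, not BHOLD rules.

```python
import random
from collections import Counter

# Constructed sample users (not from the page). Two different people named
# "Jane Doe" sit in the same orgunit with the same job title, so neither the
# orgunit option nor the attribute option can tell them apart.
USERS = [
    {"id": "u1", "description": "Jane Doe", "orgunit": "Finance", "job_title": "Analyst"},
    {"id": "u2", "description": "Jane Doe", "orgunit": "Finance", "job_title": "Analyst"},
    {"id": "u3", "description": "John Roe", "orgunit": "Finance", "job_title": "Analyst"},
]


def personal_role_name(user, prefix="PR", add_orgunit=False, attribute=None, rng=None):
    """Build a personal role name: prefix, dash, the user's Description, then the
    optional uniqueness elements the topic lists (orgunit, an attribute value,
    a random number). The six-digit range is an assumption, not a BHOLD rule."""
    parts = [prefix, user["description"]]
    if add_orgunit:
        parts.append(user["orgunit"])
    if attribute is not None:
        parts.append(str(user[attribute]))
    if rng is not None:
        parts.append(str(rng.randrange(100000, 1000000)))
    return "-".join(parts)


def duplicate_role_names(users, random_seed=None, **options):
    """Return the personal role names that more than one user would receive,
    i.e. the collisions a given naming option fails to prevent. A single RNG is
    created per call so every user draws a fresh number."""
    rng = random.Random(random_seed) if random_seed is not None else None
    counts = Counter(personal_role_name(u, rng=rng, **options) for u in users)
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    for label, opts in [
        ("name only", {}),
        ("name + orgunit", {"add_orgunit": True}),
        ("name + Job_Title", {"attribute": "job_title"}),
        ("name + random number", {"random_seed": 7}),
    ]:
        print(f"{label:22} collisions: {duplicate_role_names(USERS, **opts)}")
```

Running the check against your real user input file before the import files stage tells you which naming option you actually need; a collision found here is a personal role that would otherwise be shared by two people.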

Planning membership roles

During the import files stage, Model Generator creates membership roles, that is, roles that apply to all the users in a particular organizational unit (orgunit). These membership roles are linked to their respective orgunits as effective roles, that is, they apply to all members of the orgunit automatically. In the membership roles stage of the Model Generator, you can create additional membership roles that are linked to the orgunits as proposed roles, which are roles that must be activated separately for each user. In addition, you can specify a naming prefix as well as criteria that ensure that the names are unique and that control when a proposed membership role is created. Model Generator does not create a new membership role if a role with the same name already exists.

Note

The default naming conventions for the membership role stage are the same naming conventions that Model Generator uses when it creates membership roles in the import files stage.

Important

Due to a known issue, if you change any of the default naming convention settings, the membership roles that Model Generator creates will be designated as supervisor roles. After creating these roles, you should use the BHOLD Core portal to modify the attributes of each role and clear the Supervisor Role check box.

To limit the number of membership roles that are created, you can specify a threshold that consists of two elements:

  • The percentage of users in a department (orgunit) that share the same permission. The default is 97%.

  • The minimum number of users in the orgunit. The default is 10.

If both limits are met or exceeded, Model Generator creates a membership role that is linked to the shared permission and links it to the orgunit. Note that, although the role potentially applies to all users in the orgunit, it is linked to the orgunit as a proposed role and so must be activated for each user.

You can also exclude users from the analysis based on attribute values. For example, you can select Job_Title as the attribute and Manager as the value to prevent managers from being included in the threshold analysis.

Planning attribute roles

In the role input file, you can specify attribute-based roles. If you are using a three-file set, or if you are using a five-file set and you want to create attribute-based roles in addition to any specified in the role input file, you can do so in the attribute roles stage of Model Generator. To create an attribute-based role in this stage, you select the user attribute you want to use and specify the value that must be matched to create the attribute-based role. You can run the attribute roles stage more than once to create attribute-based roles that use different attribute/value pairs. You can use wildcard characters to match multiple values. If you use this method, you can specify that only one role is created even if multiple values are matched.

As with other roles, you can specify an identifying prefix for the attribute role; the default is AR.

To limit the number of attribute-based roles that are created, you can specify a threshold that consists of two elements:

  • The percentage of users in a department (orgunit) that share the same permission and attribute value. The default is 97%.

  • The minimum number of users in the orgunit. The default is 10.

If both limits are met or exceeded, Model Generator creates an attribute role that is linked to the shared permission and links it to the users that have the attribute value.
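The threshold test used in the membership roles and attribute roles stages (and, per the text, the proposed roles stage), as an added example that is not BHOLD's own code: for each orgunit it keeps only the users to be analysed (dropping any that match the exclusion attribute/value pair, or keeping only those that match the attribute pair in the attribute roles stage), then reports every permission held by at least the threshold share of those users when the orgunit also has at least the minimum number of users. The user records, the fnmatch-style `*`/`?` wildcard semantics, and the choice to count the minimum users after exclusion and attribute matching are assumptions; the topic does not specify them.

```python
from collections import Counter, defaultdict
from fnmatch import fnmatch


def _user(uid, orgunit, job_title, perms):
    """Constructed user record (assumed layout, not a BHOLD input-file format)."""
    return {"id": uid, "orgunit": orgunit,
            "attributes": {"Job_Title": job_title}, "permissions": set(perms)}


# Constructed sample population (not from the page): a 12-person Finance orgunit
# whose two managers hold different permissions from the ten analysts, and a
# 5-person Sales orgunit that falls below the default minimum-user count.
USERS = (
    [_user(f"f{i:02d}", "Finance", "Analyst", ["GL:Read", "GL:Post"]) for i in range(1, 11)]
    + [_user(f"f{i:02d}", "Finance", "Manager", ["GL:Post", "GL:Approve"]) for i in (11, 12)]
    + [_user(f"s{i:02d}", "Sales", "Rep", ["CRM:Read"]) for i in range(1, 6)]
)


def _matches(user, pair):
    """True when the user's attribute equals the value; '*' and '?' wildcards in the
    value use fnmatch semantics (an assumption about how BHOLD matches wildcards)."""
    attr, pattern = pair
    return fnmatch(str(user["attributes"].get(attr, "")), pattern)


def candidate_roles(users, share=0.97, min_users=10, exclude=None, attribute=None):
    """Return the (orgunit, permission) pairs that meet both threshold elements.

    share     - fraction of analysed users in the orgunit that must hold the
                permission (topic default 97%)
    min_users - minimum number of analysed users in the orgunit (topic default 10)
    exclude   - (attribute, value) pair; matching users are left out of the
                analysis, e.g. ("Job_Title", "Manager")
    attribute - (attribute, value) pair; when given, only matching users are
                analysed (attribute roles stage); when None, every non-excluded
                user counts (membership roles stage)
    Assumption: min_users is measured after exclusion and attribute matching.
    """
    pool = [u for u in users if exclude is None or not _matches(u, exclude)]
    if attribute is not None:
        pool = [u for u in pool if _matches(u, attribute)]

    by_orgunit = defaultdict(list)
    for u in pool:
        by_orgunit[u["orgunit"]].append(u)

    roles = []
    for orgunit, members in sorted(by_orgunit.items()):
        if len(members) < min_users:
            continue  # second threshold element not met
        holders = Counter(p for u in members for p in u["permissions"])
        for perm, n in sorted(holders.items()):
            if n / len(members) >= share:  # "met or exceeded"
                roles.append((orgunit, perm))
    return roles


if __name__ == "__main__":
    print("membership, defaults:         ", candidate_roles(USERS))
    print("membership, managers excluded:", candidate_roles(USERS, exclude=("Job_Title", "Manager")))
    print("attribute Job_Title=Man*, min 2:",
          candidate_roles(USERS, attribute=("Job_Title", "Man*"), min_users=2))
```

Two behaviours worth noticing when you tune the thresholds: excluding the managers makes GL:Read cross the 97% line in Finance (it is held by all ten remaining analysts but only 10 of 12 users overall), and lowering the share or the minimum count is what lets small or mixed orgunits produce roles, which is exactly where the "unexpected combinations of permissions" the Important note warns about come from, so review those roles before activating them.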

Important

Depending on how permissions are shared among the users that have the matched attribute, an attribute-based role created by Model Generator may contain unexpected combinations of permissions. After completing the attribute roles stage, review the attribute-based roles created by Model Generator to verify that the roles are suitable for your organization’s requirements.

Planning proposed roles

The import files stage of Model Generator automatically creates a personal role for each user. The proposed roles stage allows you to remove those personal roles and replace them with proposed roles that are linked to organizational units (orgunits) instead. Then the BHOLD administrator can link permissions to one role instead of multiple user roles and activate the role for appropriate users. Similar to preceding stages, in the proposed role stage, you can specify a role-name prefix, add random numbers or orgunit attributes to produce unique role names, and specify a creation threshold. For information about using threshold values, see Planning membership roles earlier in this topic.

Note

The default naming prefix for proposed roles is PR, the same that was the default for personal roles. Because it is possible that the proposed roles stage might be unable to remove all personal roles, you should consider using a different naming prefix to make it easier to identify any remaining personal roles.

For example, in an orgunit containing 10 users, if five of the users share the same permission and the default threshold settings are used, Model Generator creates a proposed role linked to that permission and links the role to the orgunit.

Important

Depending on how permissions are shared among the users in an orgunit, a proposed role created by Model Generator may contain unexpected combinations of permissions. After completing the proposed roles stage, review the proposed roles created by Model Generator to verify that the roles are suitable for your organization’s requirements.

Planning ownership roles

Model Generator creates supervisor roles (also known as ownership roles) during the import files stage and links them to the appropriate objects in the BHOLD role model. Ordinarily, these supervisor roles are linked to users who then have the ability to manage the objects that the supervisor roles are linked to. In some cases, however, Model Generator is unable to properly link a supervisor role to a user. In these cases, you can use the ownership roles stage to select criteria that can be used to link users to supervisor roles. You can specify multiple user attribute/value pairs to designate the users to be linked to the supervisor roles. For example, you can specify that if a user has Job_Title set to Manager or Team Leader, the user can be linked to a supervisor role.

Next step

When you have completed planning how you will use each of the Model Generator stages and the information you will provide at each stage, you are ready to run the Model Generator wizard to create your role model. See Using the BHOLD Model Generator wizard for guidance on how to work with the wizard.
