IDHub Role creation is done through the "Create Role" wizard in the Manage Catalog Page of Admin Console. It requires completion of a set of forms for:
- Basic Role details - Provide basic information for new role definition.
- Role Conditions - Develop a query and associate with the role for role assignment under specific conditions.
- Role Mapping - Map the role to various applications and entitlements. These are provisioned to the user once the role is approved and role conditions are met.
Add Basic Role Details
Enter information for the following fields:
- Role Name* - Provide a brief descriptive role name. The field takes alphanumeric text with no special characters allowed (max 50 characters).
- Search keywords - Provide a brief keyword that will help to search and filter for the role in the catalog. You can add multiple items separated by commas.
- Description* - Describe the role. This field takes alphanumeric text with special characters ( max 255 characters)
- Role owner* - Provide a role owner name. On name entry, IDHub auto assists with suggested existing user names and does not allow names other than what is in IDHub.
- IDM* - This will list a drop-down with all IDM systems that the current instance of IDHub is connected to. Currently, "IDHub" is the only instance option.
- Approval Workflow* - The approval workflow for the role needs to be selected. This is the workflow when the role is requested from the IDHub catalog.
- Risk Level* - The risk level of the role needs to be identified. A value between 1(low) - 3(high) is selected.
- Select Requestable if this role can be requested from the catalog else it displays only in Manage Catalog for admin but not in Search Catalog for end users.
Add Role Condition(s)
What is the Role condition?
A role condition assists with determining various scenarios in the system about when a specific role needs to be assigned to a user. When a Role is created, a condition can be associated with that role using the role condition query. Multiple conditions can be combined using AND, OR to form the query.
Some examples of how role condition criteria can be defined and processed for an assignment are:
- Birthright roles - When a new user is on-boarded into IDHub, they are associated with to be a specific category of user. This category associates the user to specific roles for which a role condition can be processed that give access to specific organizational resources
- Depending on user type or location of the user (us-east, us-west, us-central, Europe, Asia) only specific roles are available for request.
- Associate segregation of duty violations. When a user changes department or currently has a specific role, the user is not allowed certain other Roles.
Any/all attributes associated with a user can be used to build a role condition.
IDHub Role condition can be created using the following methods:
The basic method defines a condition as a combination of 3 things - User Attribute + operator + value. Multiple conditions can be stringed together using AND, OR functions.
Values from the database
1. If the below conditions are true then assign the role ABC-Employee to a newly onboarded IDHub user that gives the user basic access to all birthright assignments replacing manual assignments.
Condition 1 - userType equals Employee
Function - AND
Condition 2 - Status equals ACTIVE
2. If the below conditions are true then assign the role ABC-HQ, to the recently relocated or newly onboarded user at this location that gives the user access to all doors in ABC HQ.
Condition 1 - Location equals "US-New York"
Condition 2- userType equals "Employee" OR userType equals "Contractor"
When the user clicks on Advanced, data entered in basic is converted into a query form that the user can edit as needed.
Role Mapping to Applications and Entitlements:
This wizard form allows role to application-entitlements mapping. Application and entitlements can be selected via a search and added to a list of resources mapped to the role while in creation. The resources can also be removed from the list as required.
The role creation can be paused at any time and can be saved as a draft for review and completion at a later time. The wizard also provides ease of navigation and options to move "'Previous' or 'Next' at any time.
The role creation can be submitted with justification for approval. Once submitted, a success message for the submitted role is displayed and the user is navigated back to the Manage Catalog page.
In this section
Need more help?
Folks at IDHub are ready to support you.