Create role

Create a new role

The steps below describe how to create a new role using the Webconsole (admin interface). You can also bulk upload new roles using the synchronization feature or through the OpenIAM Rest API.

To create a new role:

  • Log in to the Webconsole and go to Access Control -> Role
  • Go to Create new role from the side menu. You will see the screen below.

Create role - type

  • From the screen shown above, select the role type from the drop-down. By default, OpenIAM provides two values out of the box (OTB): Access Role and Provision Role. These two values are used only for classification and do not impact the behavior of the role in any way. If you create new role types, you will see them here as well. If you are creating a role that will impact user provisioning, select Provision Role. Use Access Role if you are focused only on SSO and authorization operations.
  • Complete the role creation screen as described in the table below.
Field Name | Description
Password policy | Select the password policy that should be in effect for the systems which are going to be associated with this role. In most cases, this should be your Default Password Policy.
Role Name | Unique name to identify this role.
Description | Details which describe this role. This should be a statement which is meaningful to end-users, access reviewers and auditors if the system will be used for access certification.
Managed System | If this role will be used for provisioning, then the managed system value should be the system in which the account will be created. If you need to manage more than one managed system with this role, use the Role entitlements screen to add the other values.
Risk | Value to indicate whether this role is low or high risk. By default, this value does not impact behavior. Rules can be introduced to leverage this flag, as is often the case with access certification campaigns.
Status | Values are Active or In-active. You can prevent a role from being used by making it In-active.
Max number of user | Maximum number of users that can be a member of this role.
Default membership duration | Default time period for which a user can be a member of this role. After this period, the user will be removed from this role.
Role parent | Roles support inheritance. The Role parent is the immediate role from which entitlements should be inherited.
GUID | GUID which may relate to this role in another application. This is not an OpenIAM generated value.
Role owner | User or group of people who own this role. This value is often used in request / approval and access certification tasks.
Role admin | User or group of people who are the administrators of this role. This value is often used in request / approval and access certification tasks.
Is Visible | Flag which can be used to hide this role from the service catalog.
Participate in access certification | Flag which can be used to determine if this role should be excluded from access certification requests.
All users provisioned to this role | Flag which determines if this role should be granted by default to all users regardless of other criteria.

Create role - details
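The table above describes three fields with runtime consequences: Status, Max number of user, Default membership duration and Role parent. The following added example is an illustrative model of those semantics written for this page; it is not OpenIAM code, and the class, field and function names are assumptions. It shows the checks an administrator expects behind those fields, including refusing a cycle in the Role parent chain so that inheritance cannot loop.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed model of the role fields described on this page (not OpenIAM
# code); names such as Role, effective_entitlements and add_member are assumed.

@dataclass
class Role:
    name: str
    status: str = "Active"                     # Active or In-active
    entitlements: set = field(default_factory=set)
    parent: Optional["Role"] = None            # Role parent: immediate role to inherit from
    max_users: Optional[int] = None            # Max number of user
    default_membership_days: Optional[int] = None  # Default membership duration
    members: dict = field(default_factory=dict)    # user -> date membership was granted

def effective_entitlements(role):
    """Collect entitlements along the Role parent chain; reject cycles."""
    seen, result, cur = set(), set(), role
    while cur is not None:
        if cur.name in seen:
            raise ValueError(f"role parent cycle at {cur.name}")
        seen.add(cur.name)
        result |= cur.entitlements
        cur = cur.parent
    return result

def add_member(role, user, today):
    """Enforce Status and Max number of user before granting membership."""
    if role.status != "Active":
        raise ValueError(f"{role.name} is In-active")
    if role.max_users is not None and len(role.members) >= role.max_users:
        raise ValueError(f"{role.name} already has {role.max_users} members")
    role.members[user] = today
    return True

def expire_members(role, today):
    """Remove users whose Default membership duration has elapsed."""
    if role.default_membership_days is None:
        return []
    limit = timedelta(days=role.default_membership_days)
    expired = [u for u, joined in role.members.items() if today - joined >= limit]
    for u in expired:
        del role.members[u]
    return expired
```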