Creating role

There are several ways to create a role in OpenIAM:

  • webconsole (user interface);
  • synchronization feature;
  • through the OpenIAM Rest API.

This section covers the user interface (UI) method. The other methods are covered in their respective sections of the documentation.

Creating a role

To create a role using the UI, follow the steps below.

  1. Log in to the webconsole and go to Access Control -> Role.
  2. Go to the Create new role form in the side menu.
  3. Select the role type from the dropdown. By default, OpenIAM provides two values: Access Role and Provision Role. These two values are used only for classification and do not affect the behavior of the role in any way. The dropdown also shows all role types created by the user. If you are creating a role that will affect user provisioning, select Provision Role. Use Access Role if you are focused only on SSO and authorization operations.
  4. Complete the role creation screen as described in the table below.

     Field Name | Description
     Password policy | Select the password policy that should be effective for the systems to be associated with this role. In most cases, this is the Default Password Policy.
     Role Name | Unique name that identifies this role.
     Description | Details describing this role. The description should be a meaningful and clear statement that assists end users, access reviewers and others as they use the OpenIAM application.
     Managed System | If this role will be used for provisioning, the Managed System field value should be the system in which the account will be created. If you need to manage more than one Managed System with this role, use the Role entitlements screen to add the other values.
     Risk | The value of the risk field can be Low or High. By default, this value does not affect behavior. Rules can be introduced to use this flag, which is often needed for access certification campaigns.
     Status | Values are Active or Inactive. Setting a role to Inactive prevents it from being used.
     Max. number of users | Maximum number of users that can be members of this role.
     Default membership duration | Default period for which a user can be a member of this role. After this period, the user is removed from the role.
     Role parent | Roles support inheritance. The Role parent is the immediate role from which entitlements are inherited.
     GUID | GUID that may relate to this role in another application. This is not an OpenIAM-generated value.
     Role owner | User or group of people who own this role. This value is often used in request/approval and access certification tasks.
     Role admin | User or group of people who administer this role. This value is often used in request/approval and access certification tasks.
     Is Visible | Flag used to hide objects from some groups of administrators who have access to the webconsole and SelfService portals. When hidden, the object is available to super security administrators only.
     Participate in access certification | Flag that determines whether this role should be excluded from access certification requests.
     All users provisioned to this role | Flag that determines whether this role should be granted by default to all users regardless of other criteria.

  5. Click Save. The role is created.

Additional details on role creation can be found in the document at this link.

Adding/deleting users from a role

Find the user you want to add to a specific role. Then go to User Entitlements and click the Add button.

In the menu that opens, add the respective role by completing the fields. If you fill in the End Date field, the user is automatically removed from that role on the specified date.

Adding a role to AD

If you need to create a role or group linked with AD, select the appropriate managed system during role/group creation (or update) as shown above.

As soon as you add a role/group to a user (in the add or update operation discussed above), that user is linked with the managed system (AD in this case).

This process is called RBAC (role-based access model).
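To make the role semantics from the field table and the End Date behavior above concrete, here is a small added model (illustrative code, not OpenIAM's own implementation or its REST API) of Role parent inheritance, Active/Inactive status, Max. number of users and membership expiry; the role and user names in it are constructed sample values.

```python
"""Illustrative model of OpenIAM role semantics: role parent inheritance,
Active/Inactive status, Max. number of users and membership End Date.
Added example only; this is not OpenIAM code and not its REST API."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set


@dataclass
class Role:
    name: str
    managed_system: str              # system the account is provisioned in
    status: str = "Active"           # Active or Inactive
    max_users: Optional[int] = None  # Max. number of users; None = unlimited
    parent: Optional["Role"] = None  # Role parent: entitlements are inherited
    # user -> End Date (None means no expiry)
    members: Dict[str, Optional[date]] = field(default_factory=dict)

    def effective_systems(self) -> Set[str]:
        """Managed systems granted by this role and by every ancestor role."""
        systems, role = set(), self
        while role is not None:
            systems.add(role.managed_system)
            role = role.parent
        return systems

    def add_member(self, user: str, end_date: Optional[date] = None) -> bool:
        """Add a user to the role; refuse if the role is Inactive or full."""
        if self.status != "Active":
            return False
        if self.max_users is not None and len(self.members) >= self.max_users:
            return False
        self.members[user] = end_date
        return True

    def active_members(self, today: date) -> Set[str]:
        """Members whose End Date has not passed; expired ones are removed."""
        expired = [u for u, d in self.members.items() if d and d < today]
        for user in expired:
            del self.members[user]
        return set(self.members)


if __name__ == "__main__":
    # Constructed sample: a child role inherits the parent's managed system.
    ad = Role("AD Users", "Active Directory")
    app = Role("Finance Admins", "Finance App", parent=ad, max_users=1)
    app.add_member("alice", end_date=date(2024, 1, 31))
    print(app.effective_systems(), app.active_members(date(2024, 2, 1)))
```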

To verify that the user was added to a group or role:

  • Go to webconsole -> Edit user -> User entitlements.

Here, you can see if the user is explicitly linked with a role/group.

To see if the user is implicitly linked with the managed system resource:

  • Go to webconsole -> Edit user -> Identities.