Types of roles existing in OpenIAM
OpenIAM provides a flexible and powerful role-based access control (RBAC) model that enables organizations to manage user access in a structured, scalable, and auditable way. Roles in OpenIAM serve as logical groupings of permissions, entitlements, and policies that can be assigned to users based on their responsibilities, job functions, or organizational placement.
This document describes the different types of roles available in OpenIAM and explains their purpose, structure, and usage within the system. Understanding the distinctions between role types is essential for designing an effective access model, ensuring proper segregation of duties, and supporting compliance requirements.
| Role name | Description | Non-public API access | Non-public menu access |
|---|---|---|---|
| Active Directory Members | Members of this role are provisioned to Active Directory through the AD PowerShell connector. | N/A | N/A |
| End User | Default End User role. | N/A | Webconsole > Access Control > Role > Select role > Menus > SelfService > My Groups |
| Help Desk | Default Help Desk role. | N/A | Webconsole > Access Control > Role > Select role > Menus > SelfService > My Groups and Report Viewer |
| Human Resource | Default Human Resource role. | N/A | N/A |
| Manager | Default Manager role. | N/A | Webconsole > Access Control > Role > Select role > Menus > SelfService > Request History, New User, New User - No Approver, and all sub-menus under View Direct Reports |
| Global UAR Administrator | Default Global UAR Administrator role. Assign it to users who must take part in an access certification (user access review) process. | N/A | N/A |
| Security Admin | Default Security Admin role. | N/A | N/A |
| Security Admin_IDM | Default Security Admin_IDM role. | N/A | N/A |
| Security Manager | Default Security Manager role. | N/A | N/A |
| Super Security Admin | Default Super Security Admin role. | The only role with access to all non-public API endpoints. | Webconsole > Access Control > Role > Select role > Menus > SelfService (all sub-menus), Request History, Request Administration, and all sub-menus under the IDM menus |
| One Time Password Reset | An administrator can perform a bulk password reset in SelfService for the members of this role. Once a user's password has been reset successfully, that user is disentitled from the role. | N/A | N/A |
| Office 365 Member | Members of this role are provisioned to Office 365 (Azure AD). | N/A | N/A |
The access and privileges a role carries are determined by the menus and resources (URI patterns) configured under Role Entitlements. Because Super Security Admin is the only role that reaches every non-public API endpoint, keep its membership minimal and review it regularly.
Menus define the structure and navigation of the user interface. Resources (URI patterns) control the actual functional permissions, such as creating a new user or modifying records. Hiding a menu does not by itself block the corresponding action; the URI pattern entitlement does.
OpenIAM distinguishes public and non-public menus. Public menus are visible to all users, whereas non-public menus are shown only to users who have explicit or implicit access to them. More on menus can be found here.
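The following is an added example, not OpenIAM code, that models the two entitlement types just described: menu entitlements decide what the UI shows, while resource (URI pattern) entitlements decide what a request may actually do. The role names are taken from the table above; the menu ids, URI patterns, HTTP methods and the parent-role inheritance used here to stand in for "implicit" access are all assumptions made for illustration.

```python
"""Illustrative model of role entitlements: non-public menus and URI-pattern resources.

Added example, not OpenIAM code. Role names come from the table on this page;
menu ids, URI patterns, HTTP methods and parent-role inheritance are assumptions.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Role:
    name: str
    menus: set = field(default_factory=set)       # non-public menu id patterns (assumed ids)
    resources: set = field(default_factory=set)   # (HTTP method or "*", URI pattern) pairs
    parents: list = field(default_factory=list)   # assumed: a role inherits its parents' entitlements


# Public menus are visible to everyone; no entitlement is needed (assumed ids).
PUBLIC_MENUS = {"selfservice.home", "selfservice.my_profile"}

# Every menu the UI can render, public and non-public (assumed ids).
ALL_MENUS = [
    "selfservice.home", "selfservice.my_profile", "selfservice.my_groups",
    "selfservice.report_viewer", "selfservice.request_history",
    "selfservice.new_user", "idm.users", "idm.audit_log",
]

ROLES = {r.name: r for r in [
    Role("End User",
         menus={"selfservice.my_groups"},
         resources={("GET", "/api/self/*")}),
    Role("Help Desk",
         menus={"selfservice.my_groups", "selfservice.report_viewer"},
         resources={("GET", "/api/user/*"), ("POST", "/api/user/*/password/reset")}),
    Role("Manager",
         menus={"selfservice.request_history", "selfservice.new_user"},
         resources={("POST", "/api/user")},
         parents=["End User"]),                  # implicit access via the parent role
    Role("Super Security Admin",
         menus={"selfservice.*", "idm.*"},
         resources={("*", "/api/*")}),           # the one role that reaches every endpoint
]}


def effective_entitlements(role_names, roles=ROLES):
    """Union of menus and resources over the given roles and their ancestors (cycle safe)."""
    menus, resources, stack, seen = set(), set(), list(role_names), set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        role = roles.get(name)
        if role is None:            # an unknown role grants nothing
            continue
        menus |= role.menus
        resources |= role.resources
        stack.extend(role.parents)
    return menus, resources


def visible_menus(role_names, roles=ROLES):
    """Menus the UI should show: public ones plus non-public ones the roles are entitled to."""
    entitled, _ = effective_entitlements(role_names, roles)
    return {m for m in ALL_MENUS
            if m in PUBLIC_MENUS or any(fnmatchcase(m, pat) for pat in entitled)}


def can_call(role_names, method, uri, roles=ROLES):
    """Deny by default: allowed only if an entitled (method, URI pattern) matches the request path."""
    path = uri.split("?", 1)[0]     # match the path only; the query string never grants access
    _, resources = effective_entitlements(role_names, roles)
    return any((m == "*" or m == method) and fnmatchcase(path, pat)
               for m, pat in resources)


if __name__ == "__main__":
    print(sorted(visible_menus(["Manager"])))
    # Help Desk sees the user menus but holds no DELETE entitlement: visibility is not permission.
    print(can_call(["Help Desk"], "DELETE", "/api/user/jdoe"))
```

The two checks are deliberately independent: a user who cannot see a menu may still hold the URI entitlement behind it, and vice versa, so an authorization review has to inspect the resource entitlements, not the menu tree. Real path normalization (encoded slashes, dot segments) is out of scope here and must be handled before matching in any production check.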
Roles that may see all objects of a given type are configured under Webconsole > Administration > System Configuration > System tab. The tab has a field for each object type; the role entered there is granted visibility of every object of that type, ignoring the "is visible" flag. Such a role can see:
- All Users
- All Roles
- All Groups
- All Organizations
- All Applications
- All Policies
- All Resources
This includes objects marked as "not visible".
A role can also be designated by the customer under Webconsole > Administration > System Configuration > System Audit Log > "Roles which members are allowed to purge audit data". Members of a role listed there are authorized to purge audit log data, subject to the configured system policies. More on creating and managing roles in OpenIAM can be found in this document.