You can include a provisioning role within another provisioning role. The included role is named a nested role.
For example, you could create an Employee provisioning role. The Employee role would provide accounts needed by all employees, such as email accounts. You include the Employee role in department-specific provisioning roles, such as a Finance role and a Sales role. The department provisioning roles would provide accounts related only to that department. This combination of roles provides the right accounts for each user.
Before implementing Nested Roles, enable them in your environment.
Follow these steps:
To configure and search for Nested Roles, use the following steps while logged in to the CA Identity Manager Console as an admin user.
This example the test user is called "AUser" and the Admin is called "imadmin".
Note: The "Where" filter has options for "Included Roles" and "Including Roles" to filter through the Provisioning Roles. For example;
Executing the Search Where included Roles = Dept 123 AD Provisioning will return "Dept 123".
Using the steps in the previous instructions lets you see the Nested Roles listed in the search screen. However, to display the Nested provisioning roles in the tabs as as part of a provisioning role the user must be an owner of the nested role. Where this is not practical, you can set the provisioning role to display regardless of the scope. To to this, use the following steps:
1. Log in to the Identity Manager Console with an Administrator account and navigate to Roles and Tasks, Admin Tasks, Modify Admin Task.
2. Search for and select the Admin Task you created earlier "View Dept 123 Provisioning Role"
3. Click "Tabs" and edit the "Provisioning Roles" Tab element to configure.
4. Now tick the box "Show all members regardless of scope".
5. Click OK.
6. Click on "Tabs" and edit the "Provisioning Roles Indirect" Tab element to configure.
7. Select the Show all members regardless of scope checkbox.
8. Click OK.
9. Click Submit.