How to configure Nested Roles in Identity Manager?

Article ID: 10920

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

You can include a provisioning role within another provisioning role. The included role is named a nested role.

For example, you could create an Employee provisioning role. The Employee role would provide accounts needed by all employees, such as email accounts. You include the Employee role in department-specific provisioning roles, such as a Finance role and a Sales role. The department provisioning roles would provide accounts related only to that department. This combination of roles provides the right accounts for each user.



Environment

CA Identity Manager 12.x / 14.x

Resolution

Before implementing Nested Roles, enable them in your environment.

Follow these steps:



  1. In the Management Console, select the environment.
  2. Click Role and Task Settings, Import.
  3. Select Nested Provisioning Roles Support.
  4. Click Finish and restart the environment.



To configure and search for Nested Roles, use the following steps while logged in to the CA Identity Manager Console as an admin user.

In this example the test user is called "AUser" and the admin user is called "imadmin".



Step 1.



  • Go to Roles and Tasks, Admin Tasks, Create Admin Task.
  • Create a copy of an Admin Task based on "View Provisioning Role".
  • Change the Name to "View Dept 123 Provisioning Role".
  • Set Search Configuration as follows:
    Search Screen = Default Provisioning Role Nest Search.
    Search Options = All Provisioning Roles.


Step 2.



  • Go to Roles and Tasks, Admin Roles, Create Admin Role.
  • Enter a name (for example, "Provisioning Manager Dept 123") and make sure the Enabled checkbox is selected.
  • Set Tasks to include Roles and Tasks - "View Dept 123 Provisioning Role".
  • On the Members tab add "AUser" to the list of Members (that is, where (User ID = "AUser")) and set the scope to ALL. Select "Administrators can add and remove members of this role". Note: in this scenario all the provisioning role names begin with "Dept 123", so you could use that as a limiting scope, for example where (Name contains "Dept 123").
  • On the Administrators tab add "imadmin" to the list of Administrators (that is, where (User ID = "imadmin")) with a Scope Rule of ALL.
  • On the Owners tab add "imadmin" to the list of Owners (that is, where (User ID = "imadmin")).


Step 3.



  • Go to Roles and Tasks, Provisioning Roles, Create Provisioning Role (for example, "Dept_123").
  • On the Administrators tab add "imadmin" to the list of Administrators (that is, where (User ID = "imadmin")) with the scope of ALL and select "Administrators can add and remove Administrators of this role".
  • On the Owners tab add "imadmin" to the list of Owners (that is, where (User ID = "imadmin")).


Step 4.



  • Create a second Provisioning Role (for example, "Dept 123 AD Provisioning").
  • On the Templates tab add an Active Directory Account Template.
  • On the Administrators tab add "imadmin" to the list of Administrators (that is, where (User ID = "imadmin")) with the scope of ALL.
  • On the Owners tab add "imadmin" to the list of Owners (that is, where (User ID = "imadmin")).


Step 5.



  • Go to Roles and Tasks, Provisioning Roles, Modify Provisioning Role. Modify the role created in Step 3 ("Dept_123") and add the Provisioning Role created in Step 4 ("Dept 123 AD Provisioning") as an included role.


Step 6.



  • Log on to the Identity Manager Console as AUser.
  • Navigate to Roles and Tasks, Provisioning Roles; you should see "View Dept 123 Provisioning Role".
  • Executing this search displays "Dept 123" and "Dept 123 AD Provisioning".


Note: The "Where" filter has options for "Included Roles" and "Including Roles" to filter the Provisioning Roles by their nesting relationship. For example:

Executing the search where Included Roles = "Dept 123 AD Provisioning" returns "Dept 123", because "Dept 123" is the role that includes it.
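To make the nesting model from the introduction and the "Included Roles" filter above concrete, here is an added Python model of nested provisioning roles. It is example code written for this article, not CA Identity Manager code and not its API. The role names follow the article ("Dept_123", "Dept 123 AD Provisioning", "Employee", "Finance"); the account template names and the `ROLES` dictionary are constructed sample data, and treating "Including Roles" as the inverse direction of "Included Roles" is an assumption, since the article only demonstrates the "Included Roles" direction.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ProvisioningRole:
    """A provisioning role: the account templates it grants directly plus the roles it nests."""
    name: str
    templates: set[str] = field(default_factory=set)  # account templates granted directly
    included: set[str] = field(default_factory=set)   # names of nested (included) roles


# Constructed sample data: role names follow the article, template names are made up.
ROLES: dict[str, ProvisioningRole] = {
    "Employee": ProvisioningRole("Employee", {"Exchange Mailbox Template"}),
    "Finance": ProvisioningRole("Finance", {"GL System Template"}, {"Employee"}),
    "Dept_123": ProvisioningRole("Dept_123", included={"Dept 123 AD Provisioning"}),
    "Dept 123 AD Provisioning": ProvisioningRole(
        "Dept 123 AD Provisioning", {"Active Directory Account Template"}
    ),
}


def effective_templates(roles: dict[str, ProvisioningRole], role_name: str) -> set[str]:
    """Every account template a member of role_name ends up with, following nested
    roles transitively. The 'seen' set stops the walk if two roles include each
    other, so a mis-configured cycle cannot make resolution loop forever."""
    seen: set[str] = set()
    result: set[str] = set()
    stack = [role_name]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        role = roles[name]
        result |= role.templates
        stack.extend(role.included)
    return result


def search_included_roles(roles: dict[str, ProvisioningRole], target: str) -> list[str]:
    """'Where Included Roles = target': the roles that directly include target.
    Mirrors the article's example: Included Roles = 'Dept 123 AD Provisioning' -> Dept_123."""
    return sorted(r.name for r in roles.values() if target in r.included)


def search_including_roles(roles: dict[str, ProvisioningRole], target: str) -> list[str]:
    """'Where Including Roles = target': the roles that target directly includes.
    Assumption of this example: the article does not spell out this direction."""
    return sorted(roles[target].included)


def audit_cycles(roles: dict[str, ProvisioningRole]) -> list[str]:
    """Report roles that (transitively) include themselves. A useful pre-check on
    role definitions before relying on nested resolution in an environment."""
    cyclic = []
    for name in roles:
        seen: set[str] = set()
        stack = list(roles[name].included)
        while stack:
            current = stack.pop()
            if current == name:
                cyclic.append(name)
                break
            if current in seen:
                continue
            seen.add(current)
            stack.extend(roles[current].included)
    return sorted(cyclic)


if __name__ == "__main__":
    for role in ROLES:
        print(f"{role}: {sorted(effective_templates(ROLES, role))}")
    print("Included Roles = Dept 123 AD Provisioning ->",
          search_included_roles(ROLES, "Dept 123 AD Provisioning"))
    print("Cycles:", audit_cycles(ROLES))
```

Running the module prints the effective templates of each sample role (a member of "Dept_123" receives the Active Directory template only through the nested role) and reproduces the article's search result. `audit_cycles` is the check a practitioner would want before nesting roles in production: two roles that include each other still resolve safely here, but they are almost certainly a configuration error worth catching.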

Additional Information

Using the steps in the previous instructions lets you see the Nested Roles listed in the search screen. However, to display the nested provisioning roles in the tabs as part of a provisioning role, the user must be an owner of the nested role. Where this is not practical, you can set the provisioning role to display regardless of the scope. To do this, use the following steps:

1. Log in to the Identity Manager Console with an Administrator account and navigate to Roles and Tasks, Admin Tasks, Modify Admin Task.

2. Search for and select the Admin Task you created earlier, "View Dept 123 Provisioning Role".

3. Click "Tabs" and edit the "Provisioning Roles" tab element to configure it.

4. Select the "Show all members regardless of scope" checkbox.

5. Click OK.

6. Click "Tabs" and edit the "Provisioning Roles Indirect" tab element to configure it.

7. Select the "Show all members regardless of scope" checkbox.

8. Click OK.

9. Click Submit.