Tuesday, August 11, 2020

Role Based Access Control (RBAC)

Role:

# Role defines a set of tasks that the user can perform

# Role is a collection of entitlements

Default Role Types:-

  • Organizational Role
  • Business Role
  • IT Role
  • Entitlement Role (Deprecated now)
Organizational Role:-
  • An organizational Role is a container to hold the other types of roles
  • Organizes roles in IIQ, making it easier to navigate between the different roles
  • No functional importance other than giving a nesting structure to the other types of roles
  • Other roles inherit from it, which makes the organizational role a parent
Business Role:-
  • Automatically assigned.
  • Business Roles are requested.
  • It represents a job title or function
  • Business Roles have business-friendly role names, i.e., Supervisor, Architect, Manager, Team Lead, Writer, Editor, Clerk, etc.
  • The business does not need to know the entitlements needed to get a Business Role
  • Identities are associated with a Business Role using "Assignment Logic", usually attributes or rules like department, job title, etc.
IT Role:-
  • IT Roles are not business-friendly names but IT department-friendly names
  • It consists of entitlements from one or more applications (Defined groups of entitlements).
  • Detected on identities.
Entitlement Role:-
  • It represents a single entitlement on a single application
  • It is deprecated in the new version of IIQ
  • It is available only for backward compatibility but it's not recommended to create it now
How Roles are Associated to Identities:-

# Assigned Role i.e., Business Role
  • Manually
  • Assignment Rule
# Detected Role i.e., IT Role
  • If all the entitlements of an IT Role are already assigned to an identity
  • On refresh, IIQ will detect the IT Role the identity should have, as it already has all the entitlements of that IT Role
# Assignment Rule
  • Associates an identity with a Business Role
  • Assignment logic can be written as a match list, filter, rule, script or population
# Required Roles
  • The IT Roles required for this Business Role
# Permitted Roles
  • The IT Roles which an identity may have but is not required to have
  • Must be requested
  • Not automatically provisioned
# Inherited Roles
  • Select a parent role; this is just for view management and has no functional importance
# Provisioning Policy
  • The Role provisioning policy takes precedence (with regard to the values, rules, and scripts of fields) over the Application provisioning policy
  • By default, the fields of the Role provisioning policy form and the Application provisioning policy form are merged to create a combined form for LCM provisioning
  • To use only the Role provisioning policy form, pass "noApplicationTemplates" = true as an argument in the workflow step that calls the compileProvisioningProject method
Configuration of RBAC:-

1. Login to IIQ and navigate to Setup, then click on Roles
2. Navigate to New Role, then click on Role (Type ---> Organizational)
3. Provide the following details and click on Submit (Type ---> Organizational)
4. Navigate to New Role, then click on Role (Type ---> IT)
# Click on Modify Inheritance, select TRAKK (Organizational Role), click on Add, then Save
# Click on Add under Entitlements, select Application as PRISM, and select groups under Add an Entitlement as Manager
5. Navigate to New Role, then click on Role (Type ---> IT)
# Click on Modify Inheritance, select TRAKK (Organizational Role), click on Add, then Save
# Click on Add under Entitlements, select Application as PRISM, and select groups under Add an Entitlement as Super
6. Navigate to New Role, then click on Role (Type ---> Business)
# Select the Assignment Rule (Rule, Script, Match List, Filter or Population), Required Roles (IT Roles) and Inherited Roles (Organizational Role)
7. Navigate to Setup, then Tasks, search for Refresh Identity Cube and check the options below
  • Processes assignment rule defined in the business role
  • Detection defined through an IT Role profile
# Click on Save and Execute
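The assign/detect/provision behaviour described in the role-association notes above, and exercised by the configuration steps, as an added model in Python; this is not IdentityIQ's own code. It reuses the TRAKK, PRISM, Manager and Super names from the steps, and the business role name "TRAKK Manager", the attributes department and jobTitle, and the three identities are constructed for the illustration.

```python
# Added model, not IdentityIQ code: how IIQ ties roles to an identity on refresh.
# Role/application names follow the configuration above; identities are constructed.
# IT roles: the entitlements (application, attribute, value) in each profile.
IT_ROLES = {
    "PRISM Manager": {("PRISM", "groups", "Manager")},
    "PRISM Super": {("PRISM", "groups", "Super")},
}

# Business role: match-list assignment logic, required IT roles (provisioned
# automatically) and permitted IT roles (granted only when requested).
BUSINESS_ROLES = {
    "TRAKK Manager": {
        "match": {"department": "Finance", "jobTitle": "Manager"},
        "required": ["PRISM Manager"],
        "permitted": ["PRISM Super"],
    },
}

# Constructed sample identities: alice already holds the Manager group, bob is a
# new hire with no PRISM access, carol is outside Finance but asks for Super.
SAMPLE_IDENTITIES = {
    "alice": {"attributes": {"department": "Finance", "jobTitle": "Manager"},
              "entitlements": {("PRISM", "groups", "Manager")},
              "requested": ["PRISM Super"]},
    "bob": {"attributes": {"department": "Finance", "jobTitle": "Manager"},
            "entitlements": set()},
    "carol": {"attributes": {"department": "Sales", "jobTitle": "Manager"},
              "entitlements": set(), "requested": ["PRISM Super"]},
}

def detect_it_roles(entitlements):
    """Detected: every entitlement in the IT role's profile is already held."""
    return sorted(r for r, ents in IT_ROLES.items() if ents <= entitlements)

def assign_business_roles(attributes):
    """Assigned: every term of the business role's match list matches."""
    return sorted(r for r, spec in BUSINESS_ROLES.items()
                  if all(attributes.get(k) == v for k, v in spec["match"].items()))

def refresh_identity(identity):
    """One refresh: assign, detect, then provision required roles not yet detected
    plus permitted roles that were requested; any other request is rejected."""
    assigned = assign_business_roles(identity["attributes"])
    detected = detect_it_roles(identity["entitlements"])
    required = {r for b in assigned for r in BUSINESS_ROLES[b]["required"]}
    permitted = {r for b in assigned for r in BUSINESS_ROLES[b]["permitted"]}
    requested = set(identity.get("requested", []))
    return {"assigned": assigned, "detected": detected,
            "provision": sorted((required | (requested & permitted)) - set(detected)),
            "rejected": sorted(requested - permitted - required)}
```

The "rejected" list is the point worth checking in a real deployment: a permitted role can only be granted to an identity whose assigned business role permits it, so a request from outside that population is refused rather than provisioned.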
