====== Role - Creating/editing ====== To create a new role, go to **Role** agenda and **Role management** tab, then click **Add**. A unique name for the role must be chosen within all the roles. The role can also be placed in one or more folders in the **catalogue of roles**. {{ :devel:adm:role_able.png?600 | Role list agenda}} A guarantee can be set for every role. Other processes can be related to the guarantee such as approval of assigning a role, change in time validity and its removal from user. See more in the section about role approval. {{ :devel:adm:role_new_role_form.png?700 | New role}} The following attributes can be set with every role: * **Code** – Required unique attribute. * **Name** – Required. The role name is displayed in the majority of GUI forms. * **Role type** – a descriptive attribute, it does not influence working with roles at the moment. * **Environment** - Environment where role will be stored and used. * **Password policy for validation** - The policy used to validate the strength and compliance of a password, ensuring it meets specific criteria for security. * **Password policy for generating** - The policy used to create or generate passwords, defining the rules and requirements for generating secure passwords. * **Priority level** * Determines the approval agent for assigning and removing a given role. * During provisioning (writing of data to the end system), a one-value attribute is filled with a role with higher priority * **Role authorizers** – a role guarantee is an identity responsible for managing the role, i.e. they can see them in the role list (Role tab) and are able to act as approvers of assigning/removing a role (depending on the configuration of the priority level) * **Role removal approval** – if this box is checked, then removing the role is approved according to the process set in the configuration of CzechIdM. The default selection of CzechIdM configuration for the approval process of removing roles is Approval by role authorizers. Therefore, by checking this box without further configuration, removing of the role from the user will be approved by the role authorizers. * **Can be requested** – if this box is checked role can be requested by users * **Description** – an additional description of the role. * **Inactive** – Inactive roles are displayed in grey colour in menus and users are forbidden to select them, i.e. they cannot be requested for, for instance. **Role authorizer:** Now can be set after role creation in section **Role authorisers**. After all the requested selections have been entered, click on Save and continue. This will bring you straight to the menu **Roles -> Role detail**, specifically to the detail of the newly created role. ===== Role configuration ===== * [[.:add_permissions|Configure role permissions]] * [[.:automatic_roles|Automatically assigned roles]] * [[.:role_change_configuration|Role change approval configuration]]