Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
tutorial:adm:automatic_roles_by_attribute [2018/01/05 13:48]
poulm typographic correction
tutorial:adm:automatic_roles_by_attribute [2018/12/27 15:12] (current)
kotisovam
Line 1: Line 1:
 +====== Automatic roles - adding roles by attribute value ======
  
 +If you want to add a role to all users that work on the 3th floor, you can use **Automatic roles by attribute**.
 +
 +<note tip>​Basics of roles and automatic roles can be found in [[devel:​documentation:​roles|documentation]].
 +</​note>​
 +From CzechIdM 7.7 onwards, there is a new main menu item **Settings -> automatic roles**. ​
 +{{ :​tutorial:​adm:​autorole_by_organizations.png | Automatic roles list}}
 +
 +There are two tabs:
 +  * **Automatic roles from organizational structure**
 +  * **Automatic roles based on the attribute**
 +
 +The first one shows the list of the automatic roles that a user gets via his/her placement in the organization'​s structure - say, all employees working in the IT Department.
 +
 +The second one shows the automatic roles that users get by means of **Rules**.
 +
 +{{ :​tutorial:​adm:​automatic_roles_by_attribute_list.png | Roles by attributes list}}
 +
 +===== Rules for automatic roles =====
 +
 +Rules are conditions that are evaluated on users and their contracts. If all the rules/​conditions are TRUE, then the user gets the given role.
 +
 +e.g. A rule can be set such that a user's contract has an attribute "​floor"​ with value "​3"​.
 +
 +To create a new automatic role by an attribute, go to **Settings -> automatic roles -> Automatic roles based on the attribute**. Next, click on the green "​Add"​ button. In the form, fill in the name of a new automatic role by attribute e.g. "​Employees - 3th floor printing"​.
 +
 +{{ :​tutorial:​adm:​autorole_new.png | New automatic role definition}}
 +
 +Then select the Role - real CzechIdM entity e.g. "ldap files" that will be assigned if the user matches the Rules. ​
 +
 +The basic setup for the automatic role is done now, click Save and continue.
 +
 +We have specified what role shall be assigned, now we need the conditions - Rules.
 +{{ :​tutorial:​adm:​autorole_rules_list.png | Rules list}}
 +
 +Click on the green "​new"​ button above the Rule table - the table may be empty. ​
 +
 +{{ :​tutorial:​adm:​autorole_new_rule.png |}}
 +
 +Provided that the users' contracts have EAV attribute "​Floor"​ defined, the Rule can look like this:
 +
 +  * **Type of checked attribute = Extended attribute of contract**
 +  * **Form attribute = Floor**
 +  * **Comparison type = EQUALS**
 +  * **Value = 3**
 +
 +When you click on the "save and continue"​ button, you will be asked if the Automatic role should be applied now. 
 +
 +{{ :​tutorial:​adm:​autorole_popup.png | popup}}
 +
 +  * **Yes** - Automatic role is evaluated for all users. Those matching the rule get the said role. Calculation is started as a long running task and its progress can be verified in the Settings -> Task scheduler -> All tasks.
 +    * Moreover, if an identity or its concept is saved - say after some manual editing done by the admin or during automatic synchronization -, the rules for automatic roles by attributes are recalculated for the respective user.
 +  * **No** - automatic role is saved as a concept. ​
 +
 +===== Concepts of automatic roles =====
 +
 +Automatic roles saved as concepts are not evaluated until the concepts are completed (Green button "​Recalculate"​). If any user is saved in gui or e.g. during synchronization,​ automatic roles concepts are skipped.
 +
 +{{ :​tutorial:​adm:​autorole_datail_concept.png | Concept of automatic role by attributes}}