Role - Creating/editing

To create a new role, go to Role agenda and Role management tab, then click Add. A unique name for the role must be chosen within all the roles. The role can also be placed in one or more folders in the catalogue of roles.

 Role list agenda

A guarantee can be set for every role. Other processes can be related to the guarantee such as approval of assigning a role, change in time validity and its removal from user. See more in the section about role approval.

 New role

The following attributes can be set with every role:

  • Role name – a required unique attribute. The role name is displayed in the majority of GUI forms.
  • Role type – a descriptive attribute, it does not influence working with roles at the moment.
  • Priority level
    • Determines the approval agent for assigning and removing a given role.
    • During provisioning (writing of data to the end system), a one-value attribute is filled with a role with higher priority
  • Priority – read only, a numerical representation of the priority level.
  • Catalogue folder – every role can be placed in the role catalogue, which is meant for organizing them.
  • Role authorizers – a role guarantee is an identity responsible for managing the role, i.e. they can see them in the role list (Role tab) and are able to act as approvers of assigning/removing a role (depending on the configuration of the priority level)
    • Role authorizer type (since 10.3.0) - Authorize type can be set on the authorizer details (by identity or by role). Selection is possible from the code list, which must be predefined in the agenda Code lists. This codebook must have the code guarantee-type. For the authorizer type to be visible, at least one value must be defined in the codebook. This fields are not use in IdM now (no bussines logic is implemented)! Are designed for specific using in a projects (for example in approval WF).
  • Role removal approval – if this box is checked, then removing the role is approved according to the process set in the configuration of CzechIdM. The default selection of CzechIdM configuration for the approval process of removing roles is Approval by role authorizers. Therefore, by checking this box without further configuration, removing of the role from the user will be approved by the role authorizers.
  • Description – an additional description of the role.
  • Inactive – Inactive roles are displayed in grey colour in menus and users are forbidden to select them, i.e. they cannot be requested for, for instance.
Role authorizer type: Selection is possible from the code list, which must be predefined in the agenda Code lists. This codebook must have the code guarantee-type. For the authorizer type to be visible, at least one value must be defined in the codebook.
Role authorizer type: If you need to find guarantors for a given role, but only for a given type, you can use the IdmIdentityFilter.setGuaranteeType("type") filter. Filtering by guarantor type will only work if the filter contains the required role IdmIdentityFilter.setGuaranteesForRole(roleId).

After all the requested selections have been entered, click on Save and continue. This will bring you straight to the menu Roles → Role detail, specifically to the detail of the newly created role.

How to create role - Czech language