Role assignment - changing roles of users manually

There are several ways to change users' roles in CzechIdM. This chapter describes the manual process of changing a role assignment, which can be started:

  • by the administrator – Users menu → User detail (magnifying glass symbol) → Roles. Click the button Manage authorizations.
  • by the user themselves – Profile → Roles. Click the button Manage authorizations.
  • by a privileged user, e.g. the user's manager – Profile → Subordinates → User detail (magnifying glass symbol) → Roles. Click the button Manage authorizations.

All of them lead to the same GUI form. It is described further in the next chapter.

The approval process is managed by the configurable standard approval workflow of CzechIdM.

A user or an authorized administrator can change users’ roles via a so-called role assignment change request. The request can be accessed via the detail of the user for whom the change is requested. In the tab Roles, there is a form displaying:

  • Assigned roles – roles which are currently assigned to the user
  • Concepts of requests for authorization change – if a request has not been finished (sent), it is saved here as a concept
  • Requests for authorization change – requests that are currently being processed
  • Roles pending approval – list of roles awaiting approval across all requests

Figure: Current roles list

There is also the button Manage authorizations, which starts the process Changing user roles. After clicking the button, an empty request is opened.

Figure: Role change request - user summary

There, new roles are inserted using the button Add.

The following fields can be filled in in the new role selection window:

  • Role – New roles for the current request are selected here using full-text search.
  • Contracted position – Selection of the user's contracted position to which the new role will be assigned.
  • Valid from – Roles with a future start date of validity become valid on the given day, i.e. if the role assigns an account in LDAP, the account is created on the start day of validity set in this attribute.
  • Valid to – Roles with expired validity are processed in the following way:
    • The user loses all the permissions resulting from the role on the expiry day, i.e. if the role assigned an account on a managed LDAP system, the account is deleted there on the expiry day set in this attribute. The role itself is not removed from the user's contracted position; it is set invalid instead.
    • At the next run of the scheduled task that removes roles after their validity expiry date, the role is physically removed from the user (or rather from the user’s contracted position) in CzechIdM.
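
The validity rules above leave a window in which a role is still attached to a contracted position but grants nothing. The following added example (a local model, not CzechIdM code or its API) classifies assignments the way an access review would need to; the role names, dates and function names are constructed, and the expiry day is treated as already invalid, following the wording above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Assignment:
    role: str                            # hypothetical role name
    valid_from: Optional[date] = None    # None = valid immediately
    valid_to: Optional[date] = None      # None = no expiry

def state(a: Assignment, today: date) -> str:
    """Classify an assignment that is still attached to a contracted position."""
    if a.valid_from and today < a.valid_from:
        return "FUTURE"              # assigned, but no permissions or accounts yet
    # Assumption from the page's wording: permissions are lost ON the expiry day.
    if a.valid_to and today >= a.valid_to:
        return "EXPIRED_ATTACHED"    # set invalid, waiting for the cleanup task
    return "VALID"

def effective_roles(assignments, today):
    """Roles that actually grant permissions today."""
    return [a.role for a in assignments if state(a, today) == "VALID"]

def review(assignments, today):
    """Attached assignments that must not be counted as current permissions."""
    return {a.role: state(a, today)
            for a in assignments if state(a, today) != "VALID"}

def run_cleanup(assignments, today):
    """Model of the scheduled task: physically remove expired assignments."""
    return [a for a in assignments if state(a, today) != "EXPIRED_ATTACHED"]

# Constructed sample data for one contracted position.
SAMPLE = [
    Assignment("ldap-user"),
    Assignment("vpn-access", valid_from=date(2024, 6, 1)),
    Assignment("finance-approver", valid_to=date(2024, 5, 15)),
]

if __name__ == "__main__":
    today = date(2024, 5, 15)
    print("effective:", effective_roles(SAMPLE, today))
    print("attached but not effective:", review(SAMPLE, today))
    print("after cleanup:", [a.role for a in run_cleanup(SAMPLE, today)])
```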

The role selection is confirmed by clicking the button Set. Roles can be added to one request repeatedly in the described way, for example if different jobs or validities need to be set for different roles.

Figure: Add roles to request

A role assignment can be edited by clicking the orange square with the pencil symbol (the same form as for adding, see below). Automatic roles cannot be removed, nor can their validity be configured; they are assigned and removed automatically. Roles are removed from the selection by clicking the red cross in the line with the role.

Figure: Role change request - roles summary

After the form has been filled in, it is necessary to click the button Submit a request, which sends the form for processing in the process Change role request. If the form is closed using the button Back (next to the button Submit a request), the form is saved as a concept.

The process then continues with approval. The individual steps of approval are described here. The changes are applied to the user only after approval in the last step of the approval workflow.

Once the request has been created, the current list of roles which the user has requested and their approval status can be seen in the user’s detail → Roles.

How to request a role - Czech language