Manage Identities

Your tenant might contain data about employees, customers, and devices like cell phones or printers. Each has its own identity: a unique combination of defining attributes. Identity Cloud stores these attributes in identity profiles.

You can specify roles and assignments in a user or device identity profile. Roles and assignments define the type and extent of access permissions you want a user or device to have. Identity Cloud uses roles and assignments to provision an identity profile with the permissions a user or device needs to access resources.

For quick takes, see "About roles and assignments" and "How provisioning works" on this page.

View identity resources

To view and manage user profiles, roles, and assignments in your tenant:
In the Admin UI, go to Identities > Manage.

  • Resources are grouped by realm. If you can’t find a particular resource, be sure that you’re looking in the correct realm.

  • To view a list of tenant administrators only, see View the admins list.

  • To view realm settings, see Realm settings.

Users

A user can be a customer, employee, or vendor (a person) whose identity profile is stored in your tenant. A user identity profile is also called a user profile.

Create a user profile

  1. In the Admin UI, go to Identities > Manage.

  2. On the Manage Identities page, click Users > + New User.

  3. In the New User page, enter user details.

    User details:
    • Username: Name to be displayed in Users list

    • Password: Created by user

    • First Name: User’s given name

    • Last Name: User’s surname

    • Email Address: Provided by user

  4. Click Create User.

Edit a user profile

  1. In the platform console, go to Identities > Manage.

  2. In the Users list, click a username.

  3. In the User profile, edit user details.

    User details:
    Details
    • Given name

    • Surname

    • Email address

    • Mailing address

    • Phone number

    Roles
    • Group name

    • Assignment (Static or Dynamic)

    Groups
    • Group name

    • Assignment

    Direct Reports
    • Username

    • Given name

    • Surname

    • Email address

    Buildings
    • Name

    • Mailing address

    • Contact email address

    Cars
    • Name

    • Make/model

    • License number

    • Contact email address

    Devices
    • Device name

    • Username

    • Given name

    • Surname

    • Contact email address

  4. When you’re satisfied with your changes, click Save.

More Options:

  • To reset a user’s password, click Password Reset.
    In the Reset Password dialog box, enter a new password. Then click Reset Password to save the new password.

  • To end a user’s session, click End Sessions.
    This clears the user’s open SSO sessions within the current realm, and revokes the session tokens. The user must reauthenticate to create a new SSO session. This is useful for testing and troubleshooting purposes.

For a deep dive into Identity Platform user identities, see "Managed Users" in the ForgeRock IDM 7.0 Object Modeling Guide.

Roles

For a quick take, see Roles on this page.

Create an external role

  1. In the platform console, go to Identities > Manage > External Roles.

  2. Click + New External Role.

  3. In the New External Role card, enter role details.

    External role details:
    • Role Name:

    • Role Description:

  4. Click Next.

  5. Choose one or more role assignments, then click Next.

  6. (Optional) Enable dynamic role assignment.

    Dynamic role conditions
    • Use the choosers to define a condition for automatically assigning a user to a role.

    • To add more conditions, click Add (+).

    • Click Advanced Editor to create a query-based condition.

    When you’re satisfied with your role conditions, click Next.

  7. (Optional) Enable a role time constraint.

    Role time constraints
    • Use the calendar and clock choosers to define when the role is in effect.

      • Specify the time zone to be used for the start date/time and end date/time you specified. Choose a time zone relative to Greenwich Mean Time (GMT). GMT is the same as Coordinated Universal Time (UTC).

      • Click Time zones chart to calculate the offset time.

  8. Click Save Role.

  9. (Optional) To add a member to a role, in the Members list, click + Add Members.

    1. Use the chooser to select one or more users to add to the role members list.

    2. Click + Add members.

Edit an external role

  1. In the Admin UI, go to Identities > Manage > External Roles.

  2. In the external roles list, click the role name.

  3. In the External Role card, click Members.

    • To add a member, in the Members list, click + Add Members.

      1. Use the chooser to select one or more users to add to the role members list.

      2. Click +Add members.

    • To edit a member profile, in the Members list, find the member username.
      In the same row, click More and choose Edit.

  4. When you’re satisfied with your changes, click Save.

Create an internal role

  1. In the platform console, go to Identities > Manage > Internal Roles.

  2. Click + New Internal Role.

  3. In the New Internal Role card, enter role details.

    Internal role details:
    • Role Name: Unique identifier to display in the Roles list.

    • Role Description: String that’s meaningful to your organization.
      Examples: Employee, Customers, Sales Department, Europe

  4. Click Next.

  5. Choose the type of identities (users or devices) you want to define permissions for, then click Add.

  6. In the Role Permissions card, enable the permissions you want to grant to this identity type (Users or Devices). You can grant permissions to view, create, update, or delete resources in your extranet.

  7. To grant attribute-based or filter-based permissions, click Advanced.

    Attribute-Based Permissions

    By default, each identity with this role in its profile has Read-only access to your resources.
    For each identity attribute in this list, you can:

    • Add additional write access by choosing Read/Write

    • Restrict access completely by choosing None.

    Filter-Based Permissions

    You are giving permission to any identity with this role in its profile that also meets the conditions you specify here. The permissions you give here override the view, create, update, or delete options you enabled for this role.

    1. Use the slider to enable Filter-based Permissions.

    2. Use the choosers to specify additional conditions for granting permission.

    3. (Optional) Click Advanced Editor to create a query-based condition.

    4. Click Next.

  8. (Optional) Enable a role time constraint for this role.

    Role time constraints
    • Use the calendar and clock choosers to define when the role is in effect.

      • Specify the time zone to be used for the start date/time and end date/time you specified.

        Choose a time zone relative to Greenwich Mean Time (GMT). GMT is the same as Coordinated Universal Time (UTC).

      • Click Time zones chart to calculate the offset time.

  9. Click Save Role.

  10. To add a member, in the Members list, click + Add Members.

    1. Use the chooser to select one or more identities to add to the role members list.

    2. Click Add members.
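The two optional role settings above, a dynamic role condition (external roles) and a role time constraint (external and internal roles), decide together whether a user actually holds a role at a given moment. The following added example is not ForgeRock code and does not use the Identity Cloud query syntax; it models a condition as a list of (attribute, operator, value) triples that must all hold, and a time constraint entered as wall-clock start and end times in a chosen GMT offset. The operator set, the "Finance Contractors" role, the `utc` helper, and the user records are constructed for illustration.

```python
"""Evaluation of dynamic role conditions and role time constraints.

Added example, not ForgeRock code. It models the two optional role settings
described on this page: a condition that assigns users to a role
automatically, and a time constraint whose start and end are entered in a
GMT offset. Operators, the sample role and the user records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Condition operators assumed for this example: equals, not-equals, contains, starts-with.
OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "ne": lambda actual, expected: actual != expected,
    "co": lambda actual, expected: expected in actual,
    "sw": lambda actual, expected: actual.startswith(expected),
}


@dataclass
class DynamicRole:
    name: str
    conditions: List[Tuple[str, str, str]]      # (attribute, operator, value); all must hold
    start: Optional[datetime] = None            # naive wall-clock time in the role's zone
    end: Optional[datetime] = None
    gmt_offset_hours: float = 0.0               # zone in which start/end were entered


def matches(conditions, user):
    """True when every condition holds. A missing attribute never matches (fail closed),
    so an "ne" condition cannot grant the role to a profile that lacks the attribute."""
    for attribute, operator, expected in conditions:
        actual = user.get(attribute)
        if actual is None or not OPERATORS[operator](actual, expected):
            return False
    return True


def role_in_effect(role, now_utc):
    """True when now_utc falls inside [start, end), both interpreted in the role's GMT offset."""
    zone = timezone(timedelta(hours=role.gmt_offset_hours))
    if role.start is not None and now_utc < role.start.replace(tzinfo=zone):
        return False
    if role.end is not None and now_utc >= role.end.replace(tzinfo=zone):
        return False
    return True


def effective_members(role, users, now_utc):
    """Usernames that hold the role right now: condition match AND time constraint."""
    if not role_in_effect(role, now_utc):
        return []
    return [u["userName"] for u in users if matches(role.conditions, u)]


def utc(*args):
    """Aware UTC datetime, for readable inputs (constructed helper)."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample data: a role valid from 09:00 on 1 Jan to 17:00 on 30 Jun, entered in GMT-5.
FINANCE_CONTRACTORS = DynamicRole(
    name="Finance Contractors",
    conditions=[("department", "eq", "Finance"), ("employeeType", "eq", "contractor")],
    start=datetime(2024, 1, 1, 9, 0),
    end=datetime(2024, 6, 30, 17, 0),
    gmt_offset_hours=-5,
)

USERS = [
    {"userName": "alice", "department": "Finance", "employeeType": "contractor"},
    {"userName": "bob", "department": "Finance", "employeeType": "employee"},
    {"userName": "carol", "department": "Sales", "employeeType": "contractor"},
    {"userName": "dave", "employeeType": "contractor"},   # no department attribute at all
]

if __name__ == "__main__":
    # 21:30Z is 16:30 in GMT-5 (still in effect); 22:30Z is 17:30 (expired).
    for when in (utc(2024, 6, 30, 21, 30), utc(2024, 6, 30, 22, 30)):
        print(when.isoformat(), effective_members(FINANCE_CONTRACTORS, USERS, when))
```

Two points the page's UI steps leave implicit: the constraint's end time is exclusive and is converted from the entered GMT offset, so the role expires at 22:00 UTC rather than at 17:00 UTC; and a profile that lacks the attribute a condition tests should fail the condition rather than satisfy a negated one.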

Edit an internal role

  1. In the Admin UI, go to Identities > Manage > Internal Roles.

  2. In the internal roles list, click the role name.

  3. In the Internal Role card, click Members.

    • To add a member, in the Members list, click +Add Members.

      1. Use the chooser to select one or more users to add to the role members list.

      2. Click + Add members.

    • To edit a member profile, in the Members list, find the member username.
      In the same row, click More and choose Edit.

  4. When you’re satisfied with your changes, click Save.

For a deep dive into roles, see "Roles" in the ForgeRock IDM 7.0 Object Modeling Guide.

Assignments

For a quick take, see Assignments on this page.

Create an assignment

  1. In the platform console, go to Identities > Manage > Assignments.

  2. Click +New Assignment.

  3. In the New Assignment card, choose the source-target mapping you want to use for synchronizing identity data stores.

    Tell me more

    The first column lists your tenant data stores. The second column lists available target data stores. For more information, see "Assignments" on this page.

  4. Click Next.

  5. In the Assignment Details card, enter Assignment details.

    Assignment details:
    • Assignment: Name to be displayed in Assignments list

    • Assignment Description: The permission this assignment provides.
      For example, Allows access to Reporting App.

  6. Click Next.

  7. To provision an attribute in the target data store, click Add an attribute. Then enter attribute details.

    Attribute details:

    Create an attribute-value pair for provisioning the target user account.

    1. From the Attribute menu, choose an identity attribute in your tenant.

    2. In the Value field, enter a value for the attribute you just chose. This attribute-value pair will be synced with user accounts in the target data store.

    3. Click Assignment Operations (settings).
      Define how Identity Cloud will sync assignment attributes on the target data store:

      • The On Assignment menu defines what Identity Cloud will do with a new assignment attribute.

        • The Merge with target option adds a new attribute value to an existing attribute in the target user account.

        • The Replace target option removes the existing attribute-value pair in the target user account, and replaces it with the attribute-value you’ve defined.

      • The On Unassignment menu defines what Identity Cloud will do with an existing assignment attribute.

        • The Remove from target option deletes the specified attribute-value pair from the target user account.

        • The No operation option preserves the attribute-value pair in your tenant identities and in the target user accounts.

      • To add more assignment attributes, click Add (+).

      • To remove an assignment attribute, click Delete (-).

  8. Click Save Assignment.

Edit an assignment

  1. In the Admin UI, go to Identities > Manage > Assignments.

  2. In the Assignments list, click the assignment name.

  3. Click Details to edit assignment details.

    Assignment details:
    • Mapping: The source and target data stores to be synced for this assignment. The first column lists your identity platform data store. The second column lists a data store that contains user accounts outside your tenant. See "Assignments" on this page.

    • Assignment Details: Edit the name or description to suit your needs.

  4. To provision an attribute in the target data store, click Add an attribute. Then enter attribute details.

    Attribute details:

    Create an attribute-value pair for provisioning the target user account.

    1. From the Attribute menu, choose an identity attribute in your tenant.

    2. In the Value field, enter a value for the attribute you just chose. This attribute-value pair will be synced with user accounts in the target data store.

    3. Click Assignment Operations (settings).
      Define how Identity Cloud will sync assignment attributes on the target data store:

      • The On Assignment menu defines what Identity Cloud will do with a new assignment attribute.

        • "Merge with target" adds a new attribute value to an existing attribute in the target user account.

        • "Replace target" removes the existing attribute-value pair in the target user account, and replaces it with the attribute-value you’ve defined.

      • The On Unassignment menu defines what Identity Cloud will do with an existing assignment attribute.

        • The Remove from target option deletes the specified attribute-value pair from the target user account.

        • The No operation option preserves the attribute-value pair in your tenant identities and in the target user accounts.

      • To add more assignment attributes, click Add (+).

      • To remove an assignment attribute, click Delete (-).

    4. Click Save.

  5. (Optional) To use a script to customize an assignment, click + Add an event script.

    Tell me more
    1. On the Add Event Script card, choose the event to trigger your script.

    2. Provide your script to Identity Cloud in one of these ways:

      • Enter your script in the text box, and indicate the script Type: JavaScript or Groovy.

      • Enable Upload File, and specify the script filename.

    3. (Optional) Use the Variables fields to define variables in your script.
      Enable JSON to enter your variables using the JSON format.

    4. Click Save.

  6. Click Roles to view roles linked to this assignment:

    1. To add a new role, click +New Role.

    2. To edit an existing role, click More.

  7. When you’re satisfied with your changes, click Save.

For a deep dive into roles and assignments, see "Use Assignments to Provision Users" in the ForgeRock IDM 7.0 Object Modeling Guide.

About roles and assignments

You could use Identity Cloud to set up roles and assignments to create a fine-grained entitlements structure. But, it’s likely your company has already created that structure for you. Identity architects and top-level administrators typically use the native AM and IDM consoles to put complex entitlements in place.

Once your entitlements structure is in place, you can use the Admin UI to:

  • Add new user profiles, device profiles, or roles to your identity platform

  • Add assignments to roles

  • Make changes to existing user profiles, device profiles, roles, or assignments

  • Provision identities with role-based permissions

Roles

Roles define privileges for user and device identities. Roles let you automatically update privileges in numerous identity profiles. All role members receive the same permissions you’ve defined for the role. When you change the privileges for that role, you change the permissions for all role members.

When you add a role to an identity profile, the user or device becomes a member of the role. A user or device can belong to many roles.

A role won’t work until you link it to at least one assignment. During the authorization process, Identity Cloud evaluates permissions based on:

  • Roles a user or device belongs to

  • Assignments attached to their roles


Internal roles

Internal roles, also called authorization roles, control access to your identity platform. Use internal roles to authorize administrators to manage your tenant or identities contained in it.

External roles

External roles, also called provisioning roles, give users and devices the permissions they need to access apps and services. Use external roles to let employees access intranet applications. You can also use external roles to let your customers and their end users access web services and mobile apps in your tenant.

Assignments

Create an assignment when you want to give a user or device permission to access a resource they need to do a job. A resource might be any of these: an application or service; data contained in a document or a database; a device such as a printer or cell phone.

An assignment won’t work without a role. A role-assignment relationship is not fully formed until you do two things:

  1. Link an assignment to a role.
    Identity Cloud grants the permissions defined in the assignment to all members of the linked role.

  2. Map your tenant assignment to an attribute stored in an external system.
    An external system can be, for example, an intranet Reporting App with its own database of user accounts.

[Illustration: role-to-assignment mappings for the Reporting App]

In this illustration, Bina’s Accountant II role links to three assignments. During data store sync, Identity Cloud provisions her Reporting App user account based on assignment-attribute mappings:

  • Assignment: Reporting App maps to UserName.
    The mapping adds Bina’s Name to the UserName attribute in the Reporting App.
    This gives Bina access to the app itself.

  • Assignments: Operations Reports maps to Reports: Operations.
    The mapping adds Operations to the Reports attribute in the Reporting App.
    This gives Bina access to Operations reports in the Reporting App.

  • Assignments: Sales Reports maps to Reports: Sales.
    The mapping adds Sales to the Reports attribute in the Reporting App.
    This gives Bina access to Sales reports.

You can create any number of assignments in your tenant. You can link an assignment to one or more external roles. You cannot link assignments to internal roles.

How provisioning works

When you add a user or device to a role, Identity Cloud updates the user or device profile with the role information. The update gives, or provisions, the user or device with the permissions that come with the role and its assignments.

Here’s a simple entitlement schema example:

  Role           Assignments
  Accountant-I   Reporting App, Operations Reports
  Accountant-II  Reporting App, Operations Reports, Sales Reports

Sam and Bina are co-workers. Their identity profiles are provisioned with permissions based on the entitlements schema example.

  • Sam is a member of the Accountant I role.
    The Accountant I role assignments give Sam permission to use the Reporting app to access only Operations Reports.

  • Bina is a member of the Accountant II role.
    The Accountant II role assignments give Bina permission to use the Reporting app to access both Operations Reports and Sales Reports.
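The schema above, the Bina illustration in "Assignments", and the On Assignment / On Unassignment operations in "Create an assignment" all describe the same mechanism: role membership selects assignments, and each assignment writes an attribute-value pair into the target account. The following added example is not ForgeRock code; it simulates that provisioning over the Accountant-I and Accountant-II schema so the effect of each operation (Merge with target, Replace target, Remove from target, No operation) can be inspected. The target attribute names, the "{name}" value template, and the "Mailbox" assignment with its "Mail-User" role are constructed for illustration.

```python
"""Simulation of role-based provisioning to a target user account.

Added example, not ForgeRock code. It models the On Assignment operations
(Merge with target, Replace target) and the On Unassignment operations
(Remove from target, No operation) described on this page, using the
Accountant-I / Accountant-II schema and the Reporting App mappings from the
Bina illustration. Attribute names, the "{name}" template and the
"Mailbox" assignment / "Mail-User" role are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    name: str
    attribute: str                   # attribute in the target user account
    value: str                       # may reference tenant attributes, e.g. "{name}"
    on_assignment: str = "merge"     # "merge" (Merge with target) or "replace" (Replace target)
    on_unassignment: str = "remove"  # "remove" (Remove from target) or "noop" (No operation)


ASSIGNMENTS = {
    "Reporting App": Assignment("Reporting App", "UserName", "{name}", on_assignment="replace"),
    "Operations Reports": Assignment("Operations Reports", "Reports", "Operations"),
    "Sales Reports": Assignment("Sales Reports", "Reports", "Sales"),
    # Constructed: a value that is deliberately left in place when the assignment is revoked.
    "Mailbox": Assignment("Mailbox", "Mailbox", "{name}@example.com", on_unassignment="noop"),
}

# Entitlement schema from the page, plus a constructed "Mail-User" role.
ROLES = {
    "Accountant-I": ["Reporting App", "Operations Reports"],
    "Accountant-II": ["Reporting App", "Operations Reports", "Sales Reports"],
    "Mail-User": ["Mailbox"],
}


def _render(assignment, user):
    """Resolve the assignment value against the tenant identity's attributes."""
    return assignment.value.format(**user)


def apply_assignment(account, assignment, user):
    """On Assignment: merge the value into the target attribute, or replace the attribute."""
    value = _render(assignment, user)
    current = account.get(assignment.attribute, [])
    if assignment.on_assignment == "replace":
        account[assignment.attribute] = [value]
    elif value not in current:
        account[assignment.attribute] = current + [value]
    return account


def revoke_assignment(account, assignment, user):
    """On Unassignment: remove the value from the target attribute, or leave it untouched."""
    if assignment.on_unassignment == "noop":
        return account
    value = _render(assignment, user)
    remaining = [v for v in account.get(assignment.attribute, []) if v != value]
    if remaining:
        account[assignment.attribute] = remaining
    else:
        account.pop(assignment.attribute, None)
    return account


def assignments_for(roles):
    """All assignments linked to the given roles, in order, without duplicates."""
    seen = []
    for role in roles:
        for name in ROLES[role]:
            if name not in seen:
                seen.append(name)
    return seen


def provision(user, roles):
    """Build a fresh target account for a user from the roles they belong to."""
    account = {}
    for name in assignments_for(roles):
        apply_assignment(account, ASSIGNMENTS[name], user)
    return account


def change_roles(account, user, old_roles, new_roles):
    """Re-provision after role membership changes.

    Only assignments no longer reachable through any remaining role are revoked:
    an assignment shared by two roles must survive the loss of one of them.
    """
    before = assignments_for(old_roles)
    after = assignments_for(new_roles)
    for name in before:
        if name not in after:
            revoke_assignment(account, ASSIGNMENTS[name], user)
    for name in after:
        if name not in before:
            apply_assignment(account, ASSIGNMENTS[name], user)
    return account


if __name__ == "__main__":
    sam, bina = {"name": "Sam"}, {"name": "Bina"}
    print("Sam:", provision(sam, ["Accountant-I"]))
    print("Bina:", provision(bina, ["Accountant-II"]))
    promoted = change_roles(provision(sam, ["Accountant-I"]), sam, ["Accountant-I"], ["Accountant-II"])
    print("Sam promoted:", promoted)
```

Running it shows Sam's account with Reports limited to Operations and Bina's with Operations and Sales, as the page describes. The point worth checking in a real tenant is in `change_roles`: when a user loses one of several roles, an attribute value that another role still grants must not be removed, and a No operation unassignment leaves the target value in place, so revoking the role alone does not revoke the access.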

For a deep dive, see these sections in the ForgeRock IDM 7.0 Object Modeling Guide: