Roles and assignments
Identity architects usually build the entitlements structure, and may also use the native AM and IDM consoles to put more complex entitlements in place.
Once your entitlements structure is in place, you can use the Identity Cloud admin UI to:
Add new user profiles, device profiles, or roles
Add assignments to roles
Make changes to existing user profiles, device profiles, roles, or assignments
Provision identities with role-based permissions
Roles define privileges for user and device identities. Roles let you automatically update privileges in numerous identity profiles. All role members receive the same permissions you’ve defined for the role. When you change the privileges for that role, you change the permissions for all role members.
When you add a role to an identity profile, the user or device becomes a member of the role. A user or device can belong to many roles.
A role won’t work until you link it to at least one assignment. During the authorization process, Identity Cloud evaluates permissions based on:
Roles a user or device belongs to
Assignments attached to their roles
Internal roles, also called authorization roles, control access to your identity platform. You use internal roles to authorize administrators to manage your tenant or identities contained in it.
External roles, also called provisioning roles, give users and devices the permissions they need to access apps and services. You use external roles to let employees access intranet applications. You can also use external roles to let your customers and their end users access web services and mobile apps in your tenant.
You create an assignment when you want to give a user or device permission to access a resource they need to do a job. A resource might be any application or service, data contained in a document or a database, or a device such as a printer or cell phone.
An assignment won’t work without a role. A role-assignment relationship is not fully formed until you do two things:
Link an assignment to a role. Identity Cloud grants the permissions defined in the assignment to all members of the linked role.
Map your tenant assignment to an attribute stored in an external system. An external system can be, for example, an intranet Reporting App with its own database of user accounts.
In this illustration, Bina’s Accountant II role links to three assignments. During data store sync, Identity Cloud provisions her Reporting App user account based on assignment-attribute mappings:
|Mapping From Assignment Attribute
|Mapping To Reporting App
|Description and Provisioning Outcome
Assignments: Reporting App
The mapping sets the value of Bina’s Name ("Bina Raman") in the UserName attribute in the Reporting App.
Assignments: Operations Reports
The mapping adds the value "Operations" to the Reports attribute in the Reporting App.
Assignments: Sales Reports
The mapping adds the value "Sales" to the Reports attribute in the Reporting App.
When you add a user or device to a role, Identity Cloud updates the user or device profile with the role information. The update gives, or provisions, the user or device with the permissions that come with the role and its assignments.
Here’s a simple entitlement schema example:
- Accountant-I Assignments
- Accountant-II Assignments
Sam and Bina are co-workers. Their identity profiles are provisioned with permissions based on the entitlements schema example.
Sam is a member of the Accountant I role.
The Accountant I role assignments give Sam permission to use the Reporting app to access only Operations Reports.
Bina is a member of the Accountant II role.
The Accountant II role assignments give Bina permission to use the Reporting app to access both Operations Reports and Sales Reports.