Manage Internal Roles

The IGA supports the ability to manage (create, edit, and delete) internal user roles. Internal user roles are the set of default roles that determines how the user can access the IGA system.

Default Internal Roles

By default, the set of internal roles are as follows:

Internal Roles
Internal Role	Description
access-request-admin	Role for access request administrators.
glossary-admin	Role for glossary administrators.
governance-administrator	Role for governance administrators.
openidm-admin	IDM administrator role, excluded from the reauthorization required policy definition by default.
openidm-authorized	Default role for any user who authenticates with a username and password.
openidm-cert	Default role for any user who authenticates with mutual SSL authentication. This role only applies to mutual authentication. The shared secret (certificate) must be adequately protected. This role is excluded from the reauthorization required policy definition by default.
openidm-reg	Default role assigned to users who access IDM with the default anonymous account. This role is excluded from the reauthorization required policy definition by default.
openidm-tasks-manager	Role for users who can be assigned to workflow tasks.
platform-provisioning	Role for platform provisioning access. You can remove this role if you are not running AM and IDM together as a platform.

Add a New Internal Role

Log in to the IGA UI.
Click Manage, and then click Roles.
Click Next.
- Name. Enter a name for the role. This is a required field.
- Description. Optional. Enter a description for the role.
Click Next.
On the Internal Role Permissions modal, select the Internal Role identity object, and then click Add. The internal role assigns View privileges automatically.
1. Click Create, Update, or Delete.
2. Click Show advanced to edit the attribute permissions.
3. For each attribute permission, edit the permissions on each attribute by click the down arrow. Options are: Read, Read/Write, or None.
4. To filter internal roles, click Administer only a subset of Internal Roles by applying a filter.
5. Click Any and select either Any or All to apply the conditions to the user.
6. Click Username and select any user property for the rule.
7. Click contains and select contains|does not contain|is|is not|is present|is not present|starts with|does not start with|.
8. Enter the property for the condition.
9. If you want to add more filters, click +, and repeat the previous steps.
10. Click Next.
On the Dynamic Internal role Assignment modal, configure a rule to assign a user to a role based on the presence of specific attributes:
1. Click A conditional filter for this role.
2. Click Any and select either Any or All to apply the conditions to the user.
3. Click Username and select any user property for the rule.
4. Click contains and select contains|does not contain|is|is not|is present|is not present|starts with|does not start with|.
5. Enter the property for the condition.
6. If you want to add more filters, click +, and repeat the previous steps.
7. Click Next.
On the Time Constraint modal, click Set a start and end date during which this role will be active.
1. For Start, select the date and time to begin the time period where the role is active.
2. For End, select the date and time to end the time period where the role is active.
3. For Time Zone Offset, enter the GMT offset. If you are not sure, click Time Zone Charts.
Click Save.

Edit Role Details

On the Roles page, review the Details. If you need to make changes, edit the entries.
Click Save.

Privileges

On the Roles page, review the privileges for your new internal role. If you need to make changes, edit the entries.
To add additional privileges, click Add Privileges. You will see similar fields as when you create the new interal role. See Add a New Internal Role.
Click Save.

Members

On the Internal Roles page, click Members.
Click Add Members.
On the Add Role Members modal, select or enter the members to whom you should assign.
For Time Constraint, enable Assign role only during a selected time period if you want to have the role assigned for a specific timeframe.
1. For Start, select the date and time to begin the time period where the role is active.
2. For End, select the date and time to end the time period where the role is active.
3. For Time Zone Offset, enter the GMT offset. If you are not sure, click Time Zone Charts.
Click Save.

Settings

For Condition, click Set up to enter conditional filters for this role.
On the Condition modal, enable A conditional filter for this role to enter conditional rules.
1. Click Any and select either Any or All to apply the conditions to the user.
2. Click Username and select any user property for the rule.
3. Click contains and select contains|does not contain|is|is not|is present|is not present|starts with|does not start with|.
4. Enter the property for the condition.
5. If you want to add more filters, click +, and repeat the previous steps.
6. Click Save.
For Temporal Constraints, click Set up to enter time constraints for the role.
1. For Start, select the date and time to begin the time period where the role is active.
2. For End, select the date and time to end the time period where the role is active.
3. For Time Zone Offset, enter the GMT offset. If you are not sure, click Time Zone Charts.
4. Click Save.

Raw JSON

On the Internal Role page, click Raw JSON. The summary of your role’s inputted information appears in raw JSON, so that you can export it to your other applications.
Click Copy JSON. The JSON is copied to your clipboard.

Delete Role

On the Internal Role page, scroll down any of the roles page, and click Delete Role.

Once you click Delete Role, you cannot undo the command.

IGA 2021.11.0