Create an Access Request Process That Assigns a Provisioning Role

Document ID : KB000072632
Last Modified Date : 17/07/2018
Show Technical Document Details
Introduction:
Step by step guide to creating an Access Module including a user search.
Instructions:
Create a New User in CA Identity Manager
To begin, create a new user in CA Identity Manager that you can assign permissions to in CA Identity Portal.
1. On the Virtual Appliance dashboard, click the link for the CA Identity Manager User Console.
2. Log in to the CA Identity Manager User Console with the imadmin credentials.
3. In the Tasks menu, expand Users.
4. Expand Manage Users and click Create User.
5. Select Create a new user and click OK.
6. Create the new user and click Submit

Create a New Admin Task in CA Identity Manager
-Create a copy of the Modify User admin task and rename the new admin task to [PORTAL]Assign Permission No Approval.

7. In the Tasks menu, expand Roles and Tasks.
8. Expand Admin Tasks and click Create Admin Task.
9. Select Create a copy of an admin task.
10. Search for the Modify User task and select it in the Search Results.
11. On the Create Admin Task form:
a. In the Name field, replace Modify User with [PORTAL] Assign Permission No Approval.
b. In the Tag field, replace ModifyUser with PORTALAssignPermissionNoApproval.
12. Select Enable Web Services.
13. Click Submit.

Create a New Admin Role in CA Identity Manager
Create a new admin role called [PORTAL] All Users to allow users execute the new admin task.
14.. In the Tasks menu, expand Roles and Tasks.
15.. Expand Admin Roles and click Create Admin Role.
16. Call the Role [PORTAL] All Users and make sure Enabled is checked.
17. On the Tasks tab, add the [PORTAL] Assign Permission No Approval admin task to the new admin role.
18. On the Members tab, define a Member Policy so that all users can be members of this admin role. Include a scope rule that lets members of this admin role manage all users.
19. Define an Owner Rule so that only users who are members of the System Manager admin role can be owners of the new admin role.
20. To save the new admin role, click Submit.

Create a New Portal Task
Create a portal task that maps to the new [PORTAL] Assign Permission No Approval admin task.

21.  Go to the Identity Portal Admin UI.
Before you create the portal task, you need to restart the CA Identity Manager (CA IM) connector to expose the Identity Manager admin task to CA Identity Portal. (In the Admin UI, click the Setup tab. To restart the CAIM connector, click Restart for that connector.)
22. To start creating the new portal task, click the Elements tab.
23. In the left pane, under Backend, click Tasks.
24. Click + Create.
25. Create the new portal task with the following values:
Connector: CAIM
Name: PORTALAssignPermissionNoApproval
The Tag field should automatically populate with TASK_CAIM_PORTALAssignPermissionNoApproval
additionOperation: directChange
removalOperation: directChange

26. Click Create.

Create a New Portal Form for User Data Input
27. In the left pane, under Backend, click Forms.
28. Click + Create.
29. In the Name field, type AssignPermission.
The Form Tag field should automatically populate with FORM_AssignPermission.
30. Click the Task tab and select the PORTALAssignPermissionNoApproval task.
31. Click Create.

Create an Execution Plan
Next, you will create an execution plan that defines the target permission rules.
32. In the left pane, under Backend, click Execution Plans.
33. Click + Create.
34. On the Details tab, complete the fields as follows:
Title: AssignPermission
Tag should automatically populate with EP_AssignPermission
Connector: CAIM

35. Click the Rules tab and click + Add Rule.
36. Complete the fields as follows:
Note: Do not forget to select the checkbox next to Add form and Remove form and assign the AssignPermission form to both
Name:AssignPermission
Priority:1
Mode:AccessRights
Rule Expression: true
Add Form = AssignPermission
Remove Form = AssignPermission

37. Click Create.

Create a New Target Permission
You need to create a new target permission that will map to the CA Identity Manager provisioning role.
38. In the left pane, under Backend, click Target Permissions.
39. Click + Create.
40. On the Details tab, do the following:
a. In the Connector list, select CAIM.
b. In the Select target permission name list, select a provisioning role 
c. In the Mod Type list, select ADD.
41. Click the Execution Plan tab.
42. Select the AssignPermission execution plan and click Create.  
43. Click the Modules tab.
44. Click the Access module.
45. Click the Access Rights tab.
46. Click + Add application group.
47. Name the new application group UserDirectory
48. Click + Add application to create a new application in the application group.
49. Name the new application directoryserver.local.
50. Click + Add permission.
51. Name the new permission Base Level Access.
52. Click the Edit (pencil) icon beside Target Permission.
53. Select the Provisioning Role target permission.
54. Click Save.

Create a User Search
55. In the Access module configuration, click the Search tab.
56. Click + Create search.
57. On the Details tab, do the following:
a. In the Name field, type User.
b. In the Connector list, select CAIM.
58. Click the Attributes tab.
59. Select the following attributes and click Create:
 FirstName
 LastName
 LoginId
 Title
 UserId
60. Select the User search you just created and click Save.
61. Go to the CA Identity Portal user console.
62. Log in using the imadmin credentials.
63. Click the Access module.
64. Click User Search and then search for the user you created in step 6 above.
65. Select the user 
66. Click the Applications tab.
67. Under User Directory, click directoryserver.local.
68. Click the plus sign (+) next to Base Level Access to add the access to the Cart.
69. Click Check Out and then click Submit.
70. In the CA Identity Manager User Console, go to View Submitted Tasks and verify the [PORTAL]Assign Permission No Approval admin task was triggered and completed.
71. In the CA Identity Manager User Console, view the user that you created in step 6 above and verify they are now a member of the provisioning role.