How to configure Nested Roles in Identity Manager?

Document ID : KB000010920
Last Modified Date : 05/10/2018

You can include a provisioning role within another provisioning role. The included role is named a nested role.

For example, you could create an Employee provisioning role. The Employee role would provide accounts needed by all employees, such as email accounts. You include the Employee role in department-specific provisioning roles, such as a Finance role and a Sales role. The department provisioning roles would provide accounts related only to that department. This combination of roles provides the right accounts for each user.

CA Identity Manager 12.x / 14.x

Before implementing Nested Roles, enable them in your environment.

Follow these steps:

  1. In the Management Console, select the environment.
  2. Click Role and Task Settings, Import.
  3. Select Nested Provisioning Roles Support.
  4. Click Finish and restart the environment.

To configure and search for Nested Roles, use the following steps while logged in to the CA Identity Manager Console as an admin user.

In this example the test user is called "AUser" and the admin is called "imadmin".

Step 1.

  • Go to Roles and Tasks, Admin Tasks, Create Admin Task.
  • Create a copy of an admin task based on "View Provisioning Role".
  • Change the Name to "View Dept 123 Provisioning Role".
  • Set Search Configuration as follows:
    Search Screen = Default Provisioning Role Nest Search.
    Search Options = All Provisioning Roles.

Step 2.

  • Go to Roles and Tasks, Admin Roles, Create Admin Role.
  • Enter a name (for example, "Provisioning Manager Dept 123") and make sure the Enabled checkbox is selected.
  • Set Tasks to include Roles and Tasks - "View Dept 123 Provisioning Role".
  • On the Members tab, add "AUser" to the list of Members (that is, where User ID = "AUser") and set the scope to ALL. Select "Administrators can add and remove members of this role". Note: In this scenario all the provisioning role names begin with "Dept 123", so you could use this as a limiting scope, for example where Name contains "Dept 123".
  • On the Administrators tab, add "imadmin" to the list of Administrators (that is, where User ID = "imadmin") with a Scope Rule of All.
  • On the Owners tab, add "imadmin" to the list of Owners (that is, where User ID = "imadmin").

Step 3.

  • Go to Roles and Tasks, Provisioning Roles, Create Provisioning Role (for example, "Dept_123").
  • On the Administrators tab, add "imadmin" to the list of Administrators (that is, where User ID = "imadmin") with the scope of ALL and select "Administrators can add and remove Administrators of this role".
  • On the Owners tab, add "imadmin" to the list of Owners (that is, where User ID = "imadmin").

Step 4.

  • Create a second Provisioning Role (for example, "Dept 123 AD Provisioning").
  • On the Templates tab, add an Active Directory Account Template.
  • On the Administrators tab, add "imadmin" to the list of Administrators (that is, where User ID = "imadmin") with the scope of ALL.
  • On the Owners tab, add "imadmin" to the list of Owners (that is, where User ID = "imadmin").

Step 5.

  • Go to Roles and Tasks, Provisioning Roles, Modify Provisioning Role. Modify the role created in Step 3 ("Dept_123") and add the Provisioning Role created in Step 4 ("Dept 123 AD Provisioning").

Step 6.

  • Log on to the Identity Manager Console as AUser.
  • Navigate to Roles and Tasks, Provisioning Roles; you should see "View Dept 123 Provisioning Role".
  • Executing this search displays "Dept 123" and "Dept 123 AD Provisioning".

Note: The "Where" filter has options for "Included Roles" and "Including Roles" to filter the Provisioning Roles. For example:

Executing the search Where Included Roles = "Dept 123 AD Provisioning" returns "Dept 123".
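The following is an added example, not CA Identity Manager code: it models the nesting relationship from the steps above (Dept_123 nests Dept 123 AD Provisioning, plus the Employee/Finance example from the introduction) so the direction of the two Where filters and the account templates a member inherits through nesting can be checked offline. The "Including Roles" filter is modelled as the inverse of "Included Roles", which is an assumption; the role and template names are constructed sample data.

```python
# Added example, not CA Identity Manager code: a small model of nested provisioning
# roles built from the KB scenario so the nesting semantics and the direction of the
# "Included Roles" / "Including Roles" search filters can be checked offline.
from __future__ import annotations

# Constructed sample data modelled on the article: each role lists the account
# templates it carries directly and the provisioning roles it nests.
ROLES: dict[str, dict[str, set[str]]] = {
    "Employee": {"templates": {"Email Account Template"}, "includes": set()},
    "Finance": {"templates": {"Finance App Template"}, "includes": {"Employee"}},
    "Dept_123": {"templates": set(), "includes": {"Dept 123 AD Provisioning"}},
    "Dept 123 AD Provisioning": {"templates": {"Active Directory Account Template"}, "includes": set()},
}


def included_roles(role: str, roles: dict = ROLES) -> set[str]:
    """Roles nested inside `role`, directly or transitively.

    The `seen` set stops the walk if two roles include each other, which would
    otherwise loop forever."""
    seen: set[str] = set()
    stack = [role]
    while stack:
        for child in roles[stack.pop()]["includes"]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def including_roles(role: str, roles: dict = ROLES) -> set[str]:
    """The reverse direction: every role that nests `role`, directly or transitively."""
    return {name for name in roles if role in included_roles(name, roles)}


def effective_templates(role: str, roles: dict = ROLES) -> set[str]:
    """Templates a member of `role` receives: its own plus those of every nested role."""
    templates = set(roles[role]["templates"])
    for nested in included_roles(role, roles):
        templates |= roles[nested]["templates"]
    return templates


def search(where: str, value: str, roles: dict = ROLES) -> set[str]:
    """Model of the search screen's Where filter for the two nesting fields."""
    if where == "Included Roles":  # roles whose nested roles contain `value`
        return {name for name in roles if value in included_roles(name, roles)}
    if where == "Including Roles":  # roles nested under `value` (assumed inverse)
        return {name for name in roles if value in including_roles(name, roles)}
    raise ValueError(f"unsupported filter: {where}")
```

`search("Included Roles", "Dept 123 AD Provisioning")` reproduces the article's result by returning only `Dept_123`, while `effective_templates("Finance")` shows the e-mail template arriving through the nested Employee role.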

Additional Information:

Using the steps in the previous instructions lets you see the Nested Roles listed in the search screen. However, to display the nested provisioning roles in the tabs as part of a provisioning role, the user must be an owner of the nested role. Where this is not practical, you can set the provisioning role to display regardless of the scope. To do this, use the following steps:

  1. Log in to the Identity Manager Console with an Administrator account and navigate to Roles and Tasks, Admin Tasks, Modify Admin Task.
  2. Search for and select the Admin Task you created earlier, "View Dept 123 Provisioning Role".
  3. Click "Tabs" and edit the "Provisioning Roles" tab element.
  4. Select the "Show all members regardless of scope" checkbox.
  5. Click OK.
  6. Click "Tabs" and edit the "Provisioning Roles Indirect" tab element.
  7. Select the "Show all members regardless of scope" checkbox.
  8. Click OK.
  9. Click Submit.