Roles
A role in CzechIdM is an entity representing a set (one or many) of permissions/privileges on the end system or in CzechIdM itself. Users acquire roles:
- automatically – according to the organizational placement
- manually – by assignment based on the user’s request in the CzechIdM self-service or by a CzechIdM administrator.
From the perspective of the identity manager, it does not matter whether the user acquires an account in a specific application, is placed in an LDAP group, has a flag set to “can use VPN”, or is granted a permission inside the application. In all these cases a role is assigned. This simplification allows the same general rules to be applied to assigning all types of permissions (~roles).
Roles and contracts
Roles are assigned to users via their contracts. If a contract is not valid (time validity), the roles on that contract are disabled. In other words, the role loses its permissions in IdM and its rights in connected systems.
Role permissions
Role permissions define rights for administrator actions in CzechIdM. Not every role necessarily defines a permission for CzechIdM. An example of a permission is READ on USERS: a user holding a role with this permission can see the detail of all identities in CzechIdM, but read-only.
Role criticality
A level of criticality can be set for every role. Criticality determines who approves the role's assignment. A role can have a criticality from 0 to 5.
Automatically assigned roles
A role can be linked to a tree structure (e.g. a position in the organizational structure). That role is assigned to and removed from a user when the user (via their contract) is added to or removed from the organizational tree structure. If the contract is not valid yet, the roles are assigned but remain disabled until the contract starts.
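The two rules above (roles carry permissions only while their contract is time-valid, and roles linked to a tree node follow the contract's placement) as a small added model, not CzechIdM's own code or API. The Contract and AutomaticRole classes, the inclusive date bounds and the "one valid contract is enough" rule are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Contract:
    identity: str
    tree_node: Optional[str]           # organizational placement, None if not placed
    valid_from: Optional[date] = None  # None = no lower bound
    valid_till: Optional[date] = None  # None = no upper bound
    manual_roles: tuple = ()           # roles assigned on request or by an administrator

@dataclass(frozen=True)
class AutomaticRole:
    role: str
    tree_node: str                     # contracts placed at this tree node get the role

def contract_is_valid(c: Contract, today: date) -> bool:
    """Time validity of a contract; both bounds are inclusive when present (assumption)."""
    after_start = c.valid_from is None or c.valid_from <= today
    before_end = c.valid_till is None or today <= c.valid_till
    return after_start and before_end

def roles_on_contract(c: Contract, automatic_roles) -> set:
    """Manual roles plus every automatic role linked to the contract's tree node."""
    auto = {a.role for a in automatic_roles if c.tree_node is not None and a.tree_node == c.tree_node}
    return set(c.manual_roles) | auto

def effective_roles(contracts, automatic_roles, today: date) -> dict:
    """Map (identity, role) -> 'active' or 'disabled'. A role stays assigned while
    its contract exists but carries permissions only while the contract is valid;
    one valid contract is enough if several grant the same role (assumption)."""
    status = {}
    for c in contracts:
        state = "active" if contract_is_valid(c, today) else "disabled"
        for role in roles_on_contract(c, automatic_roles):
            key = (c.identity, role)
            if status.get(key) != "active":   # never downgrade an already active role
                status[key] = state
    return status

# Constructed sample data, not taken from any real deployment
TODAY = date(2025, 6, 1)
AUTOMATIC = [AutomaticRole("it-dept-member", "IT"), AutomaticRole("vpn-user", "IT")]
CONTRACTS = [
    Contract("alice", "IT", date(2024, 1, 1), None, ("helpdesk-admin",)),        # running
    Contract("bob", "IT", date(2030, 1, 1)),                                     # starts in the future
    Contract("carol", "HR", date(2020, 1, 1), date(2023, 12, 31), ("hr-app",)),  # expired
]
```

Running `effective_roles(CONTRACTS, AUTOMATIC, TODAY)` shows bob's automatic roles already assigned but disabled until his contract starts, and carol's manual role disabled once her contract has expired.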