8.0:documentation:roles:dev:automatic_role_request

Automatic role request

Automatically assigned roles have a significant security impact, so creating, editing, or deleting them must go through an approval process. For this purpose, an agenda for requests to change automatic roles has been created.

The approval process is selected according to the role criticality, as defined in the role criticality configuration. Only the processes approve-role-by-guarantee and approve-role-by-guarantee-security support approving automatic roles.

Some processes used to approve role assignments to a user may not support approving changes to automatic roles (for example, approval by the supervisor). In that case the default process is used (approval by the role guarantee).
A process supports automatic roles when it defines the variable "supportsAutomaticRole = true".
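The selection rule described above (use the process configured for the role criticality only if it declares supportsAutomaticRole = true, otherwise fall back to approval by the role guarantee), written out as an added illustrative model. This is not CzechIdM code: the dictionaries, the criticality-to-process mapping and the function names are assumptions; only the two process keys and the supportsAutomaticRole variable come from the page.

```python
"""Illustrative model of how an approval process is chosen for an automatic
role request. Added example, not CzechIdM code: data structures, the
criticality mapping and function names are assumptions."""

# Workflow definitions keyed by definition key, each with the variables it
# declares. Constructed sample data: only approve-role-by-guarantee and
# approve-role-by-guarantee-security declare supportsAutomaticRole = true.
PROCESS_DEFINITIONS = {
    "approve-role-by-guarantee": {"supportsAutomaticRole": True},
    "approve-role-by-guarantee-security": {"supportsAutomaticRole": True},
    # assumed key standing in for "approval by the supervisor"
    "approve-role-by-manager": {},
}

# Default process used when the configured one cannot handle automatic roles
# (approval by the role guarantee, as the page states).
DEFAULT_PROCESS = "approve-role-by-guarantee"

# Assumed mapping from role criticality to the configured approval process;
# in the product this comes from the role criticality configuration.
CRITICALITY_TO_PROCESS = {
    0: None,  # no approval process configured for this criticality (assumed)
    1: "approve-role-by-manager",
    2: "approve-role-by-guarantee",
    3: "approve-role-by-guarantee-security",
}


def supports_automatic_role(process_key, definitions=PROCESS_DEFINITIONS):
    """A process supports automatic roles only if it declares the variable
    supportsAutomaticRole with the value true; unknown processes do not."""
    definition = definitions.get(process_key)
    if definition is None:
        return False
    return definition.get("supportsAutomaticRole") is True


def select_process(criticality, mapping=CRITICALITY_TO_PROCESS,
                   definitions=PROCESS_DEFINITIONS):
    """Return the workflow definition key to start for an automatic role
    request whose role has the given criticality. Falls back to
    DEFAULT_PROCESS when the configured process does not support automatic
    roles (or, as assumed here, when none is configured), so a change to an
    automatic role is never left without approval."""
    configured = mapping.get(criticality)
    if configured is not None and supports_automatic_role(configured, definitions):
        return configured
    return DEFAULT_PROCESS


if __name__ == "__main__":
    for level in sorted(CRITICALITY_TO_PROCESS):
        print(level, "->", select_process(level))
```

The point of the fallback is that an unsupported process (approval by the supervisor in the example) is silently replaced by guarantee approval, so when auditing who may approve automatic role changes, check the `supportsAutomaticRole` variable of the configured process rather than assuming the criticality mapping is honoured as written.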

If we want an identity to be able to administer automatic role requests, we set the authorization policies as follows:

  • Permission to all requests: Requests for automatic roles (IdmAutomaticRoleRequest) | Admin | BasePermissionEvaluator
  • Permission to all request rules: Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | | AutomaticRoleRuleRequestByRequestEvaluator
  • Permission to read all existing automatic roles by attributes: Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator
  • Permission to read all existing automatic role rules by attributes: Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule) | Read | BasePermissionEvaluator
  • Permission to read all existing automatic roles by tree structure: Automatic roles (organization structure) (IdmRoleTreeNode) | Read | BasePermissionEvaluator

Policies can be configured according to your own needs; this example enables all operations with requests.

If we want an identity to be able to approve automatic role requests, we can use the AutomaticRoleRequestByWfInvolvedIdentityEvaluator authorization policy evaluator. This evaluator grants permission to read the requests (in a WF task) that the logged-in identity can approve. It is also good to grant autocomplete permission on IdmAutomaticRoleAttribute and IdmRoleTreeNode.
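To make the difference between the two evaluator kinds on this page concrete, here is an added illustrative model (not CzechIdM code): BasePermissionEvaluator grants its configured permissions on every object of the type, while AutomaticRoleRequestByWfInvolvedIdentityEvaluator grants READ only on requests whose WF task the logged identity can complete. The class layout, the `wf_task_approvers` field and the attachment of policies directly to identities (in the product they are attached to roles) are assumptions; the evaluator names and what they grant follow the page.

```python
"""Illustrative model of object-independent vs. object-dependent evaluators.
Added example, not CzechIdM code: dataclass fields and the identity-keyed
policy table are assumptions."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AutomaticRoleRequest:
    id: str
    # identities that may complete this request's approval task (assumed
    # field standing in for the WF task candidates/assignee)
    wf_task_approvers: frozenset = field(default_factory=frozenset)


class BasePermissionEvaluator:
    """Grants the configured permissions on every object of the type,
    regardless of which object or which identity is evaluated."""

    def __init__(self, permissions):
        self.permissions = frozenset(permissions)

    def evaluate(self, obj, identity):
        return self.permissions


class AutomaticRoleRequestByWfInvolvedIdentityEvaluator:
    """Grants READ only on requests whose approval task the logged identity
    can complete; every other request yields no permission at all."""

    def evaluate(self, obj, identity):
        if identity in obj.wf_task_approvers:
            return frozenset({"READ"})
        return frozenset()


def permissions_for(identity, obj, policies):
    """Union of the permissions granted on obj by all evaluators configured
    for the identity (modelled per identity for brevity)."""
    granted = set()
    for evaluator in policies.get(identity, ()):
        granted |= evaluator.evaluate(obj, identity)
    return frozenset(granted)


# Constructed sample data: two requests, one awaiting approval by "guarantee".
REQUESTS = {
    "req-1": AutomaticRoleRequest("req-1", frozenset({"guarantee"})),
    "req-2": AutomaticRoleRequest("req-2", frozenset({"other-guarantee"})),
}

POLICIES = {
    "admin": [BasePermissionEvaluator({"ADMIN"})],
    "guarantee": [AutomaticRoleRequestByWfInvolvedIdentityEvaluator()],
}


if __name__ == "__main__":
    for who in POLICIES:
        for req in REQUESTS.values():
            print(who, req.id, sorted(permissions_for(who, req, POLICIES)))
```

The administrator policy is a blanket grant, so it belongs only on an administrative role; the approver policy exposes exactly the requests the identity is involved in, which is why the page recommends it for approvers instead of a read permission on all requests.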