Automatic role request
Automatically assigned roles have a significant security impact. Creating, editing, or deleting them must therefore be approved before the change takes effect. For this purpose, a dedicated agenda is used for filing requests to change automatic roles.
The approval process is chosen by the role's criticality, which is defined here.
Only the processes approve-role-by-guarantee and approve-role-by-guarantee-security support approving automatic roles.
Security configuration
If we want an identity to be able to administer automatic role requests, we set the authorization policies as follows (entity | permission | evaluator):
- Permission to all requests: Requests for automatic roles (IdmAutomaticRoleRequest) | Admin | BasePermissionEvaluator
- Permission to all request rules: Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | | AutomaticRoleRuleRequestByRequestEvaluator
- Permission to read all existing automatic roles by attributes: Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator
- Permission to read all existing automatic role rules by attributes: Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule) | Read | BasePermissionEvaluator
- Permission to read all existing automatic roles by tree: Automatic roles (organization structure) (IdmRoleTreeNode) | Read | BasePermissionEvaluator
Policies can be configured according to your own needs. This example enables all operations with requests.
Request approver
If you want an identity to be able to approve automatic role requests, you can use the IdmAutomaticRoleRequest | Read | AutomaticRoleRequestByWfInvolvedIdentityEvaluator authorization policy evaluator. This evaluator grants the user permission to read the requests (in a WF task) that can be approved by the logged-in identity. It is a good idea to also grant autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.