Automatic roles

Automatic roles fall into several categories:

Automatic roles assigned by organizational structure

These are roles assigned based on their placement in the organizational structure. Every identity in CzechIdM has an implicit relationship (~CR) that is tied to a component of the organizational structure.

Linking a role to the organizational structure

Anyone permitted to edit a role can assign that role to a component of any organizational structure. Assigning or removing the role is subject to approval in the same way as if the role were being assigned to an ordinary user. Approving the role assignment acts as a kind of "pre-approval" for all the users placed in the organizational structure. From then on, assigning the role to a user does not require special approval, because it has already been approved for the organizational unit in which the user is located.

Displaying information about automatically assigned roles

Information about the roles linked to the organizational structure is displayed at least in the following places:

Automatic roles by attribute

Automatic roles by attribute are similar to automatic roles by organizational structure. An automatic role by attribute cannot be updated, and its name attribute cannot be changed. When setting up an automatic role by attribute, fill in the required fields:

  • name - name of the automatic role by attribute, and
  • role - role that will be assigned once the rules pass.

If you mark a role as a concept – using a flag – this signals that the automatic role by attribute is not to be recalculated for users.

Rules for automatic roles and the AND operator

At the moment, the individual rules of an automatic role by attribute can be linked only with the AND operator. If you still want to read more on this topic, go to the devel section here.
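A minimal model of the behaviour described above, as an added example rather than CzechIdM's own code: every rule must pass (AND) before the role is assigned, and an automatic role flagged as a concept is skipped during recalculation. The class and function names, the equality-only comparison, the sample identities, and the fail-closed handling of missing attributes and empty rule lists are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical model for illustration; names and structure are assumptions,
# not CzechIdM classes or API.

@dataclass(frozen=True)
class Rule:
    attribute: str  # identity attribute the rule inspects
    expected: str   # value the attribute must equal for the rule to pass

    def passes(self, identity: dict) -> bool:
        # Assumption: a missing attribute fails the rule (fail closed).
        return identity.get(self.attribute) == self.expected

@dataclass
class AutomaticRoleByAttribute:
    name: str              # name of the automatic role by attribute
    role: str              # role assigned once the rules pass
    rules: list
    concept: bool = False  # concept flag: not recalculated for users

    def matches(self, identity: dict) -> bool:
        # Rules are linked with AND only. Assumption: no rules means no match.
        return bool(self.rules) and all(r.passes(identity) for r in self.rules)

def recalculate(auto_roles, identities):
    """Return {username: set of roles} granted by non-concept automatic roles."""
    result = {i["username"]: set() for i in identities}
    for auto in auto_roles:
        if auto.concept:
            continue  # flagged as concept: skipped during recalculation
        for identity in identities:
            if auto.matches(identity):
                result[identity["username"]].add(auto.role)
    return result

# Constructed sample data.
IDENTITIES = [
    {"username": "alice", "department": "finance", "employment": "internal"},
    {"username": "bob", "department": "finance", "employment": "external"},
    {"username": "carol", "department": "finance"},  # employment attribute missing
]
AUTO_ROLES = [
    AutomaticRoleByAttribute("finance-internal", "ledger-reader",
        [Rule("department", "finance"), Rule("employment", "internal")]),
    AutomaticRoleByAttribute("finance-draft", "ledger-admin",
        [Rule("department", "finance")], concept=True),
]

if __name__ == "__main__":
    for user, roles in recalculate(AUTO_ROLES, IDENTITIES).items():
        print(user, sorted(roles))
```

In this model only alice receives ledger-reader: bob fails the second rule, carol lacks the attribute it checks, and the concept-flagged automatic role grants nothing even though its single rule matches all three identities.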

Automatic roles assigned by an end system

(to be completed)