
Automatic roles - adding roles by attribute value

If you want to add a role to all users who work on the 3rd floor, you can use automatic roles by attribute.

The basics of roles and automatic roles are covered in the documentation.

From CzechIdM 7.7 onwards, there is a new main menu item Settings → automatic roles.

There are two tabs:

  • Automatic roles from organizational structure
  • Automatic roles based on the attribute

The first one shows the list of the automatic roles that a user gets via his/her placement in the organization's structure - say, all employees working in the IT Department.

The second one shows the automatic roles that users get by means of Rules.


Rules are conditions that are evaluated on users and their contracts. If all the rules/conditions are TRUE, then the user gets the given role.

For example, a rule can require that a user's contract has an attribute "floor" with value "3".

To create a new automatic role by an attribute, go to Settings → automatic roles → Automatic roles based on the attribute. Next, click on the green "Add" button. In the form, fill in the name of a new automatic role by attribute e.g. "Employees - 3th floor printing".


Then select the Role, a real CzechIdM entity (e.g. "ldap files"), that will be assigned if the user matches the Rules.

The basic setup for the automatic role is now done; click Save and continue.

We have specified which role will be assigned; now we need the conditions, i.e. the Rules.

Click on the green "new" button above the Rule table - the table may be empty.

Provided that the users' contracts have EAV attribute "Floor" defined, the Rule can look like this:

  • Type of checked attribute = Extended attribute of contract
  • Form attribute = Floor
  • Comparison type = EQUALS
  • Value = 3

If you want to compare the attribute value with text, the attribute must be in the "SHORTTEXT" format, because the "TEXT" format is not supported.

When you click on the "save and continue" button, you will be asked if the Automatic role should be applied now.


  • Yes - Automatic role is evaluated for all users. Those matching the rule get the said role. The calculation is started as a long running task and its progress can be checked in Settings → Task scheduler → All tasks.
    • Moreover, if an identity or its contract is saved (say, after some manual editing done by the admin or during automatic synchronization), the rules for automatic roles by attributes are recalculated for the respective user.
  • No - automatic role is saved as a concept.

Automatic roles saved as concepts are not evaluated until the concepts are completed (green "Recalculate" button). If any user is saved in the GUI or, e.g., during synchronization, automatic role concepts are skipped.
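
To preview who a rule set would reach before answering "Yes" in the dialog, the following added example (not CzechIdM code and not part of the original tutorial) models the semantics described above: every rule must be TRUE, and a concept is not evaluated. The data layout, the class and function names, the text comparison of values and the refusal of an empty rule list are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    source: str      # "identity" or "contract_eav" (names assumed for this model)
    attribute: str
    value: str
    comparison: str = "EQUALS"   # the only comparison type the tutorial shows

@dataclass
class AutomaticRole:
    name: str
    role: str
    rules: list
    concept: bool = False        # True = saved with "No", awaiting "Recalculate"

def rule_matches(rule, identity, contract):
    if rule.comparison != "EQUALS":
        raise ValueError(f"comparison not modelled: {rule.comparison}")
    attrs = identity if rule.source == "identity" else contract.get("eav", {})
    actual = attrs.get(rule.attribute)
    # A missing attribute never matches; values are compared as text (assumption).
    return actual is not None and str(actual) == str(rule.value)

def preview_assignments(auto_role, identities):
    """Return sorted (username, contract id) pairs that would get the role."""
    # Concepts are skipped; an empty rule list is refused so that all([])
    # cannot silently match everyone (fail-closed choice of this model).
    if auto_role.concept or not auto_role.rules:
        return []
    hits = []
    for ident in identities:
        for contract in ident.get("contracts", []):
            if all(rule_matches(r, ident, contract) for r in auto_role.rules):
                hits.append((ident["username"], contract["id"]))
    return sorted(hits)

# Constructed sample data, not exported from a real CzechIdM instance.
IDENTITIES = [
    {"username": "alice", "contracts": [{"id": "c1", "eav": {"Floor": "3"}}]},
    {"username": "bob", "contracts": [{"id": "c2", "eav": {"Floor": "2"}}]},
    {"username": "carol", "contracts": [{"id": "c3", "eav": {}},
                                        {"id": "c4", "eav": {"Floor": 3}}]},
]
FLOOR_RULE = Rule("contract_eav", "Floor", "3")
ROLE = AutomaticRole("Employees - 3th floor printing", "ldap files", [FLOOR_RULE])

if __name__ == "__main__":
    for username, contract_id in preview_assignments(ROLE, IDENTITIES):
        print(f"{username} ({contract_id}) would receive '{ROLE.role}'")
```

Reviewing the returned list against the intended audience of the role is a quick least-privilege check before the long running task assigns it for real.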
