Automatic roles - adding roles by attribute value
If you want to add a role to all users that work on the 3th floor, you can use Automatic roles by attribute.
From CzechIdM 7.7 onwards, there is a new main menu item Settings → automatic roles.
There are two tabs:
- Automatic roles from organizational structure
- Automatic roles based on the attribute
The first one shows the list of the automatic roles that a user gets via his/her placement in the organization's structure - say, all employees working in the IT Department.
The second one shows the automatic roles that users get by means of Rules.
Rules for automatic roles
Rules are conditions that are evaluated on users and their contracts. If all the rules/conditions are TRUE, then the user gets the given role.
e.g. A rule can be set such that a user's contract has an attribute "floor" with value "3".
To create a new automatic role by an attribute, go to Settings → automatic roles → Automatic roles based on the attribute. Next, click on the green "Add" button. In the form, fill in the name of a new automatic role by attribute e.g. "Employees - 3th floor printing".
Then select the Role - real CzechIdM entity e.g. "ldap files" that will be assigned if the user matches the Rules.
The basic setup for the automatic role is done now, click Save and continue.
We have specified what role shall be assigned, now we need the conditions - Rules.
Click on the green "new" button above the Rule table - the table may be empty.
Provided that the users' contracts have EAV attribute "Floor" defined, the Rule can look like this:
- Type of checked attribute = Extended attribute of contract
- Form attribute = Floor
- Comparison type = EQUALS
- Value = 3
When you click on the "save and continue" button, you will be asked if the Automatic role should be applied now.
- Yes - Automatic role is evaluated for all users. Those matching the rule get the said role. Calculation is started as a long running task and its progress can be verified in the Settings → Task scheduler → All tasks.
- Moreover, if an identity or its concept is saved - say after some manual editing done by the admin or during automatic synchronization -, the rules for automatic roles by attributes are recalculated for the respective user.
- No - automatic role is saved as a concept.