You can open the details of a role and edit the role attributes, modify the role inheritance and membership, and then publish the role to organizations. To open the details of a role and modify it, perform one of the following:
In the Search Roles page, search and select the role that you want to open. From the Actions menu, select Open. Alternatively, click Open on the toolbar.
In the search results table of the Search Roles page, click the name of the role.
Note: After modifications are made to the role, the modifications go through an approval process if role workflows are configured. The role changes are reflected in Oracle Identity Manager only after the approvers approve them.
The details of the role are displayed in a new page. The role display name is displayed at the top of the page. You can display the details of the role and modify role information in the following tabs of this page:
The Attributes tab displays the role attributes. Except for the Role Namespace field, which is read-only, the fields in the Attributes tab are the same as those in the Create Role page. The Role Namespace field displays the namespace to which the role is assigned.
Note: Modifying the value of the Display Name attribute for default roles, for example OPERATORS, ALL USERS, and SELF OPERATORS, is not supported.
If you modify the attribute values in the Catalog Attributes section, then the modifications are also displayed in the Detailed Information section of the corresponding catalog item in the request catalog. See "Requesting New Access" for more information about viewing the details of a role in the request catalog.
Catalog Attributes are not available for default roles, or when Oracle Identity Manager uses an LDAP identity store.
To modify the role attributes, change the values in the fields, and click Apply.
Note: Roles with the same name are allowed in different namespaces.
The Hierarchy tab displays the role hierarchy information in the following sections:
Inherits From: This section displays the parent roles from which the open role inherits. The base role has the same permissions and privileges on its members as the parent roles it inherits from. In this section, parent roles can be added to or removed from the base role, but the base role cannot be added to or removed from a parent role.
Inherited By: This section lists the child roles that inherit from the open role. This is a read-only display of the roles.
In the Hierarchy tab, you can perform the following:
To add a parent role to a role:
Open the role.
Click the Hierarchy tab. The Inherits From section of this tab lists the parent roles of the opened role; the opened role inherits its permissions from these parent roles.
Verify that Inherits From is active.
From the Actions menu, select Add. Alternatively, click Add on the toolbar. The Search Roles dialog box is displayed.
From the Search list, select the role attribute on which you want to search for the role. Then, select an attribute by using the lookup icon. You can also include wildcard characters (*) in your search criterion. Then, click the search icon. A list of roles that match your search criterion is displayed.
Select one or more roles that you want to add as parent roles. Then, click Add Selected to move the selected roles to the Selected Roles list.
Alternatively, you can click Add All to add all the roles to the Selected Roles list.
Click Select. The selected roles are added as parent roles to the opened role and the role hierarchy is displayed in the Inherits From section of the Hierarchy tab.
Select a parent role that was added. Summary information about the selected role is displayed in a popup.
To remove a parent role from a role:
In the Inherits From section of the Hierarchy tab, select the role that you want to remove.
From the Actions menu, select Remove. Alternatively, click Remove on the toolbar. A message box is displayed asking for confirmation.
Click Remove. Pending action is filled with Remove. Repeat this if you want to remove more than one role. Click Undo if you do not want to remove a role that is already marked for removal.
Click Apply. If a workflow is configured, then the selected parent roles are removed from the Inherits From section of the Hierarchy tab after approval.
You can display read-only summary information of the parent roles from the Inherits From section of the Hierarchy tab. You can also display summary information of the child roles from the Inherited By section.
To display the summary information of a parent/child role:
To display the summary of the parent role, in the Inherits From section of the Hierarchy tab, click the Display Name of the role for which you want to display the summary information.
A popup is displayed with the summary information of the parent role. It displays the role name, role display name, role description, role category, and the user who owns the role.
Close the popup.
To display the summary of the child role, in the Inherited By section of the Hierarchy tab, click the Display Name of the role for which you want to display the summary information.
A popup is displayed with the summary information of the child role. It displays the role name, role display name, role description, role category, and the user who owns the role.
Close the popup.
The Access Policy tab displays the access policies assigned to the role. In this tab, you can assign access policies to the role or remove access policies that are already assigned to it.
In the Access Policy tab, you can perform the following:
Adding an Access Policy to a Role
To add access policies to a role:
From the Actions menu, select Add. Alternatively, click Add on the toolbar.
Select the desired search criteria and click the Search icon. Access Policies matching the search criteria are listed.
From the list of access policies, select the required access policy and click Add Selected, or click Add All to add all the listed access policies.
If you want to deselect any access policy from the Selected Policies list, then select the access policy from the Selected Policies list, and click Remove Selected. You can click Remove All to deselect all the selected access policies.
Click Select. The selected access policies are displayed in the Access Policy tab. Pending action is filled with Add. Repeat this if you want to add more policies. You can click Undo if you do not want to add a policy that is already marked with Add.
Click Apply. If the change raises a workflow, the request must be approved. Then the selected policies are added to the role.
Removing an Access Policy
To remove the access policy assigned to this role:
From the list of access policies assigned, select the access policy that you want to remove.
From the Actions menu, select Remove. Alternatively, click Remove on the toolbar.
Click Remove to confirm. The selected access policy is removed from the Access Policy tab. Pending action is filled with Remove. Repeat this if you want to remove more policies. You can click Undo if you do not want to remove a policy that is already marked with Remove.
Click Apply. If the change raises a workflow, the request must be approved. Then the selected policies are removed from the role.
The Members tab displays the members assigned to the open role. This information is displayed in the following sections:
Direct Members: This section displays the members that are statically assigned to the open role.
Rule Based Members: This section displays the members that are assigned to the open role through membership rules.
Indirect Members: This section displays the members that are indirectly inherited by the role.
All Members: This section displays all the members, direct and indirect, assigned to the open role.
Pending Members: This section displays all the members that are pending for this role, that is, role assignments with a future start date.
In the Members tab, you can perform the following:
To assign members to a role:
Note: When Oracle Identity Manager uses an LDAP identity store, members can be assigned in any one of the following ways, depending on the Role Type selected in the Attributes tab:
In the Direct Members section of the Members tab, click Add. The Add Members dialog box is displayed.
From the Search list, specify a user attribute name. Enter a search parameter in the search field, and click the search icon. The users that match the search criteria are displayed.
Select the user that you want to assign, and click Add Selected. The selected user is added to the Selected Users table.
To add all the users to the Selected Users table, click Add All.
If you want to remove a user from the Selected Users table, then select the user and click Remove Selected. To remove all users from the Selected Users table, click Remove All.
Click Select. Pending action is filled with Add. Repeat this if you want to add more users. You can click Undo if you do not want to add a user that is already marked with Add.
Click Apply. If the change raises a workflow, the request must be approved. Then the selected members are added to the role.
To revoke members from a role:
In any section of the Members tab, select the member that you want to remove.
Click Remove on the toolbar. A message is displayed asking for confirmation.
Click Remove to confirm. Pending action is filled with Remove. Repeat this if you want to remove more users. You can click Undo if you do not want to remove a user that is already marked with Remove.
Click Apply. If the change raises a workflow, the request must be approved. Then the selected members are removed from the role.
In the Members tab, you can add, modify, or delete the user membership rule by using the expression builder. The expression builder lets you specify a condition based on which users are dynamically assigned to the role. The condition can range from a simple to a complex expression. When you modify a user membership rule, the existing user memberships are re-evaluated: role memberships that are no longer valid are revoked, and new role memberships are granted.
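To make the relationship between the member sections listed above and the revoke-and-grant effect of changing a rule concrete, here is an added example (Python written for this page, not Oracle Identity Manager code). It models a small constructed role hierarchy and computes the Direct, Rule Based, Indirect, All and Pending Members sections for each role, and shows which rule-based memberships a modified rule would revoke and grant. It assumes that the members of the roles listed under Inherited By (and their children, transitively) are the Indirect Members of the open role, that an assignment with a future start date is pending rather than a member, and that a membership rule can be represented as a predicate over user attributes; the roles, users and dates are all constructed.

```python
from datetime import date

TODAY = date(2024, 6, 1)  # constructed "today", used to decide whether a start date is still in the future

# Constructed role hierarchy. Each role lists its parents (the Inherits From section), its direct
# assignments with their start dates, and an optional membership rule (a predicate over user attributes).
ROLES = {
    "Finance Staff": {"inherits_from": set(), "direct": {"alice": date(2024, 1, 1), "bob": date(2024, 1, 1)}, "rule": None},
    "AP Clerks": {"inherits_from": {"Finance Staff"}, "direct": {"carol": date(2024, 1, 1), "dave": date(2099, 1, 1)}, "rule": None},
    "Auditors": {"inherits_from": {"Finance Staff"}, "direct": {}, "rule": lambda u: u.get("Department") == "Audit"},
    "Lead Auditors": {"inherits_from": {"Auditors"}, "direct": {"erin": date(2024, 1, 1)}, "rule": None},
}
# Constructed user attributes, the input to membership rules.
USERS = {
    "alice": {"Department": "Finance"}, "bob": {"Department": "Finance"}, "carol": {"Department": "Finance"},
    "dave": {"Department": "Finance"}, "erin": {"Department": "Audit", "Region": "EMEA"},
    "frank": {"Department": "Audit", "Region": "EMEA"}, "grace": {"Department": "Audit", "Region": "APAC"},
    "henry": {"Department": "Risk", "Region": "EMEA"},
}

def inherited_by(roles, role_name):
    """Child roles: those whose Inherits From section lists role_name (what the Inherited By section shows)."""
    return {name for name, role in roles.items() if role_name in role["inherits_from"]}

def descendants(roles, role_name):
    """All roles below role_name in the hierarchy, following Inherited By transitively."""
    seen, todo = set(), [role_name]
    while todo:
        for child in inherited_by(roles, todo.pop()):
            if child not in seen:
                seen.add(child)
                todo.append(child)
    return seen

def own_members(role, users, today):
    """(direct, rule-based, pending) for one role; a direct assignment with a future start date is pending."""
    direct = {u for u, start in role["direct"].items() if start <= today}
    pending = {u for u, start in role["direct"].items() if start > today}
    rule_based = {u for u, attrs in users.items() if role["rule"] is not None and role["rule"](attrs)}
    return direct, rule_based, pending

def member_sections(roles, role_name, users, today=TODAY):
    """The five sections of the Members tab. Assumption: members of the roles that inherit from
    role_name (its Inherited By roles, transitively) are its Indirect Members; pending ones are not members yet."""
    direct, rule_based, pending = own_members(roles[role_name], users, today)
    indirect = set()
    for child in descendants(roles, role_name):
        child_direct, child_rule, _ = own_members(roles[child], users, today)
        indirect |= child_direct | child_rule
    return {"Direct Members": direct, "Rule Based Members": rule_based, "Indirect Members": indirect,
            "All Members": direct | rule_based | indirect, "Pending Members": pending}

def reevaluate_rule(roles, role_name, new_rule, users):
    """What modifying a membership rule does: rule-based memberships the new rule no longer grants are revoked,
    and memberships it newly grants are added. Both sets are returned so the change can be reviewed before Apply."""
    old_rule = roles[role_name]["rule"]
    old = {u for u, attrs in users.items() if old_rule is not None and old_rule(attrs)}
    new = {u for u, attrs in users.items() if new_rule(attrs)}
    return {"revoked": old - new, "granted": new - old}

if __name__ == "__main__":
    for name in ROLES:
        print(name, member_sections(ROLES, name, USERS))
```

Running it shows, for example, that dave is a Pending Member of AP Clerks until 2099 and therefore does not appear among the Indirect Members of Finance Staff, and that tightening the Auditors rule to EMEA-only would revoke grace while granting henry if the rule were also widened to the Risk department.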
To add a user membership rule:
In the Members tab, click Create Membership Rule. The Expression Builder is displayed.
In the left pane, verify that <ADD> is selected. This is the placeholder to specify a user attribute for the condition.
Under Select Operand Value, in the Attributes tab, select a user attribute, for example, Country.
Click Add to add the attribute to the condition in the left pane.
In Build Expression, select a comparator from the list of operators. If the attribute is of type Integer, then comparators such as = (equals), > (greater than), >= (greater than or equal to), < (less than), =< (less than or equal to), and IN are displayed.
If the attribute is of type String, then comparators such as = (equals), != (not equals), Contains, Starts with, Ends with, and IN are displayed.
Under Select Operand Value, in the Literals tab, specify a value in the Value field, such as United States of America.
When a checkbox-type or lookup-type UDF or default attribute is used in a membership rule, it must be treated as shown in the following example:
( ( ( Last Name = "Klein" ) AND ( First Name Contains "Robert" ) ) OR ( ( User Login Starts with "rob" ) AND ( Common Name Ends with "ein" ) ) OR ( ( Robert2UserUDF111DL != "Robert2UserUDF111DL" ) AND ( Robert2UserNumberDL >= 99999 ) AND ( RobertUserDateDL =< 2013-12-31 ) AND ( Robert2UserchkboxDL = "1" ) AND ( Robert2UserLookupDL IN ["RobertLookUpCode3","RobertLookUpCode9"] ) ) )
Here:
Robert2UserchkboxDL is a check box, which must be compared in the rule as a string. Use "1" to check for True/Yes/Selected/Checked, and use "0" to check for False/No/Unselected/Unchecked.
Robert2UserLookupDL is a lookup-type attribute. The default user profile displays the meaning "Robert2LookUpMean3", but you must use its code value "Robert2LookUpCode3" in the expression.
For all attribute types, there is no way to check for NULL or no value.
Note: Checkbox fields are stored as strings in the backend. The data type of a checkbox field is String, not Boolean. Therefore, the string comparators are the ones displayed for a checkbox field.
Click Add to add the specified value to the condition expression. The expression now means that users whose Country is United States of America are dynamically assigned to the open role.
Figure 16-2 shows the expression builder with the condition.
If required, on the Preview Results tab, you can preview members to whom this rule will be applied.
Click Save. The expression builder closes, and the rule you defined has been saved.
Click Evaluate membership rule now to evaluate this rule against all users immediately. Otherwise, you must run the Refresh Role Memberships scheduled job to evaluate the rule. This is not applicable when Oracle Identity Manager uses an LDAP identity store, because evaluation happens at run time.
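As an added example (written for this page, not Oracle's code), the following Python parses rules written in the syntax shown in the steps above and evaluates them against constructed user profiles, which is roughly what the Preview Results tab and the Refresh Role Memberships job do. It reproduces the three caveats from the text: a checkbox value must be compared as the string "1" or "0", a lookup must be matched by its code rather than by the displayed meaning, and there is no way to test for an unset attribute (here an unset attribute simply fails every comparison, which is an assumption about the product's behaviour rather than something the text states). AND binding tighter than OR is also an assumption; the rule quoted from the text is fully parenthesised, so it does not depend on it. The grammar in parse_rule, the comparator table, and the user data are all constructed for this example.

```python
import re
from datetime import date
# Token order matters: DATE before NUMBER, and >=, =<, <=, != before the one-character comparators.
TOKEN_RE = re.compile(r"""
    (?P<LPAREN>\()|(?P<RPAREN>\))|(?P<STRING>"[^"]*")|(?P<LIST>\[[^\]]*\])
  | (?P<DATE>\d{4}-\d{2}-\d{2})|(?P<NUMBER>-?\d+)
  | (?P<OP>>=|=<|<=|!=|=|>|<|\bIN\b|\bContains\b|\bStarts\ with\b|\bEnds\ with\b)
  | (?P<LOGIC>\bAND\b|\bOR\b)|(?P<WORD>[A-Za-z_]\w*)|(?P<WS>\s+)
""", re.VERBOSE)

LITERALS = {  # literal token -> Python value; dates become date objects so ordering comparisons work
    "STRING": lambda raw: raw[1:-1], "NUMBER": int, "DATE": date.fromisoformat,
    "LIST": lambda raw: re.findall(r'"([^"]*)"', raw) or [int(s) for s in raw[1:-1].split(",")],
}

def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected character at offset {pos}: {text[pos]!r}")
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens

def parse_rule(text):
    """expr := term (OR term)* ; term := factor (AND factor)* ; factor := '(' expr ')' | attr OP literal"""
    toks, pos = tokenize(text) + [("EOF", "")], [0]
    def take(kind=None):
        tok = toks[pos[0]]
        if kind and tok[0] != kind:
            raise SyntaxError(f"expected {kind}, got {tok[1]!r}")
        pos[0] += 1
        return tok
    def chain(logic, operand):  # left-associative run of one logical operator
        node = operand()
        while toks[pos[0]] == ("LOGIC", logic):
            take()
            node = (logic, node, operand())
        return node
    def expr():  # AND binds tighter than OR (an assumption; the text's rule is fully parenthesised)
        return chain("OR", lambda: chain("AND", factor))
    def factor():
        if toks[pos[0]][0] == "LPAREN":
            take()
            node = expr()
            take("RPAREN")
            return node
        words = []
        while toks[pos[0]][0] == "WORD":  # attribute names may contain spaces, e.g. "Last Name"
            words.append(take()[1])
        if not words:
            raise SyntaxError(f"expected an attribute name, got {toks[pos[0]][1]!r}")
        op, (kind, raw) = take("OP")[1], take()
        if kind not in LITERALS:
            raise SyntaxError(f"expected a literal after {op}, got {raw!r}")
        return ("CMP", " ".join(words), op, LITERALS[kind](raw))
    node = expr()
    take("EOF")
    return node

COMPARATORS = {
    "=": lambda a, v: a == v, "!=": lambda a, v: a != v, "IN": lambda a, v: a in v,
    "Contains": lambda a, v: v in a, "Starts with": lambda a, v: a.startswith(v),
    "Ends with": lambda a, v: a.endswith(v), ">": lambda a, v: a > v, ">=": lambda a, v: a >= v,
    "<": lambda a, v: a < v, "=<": lambda a, v: a <= v, "<=": lambda a, v: a <= v,
}

def evaluate(node, user):
    if node[0] == "AND":
        return evaluate(node[1], user) and evaluate(node[2], user)
    if node[0] == "OR":
        return evaluate(node[1], user) or evaluate(node[2], user)
    _, attr, op, value = node
    actual = user.get(attr)  # no NULL test exists in the rule language; an unset attribute satisfies nothing (assumption)
    return actual is not None and COMPARATORS[op](actual, value)

def members_for_rule(rule_text, users):
    """Logins of the users the rule would dynamically assign to the role (what Preview Results shows)."""
    tree = parse_rule(rule_text)
    return sorted(login for login, attrs in users.items() if evaluate(tree, attrs))

# The rule quoted in the text, verbatim.
PAGE_RULE = ('( ( ( Last Name = "Klein" ) AND ( First Name Contains "Robert" ) ) OR ( ( User Login Starts with "rob" ) '
             'AND ( Common Name Ends with "ein" ) ) OR ( ( Robert2UserUDF111DL != "Robert2UserUDF111DL" ) '
             'AND ( Robert2UserNumberDL >= 99999 ) AND ( RobertUserDateDL =< 2013-12-31 ) AND ( Robert2UserchkboxDL = "1" ) '
             'AND ( Robert2UserLookupDL IN ["RobertLookUpCode3","RobertLookUpCode9"] ) ) )')
# Constructed user profiles. A checkbox UDF holds the string "1" or "0"; a lookup UDF holds the code, not the meaning.
_UDFS = {"Robert2UserUDF111DL": "other", "Robert2UserNumberDL": 100000, "RobertUserDateDL": date(2012, 6, 30)}
USERS = {
    "alice.klein": {"User Login": "alice.klein", "First Name": "Roberta", "Last Name": "Klein"},
    "rob.stein": {"User Login": "rob.stein", "Last Name": "Stein", "Common Name": "Rob Stein"},
    "carol.udf": {"User Login": "carol.udf", "Last Name": "Udf", "Robert2UserchkboxDL": "1",
                  "Robert2UserLookupDL": "RobertLookUpCode9", **_UDFS},
    "dave.udf": {"User Login": "dave.udf", "Last Name": "Udf", "Robert2UserchkboxDL": "0",
                 "Robert2UserLookupDL": "RobertLookUpCode3", **_UDFS},
    "erin.klein": {"User Login": "erin.klein", "Last Name": "Klein"},  # First Name unset: can never satisfy branch 1
}
```

Calling members_for_rule(PAGE_RULE, USERS) returns alice.klein (first branch), rob.stein (second branch) and carol.udf (third branch); dave.udf fails only because the checkbox holds "0", and erin.klein never matches because an unset First Name cannot satisfy any comparison. Writing the checkbox test as Robert2UserchkboxDL = 1 with an unquoted number, or comparing the lookup against its displayed meaning, matches nobody, which is exactly the mistake the note about checkbox and lookup attributes warns against.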
To modify a user membership rule:
In the Members tab, in the User Membership Rule section, click Edit Rule. The expression builder is displayed.
Specify a condition to dynamically assign members, as described in the steps for adding a membership rule.
If required, on the Preview Results tab, you can preview members to whom the modified rule will be applied.
Click Save. The expression builder closes, and the rule you modified has been saved. You can then click the Apply, Apply and Evaluate, and Revert buttons, as required.
To delete a user membership rule:
In the Members tab, in the User Membership Rule section, click Delete Rule. A dialog box asking to confirm whether you want to delete the membership rule is displayed.
Click Yes. The membership rule is deleted.
After adding, modifying, or deleting a user membership rule, click Apply. If the change raises a workflow, the request must be approved. Then the rule is added to, edited in, or removed from the role. Rule evaluation takes place immediately if the Evaluate membership rule now option is selected. Otherwise, the rule is evaluated only when the Refresh Role Memberships scheduled job is run.
The Organizations tab allows you to assign and revoke organizations to and from the open role. By assigning an organization to the open role, you make the role available to the organization. This is called publishing the role entity to an organization.
All the organizations to which the open role has been published are displayed in the Organizations tab. For each organization, the include sub-orgs option is available for selection in the Hierarchy Aware column. Select this option if you want the open role to be available to the entire hierarchy of the organization. To make the open role available only to the organization and not to its hierarchy, leave this option deselected.
In the Organizations tab, you can perform the following:
To publish roles to an organization:
In the Role details page, click the Organizations tab. This tab displays the organizations that are assigned to the open role.
From the Actions menu, select Add. Alternatively, click Add on the toolbar. The Add Organizations dialog box is displayed.
Search for the organizations you want to add. The organizations are displayed in the Organization Results section.
Select the organizations that you want to add, and click Add Selected. The selected organizations are added to the Selected Organizations section.
For each selected organization, the Hierarchy option is selected by default. If you want to publish the role to the suborganizations of the selected organization, then leave the Hierarchy option selected.
To publish the role to the selected organization only, deselect the Hierarchy option.
Click Select. Pending action is filled with Add. Repeat this if you want to add more organizations. You can click Undo if you do not want to add an organization that is already marked with Add.
Note: The role is automatically published to the organization of the logged-in user and to the organizations on which the logged-in user has admin role capabilities.
To revoke a role from an organization:
In the Organizations tab, select the organization from which you want to revoke the role.
To revoke the role from the suborganizations of the currently selected organization, select the Hierarchy Aware option, and then click Apply. A message is displayed. Click Revoke.
From the Actions menu, select Remove. Alternatively, click Remove on the toolbar. A message is displayed asking for confirmation.
Click Remove. Pending action is filled with Remove. Repeat this if you want to remove more organizations. You can click Undo if you do not want to remove an organization that is already marked with Remove.
Click Apply. If the change raises a workflow, the request must be approved. Then the selected organizations are added to or removed from the role.
The History tab is displayed only when Identity Audit is enabled in the Oracle Identity Manager deployment.
This tab displays all data about the open role that has been modified within a specified date range. Using this tab, the role administrator can track any changes to the role definition. The role administrator can enter a date range and view the modifications made within that date range to the role attributes, role hierarchy, access policies, role memberships, organizations, membership rules, and role certifications. By default, the history for the last seven days is displayed in this tab.
In the History tab, you can perform the following:
To search for role history:
Open the role.
Click the History tab.
In the Search History section, enter a date range in the two date fields. You can also click the calendar icons and select the dates.
Click Search. The role history within the specified date range is populated in the subtabs of the History tab. For example, all role attribute modifications are listed in the Attributes subtab.
You can click Reset to reset the date range.
If you do not specify any values in the date fields and click Search, then all modifications made to the role from its creation to the current date are displayed in the subtabs.
Note: All data shown in the History tab is read-only; nothing can be modified.
To view role history:
Search for role history by specifying a date range, as described in "Searching Role History".
Click the Attributes tab. The modifications made to the role attributes within the specified date range are displayed in a table. The columns in the table provide information about the attribute modified, its new value, its old value before the modification, the date on which the attribute was modified, and the user who updated the attribute.
Click the Hierarchy tab. This tab displays, in tabular format, the modifications made to the role hierarchy of the open role. The columns in the table provide information about the Display Name of the parent roles that have been added or removed, the change action (add/modify/delete), the user who modified the role hierarchy, and the dates on which the modifications were made.
Click the Access Policy tab. This tab displays, in tabular format, the modifications made to the access policies associated with the open role. The columns in the table provide information about the policy names that have been added or removed, the user who modified the access policies, the change action, and the dates on which the access policies were modified.
Click the Organizations tab. This tab displays, in tabular format, the modifications made to the organization assignment of the open role. The columns in the table provide information about the organization names that have been added, removed, or updated, the change action, the user who modified the organization assignment, and the dates on which the modifications were made.
Click the Role Membership tab. This tab displays, in tabular format, the modifications made to the role membership of the open role. The columns in the table provide information about the user names that have been added or removed, the change action, the user who modified the role membership, and the dates on which the modifications were made.
Click the Membership Rules tab. This tab displays, in tabular format, the modifications made to the membership rules. The columns in the table provide information about the rule names that have been modified, the change action (add/update/remove), the user who modified the rule, and the dates on which the modifications were made.
Click the Certification tab. This tab displays, in tabular format, the certifications performed for the open role. The columns in the table provide information about the certification names, the user who certified, and the dates on which the last certifications were made.