Create a Role
Follow these steps to create a new role.
From the Roles Module, click Add Role+.
The Add Role options open in the right sidebar.
Enter a Name for the role.
Enter the Owner for the role. Multiple owners can be selected for a role.
If the role will serve as a distribution list, click the Distribution List checkbox.
Click Save.
Edit Role options will open. Role settings can be modified at any time after the role has been created.
Table 5. Create A Role - Detail Fields
Field | Description
Name | Provide a name for the role.
Description | Optional description for the role.
Distribution List | Check this box if this role will serve as a distribution list. Note: This option will only have an effect if RapidIdentity is using Active Directory as its main directory service.
Membership Managers Can Edit | Allows Membership Managers to edit the Role details in addition to their permission of managing the Role membership criteria. Note: The function of this field does not change Membership Managers' ability to add members to the role.
Auto Synchronization Interval (Hours) | Automatically sync the role based on hours.
Auto Synchronization Priority | If auto-sync has been selected for more than one role, select the sync priority for this role.
Owners | Select at least one owner for the role. Role Owners and Membership Managers can be added or removed.
Click Save.
Static Membership
The purpose of a Static Membership is to override the status of a Role member, such as a member who was added with Dynamic Inclusion but is to be removed from the Role membership list.
Static Membership Limitations
RapidIdentity Portal currently imposes an upper limit of 500 entries on the static membership size. Roles that include relatively long user Dynamic Names (DNs) will exhaust the attribute in Active Directory, and the limit will occur at a value less than 500.
To facilitate scalability, one recommendation is to use Static Membership for exceptions and to use a dynamic role to create role membership. With this approach, the dynamic role would look for a specific attribute whose only purpose is to define membership for that role. This attribute would then be included in the Dynamic Include Filter. One possible attribute is "idautoPersonAppRoles1."
Click the Members button to view the members in the role. Use the search bar at the top to locate a certain user.
To populate the inclusion or exclusion boxes, click the Edit Role button.
The Static Includes and the Static Excludes fields will become editable.
Click the Static Includes or Excludes field and type to begin a search for a user.
Viable search input includes First Name, Last Name, or Email address.
As you type, the user list will appear in the drop-down. Click the user to add to the exclusion/inclusion list.
Click the X to remove a user from the Includes or Excludes fields.
To add additional users to Includes or Excludes, click +Add Another Static Include/Exclude.
Dynamic Membership
Dynamic Membership allows a Role owner to add members to a Role based on attributes in their user profile; the benefit is to create department Roles quickly. For example, a Role can be formed within the directory where only members with 'HR' listed as their department will be added. The filtering attribute is limited only by the information available in the base user profile.
The purpose of a Dynamic Exclusion is to exclude subsets of users that match the Dynamic Inclusion filtering attribute, but are not wanted in the Role membership list. In the previous example of a Role with all HR department members included, any user that is a member of the HR department, but works in building 250, can be excluded based on office location.
Membership Inclusion/Exclusion Hierarchy
Members will be included and excluded from a Role based on the following action hierarchy.
All members who fit the Dynamic Inclusion filter will be added.
All members who fit the Dynamic Exclusion filter will then be removed.
All statically included members will be added back to the list.
Finally, all statically excluded members will be removed.
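The hierarchy above, worked through as an added example (not RapidIdentity code): it resolves membership for constructed sample users and records which of the four steps decided each outcome, which helps when reviewing why an account does or does not hold a role. The user IDs, attribute names and predicate-style filters are assumptions.

```python
# Added example: not RapidIdentity code. User IDs, attribute names and the
# predicate-style filters are assumptions made for illustration.

def resolve(users, dyn_include, dyn_exclude, static_includes, static_excludes):
    """Return {user_id: (is_member, deciding_step)} per the four-step hierarchy."""
    result = {}
    for uid, attrs in users.items():
        member, step = False, "no match"
        if dyn_include(attrs):               # 1. dynamic inclusion adds
            member, step = True, "dynamic include"
        if member and dyn_exclude(attrs):    # 2. dynamic exclusion removes
            member, step = False, "dynamic exclude"
        if uid in static_includes:           # 3. static include adds back
            member, step = True, "static include"
        if uid in static_excludes:           # 4. static exclude is applied last
            member, step = False, "static exclude"
        result[uid] = (member, step)
    return result


def members(result):
    """Sorted list of user IDs that end up in the role."""
    return sorted(uid for uid, (is_member, _) in result.items() if is_member)


# Constructed sample directory, following the page's HR / building 250 example.
USERS = {
    "alice": {"department": "HR", "office": "Building 100"},
    "bob":   {"department": "HR", "office": "Building 250"},
    "carol": {"department": "HR", "office": "Building 250"},
    "dave":  {"department": "IT", "office": "Building 100"},
    "erin":  {"department": "HR", "office": "Building 100"},
    "frank": {"department": "IT", "office": "Building 250"},
}


def demo():
    return resolve(
        USERS,
        dyn_include=lambda a: a["department"] == "HR",
        dyn_exclude=lambda a: a["office"] == "Building 250",
        static_includes={"carol", "dave", "frank"},
        static_excludes={"erin", "frank"},
    )


if __name__ == "__main__":
    for uid, (is_member, step) in sorted(demo().items()):
        print(f"{uid:6} member={is_member!s:5} decided by: {step}")
```

A user listed in both Static Includes and Static Excludes (frank here) ends up outside the role, because the static exclusion is applied last.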
Follow the steps to create dynamic memberships.
From the role details, select the Dynamic tab.
Click Edit Role.
Then click each field for the dynamic parameters. Enter the filter values and information for the filter DN (dynamic name).
Click Save.