Role Assignment Rules
Note
It is not possible to assign IDM Identity Managers or Manager Delegates via rule.
Provided the users system has been configured for Automatic Role Assignment, this option will appear allowing the Administrator to configure automatic role assignment rules for not just IDM but for CONNECT and GUEST too.
Clicking the option takes the user to Role Assignment Rules list that displays all existing Rules in the system. The following buttons are also displayed:
Reconcile all rules: Applies all rules immediately.
Refresh: Refreshes the list of Rules.
New: Allows the user to create a new rule.
Reconcile at: Dropdown list of hourly intervals from 12 AM to 11 PM that allows user to define a time that the rules should be re-applied. Default is 12 AM.
Edit: Allows existing Rule to be edited.
Delete: Allows existing rule to be deleted.
Adding A Rule
Clicking the New button takes the user to Create Rule page. The following fields (all mandatory) are presented:
Name: Give the rule a meaningful name.
Application: Select from the dropdown list which application the role that you want to create the rule for applies to. Selecting an application will display:
Role: A dropdown list of all roles contained within that application. Selecting a Role will display:
The parameter (if any) that applies to that role. User can then select one or more Buildings, Reports or Access Groups as appropriate.
Identity Field: Use the dropdown list to select a field from the IDM Identities page that you want to use as a condition for your rule. Selecting a field will then display:
Operator: Dropdown list of Operators that you want to apply to your Condition. List will vary dependent on the field chosen so, for example, Date or Number fields have a much wider choice than Text fields.
Value: The value that applies to your Condition. For example, you might want your rule to apply only if Identity Category = Contractor.
Use the ADD button at the bottom right of the screen to add multiple conditions. At any point you can check how many Identities match your condition(s) by clicking the Calculate button next to Estimated affected identities in the upper right of the screen.
Once your Rule is complete, click the Save button and the Rule will appear on the list.
Applying A Rule
A newly created Rule will be applied daily at the time specified in Reconcile at: dropdown list on the Rules page. However, it can be applied immediately by clicking Reconcile all rules button on the Rules page.
If an Identity was assigned the role by the new Rule (i.e. they had not already been assigned the exact same role via the Edit Roles button in IDM or via the Roles Configuration tab in CONNECT and GUEST) then the role in Role Manager tab will display a Managed by Rule icon.
Editing A Rule
An existing Rule can be edited by changing the Conditions that apply to the Rule. You cannot change the Role that the Rule applies to. So, for example, you could change the Condition from Identity Category = Contractor to Identity Category = Vendor.
When the edits to the rule have been reconciled (either at the specified daily time, or immediately) then Identities with Identity Category = Contractor will lose the Role (provided they had not already been assigned the exact same role via Edit Roles or Roles Configuration) and Identities with Identity Category = Vendor will gain the Role and will display a Managed by Rule icon in Role Manager (unless they had already been assigned the exact same role).
Deleting A Rule
An existing Rule can be deleted. IDM will display a warning message: Deleting this rule will result in identities losing the permissions assigned. Do you want to continue?
Once rules have been reconciled (either at the specified daily time, or immediately) then Identities that matched the conditions in the newly deleted rule will lose the Role (provided they had not already been assigned the exact same role via Edit Roles or Roles Configuration).