Assigning Capabilities using a Role

Capability Roles

One of the lesser known options within IdentityIQ is assigning Capabilities using Roles.

Within most installations of IdentityIQ, capabilities are manually assigned either directly to Identities or using a workgroup. This works great for small and medium environments, as with only a few capabilities used it is quite easy to prove who is allowed to have, and who has, a particular capability.

Using Capability Roles, where capabilities are assigned to identities using roles, it is possible to leverage the access rights within IdentityIQ exactly the same as the access rights within applications managed by IdentityIQ. Think of:

  • Access Request for capabilities
  • Access Reviews (Certification) of capabilities
  • Automatic Assignment (Birthright) of capabilities
  • Reporting

It would be handy to have the ‘Auditor’ capability automatically assigned to employees from the Auditor department (or who have the job/function of Auditor) of the organisation.

Creation of Capability Role Type

IdentityIQ has the Out-of-the-Box functionality to allow capabilities to be assigned using roles. Using this a Capability Role can be created.

  • Go to the ‘gear’ image → ‘Global Settings’
  • Click on ‘Role Configuration’
  • Below ‘Role Types’, click on ‘New Type’
  • Set the check-boxes as you would for a Business Role, or even tighter, as shown below.

  • Make sure the option Do not allow the Granting of IdentityIQ User Rights is not enabled.

Create a Capability Role

Creating a capability role is similar to the creation of any other role type. Here are the steps to create an Auditor role:

Assignment of a Capability Role

The assignment of a capability role depends on the options set during the creation of the capability role type. For instance, assign the role based on the Identity Attribute department where the department name is Auditors :slight_smile:

There are many ways to Rome and this is 1 way to assign capabilities to identities :slight_smile:

– Remold

6 Likes
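For readers who maintain roles as XML (for example in an SSB build) rather than through the UI, here is what the Auditor capability role described in the post above looks like as a Bundle object. This is an added example and not part of the original post or of any SailPoint-supplied object. It assumes a role type named "capability" was created under Role Configuration as described, that a Capability named "Auditor" exists, and that the identity attribute "department" carries the value "Auditors". The Selector and Owner elements follow the standard Bundle XML; the Capabilities element is an assumption modelled on how the same grant is expressed on an Identity object, so compare it against a role exported from your own environment before importing.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Bundle PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<!-- Added example (not from the original post). Assumed: role type "capability",
     Capability "Auditor" and identity attribute "department" = "Auditors". -->
<Bundle name="Auditor Capability Role" displayName="Auditor" type="capability">
  <!-- spadmin is the default administrator identity; use a real role owner -->
  <Owner>
    <Reference class="sailpoint.object.Identity" name="spadmin"/>
  </Owner>
  <!-- IdentityIQ user right granted by this role. Element name is an assumption
       based on the Identity XML; verify against an exported role. -->
  <Capabilities>
    <Reference class="sailpoint.object.Capability" name="Auditor"/>
  </Capabilities>
  <!-- Birthright assignment: every identity whose department is "Auditors"
       receives the role (and thereby the capability) on the next refresh
       that assigns roles. -->
  <Selector>
    <IdentitySelector>
      <MatchExpression>
        <MatchTerm name="department" value="Auditors"/>
      </MatchExpression>
    </IdentitySelector>
  </Selector>
</Bundle>
```

With the selector in place, an identity refresh with role assignment enabled adds the role to matching identities, and the capability travels with it; removing someone from the Auditors department removes the role and the capability on the following refresh, which is the review and reporting benefit the post describes.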

I’ve only had success with this using the loopback connector, as if you change the capabilities add/remove on a particular role it won’t update existing users’ permissions.

Hi @Remold ,

This is a great way of managing access across IIQ, thanks for the detailed steps. I have implemented this by leveraging the loopback connector.

In my current project we are adding a user to an AD group based on a role request; once the AD group has the member added, we are populating the members of the AD group into a workgroup assigned with the respective capability. I believe the step you suggested is better suited if we want to assign the capability directly, but in our case we needed to maintain an AD group for any user having access to IIQ.

Hi @phodgdon,

Changes to roles are only updated on the identities when Role Change Propagation is enabled (Gear → Global Settings → IdentityIQ Configuration → Roles → ‘Allow propagation of role changes’).
The changes to roles, when already assigned, will then be adjusted with the ‘Propagate Role Changes’ task. So the changed capabilities will be set on the identities with this role :slight_smile:

– Remold

1 Like

Right, I’ve just had issues with that being set and having your roles in the SSB and running into failures deploying bundles. The loopback also helped solve this.

Importing roles (Bundles) does not generate a RoleChangeEvent, so the Propagate Role Changes task will not update the capabilities on the assigned identities.

Luckily there are multiple ways to Rome :slight_smile:

– Remold