RapidIdentity Product Guides - 2019 Rolling Release

My Roles

The My Roles interface displays the Roles that have been created by the authenticated user. Environments with large numbers of roles can be searched for and filtered dynamically by typing in the role name inside the search bar. Users who have not created a role will have a blank interface.

Role details can be viewed by clicking Details in the list view or, while in grid view, by hovering over the role tile and then clicking Details.

If the grid already shows Roles on first login, the current user has been listed as a Membership Manager for those roles by either the Role Owner or another Role Membership Manager.

All data grid columns are sortable. To sort, click on the column header and adjust accordingly.

Table 2. Roles Columns

Column       Description
-----------  -----------------------------------------------------------------
Selector     Checkboxes are used to select multiple rows. A role can be selected by clicking on the checkbox, by clicking anywhere on the row, or by clicking the Select... drop-down box and clicking Select All. More than one Role can be selected at a time. Selecting one or more roles enables the role Clone, Sync, and Delete actions.
Name         The given Role name.
Description  An optional, short text description of the Role.
Type         The Type of the Role.
Create Date  The timestamp of when the Role was created.
Status       Describes the current status of the Role.

Import Roles

Roles can be imported by clicking Import.

Roles can be imported individually by selecting a role from the drop-down box, or in bulk by checking the Import All Roles box. The import form also offers a Sync After Import option. Click Import.

A successful import closes the sidebar and displays a green success message.

Edit Role

The Details interface opens the Edit Role form and displays the role configuration information.

Clicking Edit Role enables the updating of the Details fields and enables the updating of Static and Dynamic Members. The text fields are predictive to facilitate locating the desired users or roles to be static or dynamic members.

Once the role fields and members are updated, click Save.

Create Role

All users can create a new role by clicking the Create Role button and completing the Add Role form.

The Details tab requires two fields: Name and Owners. Role creators can determine whether the role should also function as an Email distribution list and which, if any, users can be Membership Managers. The text boxes for Owners and Membership Managers are predictive to facilitate locating the desired users.

Role Owners and Membership Managers can modify the Static and Dynamic tabs.

The Static tab allows role users to determine which users should always be included in, or always excluded from, the role.

The Dynamic tab allows users to configure a distinguished name (DN) and LDAP filter that are evaluated to calculate which users should be included in or excluded from a role.

When creating a Dynamic Role, the distinguished name for the Dynamic Include (or Exclude) Filter Base DN can be typed manually or obtained by clicking the magnifying glass and navigating the directory tree.

Similarly, the Dynamic Include (or Exclude) Filter can be typed manually or built with the prompts, which guide the construction of a valid LDAP filter.

After updating the role membership criteria and the two required fields, click Save.

Role Membership Hierarchy

Members are included and excluded from a Role based on the following action hierarchy.

  1. All members who fit the Dynamic Inclusion filter are added.

  2. All members who fit the Dynamic Exclusion filter are removed.

  3. All statically included members are added back to the list.

  4. All statically excluded members are removed.

Thus, the purpose of a Dynamic Exclusion is to remove subsets of users that match the Dynamic Inclusion filter attribute but are not wanted in the Role membership list. The purpose of a Static Exclusion is to override a Role member who was added by Dynamic Inclusion (or Static Inclusion) but needs to be removed from the Role membership list; because it is applied last, a Static Exclusion always wins.
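The following is an added example, not RapidIdentity code, that applies the four-step hierarchy above to a constructed set of users. The LDAP filters are stood in for by simple equality predicates, and the Dynamic Include filter uses the idautoPersonAppRoles1 marker attribute mentioned later on this page; the user DNs and attribute values are invented for the example.

```python
# Added example: compute Role membership with the four-step hierarchy
# (dynamic include, dynamic exclude, static include, static exclude).
# Users are constructed dicts keyed by DN; filters are predicates that
# stand in for the LDAP Include/Exclude filters.

def equals(attr, value):
    """Predicate mimicking an LDAP equality filter such as (attr=value).
    Multi-valued attributes match when any value is equal."""
    def match(user):
        vals = user.get(attr, [])
        if not isinstance(vals, list):
            vals = [vals]
        return value in vals
    return match

def compute_members(users, dyn_include=None, dyn_exclude=None,
                    static_include=(), static_exclude=()):
    """Return the sorted member DNs, applying the hierarchy in order:
    1. add everyone matching the Dynamic Include filter
    2. remove everyone matching the Dynamic Exclude filter
    3. add back every statically included DN
    4. remove every statically excluded DN (always wins)"""
    members = set()
    if dyn_include:
        members |= {dn for dn, u in users.items() if dyn_include(u)}
    if dyn_exclude:
        members -= {dn for dn, u in users.items() if dyn_exclude(u)}
    members |= set(static_include)
    members -= set(static_exclude)
    return sorted(members)

# Constructed sample directory entries (not real data).
USERS = {
    "cn=alice,dc=example,dc=org": {"idautoPersonAppRoles1": ["finance"], "employeeType": "staff"},
    "cn=bob,dc=example,dc=org":   {"idautoPersonAppRoles1": ["finance"], "employeeType": "contractor"},
    "cn=carol,dc=example,dc=org": {"idautoPersonAppRoles1": ["hr"], "employeeType": "staff"},
    "cn=dave,dc=example,dc=org":  {"idautoPersonAppRoles1": ["finance"], "employeeType": "staff"},
}

def example_finance_role():
    """Dynamic include on the marker attribute, dynamic exclude of contractors,
    static include for carol (an exception), static exclude for dave (an override).
    Result: alice and carol only."""
    return compute_members(
        USERS,
        dyn_include=equals("idautoPersonAppRoles1", "finance"),
        dyn_exclude=equals("employeeType", "contractor"),
        static_include=["cn=carol,dc=example,dc=org"],
        static_exclude=["cn=dave,dc=example,dc=org"],
    )
```

Swapping bob into the static include list shows that a Static Inclusion overrides the Dynamic Exclusion that removed him, while a DN placed in both static lists is never a member.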

Static Membership Limitations

RapidIdentity Portal currently imposes an upper limit of 500 on static membership size. Roles whose members have relatively long user DNs will exhaust the backing attribute in Active Directory sooner, so the effective limit for such roles is lower than 500.

To facilitate scalability, one recommendation is to use Static Membership only for exceptions and to define the bulk of the membership with a dynamic role. With this approach, the dynamic role looks for a specific attribute whose only purpose is to define membership for that role, and this attribute is referenced in the Dynamic Include Filter. One possible attribute is idautoPersonAppRoles1.