Role assignment attributes
We can define role assignment attributes. The attributes are associated with a person-role relationship. Optional role assignment attribute tasks are:
- Define role assignment attributes when creating or modifying a static role.
- Associate a custom label with each assignment attribute.
- Specify assignment attribute values when adding user members to the role. For example, a static role named Clerk has an assignment attribute defined as CreditLimit. When adding user members to this role, you can specify the CreditLimit value for each user as part of the role assignment.
- Specify assignment attribute values for the existing user members of the role.
- Only static roles support assignment attributes.
- Assignment attributes support only the string data type and the text widget.
ACI capabilities for role assignment attributes
Both the default and new ACIs support attribute-level permissions for role assignment attributes, as for other attributes in the role definition. You can create or modify ACIs to set attribute-level permissions that grant or deny use of these role assignment attributes within the role definition, so that only authorized users can read or write assignment attributes. Additionally, you can:
- Set ACIs to read or write assignment attribute values when adding a user to the role.
- Set assignment attribute values for the existing user members.
ACI works the same way as it does for other entities. There is no ACI on a specific role assignment attribute. The following attributes are available:
- erRoleAssignmentKey, on the role, dictates the permission to define role assignment attributes on the role and an attribute.
- erRoleAssignments, on the person, dictates the permission to assign values for the assignment attributes.
To view the role assignment attribute value on a person form, the logged-in user must have read permissions on erRoles, erRoleAssignmentKey and erRoleAssignments.
To edit the role assignment attribute value on a person form, the logged-in user must have read permissions on erRoles and erRoleAssignmentKey and write permissions on erRoleAssignments.
You cannot define an ACI on an assignment attribute that you defined on a role.
JavaScript capabilities for role assignment attributes
We can access these capabilities for role assignment attributes within the JavaScript interface:
- The role assignment attributes of the role schema. For example, you can access a role object inside an entitlement workflow.
- The role assignment attributes and their values for users in role membership. For example, you can access a person object within a JavaScript provisioning policy entitlement.
JavaScript APIs include:
- Person
  - Person.getAllAssignmentAttributes()
  - Person.getRoleAssignmentData()
  - Person.getRoleAssignmentData(String roleAssignedDN)
  - Person.removeRoleAssignmentData()
  - Person.updateRoleAssignmentData()
  - Person.getRemovedRoles()
  - Person.isInRole()
  - Person.removeRole()
- Role
  - Role.getAssignmentAttributes()
  - Role.getAllAssignmentAttributes()
  - Role.setAssignmentAttributes()
- RoleAssignmentAttribute
  - RoleAssignmentAttribute.getName()
  - RoleAssignmentAttribute.getRoleName()
  - RoleAssignmentAttribute.getRoleDN()
- RoleAssignmentObject
  - RoleAssignmentObject.getAssignedRoleDN()
  - RoleAssignmentObject.getDefinedRoleDN()
  - RoleAssignmentObject.addProperty()
  - RoleAssignmentObject.getChanges()
  - RoleAssignmentObject.getProperty()
  - RoleAssignmentObject.getPropertyNames()
  - RoleAssignmentObject.removeProperty()
  - RoleAssignmentObject.setProperty()
See the reference pages in the IBM Security Identity Manager Reference Guide.
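The following is an added example, not code from the IBM documentation or the product: it shows how a provisioning-policy style script would use the RoleAssignmentObject methods listed above to read the Clerk role's CreditLimit value for a person and validate it before deriving an account attribute from it. It assumes that getRoleAssignmentData() returns an array of RoleAssignmentObject, that getProperty(name) returns an array of string values, and that getDefinedRoleDN() names the role on which the attribute is defined while getAssignedRoleDN() names the role the person is directly assigned to; the makeAssignment stand-in, the role DNs and the sample assignments are constructed so the script runs outside the ISIM JavaScript engine.

```javascript
// Added example; makeAssignment is a constructed stand-in for ISIM's
// RoleAssignmentObject, implementing only the methods used here.
function makeAssignment(assignedRoleDN, definedRoleDN, props) {
  const data = { ...props };
  return {
    getAssignedRoleDN: () => assignedRoleDN,
    getDefinedRoleDN: () => definedRoleDN,
    getPropertyNames: () => Object.keys(data),
    // Assumption: getProperty returns an array of string values.
    getProperty: (name) => (data[name] === undefined ? [] : [...data[name]]),
    setProperty: (name, values) => { data[name] = [...values]; },
  };
}

// Resolve the effective CreditLimit for roleDN from the person's role
// assignment data. The attribute is defined on the role (definedRoleDN)
// but the value belongs to the person-role relationship (assignedRoleDN),
// so a direct assignment is preferred over one reached via another role.
function resolveCreditLimit(assignments, roleDN, maxLimit) {
  const forRole = assignments.filter(a => a.getDefinedRoleDN() === roleDN);
  const chosen = forRole.find(a => a.getAssignedRoleDN() === roleDN) || forRole[0];
  if (!chosen) return null;                     // person is not in the role
  const values = chosen.getProperty("CreditLimit");
  if (values.length !== 1) return null;         // missing or multi-valued: reject
  // Assignment attributes are string-typed, so validate the text before an
  // account attribute is derived from it; anyone with write on
  // erRoleAssignments could have typed an arbitrary value.
  if (!/^\d{1,9}$/.test(values[0])) return null;
  const limit = Number(values[0]);
  return limit > maxLimit ? maxLimit : limit;   // clamp to the policy ceiling
}

// Constructed role DNs (placeholders, not real directory entries).
const CLERK_DN = "erglobalid=EXAMPLE-CLERK,ou=roles,ou=example,dc=com";
const SENIOR_DN = "erglobalid=EXAMPLE-SENIOR,ou=roles,ou=example,dc=com";

// Constructed sample standing in for subject.getRoleAssignmentData():
// one Clerk value reached through the Senior role, one direct Clerk value.
const sampleAssignments = [
  makeAssignment(SENIOR_DN, CLERK_DN, { CreditLimit: ["99999"] }),
  makeAssignment(CLERK_DN, CLERK_DN, { CreditLimit: ["2500"] }),
];

// In a provisioning policy this value would feed an account attribute.
function effectiveClerkLimit() {
  return resolveCreditLimit(sampleAssignments, CLERK_DN, 50000); // 2500
}
```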
Role assignment attributes and the Self Service or the Identity Service Center user interface
For more information about adding or modifying role assignment attributes for a user profile in the Identity Service Center user interface, see Modifying role assignment attributes for your personal profile.
- Define assignment attributes when creating a role
- Define assignment attributes for an existing role
- Setting assignment attribute values to the user members of a role
- Configure access catalog information for a role
Parent topic: Role administration