Roles in the organization tree
We can use roles to represent a job title or responsibility, and we can use roles to grant access to accounts and attributes.
Both static roles and dynamic roles can be associated with a business unit in the organization tree. That association supports delegated administration of the role and of role assignment: an access control item (ACI) can specify which users are allowed to create, modify, or delete a role, and the ACI is evaluated against the position of the role in the organization tree.
- A static role can be located anywhere in the tree. Any user in the same organization can be manually attached to the role.
For a static role, an access control item can specify who is allowed to add users to, or remove users from, the role. The ACI is evaluated against the positions of both the role and the user in the organization tree.
- A dynamic role defines its membership by an LDAP filter and has a scope that is relative to its position in the tree. Placement of dynamic roles within an organization tree can have performance implications; see the IBM Security Identity Manager Performance and Tuning Guide. The scope of a dynamic role can be:
- Single: applies to users in the local business unit only
- Subtree: applies to the local business unit and all sub-business units
For example, suppose that an organization nests its user population in several levels of containers, similar to Figure 1.
Suppose that we configure dynamic roles as in this list:
- role_A for DivisionA
- role_A1 for department A1
- role_A1_1 for branch 1 in department A1
Each of these dynamic roles might have a scope of subtree and an LDAP filter such as (objectclass=*). A user in ou=A1branch1 then receives all three roles, role_A, role_A1, and role_A1_1, because the user's container lies within the subtree of each role's business unit and the filter matches every entry. To ensure that a discrete dynamic role applies to users based on their location in the tree, take one of the following actions:
- Place the users in the leaf nodes (containers)
- Make the LDAP filter specific to the location
- Specify the role scope as single
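The following Python model shows how scope, tree position, and the LDAP filter combine to decide dynamic-role membership, and walks through the catch-all case and each of the three remedies. It is an added illustration, not IBM Security Identity Manager code: the DN layout under o=acme, the assumption that person entries carry an ou attribute naming their container, and the small filter evaluator (equality, presence, &, |, ! only) are all assumptions made for the example.

```python
"""Dynamic-role membership versus position in an organization tree.
Added example, not IBM Security Identity Manager code. Assumptions: DNs
live under o=acme, person entries carry an "ou" attribute naming their
container, and the filter evaluator supports only a subset of RFC 4515."""
from dataclasses import dataclass


def parent_dn(dn: str) -> str:
    """Container that holds the entry: everything after the first RDN."""
    return dn.split(",", 1)[1]


def in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere below base."""
    return dn == base or dn.endswith("," + base)


def _parse(s: str, i: int):
    """Recursive-descent parse of one parenthesized filter starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if i < len(s) and s[i] in "&|!":            # compound: (&...), (|...), (!...)
        op, i, subs = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(subs) != 1):
            raise ValueError(f"malformed {op} filter at offset {i} in {s!r}")
        return (op, subs), i + 1
    j = s.find(")", i)                           # simple: (attr=value) or (attr=*)
    if j < 0 or "=" not in s[i:j]:
        raise ValueError(f"bad simple filter at offset {i} in {s!r}")
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.strip().lower(), value), j + 1


def _eval(node, attrs: dict) -> bool:
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = attrs.get(attr, [])
        if value == "*":                         # presence test, e.g. (objectclass=*)
            return bool(values)
        return any(v.lower() == value.lower() for v in values)
    if op == "&":
        return all(_eval(n, attrs) for n in node[1])
    if op == "|":
        return any(_eval(n, attrs) for n in node[1])
    return not _eval(node[1][0], attrs)          # op == "!"


def matches_filter(filt: str, attrs: dict) -> bool:
    """Evaluate an LDAP filter against a dict of attribute -> list of values."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError(f"trailing text after filter: {filt[end:]!r}")
    return _eval(node, {k.lower(): v for k, v in attrs.items()})


@dataclass
class User:
    dn: str
    attrs: dict


@dataclass
class DynamicRole:
    name: str
    business_unit: str   # DN of the container the role is defined in
    scope: str           # "single" or "subtree"
    ldap_filter: str


def applies(role: DynamicRole, user: User) -> bool:
    """Scope check first (position in the tree), then the LDAP filter."""
    container = parent_dn(user.dn)
    if role.scope == "single":
        in_scope = container == role.business_unit
    elif role.scope == "subtree":
        in_scope = in_subtree(container, role.business_unit)
    else:
        raise ValueError(f"unknown scope {role.scope!r}")
    return in_scope and matches_filter(role.ldap_filter, user.attrs)


def roles_for(user: User, roles: list) -> list:
    return [r.name for r in roles if applies(r, user)]


# Constructed sample tree: DivisionA > department A1 > branch 1, as in the text.
DIVISION_A = "ou=DivisionA,o=acme"
DEPT_A1 = "ou=A1,ou=DivisionA,o=acme"
BRANCH_A1_1 = "ou=A1branch1,ou=A1,ou=DivisionA,o=acme"
BRANCH_USER = User("uid=jdoe," + BRANCH_A1_1, {"objectclass": ["inetOrgPerson"], "ou": ["A1branch1"]})
DEPT_USER = User("uid=asmith," + DEPT_A1, {"objectclass": ["inetOrgPerson"], "ou": ["A1"]})


def make_roles(scope: str, filters: dict) -> list:
    return [DynamicRole("role_A", DIVISION_A, scope, filters["role_A"]),
            DynamicRole("role_A1", DEPT_A1, scope, filters["role_A1"]),
            DynamicRole("role_A1_1", BRANCH_A1_1, scope, filters["role_A1_1"])]


CATCH_ALL = {"role_A": "(objectclass=*)", "role_A1": "(objectclass=*)", "role_A1_1": "(objectclass=*)"}
PINNED = {"role_A": "(&(objectclass=*)(ou=DivisionA))", "role_A1": "(&(objectclass=*)(ou=A1))",
          "role_A1_1": "(&(objectclass=*)(ou=A1branch1))"}


def subtree_catch_all() -> tuple:
    """Subtree scope + (objectclass=*): branch user gets all three; a user left in
    the non-leaf department container still gets two (hence "use leaf nodes")."""
    roles = make_roles("subtree", CATCH_ALL)
    return roles_for(BRANCH_USER, roles), roles_for(DEPT_USER, roles)


def single_scope() -> list:
    """Same filters, scope single: only the role defined in the user's own container."""
    return roles_for(BRANCH_USER, make_roles("single", CATCH_ALL))


def location_specific_filter() -> tuple:
    """Subtree scope kept, but each filter pins the container name, so roles are discrete."""
    roles = make_roles("subtree", PINNED)
    return roles_for(BRANCH_USER, roles), roles_for(DEPT_USER, roles)


if __name__ == "__main__":
    print("subtree + catch-all (branch user, dept user):", subtree_catch_all())
    print("scope single (branch user):", single_scope())
    print("location-specific filters (branch user, dept user):", location_specific_filter())
```

Running it prints the three-role pile-up for the catch-all case, a single role once the scope is narrowed, and one discrete role per user once the filters pin the container. Note that the location-specific remedy depends on the person entry actually carrying an attribute that reflects its container; if your schema has no such attribute, the scope or placement remedies are the ones that hold.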