CompositeRole
Defines basic information about a composite role. Composite roles identify affiliations or job functions by which users can be grouped. A composite role is a business role comprehensible by managers. It provides a layer of abstraction above existing entitlements, technical roles and single roles.
Roles can be used to:
- Grant various types and levels of access.
- Restrict access to sensitive information assets by grouping entitlements in a form that is meaningful to the business.
- Grant the minimum privileges required by an individual to perform his/her job.
Roles can be requested manually, or they can be configured to be assigned automatically via a Composite Role Rule. To further control access, roles can be related via required, inherited, or permitted relationships.
Examples
The following example declares a new composite role.
<CompositeRole Identifier="HR_Accounting" DisplayName_L1="HR:accounting" Category="HR" ApprovalWorkflowType="One" EntityType="Directory_User" Policy="Default"/>
Properties
| Property | Details |
|---|---|
| ApprovalWorkflowType default value: 0 | Type ProvisioningPolicyApprovalWorkflow Description Number of validations required to assign manually the composite role (from None to Three). The value ManualAssignmentNotAllowed is used when a manual assignment cannot be performed. |
| Category optional | Type Int64 Description Identifier of the category that the role is part of. |
| CommentActivationOnApproveInReview default value: Inherited | Type CommentActivationWithInherited Description Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. 0 - Disabled 1 - Optional 2 - Required 3 - Inherited: comment activation in the associated policy. |
| CommentActivationOnDeclineInReview default value: Inherited | Type CommentActivationWithInherited Description Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. 0 - Disabled 1 - Optional 2 - Required 3 - Inherited: comment activation in the associated policy. |
| CommentActivationOnDeleteGapInReconciliation default value: Inherited | Type CommentActivationWithInherited Description Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. 0 - Disabled 1 - Optional 2 - Required 3 - Inherited: comment activation in the associated policy. |
| CommentActivationOnKeepGapInReconciliation default value: Inherited | Type CommentActivationWithInherited Description Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. 0 - Disabled 1 - Optional 2 - Required 3 - Inherited: comment activation in the associated policy. |
| Description_L1 optional | Type String Description Detailed description of the single role in language 1 (up to 16). |
| DisplayName_L1 required | Type String Description Display name of the composite role in language 1 (up to 16). |
| EntityType required | Type Int64 Description Identifier of the entity type whose resources can receive the composite role. |
| GracePeriod optional | Type Int32 Description Duration (in minutes) for which a lost automatic composite role is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. |
| HideOnSimplifiedView default value: false | Type Boolean Description true to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. |
| Identifier required | Type String Description Unique identifier of the composite role. |
| ImplicitApproval default value: 0 | Type Byte Description Indicates if the validation steps of the composite role can be skipped. 0 - Inherited: implicit approval value in the associated policy. 1 - Explicit: all the workflow steps must be approved. 2 - Implicit: the workflow steps can be skipped if the requester has enough permissions. |
| MaxDuration optional | Type Int32 Description Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the MaxDuration of the associated policy is applied. If the MaxDuration is set to 0 on the role, it prevents the associated policy from applying its MaxDuration to it. |
| Policy required | Type Int64 Description Identifier of the policy that the role is part of. |
| ProlongationWithoutApproval default value: 0 | Type ProlongationWithoutApproval Description Indicates whether the role can be extended without any validation. 0 - Inherited: gets the value from the policy. 1 - Enabled. 2 - Disabled. |
| R0 default value: false | Type Boolean Description true to set the dimension 0 (up to 3V following the base32hex convention) as a required parameter when assigning the role. |
| Tags optional | Type String Description Tags of the roles targeted by the campaign filter. The tag separator is �. |