Composite Role
Defines basic information about a composite role. Composite roles identify affiliations or job functions by which users can be grouped. A composite role is a business role comprehensible by managers. It provides a layer of abstraction above existing entitlements, technical roles and single roles.
Roles can be used to:
- Grant various types and levels of access.
- Restrict access to sensitive information assets by grouping entitlements in a form that is meaningful to the business.
- Grant the minimum privileges required by an individual to perform their job.
Roles can be requested manually, or they can be configured to be assigned automatically via a Composite Role Rule. To further control access, roles can be related via required, inherited, or permitted relationships.
Examples
The following example declares a new composite role.
Code attributes enclosed with <> need to be replaced with a custom value before entering the
script in the command line.
<CompositeRole Identifier="HR_Accounting" DisplayName_L1="HR:accounting" Category="HR" ApprovalWorkflowType="One" EntityType="Directory_User" Policy="Default"/>
Properties
| Property | Type | Description |
|---|---|---|
| ApprovalWorkflowType default value: 0 | ProvisioningPolicyApprovalWorkflow | Number of validations required to assign manually the composite role (from None to Three). The value ManualAssignmentNotAllowed is used when a manual assignment cannot be performed. |
| Category optional | Int64 | Identifier of the category that the role is part of. |
| CommentActivationOnApproveInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to approve it. 0 - Disabled 1 - Optional 2 - Required 3 - Inherited: comment activation in the associated policy. |
| CommentActivationOnDeclineInReview default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a request of the role and deciding to refuse it. 0 - Disabled 1 - Optional 2 - Required 3 - Inherited: comment activation in the associated policy. |
| CommentActivationOnDeleteGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to delete it. 0 - Disabled 1 - Optional 2 - Required 3 - Inherited: comment activation in the associated policy. |
| CommentActivationOnKeepGapInReconciliation default value: Inherited | CommentActivationWithInherited | Indicates if a comment is enabled when reviewing a non-conforming assignment of the role and deciding to keep it. 0 - Disabled 1 - Optional 2 - Required 3 - Inherited: comment activation in the associated policy. |
| Description_L1 optional | String | Detailed description of the single role in language 1 (up to 16). |
| DisplayName_L1 required | String | Display name of the composite role in language 1 (up to 16). |
| EntityType required | Int64 | Identifier of the entity type whose resources can receive the composite role. |
| GracePeriod optional | Int32 | Duration (in minutes) for which a lost automatic composite role is prolonged. The grace period is only applied if the loss of the entitlement is due to a change in the rules (rule deletion or criteria changes). A review will be required to validate or decline the entitlement prolongation. Inferred entitlements won't be lost unless the end of the grace period is reached or the prolongation is declined. If it is not defined, the value is inherited from the policy. |
| HideOnSimplifiedView default value: false | Boolean | true to show the role in a user's basket only in advanced view and not simplified view. This flag is applied only on automatic assignments. |
| Identifier required | String | Unique identifier of the composite role. |
| ImplicitApproval default value: 0 | Byte | Indicates if the validation steps of the composite role can be skipped. 0 - Inherited: implicit approval value in the associated policy. 1 - Explicit: all the workflow steps must be approved. 2 - Implicit: the workflow steps can be skipped if the requester has enough permissions. |
| ManualAssignmentEndDateLockedToContextMode default value: ExplicitNotContextBoundByDefault | ManualAssignmentEndDateLockedToContextModeRole | The values are: 0 - ExplicitNotContextBoundByDefault — By default, the assignment's end date will not be context bound in order to encourage the manual entry of an end date 1 - ExplicitContextBoundByDefault — By default, the assignment's end date will be context bound and therefore locked, but a manual date can be entered. 2 - Never — The assignment's end date will never be locked and needs to be specified manually 3 - Always — The assignment's end date is always locked according to the applicable context rule. |
| MaxDuration optional | Int32 | Duration (in minutes) after which the role will be automatically revoked, if no earlier end date is specified. It impacts only the roles which are manually assigned after the maximum duration is set. Pre-assigned roles are not impacted. If no duration is set on the role, the MaxDuration of the associated policy is applied. If the MaxDuration is set to 0 on the role, it prevents the associated policy from applying its MaxDuration to it. |
| Policy required | Int64 | Identifier of the policy that the role is part of. |
| ProlongationWithoutApproval default value: 0 | ProlongationWithoutApproval | Indicates whether the role can be extended without any validation. 0 - Inherited: gets the value from the policy. 1 - Enabled. 2 - Disabled. |
| R0 default value: false | Boolean | true to set the dimension 0 (up to 3V following the Base32 Parameter Names ) as a required parameter when assigning the role. |
| Tags optional | String | Tags of the roles targeted by the campaign filter. The tag separator is ¤. |