
Role Request Policies

Definition

A Role Request Policy defines whether a Role can be requested, for whom, by whom, and through which Workflow.
The configuration of a Role Request Policy is divided into 3 parts:

  • The standard properties of an XML configuration (version, encoding, kit DataSet...)

  • The Request Strategy, which defines who can request an operation on the Role and for whom

  • The Workflow Strategies, which define:

    • which Workflows to launch to validate the Role request (only one Workflow Strategy per type of Role operation)

    • which Dimensions can be displayed

    • which Dimensions can be updated

Configuration

You can access the Role Request Policy configuration:

  • by clicking on "Portal" → "Role Request Policy"

  • by clicking on "System" → "Configurations" → "Business Model" and performing an import/export.

Properties

Each property is listed with its type, whether it is mandatory, whether it can be modified after creation, and its description.

id
  Type: String
  Mandatory: YES
  Modifiable after creation: NO
  The id is the unique identifier of the Role Request Policy. It is case sensitive and no special characters (except - or _) are allowed.

name
  Type: String
  Mandatory: YES
  Modifiable after creation: YES
  The Role Request Policy name. The name may be different from the identifier. It must be at least 4 characters long.

description
  Type: String
  Mandatory: NO
  Modifiable after creation: YES
  Describes the Role Request Policy. It is possible to modify this property after the creation of the Role Request Policy.

priority
  Type: Integer
  Mandatory: NO
  Modifiable after creation: YES
  Used to indicate the priority between several Role Request Policies configured on the same Role Publication Type id.

rolePublicationTypeId
  Type: String
  Mandatory: YES
  Modifiable after creation: YES
  Used to indicate the id of the Role Publication Type the Policy refers to.

requestStrategy
  Type: RoleRequestStrategy
  Mandatory: YES
  Modifiable after creation: YES
  Used to indicate the Request Strategy.

workflowStrategyForCreate, workflowStrategyForUpdate, workflowStrategyForDelete
  Type: RoleWorkflowStrategy
  Mandatory: YES
  Modifiable after creation: YES
  Used to indicate the Workflow Strategy used to:

  • assign a Role to an Identity

  • update an assigned Role on an Identity

  • delete an assigned Role on an Identity

Request Strategy Properties

Organizational Role Request Strategy

This request strategy is based on a managing right granted to a user on an Organization, giving the ability to request roles for Identities that are in the security Organization.

The following prerequisites are mandatory before configuring this request strategy:

  • Have configured a Right

  • Have configured an Attribute of type String and with a configured Choice Rule on a Role and/or Publication type.

Each property is listed with its type, whether it is mandatory, its possible values and its description.

authorizationSource
  Type: Enum
  Mandatory: YES
  Values: PUBLICATION, ROLE or POLICY
  Indicates where to find the Attribute describing which managing right is expected from the requester.
  When set to PUBLICATION or ROLE, the managing right is set on the Publication and Role respectively.
  When set to POLICY, the managing right is set on the property <managingRightName>.

managingRightAttribute
  Type: String
  Mandatory: YES, only if source is PUBLICATION or ROLE
  Values: -
  Indicates the id of the Attribute (type String and with a configured Choice Rule) that contains the managing right that is expected from the requester.
  This Attribute must be configured on the Publication or the Role features.

managingRightName
  Type: String
  Mandatory: YES, only if source is POLICY
  Values: -
  Indicates the right to be used as the managing right that is expected from the requester.

allowSelfRequest
  Type: Boolean
  Mandatory: YES
  Values: true, false
  Indicates whether or not this strategy allows the requester to request a Role for himself if he/she matches the strategy criteria.

Examples of the three authorization sources:

Source PUBLICATION

XML
<requestStrategy xsi:type="ctdbum:OrganizationalRoleRequestStrategyType">
   <authorizationSource>PUBLICATION</authorizationSource>
   <managingRightAttribute>scopedright</managingRightAttribute>
   <allowSelfRequest>false</allowSelfRequest>
</requestStrategy>

Source ROLE

XML
<requestStrategy xsi:type="ctdbum:OrganizationalRoleRequestStrategyType">
   <authorizationSource>ROLE</authorizationSource>
   <managingRightAttribute>scopedright</managingRightAttribute>
   <allowSelfRequest>false</allowSelfRequest>
</requestStrategy>

Source POLICY

XML
<requestStrategy xsi:type="ctdbum:OrganizationalRoleRequestStrategyType">
   <authorizationSource>POLICY</authorizationSource>
   <managingRightName>adm.manager</managingRightName>
   <allowSelfRequest>false</allowSelfRequest>
</requestStrategy>

Object Relation Role Request Strategy

This request strategy is based on a managing right granted to a user on a Role or an object attribute linked to the Role, giving the ability to request roles for Identities.

The following prerequisites are mandatory before configuring this request strategy:

  • Have configured a Right

  • Have configured an Attribute of type String and with a configured Choice Rule on a Role and/or Publication type if the authorization source is PUBLICATION or ROLE.

  • Have configured an Attribute of type Object Reference on a Role Type

Each property is listed with its type, whether it is mandatory, its possible values and its description.

authorizationSource
  Type: Enum
  Mandatory: YES
  Values: PUBLICATION, ROLE or POLICY
  Indicates where to find the Attribute describing which managing right is expected from the requester.
  When set to PUBLICATION or ROLE, the managing right is set on the Publication and Role respectively.
  When set to POLICY, the managing right is set on the property <managingRightName>.

managingRightAttribute
  Type: String
  Mandatory: YES, only if source is PUBLICATION or ROLE
  Values: -
  Indicates the id of the Attribute (type String and with a configured Choice Rule) that contains the managing right that is expected from the requester.
  This Attribute must be configured on the Publication or the Role features.

managingRightName
  Type: String
  Mandatory: YES, only if source is POLICY
  Values: -
  Indicates the right to be used as the managing right that is expected from the requester.

objectAttribute
  Type: String
  Mandatory: NO
  Values: -
  Indicates the id of the Attribute of the Object on which the requester is expected to have a right. This Attribute is configured on the Role.
  If the property is not valued, the right must be given to the requester on the Role itself.

allowSelfRequest
  Type: Boolean
  Mandatory: YES
  Values: true, false
  Indicates whether or not this strategy allows the requester to request a Role for himself if he/she matches the strategy criteria.

Examples of the three authorization sources:

Source PUBLICATION

XML
<requestStrategy xsi:type="ctdbum:ObjectRelationRoleRequestStrategyType">
   <authorizationSource>PUBLICATION</authorizationSource>
   <managingRightAttribute>scopedright</managingRightAttribute>
   <allowSelfRequest>false</allowSelfRequest>
   <objectAttribute>application</objectAttribute>
</requestStrategy>

Source ROLE

XML
<requestStrategy xsi:type="ctdbum:ObjectRelationRoleRequestStrategyType">
   <authorizationSource>ROLE</authorizationSource>
   <managingRightAttribute>scopedright</managingRightAttribute>
   <allowSelfRequest>false</allowSelfRequest>
   <objectAttribute>application</objectAttribute>
</requestStrategy>

Source POLICY

XML
<requestStrategy xsi:type="ctdbum:ObjectRelationRoleRequestStrategyType">
   <authorizationSource>POLICY</authorizationSource>
   <managingRightName>adm.manager</managingRightName>
   <allowSelfRequest>false</allowSelfRequest>
</requestStrategy>

Self Service Role Request Strategy

This request strategy is based on a boolean Attribute that authorizes or forbids the self-request of a Role.

The following prerequisites are mandatory before configuring this request strategy:

  • Have configured an Attribute of type Boolean on a Role and/or Publication Type if the authorization source is PUBLICATION or ROLE.

  • Have configured a self feature with the Role Assignment Widget.

Each property is listed with its type, whether it is mandatory, its possible values and its description.

authorizationSource
  Type: Enum
  Mandatory: YES
  Values: PUBLICATION, ROLE or POLICY
  Indicates where to find the Attribute describing whether self-requests are available to the requester.
  When set to PUBLICATION or ROLE, the Attribute is set on the Publication and Role respectively.
  When set to POLICY, all published Roles are automatically available for self-requests (provided that these Roles are attached to the Role Publication Type that is configured in the Role Request Policy).

selfRequestAttribute
  Type: String
  Mandatory: YES, only if source is PUBLICATION or ROLE
  Indicates the id of the boolean Attribute which indicates whether or not the Role can be requested by the requester himself.
  This Attribute must be configured on the Publication or the Role features.
  If the Attribute value is set to true, the self-request is available, otherwise it is not.

Examples of the three authorization sources:

Source PUBLICATION

XML
<requestStrategy xsi:type="ctdbum:SelfServiceRoleRequestStrategyType">
   <authorizationSource>PUBLICATION</authorizationSource>
   <selfRequestAttribute>authorizeselfrequests</selfRequestAttribute>
</requestStrategy>

Source ROLE

XML
<requestStrategy xsi:type="ctdbum:SelfServiceRoleRequestStrategyType">
   <authorizationSource>ROLE</authorizationSource>
   <selfRequestAttribute>authorizeselfrequests</selfRequestAttribute>
</requestStrategy>

Source POLICY

XML
<requestStrategy xsi:type="ctdbum:SelfServiceRoleRequestStrategyType">
   <authorizationSource>POLICY</authorizationSource>
</requestStrategy>

Workflow Strategy Properties

This part describes the types of Workflow Strategy used to launch a Workflow after a request to assign, modify or delete a Role on an Identity.
There are four Workflow Strategies, each of which applies to the assignment, modification or deletion of a Role Assignment.
A different Workflow Strategy can be chosen for each action.

None Role Workflow Strategy

This Workflow Strategy assigns, updates and/or deletes a Role Assignment on an Identity without launching a Workflow.
The action is applied directly to the Identity.

Each property is listed with its type, whether it is mandatory and its description.

readOnlyDimensionTags
  Type: -
  Mandatory: NO
  Indicates the tag(s) of the dimensions that will be displayed.
  If no tag is defined, by default all the tagged dimensions will be displayed in the Role dashboard.

readWriteDimensionTags
  Type: -
  Mandatory: NO
  Indicates the tag(s) of the dimensions that will be editable.

Examples for the three operations:

Assignment

XML
<workflowStrategyForCreate xsi:type="ctdbum:NoneRoleWorkflowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags>
        <tag>request</tag>
    </readWriteDimensionTags>
</workflowStrategyForCreate>

Modification

XML
<workflowStrategyForUpdate xsi:type="ctdbum:NoneRoleWorkflowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags>
        <tag>request</tag>
    </readWriteDimensionTags>
</workflowStrategyForUpdate>

Deletion

XML
<workflowStrategyForDelete xsi:type="ctdbum:NoneRoleWorkflowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags>
        <tag>request</tag>
    </readWriteDimensionTags>
</workflowStrategyForDelete>

Fixed Role Workflow Strategy

This Workflow Strategy indicates the id of a previously configured Workflow that will be launched for the assignment, the modification or the deletion of a Role on an Identity.

Each property is listed with its type, whether it is mandatory and its description.

workflowId
  Type: String
  Mandatory: YES
  Indicates the id of the Workflow that will be launched when assigning, updating or deleting a Role on an Identity.
  The Workflow may be different when assigning, updating or deleting a Role on an Identity.

readOnlyDimensionTags
  Type: -
  Mandatory: NO
  Indicates the tag(s) of the dimensions that will be displayed.
  If no tag is defined, by default all the tagged dimensions will be displayed in the Role dashboard.

readWriteDimensionTags
  Type: -
  Mandatory: NO
  Indicates the tag(s) of the dimensions that will be editable.

Examples for the three operations:

Assignment

XML
<workflowStrategyForCreate xsi:type="ctdbum:FixedRoleWorkflowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags/>
    <workflowId>WF_RA_1</workflowId>
</workflowStrategyForCreate>

Modification

XML
<workflowStrategyForUpdate xsi:type="ctdbum:FixedRoleWorkflowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags/>
    <workflowId>WF_RA_1</workflowId>
</workflowStrategyForUpdate>

Deletion

XML
<workflowStrategyForDelete xsi:type="ctdbum:FixedRoleWorkflowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags/>
    <workflowId>WF_RA_1</workflowId>
</workflowStrategyForDelete>

Script Role Workflow Strategy

This Workflow Strategy runs a Groovy script that determines which previously configured Workflow will be launched for the assignment, the modification or the deletion of a Role on an Identity.

Each property is listed with its type, whether it is mandatory and its description.

readOnlyDimensionTags
  Type: -
  Mandatory: NO
  Indicates the tag(s) of the dimensions that will be displayed.
  If no tag is defined, by default all the tagged dimensions will be displayed in the Role dashboard.

readWriteDimensionTags
  Type: -
  Mandatory: NO
  Indicates the tag(s) of the dimensions that will be editable.

ruleDefinition
  Type: RuleDefinition
  Mandatory: YES
  This script returns the id of the Workflow that will be launched when assigning, updating or deleting a Role on an Identity.
  The Workflow may be different when assigning, updating or deleting a Role on an Identity.
  This script is executed at the same time as the evaluation of the Role Request Policies, but the Role Request Policies are evaluated in multiple situations in which the ROLE_ASSIGNMENT Context is not relevant or unnecessary (the build of the dimensions screen, the search of an object reference...).
  For this reason, the ROLE_ASSIGNMENT Context may be null in scripts and its presence should always be checked before use.

  Available context:

  • ROLE_REQUEST

  • ROLE_ASSIGNMENT

    • ROLE_ASSIGNMENT?.changes?.enabledUntil?.value

Examples for the three operations:

Assignment

XML
<workflowStrategyForCreate xsi:type="ctdbum:ScriptRoleWorkflowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags/>
    <ruleDefinition>
        <script><![CDATA[
        import java.time.Instant
        import java.time.temporal.ChronoUnit
        // ROLE_ASSIGNMENT may be null when the policy is evaluated outside an actual request: check it before use
        if (ROLE_ASSIGNMENT?.changes?.enabledFrom != null && Instant.now().truncatedTo(ChronoUnit.DAYS).plus(3, ChronoUnit.DAYS).isBefore(ROLE_ASSIGNMENT?.changes.enabledFrom?.value?.truncatedTo(ChronoUnit.DAYS))) {
          return "WF_RA_1"
        } else if (ROLE_REQUEST.role.type == "adminRole") {
          return "WF_RA_2"
        }
        return null]]></script>
    </ruleDefinition>
</workflowStrategyForCreate>

Modification

XML
<workflowStrategyForUpdate xsi:type="ctdbum:ScriptRoleWorkflowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags/>
    <ruleDefinition>
        <script><![CDATA[
        import java.time.Instant
        import java.time.temporal.ChronoUnit
        // ROLE_ASSIGNMENT may be null when the policy is evaluated outside an actual request: check it before use
        if (ROLE_ASSIGNMENT?.changes?.enabledFrom != null && Instant.now().truncatedTo(ChronoUnit.DAYS).plus(3, ChronoUnit.DAYS).isBefore(ROLE_ASSIGNMENT?.changes.enabledFrom?.value?.truncatedTo(ChronoUnit.DAYS))) {
          return "WF_RA_1"
        }
        return null]]></script>
    </ruleDefinition>
</workflowStrategyForUpdate>

Deletion

XML
<workflowStrategyForDelete xsi:type="ctdbum:ScriptRoleWorkflowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags/>
    <ruleDefinition>
        <script><![CDATA[
        import java.time.Instant
        import java.time.temporal.ChronoUnit
        // ROLE_ASSIGNMENT may be null when the policy is evaluated outside an actual request: check it before use
        if (ROLE_ASSIGNMENT?.changes?.enabledFrom != null && Instant.now().truncatedTo(ChronoUnit.DAYS).plus(3, ChronoUnit.DAYS).isBefore(ROLE_ASSIGNMENT?.changes.enabledFrom?.value?.truncatedTo(ChronoUnit.DAYS))) {
          return "WF_RA_1"
        }
        return null]]></script>
    </ruleDefinition>
</workflowStrategyForDelete>

Mapped Role Workflow Strategy

This Workflow Strategy maps the value of an Attribute of the Requester, Requestee, Role or Publication to a specific previously configured Workflow that will be launched for the assignment, the modification or the deletion of a Role on an Identity.

Each property is listed with its type, whether it is mandatory and its description.

readOnlyDimensionTags
  Type: -
  Mandatory: NO
  Indicates the tag(s) of the dimensions that will be displayed.
  If no tag is defined, by default all the tagged dimensions will be displayed in the Role dashboard.

readWriteDimensionTags
  Type: -
  Mandatory: NO
  Indicates the tag(s) of the dimensions that will be editable.

rolePublicationType
  Type: String
  Mandatory: YES
  Used to indicate the id of the Role Publication Type the Policy refers to.

mappingKeySource
  Type: Enum
  Mandatory: YES
  Used to indicate where to find the Attribute that will be used to map Workflow(s).
  The source can be: REQUESTER, REQUESTEE, PUBLICATION or ROLE.

mappingKeyAttribute
  Type: String
  Mandatory: YES
  Used to indicate the id of the Attribute which is used to perform the mapping.
  This Attribute must be configured on the Identity, Publication or the Role features.

mapping
  Type: -
  Mandatory: NO
  Used to indicate the mapping between Attribute values and Workflows.

defaultWorkflowId
  Type: String
  Mandatory: NO
  Used to indicate the id of the default Workflow that will be launched if no mapping matches.
  The default Workflow can be left unset.

Examples for the three operations:

Assignment

XML
<workflowStrategyForCreate xsi:type="ctdbum:MappedRoleWorfklowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags/>
    <rolePublicationType>role_publication_type_1</rolePublicationType>
    <mappingKeySource>REQUESTEE</mappingKeySource>
    <mappingKeyAttribute>country</mappingKeyAttribute>
    <mapping>
        <entry>
            <key>France</key>
            <value>WF_RA_1</value>
        </entry>
    </mapping>
    <defaultWorkflowId>WF_RA_2</defaultWorkflowId>
</workflowStrategyForCreate>

Modification

XML
<workflowStrategyForUpdate xsi:type="ctdbum:MappedRoleWorfklowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags/>
    <rolePublicationType>role_publication_type_1</rolePublicationType>
    <mappingKeySource>REQUESTEE</mappingKeySource>
    <mappingKeyAttribute>country</mappingKeyAttribute>
    <mapping>
        <entry>
            <key>France</key>
            <value>WF_RA_1</value>
        </entry>
    </mapping>
    <defaultWorkflowId>WF_RA_2</defaultWorkflowId>
</workflowStrategyForUpdate>

Deletion

XML
<workflowStrategyForDelete xsi:type="ctdbum:MappedRoleWorfklowStrategyType">
    <readOnlyDimensionTags/>
    <readWriteDimensionTags/>
    <rolePublicationType>role_publication_type_1</rolePublicationType>
    <mappingKeySource>REQUESTEE</mappingKeySource>
    <mappingKeyAttribute>country</mappingKeyAttribute>
    <mapping>
        <entry>
            <key>France</key>
            <value>WF_RA_1</value>
        </entry>
    </mapping>
    <defaultWorkflowId>WF_RA_2</defaultWorkflowId>
</workflowStrategyForDelete>

readOnlyDimensionTags or readWriteDimensionTags properties

tag
  Type: String
  Mandatory: NO
  Id of the configured tag in the dimension.

mapping properties

entry
  Type: -
  Mandatory: NO
  A mapping entry between an Attribute value and a Workflow id; its properties are described below.

entry properties

Each entry has the following configuration:

key
  Type: String
  Mandatory: YES
  Used to indicate the value of the Attribute used to perform the mapping.

value
  Type: String
  Mandatory: YES
  Used to indicate the id of the Workflow that will be launched if the mapping matches.

Examples

Role Request Policy Object - Script Workflow
CODE
<ctdbum:RoleRequestPolicy id="objectStrategy-roleRequestStrategy" xmlns:ctdbum="http://www.memority.com/citadel/bum/1_0">
  <name>objectStrategy-roleRequestStrategy</name>
  <description>Strategy used when the administrator target is about resources.</description>
  <priority>1</priority>
  <rolePublicationTypeId>commonPublication</rolePublicationTypeId>
  <requestStrategy xsi:type="ctdbum:ObjectRelationRoleRequestStrategyType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <authorizationSource>ROLE</authorizationSource>
    <managingRightAttribute>roleRequester</managingRightAttribute>
    <allowSelfRequest>false</allowSelfRequest>
    <objectAttribute>roleApplication</objectAttribute>
  </requestStrategy>
  <workflowStrategyForCreate xsi:type="ctdbum:ScriptRoleWorkflowStrategyType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <readOnlyDimensionTags />
    <readWriteDimensionTags>
      <tag>INIT</tag>
    </readWriteDimensionTags>
    <ruleDefinition>
      <script><![CDATA[
                return (ROLE_REQUEST.role.roleWorkflow) ?: null
                ]]></script>
    </ruleDefinition>
  </workflowStrategyForCreate>
  <workflowStrategyForUpdate xsi:type="ctdbum:ScriptRoleWorkflowStrategyType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <readOnlyDimensionTags />
    <readWriteDimensionTags>
      <tag>INIT</tag>
    </readWriteDimensionTags>
    <ruleDefinition>
      <script><![CDATA[return (ROLE_REQUEST.role.roleWorkflow) ?: null]]></script>
    </ruleDefinition>
  </workflowStrategyForUpdate>
  <workflowStrategyForDelete xsi:type="ctdbum:NoneRoleWorkflowStrategyType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <readOnlyDimensionTags>
      <tag>INIT</tag>
    </readOnlyDimensionTags>
    <readWriteDimensionTags />
  </workflowStrategyForDelete>
</ctdbum:RoleRequestPolicy>
Role Request Policy Object - Organizational Strategy, No Workflow
CODE
<ctdbum:RoleRequestPolicy id="orgaRolePolicy" xmlns:ctdbum="http://www.memority.com/citadel/bum/1_0">
  <name>Request Policy with Organization Management Strategy - Default</name>
  <description>Request with for Organization Management Strategy - Default</description>
  <priority>-1</priority>
  <rolePublicationTypeId>commonPublication</rolePublicationTypeId>
  <requestStrategy xsi:type="ctdbum:OrganizationalRoleRequestStrategyType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <authorizationSource>POLICY</authorizationSource>
    <managingRightName>adm.admin-features</managingRightName>
    <allowSelfRequest>false</allowSelfRequest>
  </requestStrategy>
  <workflowStrategyForCreate xsi:type="ctdbum:NoneRoleWorkflowStrategyType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <readOnlyDimensionTags />
    <readWriteDimensionTags>
      <tag>INIT</tag>
    </readWriteDimensionTags>
  </workflowStrategyForCreate>
  <workflowStrategyForUpdate xsi:type="ctdbum:NoneRoleWorkflowStrategyType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <readOnlyDimensionTags />
    <readWriteDimensionTags>
      <tag>INIT</tag>
    </readWriteDimensionTags>
  </workflowStrategyForUpdate>
  <workflowStrategyForDelete xsi:type="ctdbum:NoneRoleWorkflowStrategyType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <readOnlyDimensionTags>
      <tag>INIT</tag>
    </readOnlyDimensionTags>
    <readWriteDimensionTags />
  </workflowStrategyForDelete>
</ctdbum:RoleRequestPolicy>
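As an added example (not part of the Memority documentation or product), the following Python check applies the "Mandatory" rules stated in the Request Strategy and Workflow Strategy tables above to a RoleRequestPolicy XML before it is imported, so that a policy with a missing managing right or an incomplete workflow strategy is caught at review time. The sample policy is constructed for this example, and the rule tables encode only what this page states.

```python
import re
import xml.etree.ElementTree as ET
XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Mandatory children of each request strategy, per authorizationSource (from the tables above).
RIGHT = {"PUBLICATION": ["managingRightAttribute", "allowSelfRequest"],
         "ROLE": ["managingRightAttribute", "allowSelfRequest"],
         "POLICY": ["managingRightName", "allowSelfRequest"]}
REQUEST_RULES = {"OrganizationalRoleRequestStrategyType": RIGHT,
                 "ObjectRelationRoleRequestStrategyType": RIGHT,
                 "SelfServiceRoleRequestStrategyType": {"PUBLICATION": ["selfRequestAttribute"],
                                                        "ROLE": ["selfRequestAttribute"], "POLICY": []}}
# Mandatory children of each workflow strategy (dimension tags are optional); the mapped
# type is spelled as in the page's XML samples.
WORKFLOW_RULES = {"NoneRoleWorkflowStrategyType": [],
                  "FixedRoleWorkflowStrategyType": ["workflowId"],
                  "ScriptRoleWorkflowStrategyType": ["ruleDefinition"],
                  "MappedRoleWorfklowStrategyType": ["rolePublicationType", "mappingKeySource",
                                                     "mappingKeyAttribute"]}

def xsi_type(elem):
    """xsi:type value without its namespace prefix ('ctdbum:X' -> 'X'); '' if absent."""
    return elem.get(f"{{{XSI}}}type", "").split(":", 1)[-1]

def text(parent, name):
    child = parent.find(name)
    return child.text.strip() if child is not None and child.text else None

def check_policy(xml_text):
    """Return the consistency findings for one RoleRequestPolicy (empty list if consistent)."""
    root = ET.fromstring(xml_text)
    pid = root.get("id") or "<no id>"
    out = []
    if not re.fullmatch(r"[A-Za-z0-9_-]+", pid):  # id allows no special characters except - and _
        out.append("id contains characters other than letters, digits, - or _")
    out += [f"{r} is mandatory" for r in ("name", "rolePublicationTypeId") if text(root, r) is None]
    rs = root.find("requestStrategy")
    rules = REQUEST_RULES.get(xsi_type(rs)) if rs is not None else None
    source = text(rs, "authorizationSource") if rs is not None else None
    if rules is None:
        out.append("requestStrategy is missing or has an unknown xsi:type")
    elif source not in rules:
        out.append(f"authorizationSource must be PUBLICATION, ROLE or POLICY, got {source!r}")
    else:  # e.g. POLICY needs managingRightName, PUBLICATION/ROLE need managingRightAttribute
        out += [f"{r} is mandatory when authorizationSource is {source}"
                for r in rules[source] if text(rs, r) is None]
    for slot in ("workflowStrategyForCreate", "workflowStrategyForUpdate", "workflowStrategyForDelete"):
        ws = root.find(slot)
        wtype = xsi_type(ws) if ws is not None else None
        if wtype not in WORKFLOW_RULES:
            out.append(f"{slot} is missing or has an unknown xsi:type")
        else:
            out += [f"{slot} ({wtype}) requires {r}" for r in WORKFLOW_RULES[wtype] if ws.find(r) is None]
    return [f"{pid}: {m}" for m in out]

# Constructed sample with three deliberate defects: managingRightAttribute instead of
# managingRightName for the POLICY source, a Fixed create strategy without workflowId, no delete strategy.
SAMPLE = """<ctdbum:RoleRequestPolicy id="sample-policy" xmlns:ctdbum="http://www.memority.com/citadel/bum/1_0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>Sample policy</name><priority>1</priority>
  <rolePublicationTypeId>commonPublication</rolePublicationTypeId>
  <requestStrategy xsi:type="ctdbum:OrganizationalRoleRequestStrategyType">
    <authorizationSource>POLICY</authorizationSource>
    <managingRightAttribute>scopedright</managingRightAttribute>
    <allowSelfRequest>false</allowSelfRequest>
  </requestStrategy>
  <workflowStrategyForCreate xsi:type="ctdbum:FixedRoleWorkflowStrategyType">
    <readOnlyDimensionTags/><readWriteDimensionTags/>
  </workflowStrategyForCreate>
  <workflowStrategyForUpdate xsi:type="ctdbum:NoneRoleWorkflowStrategyType"/>
</ctdbum:RoleRequestPolicy>"""
```

Running `check_policy(SAMPLE)` reports the three defects; a policy that satisfies every rule returns an empty list.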
