
Role Type

Definition

A Role Type defines the different Roles or Super Roles managed by the Memority application.
A Role grants one or more rights that allow the user to access Features in the application or in an external application.
A Super Role grants one or more Roles, and therefore the rights associated with those Roles.
A Role or a Super Role is given to an Identity through a Role assignment.

Roles are configured to provide Rights. To achieve this, they provide two major functionalities:

  • They can be organized as a two-level hierarchy: Super Roles include Roles, which in turn include Rights.

  • They provide the mechanisms by which the properties of the granted Rights are set (when needed):

    • Target

    • Privilege

    • Dimensions

Configuration

Global information about the properties common to all object types, and about associations with attributes, is detailed in the Object Types page.

Specific properties

Property name | Type | Description | Values (default value in bold) | Modifiable after creation

superRole
Type: Boolean
Description: A Super Role defines a set of Roles that are automatically assigned to an Identity when the Super Role is assigned.

The following conditions are expected to be valid:

  • The bound Role cannot be a Super Role itself.

  • The bound Role Dimensions must all be mapped on the Super Role.

  • The association constraints, as defined on the bound Role Type, must be respected.

Values: ON, OFF
Modifiable after creation: YES

rightsFilterRegex
Type: Regex expression
Description: Filters the rights offered for selection in the right bindings widget using a regular expression.
Not available for Super Roles.

Values: -
Modifiable after creation: YES

allowedSuperRoleTypes
Type: Enum
Description: Selects the Role Types that are allowed to include this Role Type.

Values: -
Modifiable after creation: YES

identityConstraints
Type: Rules
Description: Configures rules that prevent the assignment of Roles to Identities.

If the constraint matches, a no-entry sign is displayed next to the Role(s) or Identity(ies) in the Role Assignment Widget and the Bulk Role Assignment Widget.

Identity constraints do not work on Role Assignment Policies.

Example in Groovy script:

// Only constrain the assignment of the Role with id "VO4739".
if (DIMENSION.targetRole.id == "VO4739") {
  def thisId = OBJECT.id
  // Find this Identity only if it is in NORMAL status and already holds Role "WB0219".
  def user = FIND.identity().withAttributesProjection("id").matching(expr { hasRoleMatching(role.eq("WB0219")) & status.eq('NORMAL') & id.eq(thisId)})

  if (!user) {
    return ValidationRuleResult.invalid("Default message", "ui.errors.identityconstraint.invalid.msg")
  }
  else {
    return ValidationRuleResult.valid()
  }
}
else {
  return ValidationRuleResult.valid()
}

Values: -
Modifiable after creation: YES

commentMandatoryRule
Type: Rules
Description: Configures the rules that make a comment mandatory during a role assignment request.

If the comment is mandatory, the comment icon turns red when the requester clicks on the "Assign" button.

Example in Groovy script:

return true

Values: -
Modifiable after creation: YES

commentValidationRule
Type: Rules
Description: Configures the validation rules applied to the comment during a role assignment request.

If a validation rule is configured, it is advisable to define a validation error message in the Groovy script.

Example in Groovy script:

String value = (String) VALUE

// A missing comment (null) fails the length check and is rejected as well.
if (value?.length() >= 3) {
    return ValidationRuleResult.valid()
} else {
    return ValidationRuleResult.invalid(
        "Invalid comment on RA: must be at least 3 characters long")
}

Values: -
Modifiable after creation: YES

enabledFromMandatoryRule, enabledUntilMandatoryRule
Type: Rules
Description: Configures the rules that make the start/end dates mandatory during a role assignment request.

If the start/end dates are mandatory, a red star is displayed next to the validity field.

Example in Groovy script:

// The date is mandatory only when the Role is flagged as sensitive.
if (DIMENSION.sourceRole.sensitivity) {
    return true
} else {
    return false
}

Values: -
Modifiable after creation: YES

enabledFromInitRule, enabledUntilInitRule
Type: Rules
Description: Configures the initialization rule for the start/end dates during a role assignment request.

If an initialization rule is configured, the field is pre-filled but remains modifiable.

Example in Groovy script:

import java.time.Instant
import java.time.temporal.ChronoUnit
// Pre-fill the field with today's date at 00:00 UTC.
return Instant.now().truncatedTo(ChronoUnit.DAYS)

Values: -
Modifiable after creation: YES

enabledFromValidationRule, enabledUntilValidationRule
Type: Rules
Description: Configures the validation rules applied to the start/end dates during a role assignment request.

If a validation rule is configured, it is advisable to define a validation error message in the Groovy script.

Example in Groovy script:

import java.time.Instant
import java.time.temporal.ChronoUnit
Integer delay = 3
// Reject a start date that lies more than `delay` days after today.
if (Instant.now().truncatedTo(ChronoUnit.DAYS).plus(delay, ChronoUnit.DAYS).isBefore(DIMENSION.sourceEnabledFrom.truncatedTo(ChronoUnit.DAYS))) {
    return ValidationRuleResult.invalid(
        "Invalid enabledFrom on RA: must not be more than " + delay +
        " days from now")
} else {
    return ValidationRuleResult.valid()
}

Values: -
Modifiable after creation: YES
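
The three Super Role conditions listed under superRole, modelled as a single check in Python. This is an added example, not Memority code: every class and field name is an assumption, and the third condition is modelled as an allow-list driven by allowedSuperRoleTypes.

```python
from dataclasses import dataclass, field

# Constructed model: every class and field name here is an assumption,
# not Memority's schema or API.
@dataclass
class RoleType:
    name: str
    super_role: bool = False
    # Assumption: only the Role Types listed here may include this one.
    allowed_super_role_types: set = field(default_factory=set)

@dataclass
class Role:
    id: str
    role_type: RoleType
    dimensions: set = field(default_factory=set)

def check_binding(super_role, bound, mapping):
    """Return the conditions violated when `bound` is bound to `super_role`.

    `mapping` maps each Dimension of the bound Role to a Super Role Dimension.
    """
    errors = []
    if bound.role_type.super_role:
        errors.append("bound Role is itself a Super Role")
    unmapped = sorted(d for d in bound.dimensions
                      if mapping.get(d) not in super_role.dimensions)
    if unmapped:
        errors.append("unmapped dimensions: " + ", ".join(unmapped))
    if super_role.role_type.name not in bound.role_type.allowed_super_role_types:
        errors.append("Role Type %s may not be included by %s"
                      % (bound.role_type.name, super_role.role_type.name))
    return errors

# Constructed sample data.
JOB_PROFILE = RoleType("jobProfile", super_role=True)
APP_ROLE = RoleType("appRole", allowed_super_role_types={"jobProfile"})
ADMIN_ROLE = RoleType("adminRole")

manager = Role("SR-MANAGER", JOB_PROFILE, {"organization"})
approver = Role("R-APPROVER", APP_ROLE, {"site"})
root = Role("R-ROOT", ADMIN_ROLE)

if __name__ == "__main__":
    print(check_binding(manager, approver, {"site": "organization"}))  # accepted
    print(check_binding(manager, approver, {}))   # Dimension left unmapped
    print(check_binding(manager, root, {}))       # Role Type not allowed
    print(check_binding(manager, manager, {"organization": "organization"}))
```

Because a Super Role grants its bound Roles automatically, a binding that fails any of these checks would hand out a Role outside the scope or Role Types its owner intended.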
