17.9 Promoting Detected Roles to Assigned Roles

Identity Governance detects users who hold all the permissions of a role, even when the role has not been assigned to them. Primarily, fulfillers assign technical roles to users based on access requests or business role authorizations. However, promoting detected roles to assigned roles gives administrators the ability to onboard any initial assignments.

After you assign the users to the role, Identity Governance creates a report you can download that contains information about the technical role assignment. The report lists the following for each user:

  • The name of the technical role assigned to the user

  • The role unique identifier

  • The user’s unique ID

  • The time the role was assigned

  • Any notes or issues associated with the user assignment, such as:

    • The user attributes did not uniquely identify a single user

    • The user was already assigned to the role

    • The role identified in a CSV file used for role assignment is not active

    • The role identified in a CSV file used for role assignment cannot be found or is deleted

Administrators can use the following methods to assign technical roles to detected users:

17.9.1 Assigning a Technical Role to Specific Detected Users of a Role

When you create a technical role, Identity Governance automatically detects users that have all permissions specified in the role. You can choose to assign the technical role to only some detected users.

To assign a technical role to specific detected users of a role:

  1. Log in as a Customer, Global, or Technical Roles Administrator.

  2. Under Catalog, select Roles.

  3. Add # Users with all Permissions to the displayed columns.

  4. Click the number of detected users for a role.

  5. Select the users to assign.

  6. Click Assign role to users.

  7. Provide an Assignment comment.

  8. Click Assign.

NOTE: You can also perform this technical role assignment when you edit a technical role. You can click the Users with all Permissions tab, then perform Step 5 through Step 8 in the procedure.

17.9.2 Assigning Technical Roles to Detected Users with All Permissions of a Role

When you create a technical role, Identity Governance automatically detects users that have all permissions specified in the role. Administrators can assign a technical role to the users who have all permissions of the role. Identity Governance also allows administrators to perform that function for multiple technical roles.

To assign technical roles to users with all permissions of a role:

  1. Log in as a Customer, Global, or Technical Roles Administrator.

  2. Under Catalog, select Roles.

  3. Select one or more roles from the list, then select Actions > Assign role to users.

  4. Enter an Assignment comment.

  5. From Assignment strategy, select Users with All Permissions.

  6. (Optional) Click Preview to download a report that contains information about the technical role assignment.

    NOTE: The Assignment Time column of the report will be empty, because the report is the result of a preview, not a role assignment.

  7. Click Assign.

17.9.3 Assigning Technical Roles Using a Search Query

When you create a technical role, Identity Governance automatically detects users that have all permissions specified in the role. Administrators can create a search query to specify users to assign the technical role, including those who do not have all permissions for the role. For information about using the Expression Builder to create a search query, see Section 5.0, Using Advanced Filters for Searches. Identity Governance also allows administrators to use a search query to assign multiple technical roles to users that match the search query.

To assign technical roles to users matching a search query:

  1. Log in as a Customer, Global, or Technical Roles Administrator.

  2. Under Catalog, select Roles.

  3. Select one or more roles from the list, then select Actions > Assign role to users.

  4. Enter an Assignment comment.

  5. From Assignment strategy, select Users matching query.

  6. Click the filter icon and create a search query.

  7. (Optional) Click Preview to download a report that contains information about the technical role assignment.

    NOTE: The “Assignment Time” column of the report will be empty, because the report is the result of a preview, not a role assignment.

  8. Click Assign.

17.9.4 Assigning Technical Roles Using a CSV File

When you create a technical role, Identity Governance automatically detects users that have all permissions specified in the role. Administrators can create a CSV file that lists specific users to assign the technical role, including those who do not have all permissions for the role. Identity Governance also provides administrators with two methods for using a CSV file to assign multiple technical roles to users listed in the file:

  • By selecting one or more roles from the list

  • By including the technical role names in the CSV file

Creating a CSV File

You can use the Identity Governance user interface to create a CSV file, which you must then modify before you use it to assign technical roles.

To create a CSV file:

  1. Log in as a Customer, Global, or Technical Roles Administrator.

  2. Under Catalog, select Identities.

  3. Use the advanced filter to create a list of the users to whom you want to assign the technical roles. For information about using the Expression Builder to create a search query, see Section 5.0, Using Advanced Filters for Searches.

  4. Click Download all as CSV.

Modifying a Generated CSV File

The heading names that appear in the CSV file you generated are the display names for the attributes, but technical role onboarding requires heading names to be attribute keys. Before you can assign technical roles from the CSV file, you must open the CSV file and change each heading name from the display name to the appropriate attribute key. To see a list of attributes and their attribute keys, click Data Administration > Identity Attributes.

In addition, if you plan to assign technical roles to users by including the technical role name in the CSV file, you must create a column in the file for the technical role names.

To add technical role names to the CSV file:

  1. Open the CSV file you generated.

  2. Create a technical roles column with the heading name technicalRole.

  3. In each user's technicalRole cell, specify the technical role names you want to assign to that user.

  4. (Conditional) If you are assigning multiple technical roles to a user, separate the technical role names by commas.
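The header change and the technicalRole column described above can be scripted and checked before upload. The following is an added example, not part of the product documentation: the display-name-to-key mapping, the sample export, and the role names are constructed, and the real attribute keys must be taken from Data Administration > Identity Attributes.

```python
import csv
import io

# Assumed mapping of display names to attribute keys (hypothetical values).
DISPLAY_TO_KEY = {"Display Name": "displayName", "Email": "email",
                  "Department": "department"}

# Constructed sample of a "Download all as CSV" export.
SAMPLE_EXPORT = (
    "Display Name,Email,Department\n"
    "Ana Ruiz,aruiz@example.com,Finance\n"
    "Ben Cole,bcole@example.com,IT\n"
    "Ben Cole,bcole@example.com,IT\n"
)

# Constructed plan: technical roles to assign, keyed by the email attribute.
ROLE_PLAN = {
    "aruiz@example.com": ["AP Clerk", "GL Viewer"],
    "bcole@example.com": ["Server Operator"],
}

def prepare_onboarding_csv(export_text, header_map, role_plan, id_key="email"):
    """Return (csv_text, issues) for a file with attribute-key headings."""
    reader = csv.reader(io.StringIO(export_text))
    headers = next(reader)
    unmapped = [h for h in headers if h not in header_map]
    if unmapped:
        # Refuse to emit a file that still carries display-name headings.
        raise ValueError(f"no attribute key known for headings: {unmapped}")
    keys = [header_map[h] for h in headers] + ["technicalRole"]
    id_col = keys.index(id_key)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(keys)
    issues, seen = [], set()
    for line_no, row in enumerate(reader, start=2):
        ident = row[id_col].strip()
        if ident in seen:
            issues.append((line_no, f"duplicate {id_key}: {ident}"))
            continue
        seen.add(ident)
        roles = role_plan.get(ident)
        if not roles:
            issues.append((line_no, f"no technical role planned for {ident}"))
            continue
        # Several roles share one cell, comma separated; csv.writer quotes
        # the cell so the commas are not read as column separators.
        writer.writerow(row + [",".join(roles)])
    return out.getvalue(), issues
```

Review the returned issues list before uploading the file, then use Preview in the assignment dialog to confirm that the report lists only the intended users and roles.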

Assigning Selected Technical Roles to User Names Listed in a CSV File

One of two methods for assigning technical roles from a CSV file allows you to select roles in Identity Governance, then use a CSV file to assign those roles to users listed in the CSV file.

To assign technical roles to users from a CSV file by selecting roles from the list:

  1. Log in as a Customer, Global, or Technical Roles Administrator.

  2. Under Catalog, select Roles.

  3. Select one or more roles from the list, then select Actions > Assign role to users.

  4. Enter an Assignment comment.

  5. From Assignment strategy, select Users from CSV.

  6. Click Browse to find the CSV file that contains the users to whom you want to assign the technical roles.

  7. (Optional) Click Preview to download a report that contains information about the technical role assignment.

    NOTE: The “Assignment Time” column of the report will be empty, because the report is the result of a preview, not a role assignment.

  8. Click Assign.

NOTE: If a user listed in the CSV file already has the role assigned to them, the role is not reassigned. However, the report Identity Governance generates after role assignment will indicate that the role was already assigned to the user, and the assignment time will indicate the time the role was first assigned to the user.

Assigning Technical Roles from a CSV that Includes Technical Role Names

One of two methods for assigning technical roles from a CSV file allows you to assign technical roles to users by including the technical role name in the CSV file. Before you use this method, be sure you modified the CSV file as described in Modifying a Generated CSV File.

To assign technical roles to users from a CSV file that includes the technical role name:

  1. Log in as a Customer, Global, or Technical Roles Administrator.

  2. Under Catalog, select Roles.

  3. Click Actions > Assign roles to users.

  4. Enter an Assignment comment.

  5. Click Browse to find the CSV file that contains the users to whom you want to assign the technical roles.

  6. (Optional) Click Preview to download a report that contains information about the technical role assignment.

    NOTE: The “Assignment Time” column of the report will be empty, because the report is the result of a preview, not a role assignment.

  7. Click Assign.

NOTE: If a user listed in the CSV file already has the role assigned to them, the role is not reassigned. However, the report Identity Governance generates after role assignment will indicate that the role was already assigned to the user, and the assignment time will indicate the time the role was first assigned to the user.