flames
417 Posts

Pinned topic Role assignment attributes - sanity check

‏2013-10-25T16:03:02Z |

All

I've just stumbled upon role assignment attributes, and I thought all my Christmases had come at once. Except they haven't.

What I had hoped this would give me would be a way of adding an attribute AND an attribute value to a role, and then when assigning that role I can perform logic in the provisioning policy.

As an example, create a role called "Financial Control - Basic" and add an attribute to that role called "Credit Limit". Set the value of that attribute to 100,000. Set a second role called "Financial Control - Approved" and set the Credit Limit attribute to 1000,000.

What this would give me is a way of deriving information from a role that is needed to provision a valid, fully formed account where that information cannot be determined from anywhere else within ISIM (either the owning identity or the account form).

But no, these attributes are set per identity. So whenever an identity is added as a role member, you manually enter the value for each attribute.

I know there are other ways of determining this information, but this would have been a really light-touch and easily referenced way of adding value to an existing service while using standard ISIM functionality. I can't see any value in how this has been implemented.

Niall

  • mark99
    26 Posts

    Re: Role assignment attributes - sanity check

    ‏2013-10-25T18:17:59Z  

    Hi Niall

     

    As I understand it, if you have 2 distinct roles you can make 2 provisioning policies and hard-code the credit limit.

    The way it is set up now can help in other scenarios:

    - you can, for instance, set a date when the user has to be removed from the role

    - you can set a variable credit limit that is set by the approver when the user is added.

    True, you can put this kind of information on the person object, but if you talk about hundreds of roles in the system then the person object becomes overloaded with these attributes.

    Greetings

    Mark Vinkx

     

  • flames
    417 Posts

    Re: Role assignment attributes - sanity check

    ‏2013-10-27T14:39:00Z  

    Hi Mark


    Good points, and I agree with you. I was just grumbling because this didn't work how I wanted it to. At some point I'll have a requirement where role attributes fit perfectly and I'll be full of praise :)