2 replies Latest Post - ‏2013-10-27T14:39:00Z by flames
412 Posts

Pinned topic Role assignment attributes - sanity check

‏2013-10-25T16:03:02Z


I've just stumbled upon role assignment attributes, and I thought all my Christmases had come at once. Except they haven't.

What I had hoped this would give me would be a way of adding an attribute AND an attribute value to a role, and then when assigning that role I can perform logic in the provisioning policy.

As an example, create a role called "Financial Control - Basic" and add an attribute to that role called "Credit Limit". Set the value of that attribute to 100,000. Set a second role called "Financial Control - Approved" and set the Credit Limit attribute to 1,000,000.

What this would give me is a way of deriving information from a role that is needed to provision a valid, fully formed account where that information cannot be determined from anywhere else within ISIM (either the owning identity or the account form).

But no, these attributes are set per identity. So whenever an identity is added as a role member, you manually enter the value for each attribute.

I know there are other ways of determining this information, but this would have been a really light-touch and easily referenced way of adding value to an existing service while using standard ISIM functionality. I can't see any value in how this has been implemented.


  • mark99
    26 Posts

    Re: Role assignment attributes - sanity check

    ‏2013-10-25T18:17:59Z  in response to flames

    Hi Nial


    As I understand it, if you have 2 distinct roles you can make 2 provisioning policies and hard code the credit limit.

    The way it is set up now can help in other scenarios:

    - you can, for instance, set a date when the user has to be removed from the role

    - you can set a variable credit limit that is set by the approver when the user is added.

    True, you can put this kind of information on the person object, but if you talk about hundreds of roles in the system then the person object becomes overloaded with these attributes.


    Mark Vinkx


    • flames
      412 Posts

      Re: Role assignment attributes - sanity check

      ‏2013-10-27T14:39:00Z  in response to mark99

      Hi Mark

      Good points, and I agree with you. I was just grumbling because this didn't work how I wanted it to. At some point I'll have a requirement where role attributes fit perfectly and I'll be full of praise :)