IAM Business Accelerator for Privileged Identity - Automatically remove users from a role

Solution to automatically remove users from a role


Access and entitlements to an organization's resources can be controlled through organizational roles. Role membership assignments for a user can be permanent (long term) or temporary. For temporary role membership assignments, this solution provides a way to automatically remove users from the role.



IBM Security Privileged Identity Manager helps to protect, manage and track these privileged IDs. Its key capabilities include:

  • Centralized administration, secure access, and storage of privileged shared account credentials.

  • Role-based access control for shared accounts.

  • Life cycle management of shared accounts ownership.

  • Single sign-on through automated check-out and check-in of shared credentials.

  • Auditing of shared credentials access events.

  • Integration with the broader Identity and Access Management Governance portfolio.

Refer to “Addressing Privileged Identity Scenarios with IBM Security Privileged Identity Manager White Paper” for details.

Access to shared IDs is controlled through roles and policies. The Shared Access policy dictates which sets of shared IDs are accessible to members of which roles.

Organizations can define these roles and policies at different levels of granularity. For example, the IBM Security Identity Manager administrator can:

  • Start with a single Shared Access policy that entitles a single role, such as allPrivilegedUsers, with rights to all available Shared IDs.

  • Gradually evolve into a set of separate policies with different combinations of Roles and Service Types or Service instances, as shared IDs get rolled out to more services.

  • Delegate management of these policies to respective resource owners.

After the administrator defines the policies, privileged users assigned to the respective roles can check out and check in the shared IDs to which they are entitled.

There can be a few roles in the organization that provide access to privileged IDs in case of an emergency (for example, unplanned absences). To maintain business compliance, people should be assigned to these roles only to handle emergency situations and should be removed (manually or automatically) after they are done.


Limitation of using built-in functionality

IBM Security Privileged Identity Manager does not provide a way to assign roles on a temporary basis, which can be automatically unassigned after a certain period.

This document provides a solution that automates the role membership removal process.


Proposed Solution

This document provides a solution based on IBM Security Identity Manager life cycle rules.

The solution makes use of a life cycle rule which, when scheduled or triggered by an authorized user, checks the configured role, finds the members of that role, and removes them from it.

The solution consists of following steps:

  1. Create a custom non-static workflow operation.

  2. Create a life cycle rule to filter the users of a specific role, an emergency role in this example.

  3. Schedule the periodic execution of the life cycle rule.

See section “Step by step deployment” for details on each step.

Advantages of the Solution

  1. The solution makes use of IBM Security Identity Manager's built-in and supported capabilities, such as life cycle rules and scheduling.

  2. The custom life cycle rule can be easily extended or changed to support multiple emergency roles.

  3. The emergency role assignment check can be automated by scheduling the life cycle rule to run periodically.

  4. Multiple life cycle rules using this same operation can be created for different emergency roles with different schedules.


Limitations of the Solution

  1. The life cycle rule can only handle one role at a time, so it has to be configured once for each role.

  2. The life cycle rule configuration requires the erGlobalId of the role, instead of the role name.

  3. The life cycle rule does not take into consideration the time when the role was assigned to the user.

  4. The membership removal action is not audited and is not available in any out-of-the-box reports, although custom reports can be generated through the common reporting tool based on Business Intelligence and Reporting Tools (BIRT).

Step by step deployment

1. Create a custom non-static workflow operation

  1. Log in to the IBM Security Identity Manager Administrative Console.

  2. Go to Configure System → Manage Operations.

  3. Select 'Entity Type Level' as operation level, 'Person' as entity type and click 'Add'.

  4. Provide 'emergencyRoleRemove' as operation name and click 'Continue'.

  5. Create the following structure in the workflow designer: a JavaScript node followed by a person modify operation node.

    The JavaScript node removes the defined emergency role from the person entity and then passes the updated person entity to the person modify operation node. That node is based on the built-in person modify extension, which updates the person entity in the identity management system.

  6. Click the 'Properties' button, set 'Operation Type' to 'Non-static', click 'Ok', and add 'RoleName' to the relevant data.

  7. Open the JavaScript node to provide its details.

  8. Add an 'accountSuspend' string to the relevant data.

  9. Open the operation node to provide its details.

You should be able to see 'roleRemoval' listed in the available operations for entity type 'Person'.



2. Create a life cycle rule

  1. Log in to the IBM Security Identity Manager Administrative Console.

  2. Go to Configure System → Manage Life Cycle Rules.

  3. Select 'Entity Type Level' as operation level, 'Person' as entity type and click 'Add'.

    General Tab:

    Event Tab: Provide the filter very carefully. It is recommended to test it with the ldapsearch command.

    Note: The search filter for the life cycle rule requires the erglobalid of the role, which can be obtained by searching your LDAP directory for the role. For IBM Directory Server, you can use the following command (bind credentials added so the ISIM entries are visible; the trailing attribute name limits the output to the erglobalid value you need):

    ./idsldapsearch -h <ldapServer_hostname> -p <ldapServer_portnumber> -D <bind_dn> -w <bind_password> -b <ldap_suffix> "(errolename=emergencyRole)" erglobalid


    Set the search filter to (erroles=erglobalid=1657696561861946905*), substituting the erglobalid value returned for your role.

  4. Click 'Ok' to create.


    System is now ready for testing.
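To make the rule's behaviour concrete before testing it, the following added example (not code from the original document or from the IBM product) models on plain JavaScript objects what the life cycle rule filter and the JavaScript node do. It assumes that a person's erroles attribute holds role DNs shaped like erglobalid=<id>,ou=roles,..., uses the erglobalid value quoted above together with constructed sample entries, and also shows why anchoring the filter on the comma that ends the RDN avoids selecting a role whose erglobalid merely shares the same leading digits.

```javascript
// Added example, not part of the original document or the ISIM product.
// Models the life cycle rule filter and the JavaScript node on plain objects.
// Assumption: erroles holds role DNs shaped like erglobalid=<id>,ou=roles,...
const ROLES_BASE = "ou=roles,erglobalid=00000000000000000000,ou=org,dc=example"; // constructed
const EMERGENCY_ID = "1657696561861946905";  // erglobalid quoted in the document
const LOOKALIKE_ID = "16576965618619469051"; // constructed: same leading digits
const GENERAL_ID = "2000000000000000001";    // constructed: stands in for 'generalRole'

// Constructed person entries, as the directory would hold them.
const PEOPLE = [
  { uid: "mandar", erroles: [`erglobalid=${EMERGENCY_ID},${ROLES_BASE}`,
                             `erglobalid=${GENERAL_ID},${ROLES_BASE}`] },
  { uid: "alice",  erroles: [`erglobalid=${LOOKALIKE_ID},${ROLES_BASE}`] },
  { uid: "bob",    erroles: [`erglobalid=${GENERAL_ID},${ROLES_BASE}`] },
];

// Evaluates one "(attr=prefix*)" substring filter, as the rule's Event tab does
// (simplified: exact-case prefix match on a multi-valued attribute).
function matchesFilter(entry, filter) {
  const m = /^\((\w+)=(.*)\*\)$/.exec(filter);
  if (!m) throw new Error("only (attr=prefix*) filters are modelled here");
  const [, attr, prefix] = m;
  return (entry[attr] || []).some((v) => v.startsWith(prefix));
}

// Returns the uids the rule would select for the given filter.
function selectMembers(people, filter) {
  return people.filter((p) => matchesFilter(p, filter)).map((p) => p.uid);
}

// What the JavaScript node does: drop the emergency role DN, keep the others,
// and hand the modified person to the person modify node.
function removeRole(person, roleGlobalId) {
  const prefix = `erglobalid=${roleGlobalId},`;
  const kept = person.erroles.filter((dn) => !dn.startsWith(prefix));
  return { ...person, erroles: kept, changed: kept.length !== person.erroles.length };
}

// The document's filter, and a tightened one anchored on the comma that ends the
// RDN so a role whose erglobalid merely starts with the same digits is not hit.
const DOC_FILTER = `(erroles=erglobalid=${EMERGENCY_ID}*)`;
const TIGHT_FILTER = `(erroles=erglobalid=${EMERGENCY_ID},*)`;

// Runs the whole rule: select members, then apply the removal to each.
function runRule(people, filter, roleGlobalId) {
  return people.filter((p) => matchesFilter(p, filter)).map((p) => removeRole(p, roleGlobalId));
}
```

In the real deployment the filter is evaluated by the directory server and the person object comes from, and goes back to, the operation's relevant data; this code only reproduces the selection and removal logic.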

Testing the Solution

  1. Create two roles, 'generalRole' and 'emergencyRole', and make a user 'mandar' a member of both. Update the life cycle rule filter so that it applies only to 'emergencyRole'.

  2. Select life cycle rule and click 'Run'.

  3. Go to 'View Requests → View All Requests' and check the result.

  4. Verify that user 'mandar' now has only one role 'generalRole' assigned to him.

  5. Test this life cycle rule again by providing a schedule.


Issue 1 - Operation not available in the list while creating the life cycle rule.

Solution - Open operation from 'Configure System → Manage Operations' and check properties. Operation type must be non-static.


Issue 2 - Syntax error after running the life cycle rule.

Solution - Check the JavaScript node for syntax errors.

In case of any other issues follow the product's troubleshooting document or check the product's trace and message log files.

