Role assignment attributes

You can define role assignment attributes. The attributes can be associated with a person-role relationship.

Optional tasks for role assignment attributes are:
  • Defining role assignment attributes when creating or modifying a static role.
  • Associating a custom label with each assignment attribute.
  • Specifying assignment attribute values for the existing user members of the role.
Note:
  1. Only static roles support assignment attributes.
  2. Only the string type and text widget of assignment attributes are supported.

ACI capabilities for role assignment attributes

Both the default and new ACIs support attribute-level permissions for role assignment attributes, like other attributes in the role definition. You can now modify or create ACIs and set attribute-level permissions that grant or deny usage of these role assignment attributes within the role definition. Only authorized users can read or write assignment attributes. Additionally, you can:

• Set ACIs to read or write assignment attribute values when adding a user to the role.

• Set assignment attribute values for the existing user members.

ACI works the same way as it does for other entities. There is no ACI on specific role assignment attributes. The following attributes are available:

• erRoleAssignmentKey is an attribute on the role that dictates the permission to define role assignment attributes on the role.

• erRoleAssignments is an attribute on the person that dictates the permission to assign values for the assignment attributes.

To view the role assignment attribute value on a person form, the logged-in user must have read permissions on erRoles, erRoleAssignmentKey, and erRoleAssignments.

To edit the role assignment attribute value on a person form, the logged-in user must have read permissions on erRoles and erRoleAssignmentKey, and write permissions on erRoleAssignments.

You cannot define ACI on the assignment attribute that you defined on the role.
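
The view and edit rules above can be checked mechanically when reviewing ACI changes. The following is an added example, not IBM product code: it models the two person-form rules over a constructed map of effective permissions and flags grants on erRoleAssignments that have no effect because a prerequisite read is missing. The input shape, function names, and principal names are assumptions.

```javascript
// Added example: models the person-form rules from this page. Not IBM product code.
// Assumption: `effective` maps principal -> attribute -> { read, write } booleans,
// i.e. the outcome after ACI evaluation, collected by whatever means you have.
const PREREQ_READS = ["erRoles", "erRoleAssignmentKey"];
const VALUE_ATTR = "erRoleAssignments";

const has = (perms, attr, op) => Boolean(perms[attr] && perms[attr][op]);

// Apply the two rules: view = read on all three attributes; edit = read on the
// two prerequisite attributes plus write on erRoleAssignments.
function evaluatePersonFormAccess(perms) {
  const missingReads = PREREQ_READS.filter((a) => !has(perms, a, "read"));
  const prereqsMet = missingReads.length === 0;
  return {
    canView: prereqsMet && has(perms, VALUE_ATTR, "read"),
    canEdit: prereqsMet && has(perms, VALUE_ATTR, "write"),
    missingReads,
  };
}

// Flag grants that do not produce the access the administrator likely intended.
function auditPrincipals(effective) {
  return Object.entries(effective).map(([principal, perms]) => {
    const access = evaluatePersonFormAccess(perms);
    const findings = [];
    const touchesValues = has(perms, VALUE_ATTR, "read") || has(perms, VALUE_ATTR, "write");
    if (touchesValues && access.missingReads.length > 0) {
      findings.push(`${VALUE_ATTR} grant has no effect on the person form: ` +
        `missing read on ${access.missingReads.join(", ")}`);
    }
    if (access.canEdit && !access.canView) {
      findings.push(`edit without view: write but no read on ${VALUE_ATTR}`);
    }
    return { principal, ...access, findings };
  });
}

// Constructed sample data (principal names are hypothetical).
const rw = { read: true, write: true };
const ro = { read: true, write: false };
const sampleEffective = {
  helpdesk: { erRoles: ro, erRoleAssignmentKey: ro, erRoleAssignments: ro },
  roleOwner: { erRoles: ro, erRoleAssignmentKey: rw, erRoleAssignments: rw },
  auditor: { erRoles: ro, erRoleAssignments: rw }, // no read on erRoleAssignmentKey
  writer: { erRoles: ro, erRoleAssignmentKey: ro, erRoleAssignments: { read: false, write: true } },
};
for (const row of auditPrincipals(sampleEffective)) {
  console.log(row.principal, { view: row.canView, edit: row.canEdit }, row.findings);
}
```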

JavaScript capabilities for role assignment attributes

You can access these capabilities for role assignment attributes within the JavaScript interface:

  • The role assignment attributes of the role schema. For example, you can access a role object inside an entitlement workflow.
  • The role assignment attributes and their values for users in role membership. For example, you can access a person object within a JavaScript provisioning policy entitlement.

    JavaScript APIs include:
    Person
    • Person.getAllAssignmentAttributes()
    • Person.getRoleAssignmentData()
    • Person.getRoleAssignmentData(String roleAssignedDN)
    • Person.removeRoleAssignmentData()
    • Person.updateRoleAssignmentData()
    • Person.getRemovedRoles()
    • Person.isInRole()
    • Person.removeRole()
    Role
    • Role.getAssignmentAttributes()
    • Role.getAllAssignmentAttributes()
    • Role.setAssignmentAttributes()
    RoleAssignmentAttribute
    • RoleAssignmentAttribute.getName()
    • RoleAssignmentAttribute.getRoleName()
    • RoleAssignmentAttribute.getRoleDN()
    RoleAssignmentObject
    • RoleAssignmentObject.getAssignedRoleDN()
    • RoleAssignmentObject.getDefinedRoleDN()
    • RoleAssignmentObject.addProperty()
    • RoleAssignmentObject.getChanges()
    • RoleAssignmentObject.getProperty()
    • RoleAssignmentObject.getPropertyNames()
    • RoleAssignmentObject.removeProperty()
    • RoleAssignmentObject.setProperty()

For more information, see the reference pages in the IBM Verify Identity Governance Reference Guide.

Role assignment attributes and the Self Service or the IVIG Service Center user interface

For more information about adding or modifying role assignment attributes for a user profile in the IVIG Service Center user interface, see Modifying role assignment attributes for your personal profile.