Implementation Guide › Optimizing Identity Manager › Task Optimizations › How Identity Manager Renders Relationship Tabs

How Identity Manager Renders Relationship Tabs

A relationship tab allows users to view and manage the relationship that a task's subject has with a set of entitlements. For example, the Provisioning Roles tab shows the provisioning roles that a user has.

To determine the objects that appear on a relationship tab, CA Identity Manager performs numerous security evaluations, which can significantly impact performance.

The following example shows the steps that CA Identity Manager takes to render the Provisioning Roles tab:

1. An administrator clicks the Provisioning Roles tab in the Modify User task.
2. CA Identity Manager retrieves the provisioning roles where the selected user is a member.
3. If the tab is configured to allow management of role administrators, CA Identity Manager makes a second call to retrieve the list of provisioning roles where the selected user is an administrator.
4. CA Identity Manager evaluates each provisioning role that the user has to see if the administrator who initiated the task can manage membership for that role.

   If the administrator can manage role members, CA Identity Manager displays an active check box in the Membership column for that role in the list of roles on the tab.

5. CA Identity Manager evaluates each provisioning role that the user has to see if the administrator who initiated the task can manage administrative rights for that role.

   If the administrator can manage administrative rights, CA Identity Manager displays an active check box in the Administrator column for that role in the list of roles on the tab.

   CA Identity Manager must complete steps 2-5 to display the provisioning roles the user currently has. If the administrator needs to assign a new provisioning role, the following additional steps are required.

6. The administrator clicks the Add button to locate new provisioning roles to assign.
7. CA Identity Manager displays a search screen that the administrator can use to search for the role to add.
8. The administrator enters a search filter to find the role to add.
9. CA Identity Manager returns the list of provisioning roles that meet following criteria:
   • The roles match the search filter entered by the administrator.
   • The administrator can manage membership for the roles.
   • The user is in the administrative scope of the administrator for the roles.
   • The user does not already have the provisioning roles.
10. CA Identity Manager repeats step 9 to determine the roles where the administrator can manage administrative privileges.