You must specify an Add and Remove Action for CA IdentityMinder to correctly manage a role’s membership when an administrator grants or revokes the role.
Each role can have two add actions and two remove actions.
If administrators can add and remove members of the role, you define add and remove actions. Otherwise, a user has the role only by meeting the member rule, such as by belonging to the RoleAdmins group.
When you define add and remove actions, consider using the Admin Role attribute, which CA IdentityMinder can use to store the list of a user's roles. For example, you can configure an add action that adds the value Employee to a user's Admin Role attribute when that user is added as a member of the Employee role, and a matching remove action that deletes the value when the role is revoked. When an administrator assigns the Employee role to a manager who already has the Self Administrator and User Manager roles, the manager's Admin Role attribute then contains the following values: Self Administrator, User Manager, Employee.
To use the Admin Role attribute, the %ADMIN_ROLE_CONSTRAINT% well-known attribute must be mapped to a multi-valued attribute in user profiles. For more information, see the CA IdentityMinder Configuration Guide.
Important! When defining an add action, do not set up a rule that refers to the role you are defining. For example, do not make membership of Role A depend on the user already being a member of Role A. Such a rule is evaluated recursively without end; the resulting error causes the policy server to restart.
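The following is an added example, written for this page rather than taken from CA IdentityMinder, that models the two behaviours described above: add and remove actions that maintain a multi-valued Admin Role attribute (the scenario with Self Administrator, User Manager and Employee), a role whose membership is derived from a group member rule (RoleAdmins), and a definition-time check that catches the self-referential rule the note warns about, including indirect cycles (Role A refers to Role B, which refers back to Role A). The attribute name `adminRoles`, the `("group", name)` / `("role", name)` rule format, the class names and the sample users are all assumptions made for the illustration; the product's own API is not used.

```python
"""Model of role add/remove actions and the Admin Role attribute.

Example written for this page; it is not CA IdentityMinder code and calls no
product API. ADMIN_ROLE_ATTR, the rule tuple format and the class names are
assumptions made for the illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

# Assumed directory attribute that %ADMIN_ROLE_CONSTRAINT% is mapped to.
# It must be multi-valued, so it is modelled as a list of distinct strings.
ADMIN_ROLE_ATTR = "adminRoles"

# A member rule is ("group", group_name) or ("role", role_name); None means
# membership is only ever assigned through the add/remove actions.
MemberRule = Optional[Tuple[str, str]]


class User:
    def __init__(self, name: str, groups: Set[str] = frozenset()):
        self.name = name
        self.groups = set(groups)
        self.attrs: Dict[str, List[str]] = {ADMIN_ROLE_ATTR: []}


class Role:
    def __init__(self, name: str, member_rule: MemberRule = None):
        self.name = name
        self.member_rule = member_rule

    def add_action(self, user: User) -> List[str]:
        """Add action: store this role's name in the Admin Role attribute.
        Idempotent, so re-granting a role does not duplicate the value."""
        values = user.attrs[ADMIN_ROLE_ATTR]
        if self.name not in values:
            values.append(self.name)
        return list(values)

    def remove_action(self, user: User) -> List[str]:
        """Remove action: drop this role's name; revoking a role the user
        never held explicitly is a no-op rather than an error."""
        values = user.attrs[ADMIN_ROLE_ATTR]
        if self.name in values:
            values.remove(self.name)
        return list(values)


class RoleStore:
    def __init__(self, roles: List[Role]):
        self.roles = {r.name: r for r in roles}

    def has_role(self, user: User, role_name: str, _seen: Set[str] = frozenset()) -> bool:
        """Explicit assignment (attribute value) first, then the member rule.
        _seen guards the role-refers-to-role loop the note warns about."""
        if role_name in user.attrs[ADMIN_ROLE_ATTR]:
            return True
        rule = self.roles[role_name].member_rule
        if rule is None:
            return False
        if role_name in _seen:
            raise RecursionError(f"member rule of {role_name!r} refers back to itself")
        kind, target = rule
        if kind == "group":
            return target in user.groups
        if kind == "role":
            return self.has_role(user, target, _seen | {role_name})
        raise ValueError(f"unknown rule kind {kind!r}")

    def find_rule_cycles(self) -> List[List[str]]:
        """Follow every role->role member rule chain and return each cycle once,
        so a self-referential rule is rejected when it is defined rather than
        when the policy server evaluates it."""
        found: List[List[str]] = []
        reported: Set[frozenset] = set()
        for start in self.roles:
            path, rule = [start], self.roles[start].member_rule
            while rule is not None and rule[0] == "role":
                nxt = rule[1]
                if nxt == start:
                    members = frozenset(path)
                    if members not in reported:
                        reported.add(members)
                        found.append(path + [nxt])
                    break
                if nxt in path:      # a cycle that does not pass through start
                    break
                path.append(nxt)
                rule = self.roles[nxt].member_rule
        return found


def demo() -> Tuple[List[str], bool, bool, bool, List[List[str]]]:
    """Walk through the scenarios in the text with constructed sample data."""
    self_admin, user_mgr, employee = Role("Self Administrator"), Role("User Manager"), Role("Employee")
    role_admin = Role("Role Administrator", ("group", "RoleAdmins"))   # membership via member rule only
    store = RoleStore([self_admin, user_mgr, employee, role_admin])

    manager = User("manager", groups={"RoleAdmins"})                   # constructed sample user
    self_admin.add_action(manager)
    user_mgr.add_action(manager)
    after_grant = employee.add_action(manager)        # ['Self Administrator', 'User Manager', 'Employee']
    derived = store.has_role(manager, "Role Administrator")            # True, via the RoleAdmins rule
    employee.remove_action(manager)
    revoked = store.has_role(manager, "Employee")                      # False after the remove action

    # The misconfiguration from the note: Role A's rule refers to Role A.
    bad_store = RoleStore([Role("Role A", ("role", "Role A"))])
    try:
        bad_store.has_role(User("someone"), "Role A")
        looped = False
    except RecursionError:
        looped = True                                                  # evaluation would never terminate
    cycles = bad_store.find_rule_cycles()                              # [['Role A', 'Role A']]
    return after_grant, derived, revoked, looped, cycles


if __name__ == "__main__":
    print(demo())
```

`find_rule_cycles` is the check worth running whenever a member rule or add action is saved: it only follows role-to-role references, so group rules such as RoleAdmins never trigger it, and it reports each cycle once even when several roles belong to it.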
Copyright © 2013 CA.
All rights reserved.