Configure Roles

Roles are used to assign Permission sets and permissions to users.

You can create, edit, and delete roles. You can also associate permissions with, and remove permissions from, specific roles.

Using the ActivID Management Console, you create a role to represent a relationship and associate the role with the relevant Permission set or permission.

Then, you assign the role either to an individual user (local database users) or to an LDAP group or organizational unit (OU) (all external users belonging to the LDAP entity are granted the role).

Assigning the role gives the individual user the permission to perform the actions in the associated set.

One user can have many roles; one role can be assigned to many users.

Important: Assigning a Role to an LDAP user can only be done by assigning the role to the entity (LDAP group/OU) to which the user belongs. It is not possible to directly assign a role to an LDAP user through the user’s details as is done for local database users. For further information, see About Permissions/Roles for Local Users and LDAP Users.

Create a New Role

Prerequisites: To configure a role, the operator must have the following permissions to perform each related task.

To configure the role’s Predefined Permission sets, the operator must have the following permissions:

  • Modify role asset type Permission set privilege – allows adding a Predefined Permission on the resource Asset type.
  • Modify role Permission set privileges – allows adding a Predefined Permission on the resource Admin Group and adding a Predefined Permission on the resource type NONE.

Note: Permissions that apply to the resource type NONE are generic permissions. They do not apply to User Groups or Assets (for example, the permission to create a channel has no resource type). By contrast, the permission to create a password can apply to a specific group of users (that is, creating passwords for the resource type Admin Group). You can then specify that it applies only to “Customer users”.

To configure the role’s External Permission sets, the role must have the following permissions:

  • Modify role asset set External Permission set privileges – allows adding an External Permission on resource Asset set.
  • Modify role External Permission set privileges – allows adding an External Permission set on resource NONE.

Note: Adding an External Permission Set on a resource Asset can only be performed on a user’s profile, not on the user’s role.

  1. Log on to the ActivID Management Console as an operator with the required permissions.
  2. Select the Access Administration tab and, under Access Control, select Roles.

    All existing roles are listed in a paged table. The total number of roles is given in the lower left corner.

    Each row corresponds to a role. It provides the following information in the different columns:

    • Name – the name of the role
    • Description – a description of the role

Launch the Role Creation Wizard

  1. Click Add.
  2. Enter a descriptive Name.
  3. Edit the Code to identify the role.

    The Code is pre-assigned and case-sensitive. You can modify it, but it must be unique and have a maximum length of 20 characters.

  4. Click Next and proceed to Assign Permissions to the Role.
  5. Alternatively, click Save and assign the permission to the role later.

Important:

Assign Permissions to the Role

  1. Log on to the ActivID Management Console as an operator with the required permissions.
  2. Select the Access Administration tab and, under Access Control, select Roles.
  3. Click on the Name of the role that you want to edit.
  4. In the Permissions tab, click Assign for the permission(s) to be granted to this role (in this example, Device Administration functions).

  5. Depending on the permission you selected, configure the permission by selecting the Authentication Policy(ies), Channel(s), and Resource(s) options.

  6. Select one or more check box(es) for the Authentication Policy.

    Important: You must choose the authentication policy that is supported by the user type of the future users.

  7. Click Next.

  8. Select one or more check box(es) for the Channel and click Next.

  9. Select one or more check box(es) for the Resources and click Next.

  10. Click OK and proceed to Configure the Role Assignment Rule for LDAP User Repository if required.

    If not, proceed to Add a Role to the Roles Assignment Functions Permission Set.

Configure the Role Assignment Rule for LDAP User Repository

  1. Select the Assignment Rules tab.
  2. Under User Repositories, select the check box for the user repository to which to assign the role.

  3. Select the basis on which the users in the user repository will gain role membership, and click Next:

  4. Click Save and proceed to Add a Role to the Roles Assignment Functions Permission Set.

Add a Role to the Roles Assignment Functions Permission Set

  1. Log on to the ActivID Management Console as an operator with the required permissions.
  2. Select the Access Administration tab and, under Access Control, select Permission Sets.
  3. Select the Roles Assignment Functions Permission set.

  4. Under Individual Permissions, click the edit icon (pencil) to add the role code in both the Modify user roles and Read role parameters.

    All the different roles that can be assigned are listed with a separator “|”. You must use this separator when adding the new role code.

  5. Click Save.

  6. You can then Assign Roles to a User.
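
An added example, not part of the ActivID documentation or product: a Python pre-check for a new role Code and for the pipe-separated list it is added to, using the constraints stated above (case-sensitive, unique, maximum 20 characters, “|” as separator). The sample codes are constructed, and rejecting a “|” inside a Code is an assumption.

```python
MAX_CODE_LEN = 20  # from the page: a Code is at most 20 characters
SEP = "|"          # from the page: role codes are listed with a "|" separator


def parse_codes(value):
    """Split a pipe-separated parameter value into role codes, dropping blanks."""
    return [c.strip() for c in value.split(SEP) if c.strip()]


def validate_new_code(code, existing_role_codes):
    """Return the problems with a proposed role Code (empty list means OK)."""
    problems = []
    if not code or code != code.strip():
        problems.append("empty or padded with whitespace")
    if len(code) > MAX_CODE_LEN:
        problems.append(f"longer than {MAX_CODE_LEN} characters")
    if SEP in code:  # assumption: would be read as two entries in the list
        problems.append("contains the list separator")
    if code in existing_role_codes:  # case-sensitive, so exact match only
        problems.append("not unique")
    return problems


def add_code(value, code):
    """Append code to a pipe-separated value unless it is already listed."""
    codes = parse_codes(value)
    if code not in codes:
        codes.append(code)
    return SEP.join(codes)


def out_of_sync(modify_value, read_value):
    """Codes present in only one of the two parameter values, sorted."""
    return sorted(set(parse_codes(modify_value)) ^ set(parse_codes(read_value)))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    modify_value = "EXAMPLE_ADMIN|EXAMPLE_HELPDESK"
    read_value = "EXAMPLE_ADMIN|EXAMPLE_HELPDESK"
    new_code = "EXAMPLE_AUDITOR"

    print(validate_new_code(new_code, parse_codes(modify_value)))
    modify_value = add_code(modify_value, new_code)
    print(modify_value)
    # The second parameter has not been updated yet, so the new code is reported.
    print(out_of_sync(modify_value, read_value))
```

The `out_of_sync` check is useful when reviewing the permission set afterwards, since the role code has to appear in both parameters.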

Copy a Role

  1. Log on to the ActivID Management Console as an operator with the required permissions.
  2. Select the Access Administration tab and, under Access Control, select Roles.
  3. Select one or more check boxes of Roles that you want to copy, and click Copy.

  4. Edit the role settings as required.

Edit a Role

  1. Log on to the ActivID Management Console as an operator with the required permissions.
  2. Select the Access Administration tab and, under Access Control, select Roles.
  3. Click on the Name of the role that you want to edit.
  4. Edit the role settings as required.
    All the tabs are accessible and all settings can be modified except the Code.

  5. Click Save to apply your changes.
  6. If you want to cancel the operation, click Back to List.

Delete a Role

  1. Log on to the ActivID Management Console as an operator with the required permissions.
  2. Select the Access Administration tab and, under Access Control, select Roles.
  3. Select one or more check boxes of Roles that you want to delete, and click Delete.

  4. When prompted, click Yes to delete the role.