
Example: Adding a role with a start time

In this example, the role membership has a start time defined. When the request to change role membership is submitted, the user does not get the role entitlement immediately. The role entitlement is handled by the nightly update: when the nightly update runs and the validity window is open, the entitlements are changed in accordance with the new role.

Requirements

  • The CONTRACTOR role has the group "All users at ABC Inc" set to required.

  • The requester's profile has Role based access control enforcement set to "True".

    See Create a new user using a role for an example of how to set RBAC on profiles.

Enable RBAC enforcement on the entitlements
  1. Log in to the web app as superuser.

  2. Click Manage the system > Resources > Options.

  3. Set the following:

    • RBAC ENFORCEMENT ENABLED: Enabled

    • RBAC DEFICIT DEFAULT ACTION: Add resource

    • RBAC SURPLUS DEFAULT ACTION: Remove resource

    • RBAC AUTO PROPAGATE REQUESTER: a user

  4. Click Manage the system > Resources > Groups.

  5. Select the AD target.

  6. Search for and select All users at ABC Inc.

  7. Click the Role enforcement tab.

  8. Select Enabled.

  9. Click Update.

Configure the PDR
  1. Click Manage the system > Workflow > Pre-defined requests.

  2. Search for and select the _UPDATE_ROLES_ PDR.

  3. Click the Attributes tab.

  4. Click Select.

  5. Select the ROLE_VALIDITY attribute group.

  6. Click Select.

Submit a request for a change in role membership with a start time
  1. Log in to the web app as a requester.

  2. Click View and update profile.

  3. Select the Change role membership PDR.

  4. Select the "Basic entitlements for all contractors" role and specify the current date as the Start Date.

  5. Click Submit.

Check the request does not contain a role entitlement assignment operation
  1. From the home page click Requests.

  2. Click Recent from the left panel.

  3. Select the latest request.

  4. Click the request in the details panel.

    The request details page opens.

    The request does not contain a role entitlement assignment operation.

Check the PSA role user page
  1. Log in to the web app as superuser.

  2. Click Manage the system > Resources > Roles.

  3. Select the CONTRACTOR role.

  4. Click the Users tab.

    The requester has been added with a Start time.

Run nightly update
  1. Run auto discovery: Click Manage the system > Maintenance > Auto discovery > Execute auto discovery, then click Continue. See Auto Discovery for more information.

  2. Log in to the web app as the requester.

  3. Click Groups.

  4. Click My memberships from the left panel.

    The All users at ABC Inc. group is now assigned to the requester.