Access
Access to the Roles app is enabled by default for all end users. This means all end users can view their own role memberships and request assignment or revocation of any roles for themselves via the Roles app.
Roles must be both enabled and assignable in order for membership to be requested.

User classes
To use the Roles app and associated pre-defined requests (PDRs), users can be added to the following default user classes:

User class | Description |
---|---|
ROLE_AUTHORIZERS | Role request authorizers |
ROLE_CREATE_USERS | Users who can create roles |
ROLE_DELETE_USERS | Users who can delete roles |
ROLE_UPDATE_USERS | Users who can update roles |

Pre-defined requests
Users can create, update, delete, or authorize role membership and configurations, depending on which PDRs they have access to:

Pre-defined request | Description |
---|---|
ROLE_CREATE | Create role |
ROLE_DELETE | Delete role |
ROLE_UPDATE | Update role |
ROLE_UPDATE_ATTRS | Update attributes |
ROLE_UPDATE_ENTITLEMENTS | Update entitlements |
ROLE_UPDATE_USERS | Update user members |
USER_ADD_ROLES | Assign roles |
USER_DELETE_ROLES | Revoke roles |
_CERT_ROLE_REMEDIATION_ | Default remediation for roles |
_RESOLVE_ROLE_DEFICITS_ | Add missing role entitlements |