NIM

Role generators

Use role generators to populate Role models. In other words, use role generators to generate Roles in bulk.

To get started, the recommended process is to Provision groups & manage memberships.

Alternatively, directly Create a role generator.

A role generator takes two filters as input: the Role Generation Filter and the Role Member Filter. These two filters are the most important parts of a role generator, and each must be configured in a specific way, described below.

In addition to generating roles and adding members to those roles, role generators can optionally add groups to the roles (in the Role groups pane). An alternative way of adding groups to roles is Role mining.

Caution

Role generators cannot yet be applied in jobs, or scheduled in sync tasks. You must apply them manually with the Apply Generator button on the Run tab.

This functionality is under development. When it is released, it will be possible to automate the entire Provision groups & manage memberships process.

Below is a full breakdown of the role generator configuration screen. User-specified fields are denoted with an asterisk (*). They are the fields that you must manually specify. All other fields are automatically calculated by NIM.

Tip

Role generation is an advanced feature, and the easiest way to understand it is to follow the example in Provision groups & manage memberships. Use the below information as a supplement.

[Screenshot: 2021-12-14_14-25-10.png]

The options in the Roles and members pane determine the roles to be created and the target accounts to be added to the roles. Subsequently, the options in the Role groups pane determine the groups to be added to the roles.

Role Generation Filter

The Role Generation Filter is used to determine the roles that a role generator generates. It must contain:

  1. A column whose rows correspond to the names of the roles to be generated. This becomes the Role Name Column. For example, the name column from your HR system's departments table (for the common scenario of 1:1 correspondence of roles to departments).

  2. Optional: An include lookup (see Lookups) of that column against the name column of the Groups table of the target system. This lookup lets the role generator add the correct groups to the generated roles in the Role groups pane. A transformation may be required via Custom JavaScript columns if the naming scheme of departments in the HR source system differs from the desired naming scheme of groups in the target system. For example, prefixing the department name with DEPGRP_.

    1. If you are also using NIM to provision groups into the target system, you can additionally create an exclude version of the lookup, to use the same filter in a group create mapping prior to role generation. This process is demonstrated in the Provision groups & manage memberships tutorial.

For example:

[Screenshot: 2022-02-15_15-13-23.png]
[Screenshot: 2022-02-15_15-13-46.png]
Role Name Column

The column in the Role Generation Filter whose rows will be used to name the generated roles.

Role Member Filter

The Role Member Filter is used to determine which target accounts will become members of which roles. It must:

  1. Relate source system employees to their relevant target system accounts

  2. Parameterize the source system column which roles are based on (e.g., departments)

  3. Include the unique ID column (typically the primary key column) of the target system users table (e.g., the objectGUID for Active Directory)

The role generator assigns the correct members (i.e., target accounts) to each generated role, by iterating the rows of the Member Filter Param Value column through the parameterized expression item (the Member Filter Param Name).

For example, if you want a role model based on a 1:1 correspondence of roles to departments, then your filter must 1) relate the source system employees table to the target system users table, and 2) be parameterized on the name column of the departments table. See Parameters.

For example:

[Screenshot: 2022-02-15_15-27-36.png]
Member Filter Param Name

The name of the parameter in the Role Member Filter through which NIM iterates each row of the selected Member Filter Param Value column, one iteration per generated role, to determine that role's members.

If the filter has more than one parameterized expression item, this pane will contain multiple rows.

Member Filter Param Value

The specific column in the Role Generation Filter whose rows will be iterated through the Member Filter Param Name parameter, in order to determine the members for each generated role. Often, this is the same column used for the Role Name Column.
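The two filters and the parameter iteration described above amount to one loop. The following is an added example, not NIM's own code or a NIM filter definition: it simulates a role generator with a 1:1 department-to-role model in JavaScript (the language of NIM's Custom JavaScript columns) over constructed HR and Active Directory tables. The table layouts, column names, the DEPGRP_ naming transformation and all function names are assumptions made for the illustration. It also shows the two edge cases a practitioner should expect to see in the preview tabs: a department with no matching target group yields a role with no groups, and an employee with no target account contributes no member.

```javascript
// Added example, not NIM code. Simulates a role generator with a 1:1
// department-to-role model over constructed tables. Column names, the
// DEPGRP_ prefix and all function names are assumptions.

// Constructed source-system (HR) tables
const hrDepartments = [
  { id: 10, name: "Finance" },
  { id: 20, name: "Sales" },
  { id: 30, name: "Research" }, // no DEPGRP_Research group exists in the target
];
const hrEmployees = [
  { employeeId: "E001", departmentId: 10 },
  { employeeId: "E002", departmentId: 10 },
  { employeeId: "E003", departmentId: 20 },
  { employeeId: "E004", departmentId: 30 },
  { employeeId: "E005", departmentId: 20 }, // has no target account
];

// Constructed target-system (Active Directory) tables
const adUsers = [
  { objectGUID: "guid-a", employeeID: "E001" },
  { objectGUID: "guid-b", employeeID: "E002" },
  { objectGUID: "guid-c", employeeID: "E003" },
  { objectGUID: "guid-d", employeeID: "E004" },
];
const adGroups = [
  { objectGUID: "grp-fin", name: "DEPGRP_Finance" },
  { objectGUID: "grp-sal", name: "DEPGRP_Sales" },
  { objectGUID: "grp-old", name: "DEPGRP_Legacy" },
];

// Custom JavaScript column: map the HR department name onto the group
// naming scheme of the target system (assumed prefix DEPGRP_).
function groupNameFor(departmentName) {
  return "DEPGRP_" + departmentName;
}

// Role Generation Filter: the departments table with an include lookup of
// the transformed name against the target Groups table. The department
// name is the Role Name Column.
function roleGenerationFilter() {
  const groupsByName = new Map(adGroups.map((g) => [g.name, g]));
  return hrDepartments.map((d) => ({
    roleName: d.name,
    group: groupsByName.get(groupNameFor(d.name)) || null, // null: no such group yet
  }));
}

// Role Member Filter: relates employees to their target accounts and is
// parameterized on the department name (Member Filter Param Name "department").
// Returns the unique ID column (objectGUID) of the matching target accounts.
function roleMemberFilter(params) {
  const deptIds = new Set(
    hrDepartments.filter((d) => d.name === params.department).map((d) => d.id),
  );
  const usersByEmployee = new Map(adUsers.map((u) => [u.employeeID, u]));
  return hrEmployees
    .filter((e) => deptIds.has(e.departmentId))
    .map((e) => usersByEmployee.get(e.employeeId))
    .filter(Boolean) // an employee without a target account contributes no member
    .map((u) => u.objectGUID);
}

// The generator: iterate every row of the Member Filter Param Value column
// (here the same column as the Role Name Column) through the parameter, and
// attach the looked-up group, if one exists.
function generateRoles() {
  return roleGenerationFilter().map((row) => ({
    name: row.roleName,
    members: roleMemberFilter({ department: row.roleName }),
    groups: row.group ? [row.group.objectGUID] : [],
  }));
}

// Preview, as the Members and Groups tabs would show it
console.log(JSON.stringify(generateRoles(), null, 2));
```

The Research role comes out with a member but no group, which is exactly what the Groups tab caveat below means by "only includes groups that already exist in the target system": the role is still created, and the group has to be provisioned first (or the exclude lookup used in a group create mapping) before the generator can attach it.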

[Screenshot: 2021-12-14_14-26-43.png]

Whereas the options in the Roles and members pane determine the roles to be created and the target accounts to be added to the roles, the options in the Role groups pane determine the groups to be added to the roles.

Tip

Using the Role Groups pane is entirely optional. A potential alternative way of adding groups to your generated roles is Role mining.

 
Enabled*

Select this checkbox to include the groups looked up in the associated System Name in this role generator. Typically there will only be one target system and thus one row in this pane, and it should be enabled. However, if your Role Generation Filter performs lookups in multiple target systems, there will be multiple rows and you may want to disable some to exclude those systems from this role generator.

System Name

The target system from the Role Generation Filter, in which the Lookup is being performed.

Group Table Name

The target system data table in which the lookup in the Role Generation Filter is being performed. This is typically a Groups table.

Membership Table Name

The target system data table which contains the intra-system relations between users and groups. This is typically a Memberships table or similar.

Member Table Name

The target system data table whose rows will become members in roles. This is typically a Users table or similar.

Lookup

The lookup being used in the Role Generation Filter. Only include lookups are detected.

Status

The options in the Tabs Pane help you preview the output of the role generator, and subsequently apply the role generator.

 
Role Generation Filter tab
[Screenshot: 2021-12-14_14-31-01.png]

Shows the output of the Role Generation Filter.

Role Member Filter tab
[Screenshot: 2021-12-14_14-31-19.png]

Shows the output of the Role Member Filter.

Members tab
[Screenshot: 2021-12-14_14-34-30.png]

Click Calculate to see the results of every parameter iteration for the Role Member Filter. In other words, this is a preview of all members involved in this role generator, and the roles to which they will be assigned.

Groups tab
[Screenshot: 2021-12-14_14-32-02.png]

Click Calculate to see all groups in the target system to which this role generator will assign members, and their corresponding roles. This only includes groups that already exist in the target system, as determined by the Lookup.

Roles tab
[Screenshot: 2021-12-14_14-32-31.png]

Click Calculate to see all roles that this role generator will create.

Run tab
[Screenshot: 2021-12-14_14-32-56.png]

Click Calculate to preview the operations that will be performed when you apply the role generator. Neither calculating the preview nor applying the generator writes any changes into the target system; applying the role generator only updates your active role model.

Execution Options pane
Create Roles

Include all add role operations in the Impact Analysis pane under the Run tab.

Update Roles - Add Groups

Include all add group to role operations listed in the Impact Analysis pane under the Run tab. Determined by which rows' Enabled checkboxes have been selected in the Role Groups pane.

Update Roles - Delete Groups

Include all delete group from role operations listed in the Impact Analysis pane under the Run tab. Determined by which rows' Enabled checkboxes have been cleared in the Role Groups pane.

Delete Roles

Include all delete role operations in the Impact Analysis pane under the Run tab.

Apply Generator

Click to apply the role generator, based on the Impact Analysis pane under the Run tab.

Applying a role generator does not write any changes into target systems. It only updates the relevant role model. Changes are only written into target systems when you execute the relevant role model.
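As an added example (not NIM's own code), the following JavaScript derives the four operation lists that the Execution Options gate by comparing generator output with the active role model, and then applies only the enabled ones to a copy of that model. The role models are constructed. Treating a delete-group operation as a group that the generator no longer yields for an existing role (which is what clearing a system's Enabled checkbox in the Role Groups pane produces) is an assumption, as are the function and option names.

```javascript
// Added example, not NIM code. Derives the Run tab's impact analysis by
// comparing generator output with the active role model, then applies only
// the enabled Execution Options. Role models are constructed; function
// names and the diff rules are assumptions.

// Generator output (what the Roles and Groups tabs list), constructed
const generatedRoles = [
  { name: "Finance", groups: ["grp-fin"] },
  { name: "Sales", groups: ["grp-sal"] },
  { name: "Research", groups: [] },
];

// The active role model before applying, constructed
const activeRoleModel = [
  { name: "Finance", groups: ["grp-fin", "grp-old"] }, // grp-old no longer looked up
  { name: "Legacy", groups: ["grp-old"] }, // no longer generated
];

// Impact analysis: one operation list per Execution Option.
function impactAnalysis(generated, active) {
  const activeByName = new Map(active.map((r) => [r.name, r]));
  const generatedNames = new Set(generated.map((r) => r.name));
  const ops = { createRoles: [], addGroups: [], deleteGroups: [], deleteRoles: [] };
  for (const role of generated) {
    const existing = activeByName.get(role.name);
    if (!existing) {
      ops.createRoles.push(role.name);
      for (const g of role.groups) ops.addGroups.push({ role: role.name, group: g });
      continue;
    }
    const have = new Set(existing.groups);
    const want = new Set(role.groups);
    for (const g of role.groups) if (!have.has(g)) ops.addGroups.push({ role: role.name, group: g });
    for (const g of existing.groups) if (!want.has(g)) ops.deleteGroups.push({ role: role.name, group: g });
  }
  for (const role of active) if (!generatedNames.has(role.name)) ops.deleteRoles.push(role.name);
  return ops;
}

// Apply Generator: execute only the enabled option groups against a copy of
// the role model. Nothing here touches target-system tables; that happens
// only when the role model itself is executed.
function applyGenerator(active, ops, options) {
  const model = new Map(active.map((r) => [r.name, { name: r.name, groups: [...r.groups] }]));
  if (options.createRoles) for (const n of ops.createRoles) model.set(n, { name: n, groups: [] });
  if (options.addGroups)
    for (const { role, group } of ops.addGroups) {
      const r = model.get(role); // undefined if Create Roles was disabled for a new role
      if (r && !r.groups.includes(group)) r.groups.push(group);
    }
  if (options.deleteGroups)
    for (const { role, group } of ops.deleteGroups) {
      const r = model.get(role);
      if (r) r.groups = r.groups.filter((g) => g !== group);
    }
  if (options.deleteRoles) for (const n of ops.deleteRoles) model.delete(n);
  return [...model.values()];
}

const allOptions = { createRoles: true, addGroups: true, deleteGroups: true, deleteRoles: true };
const analysis = impactAnalysis(generatedRoles, activeRoleModel);
console.log(JSON.stringify(analysis, null, 2));
console.log(JSON.stringify(applyGenerator(activeRoleModel, analysis, allOptions), null, 2));
```

Two things worth checking in the Impact Analysis pane before clicking Apply Generator follow from this model: with Create Roles cleared, the add-group operations for roles that do not exist yet are silently skipped, and with Delete Roles enabled, a role that disappeared from the source (Legacy above) is removed from the role model together with all of its memberships, which takes effect in the target system as soon as that role model is executed.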