NIM

Role generators

Use role generators to populate Role models all at once. In other words, use role generators to generate Roles in bulk.

To get started, Create a role generator.

A role generator takes two filters as input: the Role Generation Filter and the Role Member Filter. These two filters are the most important parts of a role generator, and must be configured in a specific way.

Applying a role generator does not write any changes into target systems. It only updates the relevant role model. Changes are only written into target systems when you execute the relevant role model.

Tip

Role generation is an advanced feature, and the best way to understand it is to follow the example in Create a role generator. Use the information below as a supplement.

Below is a full breakdown of the role generator configuration screen. User-specified fields are denoted with an asterisk (*). They are the fields that you must manually specify. All other fields are automatically calculated by NIM.

Roles And Members pane
Role Generation Filter*

A filter that contains two things:

  1. A column whose rows correspond to the names of the roles to be generated. This may be as simple as directly pulling the department or job title table from your HR system. More commonly, though, it is a transformation of column(s) via a JavaScript column (see Custom JavaScript columns). For example, adding a prefix to department names to match the group naming scheme in the target system, or even combining multiple columns (e.g., grades, buildings, schools). This becomes the Role Name Column.

  2. A lookup (see Lookups) of that filter column against the relevant column of the Groups table of the target system. This lookup ensures that the role generator creates roles for all groups that exist in the target system, and does not create roles for groups that don't. You can see an example in the article Create a lookup.

Role Name Column*

The column in the Role Generation Filter whose rows will be used to name the generated roles.

Role Member Filter*

A parameterized filter that calculates which target accounts will become members of which roles. It must relate the objects from which roles will be generated (again, typically departments in your source system) to user accounts in the relevant target system. It must use a parameterized expression item for the department. This becomes the Member Filter Param Name. You can see a worked example in the article Create a role generator.

Member Filter Param Name

The name of the parameter in the Role Member Filter, through which NIM will iterate each row in the selected Member Filter Param Value column to generate the roles. If the filter has more than one parameterized expression item, this pane will contain multiple rows.

Member Filter Param Value*

The specific column in the Role Generation Filter whose rows will be iterated through the parameter in the Role Member Filter, in order to generate the roles and their associated members. Typically, this will be the same column used for the Role Name Column.
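The following is an added conceptual model of how the two filters combine, not NIM code or part of the original documentation. The sample data, the "GRP_" prefix and all function names are assumptions made for illustration. It shows the lookup dropping a department that has no matching target group, and the member filter being evaluated once per parameter value.

```javascript
// Conceptual model of a role generator; NOT NIM code. All data below is constructed.
const hrPersons = [
  { employeeId: "1001", department: "Finance" },
  { employeeId: "1002", department: "Finance" },
  { employeeId: "1003", department: "Legal" },
  { employeeId: "1004", department: "Facilities" },
];
const targetGroups = [{ name: "GRP_Finance" }, { name: "GRP_Legal" }];
const targetUsers = [
  { account: "a.jones", employeeId: "1001" },
  { account: "b.smith", employeeId: "1002" },
  { account: "c.wu", employeeId: "1003" },
  { account: "d.ortiz", employeeId: "1004" },
];

// Role Generation Filter: distinct departments, a JavaScript-style column that
// applies the assumed "GRP_" naming scheme, and a lookup against the Groups table.
function roleGenerationFilter(persons, groups, prefix = "GRP_") {
  const groupNames = new Set(groups.map((g) => g.name));
  return [...new Set(persons.map((p) => p.department))].map((department) => {
    const roleName = prefix + department; // plays the part of the Role Name Column
    return { department, roleName, group: groupNames.has(roleName) ? roleName : null };
  });
}

// Role Member Filter: parameterized on one department value, returns target accounts.
function roleMemberFilter(departmentParam, persons, users) {
  const ids = new Set(
    persons.filter((p) => p.department === departmentParam).map((p) => p.employeeId));
  return users.filter((u) => ids.has(u.employeeId)).map((u) => u.account);
}

// Iterate every row of the parameter value column (here: department) through the
// member filter. Only an in-memory role model is built; no target system is written.
function generateRoleModel(persons, groups, users) {
  const roles = [], skipped = [];
  for (const row of roleGenerationFilter(persons, groups)) {
    if (row.group === null) { skipped.push(row.roleName); continue; } // no such group
    roles.push({ name: row.roleName, groups: [row.group],
                 members: roleMemberFilter(row.department, persons, users) });
  }
  return { roles, skipped };
}

console.log(JSON.stringify(generateRoleModel(hrPersons, targetGroups, targetUsers), null, 2));
```

Reviewing the skipped list and any role with an unexpectedly large member list before applying is the same check the Members, Groups and Roles tabs support in the product.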

Role Groups pane
Enabled*

Select this checkbox to include the groups looked up in the associated System Name in this role generator. Typically there will only be one target system and thus one row in this pane, and it should be enabled. However, if your Role Generation Filter performs lookups in multiple target systems, there will be multiple rows and you may want to disable some to exclude those systems from this role generator.

System Name

The target system from the Role Generation Filter, in which the Lookup is being performed.

Group Table Name

The target system data table in which the lookup in the Role Generation Filter is being performed. Typically a Groups table or similar.

Membership Table Name

The target system data table that contains intra-system relations between users and groups. Typically a Memberships table or similar.

Member Table Name

The target system data table whose rows will become members in roles. Typically a Users table or similar.

Lookup

The lookup being used in the Role Generation Filter.

Status

Tabs pane
Role Generation Filter tab

Shows the output of the Role Generation Filter.

Role Member Filter tab

Shows the output of the Role Member Filter.

Members tab

Click Calculate to see the results of every parameter iteration for the Role Member Filter. In other words, this is a preview of all members involved in this role generator, and the roles to which they will be assigned.

Groups tab

Click Calculate to see all groups in the target system to which this role generator will assign members, and their corresponding roles. This only includes groups that already exist in the target system, as determined by the Lookup.

Roles tab

Click Calculate to see all roles that this role generator will create.

Run tab

Click Calculate to preview the operations that will be performed when you apply the role generator. Note that no changes are written into the target system when you do so. Applying the role generator only updates your active role model.

Execution Options pane
Create Roles

Include all add role operations in the Impact Analysis pane under the Run tab.

Update Roles - Add Groups

Include all add group to role operations listed in the Impact Analysis pane under the Run tab. Determined by which rows' Enabled checkboxes have been selected in the Role Groups pane.

Update Roles - Delete Groups

Include all delete group from role operations listed in the Impact Analysis pane under the Run tab. Determined by which rows' Enabled checkboxes have been cleared in the Role Groups pane.

Delete Roles

Include all delete role operations in the Impact Analysis pane under the Run tab.

Apply Generator

Click to apply the role generator, based on the Impact Analysis pane under the Run tab.