Skip to main content

NIM

Step 2: Add a role model & role generator (tutorial)

The next step is to create a NIM role model, to manage the memberships of the groups we just provisioned into AD. A role model can be created either manually, or programmatically using a role generator. We'll take the latter approach.

A role generator takes two filters as input. These two filters are the most important parts of a role generator, and must be configured in a specific way:

  • The Role Generation Filter is used to determine the roles that a role generator generates.

  • The Role Member Filter is used to determine which target accounts will become members of which roles.

Create a role generation filter

We don't need to create a new filter for our Role Generation Filter, because we can use the include lookup on the HR500_AD_Group_Create filter we already created.

Create a role member filter

  1. Go to Processing > Filters.

  2. Click Add.

  3. Enter a Filter Name.

    For this example, we'll name it HR500_AD_RoleMembers, following the convention Source_System_TargetSystem_RoleMembers.

    2023-07-24_11-05-23.jpg

  4. Click Create.

  5. In this filter, we need employees by department, joined to their AD user accounts. We'll do this by joining HR500.contracts to HR500.departments and AD.Users.

    2023-07-24_13-39-21.jpg

  6. Next, we'll parameterize the organizational_unit column of the HR500.departments table. This lets us dynamically filter employees by department. Thus, we only need one filter total, rather than one filter per department.

    1. We'll go to the Parameters tab, and add a parameter with a Name of deptName, a Type of input, a Data Type of string, and a Default Value of EN_DOC.

      Tip

      The specific department we use as the Default Value doesn't matter, and is only used to preview the filter results. In production, our role generator will iterate the necessary values through the parameter.

      2023-07-24_13-40-07.jpg

    2. On our with any HR500.departments filter item, we'll click expression-filter.png Expression filter item to add an expression item.

      2023-07-24_13-52-07.jpg

    3. We'll set it to with organizational_unit equals.

      2023-07-24_13-53-53.jpg

    4. For the new expression item, click constant-parameter-filter.png Constant/Parameter to change the expression item from a constant to a parameter.

      2023-07-24_13-44-29.jpg
      2023-07-24_14-01-12.jpg

    5. Set the parameter dropdown to deptName.

      2023-07-24_14-02-30.jpg

  7. Go back to the Data tab.

  8. Click Filter to test the parameterization.

    Only the 17 employees in the department EN_DOC are returned.

    2023-07-24_14-12-20.jpg

  9. Click Save.

Create a new development role model

Before we can create a role generator, we need to create a development role model for the generator to work on.

The development role model is the role model you work on, prior to activating it (i.e., putting it into production).

  1. Go to Output > Roles.

    2023-07-24_14-16-04.jpg

  2. On the Role Models tab, click Add to create a new development role model.

  3. In the dialog box, click Yes to confirm.

    2023-07-24_14-27-22.jpg

  4. A new development role model is created.

    2023-07-24_14-29-29.jpg
Create a role generator

  1. Go to the Role Generation tab.

  2. Click Add.

  3. Enter a Role Generator Name.

    For this example, we'll call it rg_AD, following the convention rg_TargetSystem.

    2023-07-25_9-43-23.jpg

  4. Click Create.

    2023-07-25_9-42-48.jpg

  5. For the Role Generation Filter, select the HR500_AD_Group_Create[group_include] filter we created earlier.

    2023-07-25_9-50-23.jpg

  6. For the Role Name Column, select the column of the Role Generation Filter which contains the names of the roles to be generated.

    For this example, we'll select the organizational_unit column.

    2023-07-25_10-04-42.jpg

  7. For the Role Member Filter, select the HR500_AD_RoleMembers filter we created earlier.

    2023-07-25_10-08-21.jpg

  8. For the Member Filter Param Value, select the column of the Role Generation Filter whose rows should be iterated through the Member Filter Param Name of the Role Member Filter, to find the target accounts for each role.

    For this example, we'll select the organizational_unit column.

    2023-07-25_10-17-36.jpg

  9. In the Role Groups pane, select the Enabled checkbox for the AD system.

    2023-07-25_10-24-43.jpg

  10. Click Save.

  11. Go to the Members tab.

  12. Click Calculate to preview all role memberships.

    2023-09-13_11-33-39.jpg

  13. Go to the Run tab.

  14. Click Calculate to preview all role & group operations that will be performed.

    2023-07-25_10-32-49.jpg

  15. Click Apply Generator to execute the role generator.

    The development role model is populated with the generated roles and groups.

Verify the role generator's output

  • To verify the roles we generated and their members, go to Output > Roles and click edit-task.png Edit Role Model for the development role model. All generated roles are displayed.

    2023-09-13_11-37-25.jpg

    1. Click Group Membership Reports.

      2023-09-13_14-43-00.jpg

    2. Click Evaluate to ensure the report is up to date.

    3. Click a member, role, or group to see the other objects it's associated with. Click a role to see its groups and members. Click a group to see its roles and members. Or click a member to see its roles and groups.

      For example, here we are viewing the members and groups of the EN_HRTEAM role.

      2023-09-13_14-49-40.jpg
Activate the development role model

To stage our roles for production, we need to activate our development role model.

  1. Go to Output > Roles.

  2. For the current development role model, click task-manual-run.png Activate Development Role Model.

    2023-09-13_12-46-04.jpg

  3. In the dialog box, click Yes to confirm.

    2023-09-13_12-46-48.jpg

  4. The development role model is now the active role model.

    2023-09-13_12-47-21.jpg
Update the HR500_AD job

  1. Go to Output > Jobs.

  2. For the HR500_AD job, click edit-job.png Edit Job.

  3. Go to the Configuration tab.

  4. Click Add.

  5. For this job item, we'll select a type of groupmembership, and for the Name, we'll select AD. We'll set the Threshold to 10000.

    2023-09-13_14-56-22.jpg

  6. Click Save.

  7. Go to the Execution tab.

  8. Click Evaluate.

    39 group updates, with 793 total membership alterations will be performed when this job is executed.

    2023-09-13_14-57-19.jpg
Run the job from the schedule

  1. Go back to Scheduler > Overview.

  2. Click task-manual-run.png Manual Run for the HR500 schedule.

  3. Ideally, the schedule executes successfully, and all group memberships specified in the role model are assigned in AD.

    2023-09-13_14-58-12.jpg
In this section: