Role Manager

 

 

 

The Role Manager module is used to publish, create, and manage roles, including permission management and provisioning rules.

 


This module functions outside the realm of the normal permissions hierarchy.  It can be viewed by any user with membership in the Site Administrators, Security Administrators, or Dashboard Management site-level roles, regardless of the permissions assigned to the tab on which the module is placed.  For more information on the roles referenced in this section, please see the role-based security topic.  Administrative users can configure additional module settings by clicking the button.


 

For a complete understanding of the various levels and types of roles and a primer on pasPortal security, please consult the role-based security topic before designing or modifying security roles.

 

All Site Administrators and Security Administrators have the ability to modify both site-level and dashboard-level roles.  Dashboard Management users, by contrast, can manipulate dashboard-level roles in dashboards where they have explicit Dashboard Admin rights.

 

Adding New Roles

 

To add a new role, users click either the green (dashboard-level) or red (site-level) add button, which opens the role editor with the new role template.  The user then only needs to supply a role name that is unique at the level being created and press save.

 

Editing Existing Roles

 

To edit an existing role, administrative users click the edit button, which opens the role editor with the edit role template, where they can change the name of the role.

 

NOTE: System roles will not have the edit button present and do not allow changes, even by Site Administrators, as they are protected roles required for the operation of the system.

 

Managing Role Membership

 

Clicking either the green (dashboard-level) or red (site-level) permission button on a role opens the role membership editor.  From here an administrative user can view membership in any role and, depending on their permission level, assign users to roles by selecting one or more accounts in the account drop-down and clicking the button.  Users can be removed from roles by clicking the button next to their name.

 

Managing Role Provisioning Rules

 

Role provisioning rules allow for the automatic assignment of users to roles when they sign in using claims-based Single Sign On.  Incoming claims are matched against the rules associated with the roles, and when a rule matches, an automatic role assignment is made.  This allows security to be delegated outside the system to the administrators of a local Active Directory environment.

 

To manage role rules, click the role rules icon (the torn page) next to the role to author rules for.  This opens the list of active role rules.  From here administrative users can add, edit, or delete role rules by clicking the add, edit, and delete buttons.

 

Role rules have the following attributes:

 

Origin: This claim will be appended to the incoming claim set by the system to uniquely identify the system of origin.

Claim Type: This is the well-known name, in URL notation, of the claim type to match.

Claim Value: This is the value of the claim to match.

 

A single role may have many role rules associated with it, but as a protective mechanism certain system protected roles do not allow assignment via role rules and, as such, will not display a role rule editor.
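
The rule matching described above, shown as an added Python example that is not pasPortal's own code: it evaluates a sign-in's claims against role rules and shows why the system-appended Origin claim and the protected-role exclusion matter when reviewing rules. It assumes exact, case-sensitive comparison of origin, claim type and claim value; the RoleRule class, the provision_roles function, and all origins, group names and role names are hypothetical.

```python
from dataclasses import dataclass

GROUP = "http://schemas.xmlsoap.org/claims/Group"  # claim type in URL notation

@dataclass(frozen=True)
class RoleRule:  # hypothetical shape: the three rule attributes plus the target role
    role: str
    origin: str
    claim_type: str
    claim_value: str

def provision_roles(origin, claims, rules, protected_roles=frozenset()):
    """Return the sorted roles granted to one sign-in.

    origin: the origin claim attached by the system for the issuing system;
            it is never read from the incoming claims themselves.
    claims: (claim_type, claim_value) pairs presented at sign-in.
    """
    presented = set(claims)
    granted = set()
    for rule in rules:
        if rule.role in protected_roles:
            continue  # protected roles are never assigned through rules
        if rule.origin != origin:
            continue  # rule was authored for a different system of origin
        if (rule.claim_type, rule.claim_value) in presented:  # exact match (assumption)
            granted.add(rule.role)
    return sorted(granted)

# Constructed sample data: origins, groups and role names are placeholders.
CORP = "https://adfs.corp.example/adfs/services/trust"
PARTNER = "https://sts.partner.example/trust"
RULES = [
    RoleRule("Finance Viewers", CORP, GROUP, "FIN-Readers"),
    RoleRule("Dashboard Editors", CORP, GROUP, "BI-Authors"),
    RoleRule("Dashboard Editors", PARTNER, GROUP, "Analysts"),
    RoleRule("Protected System Role", CORP, GROUP, "FIN-Readers"),
]
PROTECTED = frozenset({"Protected System Role"})

if __name__ == "__main__":
    # Corporate user in both groups: two roles, the protected role is skipped.
    print(provision_roles(CORP, [(GROUP, "FIN-Readers"), (GROUP, "BI-Authors")], RULES, PROTECTED))
    # Same group name asserted by another origin: no rule matches.
    print(provision_roles(PARTNER, [(GROUP, "FIN-Readers")], RULES, PROTECTED))
```

Because the origin is part of every match, a group name that happens to exist in a second identity provider does not grant the role unless a rule was authored for that origin.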

 


Copyright © 2024 pasUNITY, Inc.

 
