<association>
    <ref>ri:group</ref>
    <outbound>
        <strength>strong</strength>
        <expression>
            <value xsi:type="c:ShadowAssociationType">
                <shadowRef oid="fb7a61ee-382e-44a3-bef2-a1e78b6cf39b" type="c:ShadowType"/>
            </value>
        </expression>
    </outbound>
</association>
Open Questions for Role management
1. Assignment policies
We should somehow handle the definition of auto-assignment policies in the GUI. Are users able to define such policies? Are users able to read such policies? At least the IGA admin should be able to do it via the user interface.
Policies that are easy to use and easy to see can be defined by inducing the business role to the ORG. This would be easily readable and manageable by end users. Can we include it in the user interface? Wouldn't it be too complicated? Is the "included in" panel enough?
2. Easier selection of role owner
Creating a role owner is quite complicated now. For many users, the owner is just an attribute value. Additionally, sometimes we would like the "manager of the OU" to be the owner of the business role. The wizard should handle this somehow.
3. Remove assign manager
For roles, assigning a manager doesn't make sense.
4. Management of governance users
Management of governance users should not be asynchronous. We are managing a small number of objects on this page. Asynchronous page updates are confusing here.
5. Consistent design of selection of related objects
We should have the same design for selecting related objects. We have multiple different patterns in one wizard:
- Application selection - tiles - just the tile with the application name is selected
- Governance - when empty
  - Assign manager/Owner/Approver - tiles - selection from list of users - asynchronous
- Governance - when anything filled in
  - Button "Assign users" - additional tile for selection of manager/owner/approver - and then selection from list - asynchronous.
- Configure members - Assign users button - selection from list of users in modal window
- Configure provisioning - resources - selection from list of resources - but not in modal window
- Configure provisioning - grant entitlements - selection from list of entitlements - not in modal window (but it could be the same as selection of members - and there is modal window there)
6. Application role: Name of the group instead of shadow OID
Some role definitions are part of the project design and their configuration is stored in Git. When a role is stored in Git and relates to a specific object, the association should not be created using shadowRef with an OID like this:
Such a group can't be moved between environments easily.
The question is whether we should change the configuration of the role generated by the role wizard, or whether we should provide some notes for engineers.
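For the "notes for engineers" option, a repository check can flag associations that point at their target by shadow OID before the role definition is committed. The following is an added example, not code from the role wizard or from midPoint; the sample role document is constructed around the association quoted on this page, and the function names are hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a minimal role wrapping the association quoted on this page.
SAMPLE_ROLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>sample-application-role</name>
  <inducement><construction>
    <association>
      <ref>ri:group</ref>
      <outbound><strength>strong</strength><expression>
        <value xsi:type="c:ShadowAssociationType">
          <shadowRef oid="fb7a61ee-382e-44a3-bef2-a1e78b6cf39b" type="c:ShadowType"/>
        </value>
      </expression></outbound>
    </association>
  </construction></inducement>
</role>"""


def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to element names."""
    return tag.rsplit("}", 1)[-1]


def find_pinned_associations(role_xml):
    """Return (association ref, shadow OID) for each association that
    points at its target through a shadowRef with a literal oid."""
    findings = []
    for assoc in ET.fromstring(role_xml).iter():
        if local(assoc.tag) != "association":
            continue
        ref = next((e.text.strip() for e in assoc
                    if local(e.tag) == "ref" and e.text), "?")
        for el in assoc.iter():
            if local(el.tag) == "shadowRef" and el.get("oid"):
                findings.append((ref, el.get("oid")))
    return findings


if __name__ == "__main__":
    # With file arguments, scan those files (e.g. from a pre-commit hook); otherwise scan the sample.
    docs = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_ROLE]
    hits = [h for d in docs for h in find_pinned_associations(d)]
    for ref, oid in hits:
        print(f"association {ref} is pinned to shadow OID {oid}")
    sys.exit(1 if hits else 0)
```

The script exits non-zero when any association is pinned to an OID, so it can gate a commit or a CI job on role files kept in Git.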
7. ORG as inducement in role.
Can a business role contain an ORG as an inducement?
Do we have a business case for this?
Should the role wizard provide such options?