Role Wizard User Stories

Last modified 24 Jan 2024 09:47 +01:00

The main business reason for role wizard is to provide user interface to business users and application engineers for self-service the role engineering where possible and enable cooperation with IGA administrators.

1. Audience and usage

The role wizard should be used as standard interface for creation and management of roles (business roles or application roles). It should be used by business users, technical IT staff and by IGA administrators.

Business roles should be defined/modified mainly by business users - e.g. business managers/project managers or such positions - who manage people and their access. The content of these roles can be easily explained in business language.

The application roles are more technical. These roles should be defined by technical staff - e.g. application engineers with greater support of IGA administrators.

1.1. Role wizard

The role wizard should be used for creation of new roles, but the same screens should be used also for modification of existing roles.

The main difference is that while creation of new role the wizard navigates user step-by-step over the panels, and while modification, the user just select panel (tile) with the configuration part.

The role wizard must balance complexity of role definition options provided by midpoint with ease to use by expected audience. If the interface is too complicated for business users or technical IT staff, the wizard can omit specific elements that are not used very often. IGA administrator, or even the user should have option to switch to advanced (our standard) interface for performing such modification.

Display and modification of existing role should be performed also using the wizard panels. The existing screen with tiles (configure governance/configure members/go to role) that is displayed at the end of this wizard can be such starting point. User can start on such screen with tiles and select option he needs to modify.

Proposal of panel structure and information provided by role screen is provided in role screen - panels page

2. User-stories: Self-service, no approvals

In this basic set of user stories, there are no approvals defined for role engineering. Anybody with sufficient access rights can create/modify/delete roles.

No lifecycle management is being performed. All roles are created in Active lifecycle state.

2.1. Create new business role

User story

AS a business user
I WANT TO create new business role and set access to multiple applications there
SO THAT I can start assigning this role for people in my organization (project) instantly.

Acceptance criteria
  1. MidPoint provides interface for creation of business role

  2. MidPoint is preconfigured to create business role in "Active" lifecycle state

  3. User creates business role (fills in basic details and configures access) that can be used immediately for assignment to users

Story details

Engineer preconfigured midpoint to create roles in lifecycle state "Active".

Business user performs all operations.

  1. Business user opens roles view and starts New business roles wizard.

  2. Panel Basics. Business user enters:

    1. Name of the business role, description and other attributes defined by engineer

    2. Selects role owner (selects user - like related objects, no relation mentioned)

    3. Clicks Next

  3. Panel Access. Business user selects roles that will be induced to the business role.

    1. He can filter the roles by archetype (not only application roles)

    2. He can search for the role

    3. Roles are listed in list, not in tile design, because there is a lot of roles

    4. Doesn’t need to select any role (The business role may be created as empty shell. Doesn’t make sense now, but later in some use-cases yes)

    5. Clicks button "Save" in wizard.

Role is created. Midpoint opens the new role - panel Overview. User can review the role. Role is created in Active lifecycle state and is prepared for assigning to users.

2.2. Create new business role and assign members

User story

AS a business user
I WANT TO create new business role, set access to multiple applications and assign the role to my users
SO THAT the users get the access instantly.

Acceptance criteria
  1. MidPoint provides interface for creation of business role

  2. MidPoint is preconfigured to create business role in "Active" lifecycle state

  3. User creates business role (fills in basic details and configures access) that can be used immediately for assignment to users

This one-step configuration and also assignment of the role may be confusing users, as they may mix process for role creation and assignment, and they will be creating new roles instead of just assigning existing ones. But for smaller environments without approvals it may be ok.
Story details

Steps are the same as in previous user story Create new business role. At the end, newly created business role is prepared and opened. Business user then:

  1. switches to panel Members and assigns users.

  2. saves the modification

Actually midPoint creates assignments on user objects without necessity to save changes. This is confusing.
Compare the operation with creation of inducements or assignments in the role. Very similar GUI, different behavior.
See All modifications of role should be applied only after Save button user story.

2.3. Allow different archetypes of inducements in business role

User story

AS a business user or IGA administrator
I WANT TO add different archetypes of roles or services to business role
SO THAT the business role can contain another business roles, or IT roles or any other type of role or service.

Acceptance criteria
  1. Panel "Access definition" of role wizard allows inducing any archetype of role into business role, even roles without archetype. It allows inducement of services as well.

    • Engineer can specify set of object types and archetypes in configuration

  2. User should be able to create inducements in iterations.

    • E.g. add some set of roles, filter other archetype, select roles of that archetype, add, then search for another role + add. And save the role when finished.

    • User should be able to review list of inducements prior saving role

  3. Access definition panel should display roles in list not tiles by default. There are too many roles for tiles.

2.4. Allow inducements of services with relation in business role

Midpoint can assign objects with relations. To avoid role explosion we can utilize relations in inducements. So we can create inducements with relations in business roles. Role wizard should support it.

User story

AS a business user or IGA administrator
I WANT TO add services with relations to the business role
SO THAT the business role can induce services with relations.

Acceptance criteria
  1. Midpoint provides option for configuration of services, that defines set of relations by which the particular service or service archetype can be assigned (e.g. Service "Shared folder X" can be assigned as "reader","writer", "manager").

    • Midpoint allows to define this option to archetype. Roles of specific archetype will have defined set of relations that can be used in assignments/inducements.

  2. Panel "Access definition" of role wizard allows inducing services with default or specific relations into the business role.

    • The relations should be defined only if the service definition/archetype requests it

    • Each object can have different relation, so the relation is selected only after the application is selected

  3. As concept of relations is not well understood by end-users, the relations should be displayed only when explicitly allowed by engineer. Not by default.

  4. When such business role is assigned to a user, the user obtains role with the relation defined in the business role.

  5. Selection of service is preceding the selection of relation.

The configuration of relations should be allowed for roles as well (e.g. AppABC:User assigned with relation "remote-access").
Story details

When preconfigured by engineer, the business user is able to create new inducement with relation in Access definition panel in a following way:

  1. User selects roles/applications to be included as inducements in role

  2. When the user hits the button "add" or "save", midpoint checks if some of the services (or roles) are not defined with relation allowed. If yes, then

    • midpoint opens modal window with display of all services that require/allow relation definition.

    • User selects relation from predefined set for each service/role. Each service can have different set of relations - depends on archetype definition.

    • User adds the defined inducements by "add" or "save" buttons

2.5. Creation of new application role (TODO)

Not finalized yet.

2.6. Cooperation of multiple users in role engineering

Definition of new role is seldom just work of one person. Midpoint should provide interface for cooperation of multiple users in preparing the role. The process is often iterative, as not all details are known each time.

This user story describes step Tune and review candidate role from Role design process.

This user story requires lifecycle states to be applied.

User story

AS an IGA administrator,
I WANT TO review role prepared by business user and modify it when needed,
SO THAT the role can be safely implemented.

Acceptance criteria
  1. Midpoint provides interface where multiple users can perform modification of role definition prior role is being applied to production life

  2. IGA Administrator is able to identify roles that are in the "Tune and review stage".

    • This can be done for new roles by setting role lifecycle state to "Proposed"

  3. IGA Administrator (user with specific authorization) can move the role to Active state.

Open for discussion:

  1. Midpoint provides option for users to add notes what to be done in the role definition

  2. Midpoint provides track of who and when modified which component of the role

2.7. Review of impact

Role assignments and inducements can be complex and modifications of the role definition can affect multiple users. It is important if user knows what will be affected by the changes.

We need to display the changes according the knowledge of the audience. Business user can’t read detail technical description as IGA administrator.

User story

AS a business user who created or modified role,
I WANT TO know what will be affected by my changes of the role (e.g. when I added new app role to the business role),
SO THAT I will know who will get more access and understand business impact of the change.

Acceptance criteria
  1. Midpoint provides interface for business user to review business impact of the role creation/modification (who will get new access, where will be the access removed)

Story details
  1. When role is being modified, the business user can start "Review business impact" action.

  2. Midpoint performs simulation and displays simulation report, but in "business terminology". Only assignment and unassignment of roles to users will be shown.

    • who will get new access

    • where the access will be removed

2.8. Simulate application of the role

Role assignments and inducements can be complex and modifications of the role definition can affect multiple users. It is important if user knows what will be affected by the changes.

We need to display the changes according the knowledge of the audience. IGA administrator can see full simulation.

User story

AS a IGA administrator who perform/review modification of a role,
I WANT TO see all changes that will be induced by application of the change to the environment SO THAT I can understand the technical impact of the change.

Acceptance criteria
  1. Midpoint provides interface (simulation) for IGA administrator to review impact of role creation/modification

  2. The option for simulation is available to users with specific privilege

Story details
  1. When role is being modified, the IGA administrator can start "Simulate application of the role" action.

  2. Midpoint performs simulation and displays simulation report.

2.9. Create a copy of role

Roles are often similar. Especially application roles. It would be much easier if author of the application role could use copy-and-modify attitude while creating new role.

User story

AS a business user or IT engineer who wants to create new role
I WANT TO create a copy of existing role when I’m creating a similar role (e.g. multiple application roles for an application),
SO THAT I don’t need to perform full configuration of the role. This can save time and avoid errors.

Acceptance criteria
  1. Midpoint allows creation copy of the role in "Draft" so the new role can be modified and created.

  2. New role is created without copying members.

2.10. Approval policy selection

Setting approver for role is complex. It is often not only 1 person. Existing user interface, where just approvers are selected is not useful for setting such approval policies by business users.

User story

AS a business user creating a new role
I WANT TO just select approval policy from predefined list,
SO THAT I don’t have to learn how to select multiple approvers.

User story

AS a IGA engineer
I WANT TO prepare set of approval policies (e.g.: 1, 2, 3-step approval),
SO THAT I minimize possibility of errors while defining approvers by business users.

Acceptance criteria
  1. Instead of just selecting approver midPoint enables selection of approval policy object from predefined approval policies.

  2. Midpoint should be delivered with some set of predefined default approval policies in initial objects.

  3. Midpoint can define also approval policy automatically while saving of the object - based on some attribute values (e.g. role risk level)

2.11. Application role: Define new group object in role wizard

Actual role wizard allows selection from existing resource entitlements (e.g. LDAP groups). These groups must exist already while creating roles. MidPoint can also create the group objects on resources, just wizard should allow this. This increases application deployment speed if new group does not have to be created prior role definition.

User story

AS an application engineer preparing new roles for my new application controlling access via LDAP groups,
I WANT TO define new LDAP group name when granting entitlements in role wizard,
SO THAT I don’t have to request creation of the LDAP group by LDAP team.

Acceptance criteria
  1. The application role wizard should allow definition of new resource object name while granting entitlements

  2. The new resource object should be created only when the role is switched to production

2.12. Application role: Access to multiple applications

Although it is not the pattern we would recommend, an application role can provide access to multiple applications. E.g. read access to some internal applications can be provided via internal_apps AD group. Role wizard should support creation of application role accessing multiple applications.

It is easy - just allowing multiple inducements in the role wizard.

User story

AS an application engineer preparing new application role,
I WANT TO define application role that manages access to multiple applications,
SO THAT I can define the application access the way how to it should be.

Acceptance criteria
  1. Application role wizard should allow multiple inducements in the role wizard.

    • It would be better if there is some checkbox "manage access to multiple applications" provided and only then you can select more apps.

3. Modification of roles

Midpoint should provide option also for controlled modification of the role. The role being modified can be still in production and its members may change automatically. The role modification may be instant (e.g. change of the description), or may take some time.

If the modification is not instant, midPoint should provide graphical information of what is being modified and identification of the role that is being modified. Midpoint should provide option to graphically display what is being modified prior it is applied.

The modification should be performed via the same interface as new role creation.

4. User-stories: Controlled self-service, approvals

In many environments, approvals by specific users are required when roles are created or modified.

4.1. Create new business role (with approval)

User story

AS a business user
I WANT TO create new business role and set access to multiple applications there
SO THAT I start assigning this role for people in my organization (project) when the role is approved.

Acceptance criteria

GIVEN defined application roles that are needed for accessing applications
WHEN the business user creates the role in wizard (fill in basic details and configure access), sends the new role for approval and the creation of the role is approved,
THEN the business user obtains notification of new role being created and can start assigning the role to his users.

4.2. Create new business role and assign members (with approval)

User story

AS a business user
I WANT TO create new business role, set access to multiple applications and assign the role to my users
SO THAT the users get the access instantly when the role is approved.

Acceptance criteria

GIVEN defined application roles that are needed for accessing applications,
WHEN the business user creates the role in wizard (fills in basic details, configures access and configures members), sends the new role for approval and the creation of the role is approved,
THEN the business user obtains notification of new role being created, and the access for assigned users is active since the role was approved.

As written above, this one-step configuration and also assignment of the role may be confusing users, as they may mix process for role creation and assignment.

4.3. Rejection of request - business user

User story

AS a business user who created role and sent it to approval
I WANT TO NOT create new role when my request is rejected because of some errors,
SO THAT I can just correct the errors and send the role for approval again.

4.4. Rejection of request - Approver

User story

AS an approver of role creation,
I WANT TO be able to approve the role, return the role back to requester to correct some details, or fully reject the role request creation (may be done in 2 steps)
SO THAT I can handle the role creation request correctly.

4.5. Approval of role modification. Case should relate to the role.

When the role is in production, its modification may be approved.

5. Additional user-stories: Visibility

5.1. See all roles to approve

User story

AS a IGA administrator or Role manager
I WANT TO see all roles that are in DRAFT (or similar state)
SO THAT I can clearly see which roles have to be approved.

Acceptance criteria
  1. MidPoint should provide specific view where IGA administrator can see all roles in DRAFT (or similar state).

  2. MidPoint should provide action buttons in that view that allows controlled and consistent operations over the objects in the view.

5.2. See all inactive roles

User story

AS a IGA administrator
I WANT TO see all roles that are invalidated (e.g. lifecycleState in (deprecated, archived, failed))+ SO THAT I can perform cleanup of old roles.

Acceptance criteria
  1. MidPoint should provide specific view where IGA administrator can see all roles defined lifecycleState.

  2. MidPoint should provide action buttons in that view that allows controlled and consistent operations over the objects in the view.

5.3. All modifications of role should be applied only after Save button

Midpoint actually performs assignments of role on user objects. No saving is necessary. But for modification of attributes save is necessary. This is confusing to users who do not understand midpoint well. User can’t revert some operations.

User story

AS a business user or IGA operator
I WANT TO have all operations I perform on the role to be applied only when I hit Save button
SO THAT I can verify the impact that my operation will have on environment and I can revert it.

Acceptance criteria

All operations on the role (modification of attribute values, new assignments, inducements, new assignments of the role to role members) are applied only after Save button.

6. Lifecycle state management

User stories including lifecycle state management of roles.

6.1. New role in draft, switch to active

6.2. Decommissioning of active role

Was this page helpful?
YES NO
Thanks for your feedback