Role Wizard Design Notes

Last modified 27 Mar 2023 22:05 +02:00

This document contains my (Martin) notes for updating role wizard after testing actual role wizard in MP development version: v4.7devel-635-g0fe5635b86

1. Role wizard - business role

The wizard should be designed for business users to be able to create and modify business roles as containers of (mainly) application roles.

To provide the users consistent environment, the wizard should provide user interface not only for creation of new roles but also for modification of the roles.

The option for using role wizard also for modification of the role will not be part of 4.7, because of time constrains. But I would keep it in design for future. Just to provide end-user only one environment - not one for creation and another for modification.

1.1. Draft mode

When role is created using role wizard, it should be created by default in "DRAFT" mode (lifecycleState = Draft). It means, that no assignments of the role are active. They start to be active only when lifecycleState is switched to Active state by relevant user (approver or IDM administrator).

The switch to Active state can be performed by button "Activate" on the role page. See role screen.

1.2. Pages

The role wizard should consist of following screens (or pages, don’t know what name is better):

Step 1: Basic role setting page

The user enters here all role attributes.
All necessary attributes should be visible by default - defined in business role archetype. IDM engineer should be able add-remove additional attributes.

Step 2: Role configuration page

This is "splitter page". The user should be able to configure different apects of the role. After configuring each aspect, the user gets back to this page.
The role configuration page should provide access to:

  • Role content page (current name: access page)

  • Role governance page

  • Role Members page

That is all. Nothing more is needed. The "Go-to role panel" doesn’t make sense here.

1.3. Buttons - navigation

Basic role setting page
  • Save → bottom of the page. Go to Role configuration page.

  • Cancel wizard → End of wizard without saving.

Role configuration page
  • Save → End of wizard with saving of the data. Midpoint stays in the view where user started.

  • Save & Go to role → End of wizard with saving of the data. Midpoint opens the newly created role.

  • Cancel wizard → End of wizard without saving.

Role content page / Role governance page / Role Members page
  • Save → Saves the changes and go back to Role configuration page.

  • Cancel wizard → End of wizard without saving. The whole wizard. No new changes are done.

1.4. Buttons - other:

Role content page

Here I would allow also other archetypes of roles and also services directly, if IDM engineer allows it.

Business reason: the business role may contain also other business roles (not often but may happen), some roles not being of different archetypes may be included too, and most important - some services may be assigned directly to business roles.

Role governance page

Hide "relation" in choosing assignment page.
Hide search bar on the page - no need to use it. There will be small numbers of users listed here.

  • Assign owner

  • Assign approver

No need to have another buttons here. Unassignment is easy and straightforward. Actions button doesn’t make sense here.

If assignment with new specific relation should be designed, the engineer should be able to configure new button here (idea for the future, no need to have it in 4.7).

Role members page
  • Assign members → adding of members

  • Unassign members → removal of members

Create only assignments with relation = member here. Hide the relation field and hide CSV export button from window "Select objects". The CSV export doesn’t make sense here and there is also bug (MID-8493 - lock GUI).

Avoid generation of task for removal of members - doesn’t make sense here. Members are added directly, so also removal should be done directly. The task configuration starts when there are no users selected. In this case just display notification "No members selected to be removed."

Role screen

In the role page (role screen), there should be button allowing easy activation of the role. The activation can be performed by changing value of lifecycleState from Draft to Active, but users are used to perform operations using buttons. It is much more intuitive and easy to follow.

  • Activate role → switches role lifecycleState from Draft to Active

The button should be visible to users with relevant authorizations.

1.5. Attributes in Basic role setting page

Following fields (role attributes) should be visible by default in the business role definition:

  • name

  • environment

  • description

  • requestable

  • Delegable

  • Risk level

  • jpeg photo (this should be named as role Icon)

DisplayName attribute should normally have null or the same value as name attribute of the role. Therefore should not be shown.

IDM engineer should be able to configure default values for specific fields (requestable, delegable, Risk level,..).

Computed name attribute

Name attribute may be filled in by creator, or may be computed based on values of other attributes. This is useful in deployments where MP manages multiple environments. name attributes does not allow duplicities, so IDM engineers should create generation of name attribute from e.g. applicationName attribute and environment attribute.

This doesn’t need to be part of midpoint default configuration. Just MP must allow engineers to configure displayed fields to hide name attribute, display another one instead and compute the name attribute based on different values.

Schema extension
  • role should be extended of environment attribute

Should be role extended also by applicationName attribute ? This name can be used if there are duplicities of role names in different environments. Name attribute should be computed based on this attribute.
Or should we use just displayName attribute for this ?

2. Role wizard - application role

The wizard should be designed mainly for users who are technicians, but not IAM specialists.

Not finished yet.