Role Wizard User Stories
This document contains business view for usage of Role wizard after testing actual role wizard in MP development version: v4.7devel-635-g0fe5635b86
The main business reason for role wizard is to offload IDM team in the process of role engineering. The easy-to-use user interface can help in transferring of part of role engineering activities to end-users.
1. Audience and usage
The role wizard should be used as standard interface for creation and management of roles for business users and technical staff who are not specialized in IDM. Secondary, it can be helpful for new IDM administrators, to speed up the adoption of midPoint.
By business users in this case are meant business managers who will create and modify business roles.
By technical staff in this case are meant IT engineers or application administrators who are configuring application roles.
The role wizard should be used for creation of new roles. If the user interface is not so similar to role wizard, that user’s don’t take the wizard as different interface, it should be used also for modification of existing roles. User-storis for modification of roles is not defined here, as the role wizard is planned only for creation of roles in 4.7.
| One unhandled situation - when business user required creation of new role and the creation of role is rejected → must be modified. Then the user needs to go to different user interface - without wizard. |
2. Environments
The role engineering process can be implemented in different forms in midPoint. Whether the role engineering process requires approvals or not affects the use cases.
3. User-stories: Full self-service, no approvals
There are no approvals defined for role engineering or assignment (modification of role owners or . Anybody with sufficient access rights can create/modify/delete roles.
3.1. Create new business role
- User story
-
AS a business user
I WANT TO create new business role, set access to multiple applications there,
SO THAT I can start assigning this role for people in my organization (project) instantly. - Acceptance criteria
-
GIVEN defined application roles that are needed for accessing applications,
WHEN the business user creates the role in wizard (fills in basic details and configures access),
THEN the role is created and the business user can start assigning the role to the users.
3.2. Create new business role and assign members
- User story
-
AS a business user
I WANT TO create new business role, set access to multiple applications and assign the role to my users
SO THAT the users get the access instantly. - Acceptance criteria
-
GIVEN defined application roles that are needed for accessing applications,
WHEN the business user creates the role in wizard (fills in basic details, configures access and configures members),
THEN the role is created and already assigned to users.
| This one-step configuration and also assignment of the role may be confusing users, as they may mix process for role creation and assignment, and they will be creating new roles instead of just assigning existing ones. But for smaller environments without approvals it may be ok. |
3.3. Create a copy of role
- User story
-
AS a business user or IT engineer who wants to create new role
I WANT TO create a copy of existing role when I’m creating a similar role (e.g. multiple application roles for an application),
SO THAT I don’t need to perform full configuration of the role, can save time and avoid errors.
3.4. Modification and Deletion of roles
Users will need also modify and delete roles. At this moment modification is not part of the design of role wizard.
4. User-stories: Controlled self-service, approvals
In many environments, approvals by specific users are required when roles are created or modified.
4.1. Create new business role (with approval)
- User story
-
AS a business user
I WANT TO create new business role and set access to multiple applications there
SO THAT I start assigning this role for people in my organization (project) when the role is approved. - Acceptance criteria
-
GIVEN defined application roles that are needed for accessing applications
WHEN the business user creates the role in wizard (fill in basic details and configure access), sends the new role for approval and the creation of the role is approved,
THEN the business user obtains notification of new role being created and can start assigning the role to his users.
4.2. Create new business role and assign members (with approval)
- User story
-
AS a business user
I WANT TO create new business role, set access to multiple applications and assign the role to my users
SO THAT the users get the access instantly when the role is approved. - Acceptance criteria
-
GIVEN defined application roles that are needed for accessing applications,
WHEN the business user creates the role in wizard (fills in basic details, configures access and configures members), sends the new role for approval and the creation of the role is approved,
THEN the business user obtains notification of new role being created, and the access for assigned users is active since the role was approved.
| As written above, this one-step configuration and also assignment of the role may be confusing users, as they may mix process for role creation and assignment. |
4.3. Rejection of request - business user
- User story
-
AS a business user who created role and sent it to approval
I WANT TO NOT create new role when my request is rejected because of some errors,
SO THAT I can just correct the errors and send the role for approval again.
4.4. Rejection of request - Approver
- User story
-
AS an approver of role creation,
I WANT TO be able to approve the role, return the role back to requester to correct some details, or fully reject the role request creation (may be done in 2 steps)
SO THAT I can handle the role creation request correctly.
5. Additional user-stories: Visibility
5.1. See all roles to approve
- User story
-
AS a IDM administrator or Role manager
I WANT TO see all roles that are in DRAFT (or similar state)
SO THAT I can clearly see which roles have to be approved. - Acceptance criteria
-
GIVEN Specific view
WHEN Opens the view with the roles in DRAFT (or similar state)
THEN He can process the roles.
5.2. See all inactive roles
- User story
-
AS a IDM administrator
I WANT TO see all roles that are invalidated (e.g. lifecycleState in (deprecated, archived, failed))+ SO THAT I can perform cleanup of old roles. - Acceptance criteria
-
GIVEN roles in different states
WHEN IDM administrator select roles with defined lifecycleState
THEN he can delete the roles, if other specific system configuration allows that.