4.3 Default roles
You can set default roles for each group. These roles are automatically assigned to any new account added to the group, both on user account creation and when moving a user account to a different group.
Note: Previous versions of MyID automatically added the PasswordUser and Cardholder roles to every person account created where there were no default roles set by membership of a group; from MyID 11.6, however, this is no longer the case. Any person created receives the default roles specified by their group membership. By default, groups inherit the default roles from their parents, and the Root group is assigned the PasswordUser and Cardholder roles to replicate the previous behavior; you can edit the default roles for the Root group if necessary.
4.3.1 Default roles example
Assume your system has the roles Help Desk, System, Manager, and Cardholder.
Create a group called Administrators with a parent group of Root. Add System, Manager and Cardholder as the available roles for the group, then add System and Cardholder as the default roles.
Create a new subgroup called Admin North beneath the Administrators group. The new subgroup inherits System, Manager and Cardholder as the available roles for the group, and inherits System and Cardholder as the default roles.
Add a new account John Smith to the Admin North group. This account is automatically assigned the System and Cardholder roles; you can also choose to add the Manager role if necessary by editing the user's record.
You cannot assign the Help Desk role to John Smith, as the group's permissions do not allow it.
Edit the Admin North group to change the default roles to System, Manager and Cardholder.
Add a new account Jane Jones to the Admin North group. This account is automatically assigned the System, Manager and Cardholder roles.
Note, however, that the John Smith account still has only the System and Cardholder roles: changing the default roles for a group does not affect the roles of existing users within the group.
4.3.2 Setting up default roles
To set up default roles:
- From the People category, select Add Group.
- Type the Group name and Description.
- Select the Parent Group.
- Click the Roles box to select which roles will be available to users in this group.
Note: If you do not select any roles, 0 Role(s) is displayed in the box; this means that users in this group may have any role. See also section 4.2.2, Setting a group to inherit roles for details of inheriting roles.
- Click the Default Roles box to select which roles will be assigned by default to users who are added to this group.
  - If you select the Inherit Roles option, the default roles from the parent group are inherited. However, these roles are inherited only at the point of setting the option; if the default roles for the parent group subsequently change, this does not affect the child group.
  If there are no explicit default roles set up for the parent group or any of its ancestors up to and including Root, the system default roles of Cardholder and PasswordUser are assigned instead. These roles are also assigned if you select the Inherit Roles option when editing the Root group.
  - If you deselect the Inherit Roles option, you can set the default roles for the group manually. You can change these default roles to any of the available roles for the group. If the default roles for the parent group change, this does not affect the child group.
  - If you deselect the Inherit Roles option, then deselect all of the roles in the list, the group is configured to inherit default roles from its parent, and a link is created between the group and its parent – if you change the default roles for the parent group, the child group's default roles are changed accordingly.
  Note: If you have created a link to a parent group by deselecting all of the roles, and subsequently save the child group without again deselecting all of the roles, the link between the child and parent is broken, and the inherited default roles are converted into an explicit list of default roles.
  If you want to set up the group to have no default roles, you must deselect the Inherit Roles option, deselect all of the roles in the list, then do the same for its parent group and all of its ancestors up to and including Root.
  Note: If you deselect all the default roles for the Root group, any of its child groups that are linked to their parent do not lose their default roles; instead, the list of default roles they previously inherited through the link is changed to be an explicit list of default roles. However, the link between the child group and its parent is broken, and setting default roles for the parent no longer affects the child group.
- Click OK.
- Click Save to create the group.
Note: You can also amend which roles are available to a group using the Amend Group workflow.
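The following Python model is an added illustration of the default-role behaviour described in sections 4.3.1 and 4.3.2; it is not MyID code and does not reflect how MyID stores groups internally. It assumes three states for a group's default roles: an explicit list, a live link to the parent (created by deselecting every role), and the Inherit Roles option modelled as a one-time copy of the parent's effective defaults. The group and person names, and the empty available-role set meaning "any role", follow the text above.

```python
from dataclasses import dataclass, field
from typing import Optional

# Roles the guide says the Root group carries by default from MyID 11.6 onwards.
SYSTEM_DEFAULT_ROLES = frozenset({"Cardholder", "PasswordUser"})


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = field(default=None, repr=False)
    available: frozenset = frozenset()             # empty means "0 Role(s)": any role allowed
    explicit_defaults: Optional[frozenset] = None  # None means linked to the parent's defaults
    children: list = field(default_factory=list, repr=False)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)
            if not self.available:                 # a new subgroup inherits the available roles
                self.available = self.parent.available

    def permits(self, role: str) -> bool:
        return not self.available or role in self.available

    def effective_defaults(self) -> frozenset:
        """Follow links towards Root; if no explicit list exists anywhere, use the system defaults."""
        g = self
        while g is not None:
            if g.explicit_defaults is not None:
                return g.explicit_defaults
            g = g.parent
        return SYSTEM_DEFAULT_ROLES

    def set_default_roles(self, roles) -> None:
        """Save the group with Inherit Roles deselected and exactly these roles ticked."""
        roles = frozenset(roles)
        not_available = {r for r in roles if not self.permits(r)}
        if not_available:
            raise ValueError(f"{sorted(not_available)} are not available roles of {self.name}")
        if roles:
            self.explicit_defaults = roles         # explicit list: parent changes no longer follow
        elif self.parent is not None:
            self.explicit_defaults = None          # every role deselected: link to the parent
        else:
            # Root with every role deselected: linked children keep what they inherited,
            # now as an explicit list, and the link to Root is broken.
            for child in self.children:
                if child.explicit_defaults is None:
                    child.explicit_defaults = child.effective_defaults()
            self.explicit_defaults = frozenset()

    def inherit_roles_option(self) -> None:
        """Inherit Roles ticked: copy the parent's defaults once; later parent changes do not follow."""
        source = self.parent.effective_defaults() if self.parent else SYSTEM_DEFAULT_ROLES
        self.explicit_defaults = source


@dataclass
class Person:
    name: str
    group: Group = field(repr=False)
    roles: set = field(default_factory=set)


def add_person(name: str, group: Group) -> Person:
    # Defaults are copied at creation time; later changes to the group do not touch the account.
    return Person(name, group, set(group.effective_defaults()))


def assign_role(person: Person, role: str) -> None:
    if not person.group.permits(role):
        raise PermissionError(f"{role} is not an available role of {person.group.name}")
    person.roles.add(role)


def walkthrough() -> dict:
    """Replays the example in section 4.3.1 and returns the resulting role sets."""
    root = Group("Root", explicit_defaults=SYSTEM_DEFAULT_ROLES)
    admins = Group("Administrators", root, frozenset({"System", "Manager", "Cardholder"}))
    admins.set_default_roles({"System", "Cardholder"})
    north = Group("Admin North", admins)            # new subgroup: linked to its parent
    north_defaults_before = set(north.effective_defaults())
    john = add_person("John Smith", north)
    try:
        assign_role(john, "Help Desk")             # not among the group's available roles
        help_desk_refused = False
    except PermissionError:
        help_desk_refused = True
    north.set_default_roles({"System", "Manager", "Cardholder"})
    jane = add_person("Jane Jones", north)
    return {"north_defaults_before": north_defaults_before, "john": john.roles,
            "help_desk_refused": help_desk_refused, "jane": jane.roles}


def clear_root_defaults_demo() -> dict:
    """The 4.3.2 note: clearing Root's defaults converts linked children to explicit lists."""
    root = Group("Root", explicit_defaults=SYSTEM_DEFAULT_ROLES)
    staff = Group("Staff", root)                    # constructed group, linked to Root
    root.set_default_roles(set())
    root.set_default_roles({"Cardholder"})          # the child no longer follows Root
    return {"root": set(root.effective_defaults()), "staff": set(staff.effective_defaults())}
```

Running `walkthrough()` reproduces the section 4.3.1 outcome: John Smith keeps System and Cardholder after Admin North's defaults change, while Jane Jones receives all three. The distinction between `explicit_defaults = None` (a live link) and a copied list is what makes the Inherit Roles option and the deselect-all link behave differently in the model.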
4.3.3 Known issues
- IKB-307 – Default roles may attempt to exceed the maximum scope that can be assigned due to the operator's scope
This is prevented in the MyID Operator Client, but when you click Save in MyID Desktop you may see an error similar to:
Supplied logon name is invalid. Please enter a new logon name.
Open the Select Roles dialog, then click the Advanced button and ensure that the scope for all of the roles is permitted; scope settings beyond your own operator scope are grayed out, but may have been automatically selected by the scope of the group's default role settings. Fix the scope settings, click OK, then try to save the person's record again.
If you import a person from a directory automatically, for example using Request Card, you are not presented with the opportunity to change the person's roles; to fix the scope, use the Edit Person workflow.
4.3.4 Synchronizing with LDAP
If you synchronize a user with LDAP, and this changes their group, the following actions occur:
- If there are any roles in the user's new group that are not permitted by the user's new role, these roles are removed.
- If there are any default roles in the user's new group that the user does not have already, these roles are added, using the default scope defined for the group.
Note: LDAP linked roles take precedence over MyID group role restrictions. Do not apply role restrictions in a system that uses LDAP linked roles.
- These actions are audited.
These actions apply to synchronizations carried out through the Batch LDAP Sync tool or through the Background update option.
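The reconciliation described for an LDAP-driven group change, as an added Python illustration rather than MyID's own synchronization code. It reads the first action as "roles the user holds that the new group does not make available are removed", treats an empty available-role set as "any role", and records an audit entry per action; the role names, scope labels and the user record are constructed sample data.

```python
def sync_group_change(user_roles: dict, new_group_available: frozenset,
                      new_group_defaults: frozenset, group_default_scope: str):
    """Reconcile a user's roles after an LDAP sync moved the user to a new group.

    user_roles maps role name -> scope. Returns (updated roles, audit entries).
    """
    roles = dict(user_roles)
    audit = []
    # 1. Remove roles the new group does not permit (empty set means any role is allowed).
    for role in sorted(roles):
        if new_group_available and role not in new_group_available:
            del roles[role]
            audit.append(f"LDAP sync: removed role {role} (not available in new group)")
    # 2. Add the new group's default roles the user lacks, with the group's default scope;
    #    roles the user already holds keep their existing scope.
    for role in sorted(new_group_defaults):
        if role not in roles:
            roles[role] = group_default_scope
            audit.append(f"LDAP sync: added default role {role} with scope {group_default_scope}")
    return roles, audit


def example():
    # Constructed sample: a Help Desk user moved by LDAP into an Administrators-style group.
    user_roles = {"Help Desk": "Self", "Cardholder": "Self"}
    new_group_available = frozenset({"System", "Manager", "Cardholder"})
    new_group_defaults = frozenset({"System", "Cardholder"})
    return sync_group_change(user_roles, new_group_available, new_group_defaults, "Group")
```

Because defaults are only added for roles the user does not already hold, the existing Cardholder role keeps its original scope in the sample rather than being reset to the group default.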