Standard roles in PRIME
The standard package of Identity Manager provides a set of predefined standard roles that can be used as is or adapted to your requirements. This table lists the standard roles and what rights they have in Identity Manager Admin and Identity Manager Operator respectively.
Role | Description | Rights | Technical reference |
---|---|---|---|
Bootstrap administrator | Does the initial configuration of Identity Manager. | Identity Manager Admin: All | BaseRoleBootstrapAdmin |
Policy administrator | A user in Identity Manager. | Identity Manager Admin: All | BaseRolePolicyAdmin |
Service administrator | Makes configurations in Identity Manager, such as: | Identity Manager Admin: No | BaseRoleServiceAdmin |
Registration officer | Manages “target” users and identities, who are targets (or objects) of credential management actions. | Identity Manager Admin: No | BaseRoleRegistrationOfficer |
Approver | Approves card production. | Identity Manager Admin: No | BaseRoleOfficer |
Card production administrator | | Identity Manager Admin: No | BaseRoleProductionAdmin |
Issuing authority | Activates and issues the card to the requester/user. | Identity Manager Admin: No | BaseRoleIssuingAuthority |
User administrator | | Identity Manager Admin: Roles, User Administration | BaseRoleUserAdmin |
Helpdesk | | Identity Manager Admin: No | BaseRoleHelpdeskOfficer |
Self-service user | | Identity Manager Admin: No | BaseRoleSelfServiceUser |
Self-service visitor | | Identity Manager Admin: No; Identity Manager: No | BaseRoleSelfServiceVisitor |
Batch sync | A role used for automatic batch synchronization of identities with external sources such as Active Directory. This role cannot be assigned to persons; it is used only for this purpose. For the batch synchronization to work, the following entry must be set in the system.properties file of the Identity Manager main client: batchSync.permissionRole=BaseRoleBatchSync | Identity Manager Admin: No; Identity Manager: No | BaseRoleBatchSync |
Pre-login user | This role has the permission to execute a process before login, for example, to reset a password. | Identity Manager Admin: No; Identity Manager: No | BaseRolePreloginUser |
Data administrator | Creates and manages variables for two data pools in Identity Manager | Identity Manager Admin: No; Identity Manager: No | BaseRoleDataAdministrator |