Every RiskVision user needs a role in order to establish privileges in the system. The Roles page is shown only if you have the System User Manage permission. A user with no assigned role cannot log in, because they lack permission to view or edit anything. RiskVision includes a set of default roles, and organizations may define their own.
Because roles defined in the external directory may not apply to RiskVision, the system lets you specify a default role instead of using the role attribute from the external directory. Also, the user attribute that specifies the user's role in the organization is probably not named "role" in an LDAP directory. For example, it might be the "memberOf" attribute.
A role that has the System User Manage permission allows a user to view the Login Integration page to manage authentication parameters, external roles, and the external user attributes.
To specify role policy:
- In the Administration application, go to Administration > SAML Configuration and click the Authentication tab.
- Click Edit at the upper-right corner of the Authentication tab.
- To use the external directory's role attribute when a user is imported or automatically created, choose Yes for the question Map external role. To use a default RiskVision role rather than the role attribute in the external directory, choose No.
- If you chose Yes for Map external role, specify the External role attribute name.
- Specify a default RiskVision role, such as Questionnaire Responder, to use either all the time (if you chose No for Map external role) or when no role mapping is available.
- Click Save to update the policy, or Cancel to exit without saving changes.
To convert external directory roles to RiskVision roles, you will need to specify a mapping, even if the role names are the same. External roles can be mapped to zero, one, or more RiskVision roles. For example, the LDAP-defined role "IT Analyst" might be mapped to RiskVision roles "Questionnaire Responder" and "Technical Analyst."
When no mapping exists--either because the external user does not have a role, or because the role is not found in the RiskVision mapping table--the new RiskVision user is created with the default role specified by role policy.
To manage role mapping:
- In the Administration application, go to Administration > SAML Configuration, and click the External Roles tab.
- Click Edit at the upper-right corner of the External Roles tab.
- The External Roles list on the left must include every role that you expect to map. Click New External Role to add additional role names. To delete invalid external roles, click the role to select it, then click Delete External Role.
- To assign an external role to a RiskVision role, click the external role to select it, then check the box next to each RiskVision role it should map to.
This role mapping only affects the initial, automatic mapping when a user is automatically created or imported from an external directory. Any user's roles can be adjusted at any time.
- Click Save to update the role mappings, or Cancel to exit without saving changes.
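The role policy and role mapping described above decide which users end up with the default role, so it is worth checking that before an import. The following is an added example, not RiskVision code: it models the documented resolution rules and reports which directory users would fall back to the default role. The class and function names are hypothetical, the sample data is constructed, and it assumes external role values are compared as plain names exactly as they appear in the mapping table, and that a role mapped to zero RiskVision roles also falls back to the default.

```python
# Added illustration with hypothetical names; not RiskVision code.
from dataclasses import dataclass

@dataclass
class RolePolicy:
    map_external_role: bool        # the "Map external role" Yes/No choice
    external_role_attribute: str   # e.g. "memberOf"
    default_role: str              # e.g. "Questionnaire Responder"
    mapping: dict                  # external role -> zero, one or more roles

def resolve_roles(policy, user_attrs):
    """Return (roles, reason) for a user being created or imported."""
    if not policy.map_external_role:
        return {policy.default_role}, "mapping disabled"
    external = user_attrs.get(policy.external_role_attribute) or []
    if isinstance(external, str):  # single-valued attribute
        external = [external]
    roles = set()
    for name in external:
        roles.update(policy.mapping.get(name, ()))
    if roles:
        return roles, "mapped"
    # Assumption: a role mapped to zero RiskVision roles also falls back.
    reason = "no external role" if not external else "no mapping found"
    return {policy.default_role}, reason

def audit_default_fallback(policy, users):
    """List the users who would receive the default role, and why."""
    report = {}
    for login, attrs in users.items():
        _, reason = resolve_roles(policy, attrs)
        if reason != "mapped":
            report[login] = reason
    return report

# Constructed sample data
POLICY = RolePolicy(True, "memberOf", "Questionnaire Responder", {
    "IT Analyst": ["Questionnaire Responder", "Technical Analyst"],
    "Contractor": [],
})
USERS = {
    "alice": {"memberOf": ["IT Analyst"]},
    "bob": {"memberOf": ["Finance"]},
    "carol": {},
    "dave": {"memberOf": "Contractor"},
}

if __name__ == "__main__":
    for login, why in audit_default_fallback(POLICY, USERS).items():
        print(f"{login}: default role ({why})")
```

Every login in the report receives whatever the default role grants, which is a reason to keep the default role at the lowest privilege that still lets those users work.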