
Managing roles

A SuperAdmin can manage the roles of a user, and the permissions those roles contain, from the Roles section of the left menu.

Here, you can:

  • Find predefined and custom roles.
  • Create, update and delete custom roles.

About roles and permissions

Roles are groups of permissions that you can assign to the users in your SIAM platform. A role contains one or more permissions, which offer a granular way of specifying rights of action.

Predefined roles

SIAM provides default roles that you can use to give granular access to users. These roles are created by Signicat to provide you with common groups of permissions that apply to basic cases.

Custom roles

SIAM also lets you define your own custom roles to follow your principles and policies for identity and access management.

Permissions

Permissions encode actions that users can perform on resources in SIAM, such as the ability to view a page or invite other users. To give permissions to users, you assign them roles.

In SIAM, you can assign predefined roles or create new ones depending on the use case.

Predefined roles

When you navigate to the Roles section of the left menu, you can view the predefined roles created for you by SIAM. These are described in the table below:

Creating roles

When you create a new role, you define the scope of actions and operations that users can perform. These are represented as permissions. To create a new role, do the following:

  1. In the Roles section, select + Create new role at the top right.
  2. In the create role page, configure the following:
    • Name: The title of the role.
    • ID: The identifier of the role.
    • Description: Human-readable summary of the role's purpose.
    • Category: The class of the role.
    • Permissions: The set of permissions to include in the scope of this role. Learn more in the Permissions section below.
    • Tags: Labels for you to organise and identify similar roles.
  3. Click Create to create the role with this configuration.

After you create a new role, you can view it in the Roles section and start assigning it to your users.

Assigning roles to users

Roles determine the kind of operations users can perform in the SIAM-managed environment. You can control the scope of a role you assign by deciding whether it applies globally or only at the organisation level (scope).

You can assign, edit or remove roles from users in the Access section of the left menu. To grant a role to an existing user, do the following:

  1. In the Access section, select + Grant access at the top right.
  2. In the "Grant access" menu, configure the following:
    • To assign a role at the global level (across all organisations and hierarchies), tick the Global access box. To limit the scope of the role to a specific organisation, leave the box unticked and choose an organisation under Scope.
    • To select a user, select + Add and select a user.
    • To add roles, select + Add and select the roles to associate with the user.
  3. Click Save to apply the changes.

Note: Users receive an email when you edit their roles. For the new roles to take effect, users must log in again.

Permissions

In SIAM, permissions follow a structured naming convention using the format <signicat>:<ownidp>:<permission>:<CRUD-operation>.

For example, the signicat:ownidp:roles:create permission allows a user to create new roles in SIAM.

To help you understand and apply this model, the tables below describe the different parts of the permission string and how the associated operations work.

CRUD legend matrix

First, the CRUD operations table explains the actions that can be performed on a resource. The CRUD (Create, Read, Update, Delete) acronym in the table below has the following meaning:

Permission components table

The permission components table outlines how the <permission> element defines the scope of a permission. This is matched to most of the CRUD operations in SIAM.
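
The naming convention above lends itself to an automated least-privilege review of a custom role before it is assigned. The following is an added example, not Signicat code: it parses permission strings in the documented format and flags write access to role management. The function names, the lowercase operation spellings, the `users` resource and the choice of `roles` as a sensitive resource are assumptions.

```python
from collections import defaultdict

PREFIX = ("signicat", "ownidp")                    # literal prefix from the page's example
CRUD_OPS = {"create", "read", "update", "delete"}  # assumed lowercase spellings


def parse_permission(perm):
    """Split a permission string into (resource, operation) or raise ValueError."""
    parts = perm.strip().split(":")
    if len(parts) != 4 or any(p == "" for p in parts):
        raise ValueError(f"expected 4 colon-separated parts: {perm!r}")
    if tuple(parts[:2]) != PREFIX:
        raise ValueError(f"unexpected prefix: {perm!r}")
    resource, operation = parts[2], parts[3]
    if operation not in CRUD_OPS:
        raise ValueError(f"unknown CRUD operation: {perm!r}")
    return resource, operation


def review_role(permissions, sensitive_resources=("roles",)):
    """Group a role's permissions by resource; list malformed and risky entries."""
    by_resource, invalid, flagged = defaultdict(set), [], []
    for perm in permissions:
        try:
            resource, operation = parse_permission(perm)
        except ValueError:
            invalid.append(perm)       # does not follow the naming convention
            continue
        by_resource[resource].add(operation)
        if resource in sensitive_resources and operation != "read":
            flagged.append(perm)       # write access to a sensitive resource
    return {
        "by_resource": {r: sorted(ops) for r, ops in by_resource.items()},
        "invalid": invalid,
        "flagged": sorted(set(flagged)),
    }


# Constructed sample: only signicat:ownidp:roles:create appears on the page.
SAMPLE_ROLE = [
    "signicat:ownidp:roles:create",
    "signicat:ownidp:roles:read",
    "signicat:ownidp:users:read",      # hypothetical resource name
    "signicat:ownidp:roles:Create",    # wrong case, rejected
    "signicat:ownidp:roles",           # missing operation, rejected
]

if __name__ == "__main__":
    print(review_role(SAMPLE_ROLE))
```

A role that can create or update roles can widen its own access, so entries under `flagged` deserve a second reviewer before the role is granted, especially with Global access ticked.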