Managing project team access

 

Applies To: Forefront Identity Manager

Managing access to information technology (IT) resources for project teams can be a challenge. Unlike teams that are based on the organizational hierarchy, project teams tend to be much more changeable, often cross organizational boundaries, and require different levels and types of access throughout the project lifecycle.

For example, a project to bring a new product to market might initially involve marketing and design personnel. Engineers would be added to the project to execute the design, quality assurance specialists would be called in to ensure that the product was working as expected, and technical writers would join the team to provide supporting documentation. Finally, as the product moved toward release, marketing personnel would rejoin the project to prepare for the product’s introduction to the marketplace.

In most organizations, these specialists would belong to different organizational teams, reporting to different managers and sometimes even in different business units. The challenge, then, is how to provide each of these specialists the access to IT resources that will enable them to perform their respective roles within the project without exposing those resources to users who do not need them.

Role-based access control (RBAC) simplifies the task of providing access to IT resources by project teams. By grouping access permissions into roles and then assigning those roles to team members as needed, you can more easily manage the access provided to team members throughout the lifecycle of the project. The responsibility for managing this access can be delegated to one or more supervisors, users who have the ability to add or remove project team members, assign and enable roles, and link permissions to roles. Roles can be linked to organizational units (orgunit) that represent the organization of the project itself, or they can be assigned directly to specific team members.

The following are the basic tasks for using BHOLD to manage project team access:

  • Creating a project team

  • Creating project roles

  • Linking a permission to a project role

  • Assigning a role to a team organizational unit

  • Assigning a role to an individual team member

  • Activating a proposed role

Creating a project team

The first step in creating a project team is creating the orgunit structure that represents how the project team itself is structured. Unlike the orgunit hierarchy that represents the structure of your organization, a project orgunit structure is not normally synchronized through Forefront Identity Manager from another identity data store. Instead, a project orgunit structure is most often created and managed directly by using the BHOLD Core portal.

In the case of a small project, it might be necessary to create only a single orgunit. More complex projects would call for multiple orgunits, probably arranged hierarchically. The orgunits could represent groupings of member specialties, project stages, or any other method of organizing the project team that makes sense. It’s important to remember that, while roles will be associated with each orgunit, it’s not necessary to arrange the orgunits by role because roles can be shared across multiple orgunits, either by inheriting the role from a parent orgunit, or by being explicitly linked to an orgunit. Instead, you can arrange orgunits to represent the logical structure of your project and use the roles to control the access of team members within that structure.

Assigning supervisors to the project orgunits and roles allows management of access control for the project to be delegated to team members. This greatly reduces the need for BHOLD administrators to implement the details of the project access control, instead shifting responsibility for the implementation to those who are most familiar with the project’s requirements. Using multiple supervisor roles allows you to ensure that team members are given control over the orgunits and roles for the project areas that they are responsible for.

When you have the orgunit structure in place, the supervisor for each orgunit can then add users to the orgunit. This can be done before or after supervisors have linked roles to the orgunits. If it is done before the orgunits and roles are linked, however, the roles should then be linked as proposed roles so they will not allow access to orgunit members until the project is ready to begin and the roles have been activated by a supervisor.

The following are the essential tasks for creating a project team structure in BHOLD Core:

  • Creating a team organizational unit

  • Adding a team leader

  • Adding team members

Creating a team organizational unit

Every new organizational unit (orgunit) must be created as a member of another orgunit, either the root orgunit that was created when you installed BHOLD Core, or another orgunit that was created later. Orgunits can represent the structure of your company or organization, or they can be used to group users for other purposes, such as controlling user access for a project of limited duration. If a project is within the scope of a particular business unit, you could place it within the orgunit structure of that business unit (perhaps creating it in an orgunit structure specifically created to hold project orgunits), or you could create it in an orgunit structure that is separate from the corporate structure.

As noted earlier, for a simple project, a single orgunit to group team members might be sufficient, while more complex projects will probably require multiple orgunits. You can arrange the orgunits of especially complex projects hierarchically to enable roles to be inherited from parent orgunits. Typically, however, the top-level project orgunit does not inherit roles from its parent, especially if the orgunit is a member of an organizational orgunit; otherwise every role that the organizational parent passes down would also reach the project team.

To create a project organizational unit
  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit in which you want to create a new orgunit.

    Tip

    To quickly locate the parent orgunit, in the Attribute type list, click Description, in Search string, type the parent orgunit name, and then click the Search button.

  3. On the Organizational unit/<orgunit> page, next to Organizational unit structure, click Add.

  4. On the Add organizational unit page, in Description, type the name of the new orgunit, and then in the Organizational unit type list, click the type of the new orgunit.

  5. If you do not want the new orgunit to inherit roles from its parent, clear the Roles from parent check box. Otherwise, leave the check box selected.

    Note

    In most cases, the first orgunit that is created for a project does not inherit roles from its parent.

  6. Click OK.

Adding a team leader

Among the responsibilities of a project team leader is deciding who should be part of the team and how to provide team members with the resources they need to do their jobs. In BHOLD Core, these responsibilities are carried out by performing these tasks:

  • Adding members to the organizational units (orgunits) that represent the project team structure

  • Assigning roles to team members, either directly, through orgunit membership, or by other means

  • Linking necessary permissions to roles

To accomplish these tasks, the team leader must be assigned a role that is a supervisor role for the required project orgunits and roles.

To create a team leader
  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, in Description, type the name of the role, and then click OK.

  4. On the Role/<role> page, click Modify.

  5. On the Modify role attributes/<role> page, select the Supervisor role check box, and then click OK.

  6. On the Role/<role> page, expand Permissions, and then click Modify.

  7. On the Role–permissions/<role> page, in the Application list, click B1, and then click the Search button.

  8. Click Add next to the following permissions:

    • Bhold OrgUnit Owner

    • Bhold Role Owner

    • Bhold User Roles

    These permissions provide complete control over the orgunits and roles that are supervised by this role. You should consider using more precise permissions to restrict the team leader’s ability to take inappropriate actions. You may also want to provide additional permissions if the team leader will be responsible for supervising other elements of the BHOLD role model. For information about the permissions required to perform various tasks in BHOLD, see BHOLD Core permissions in BHOLD Core technical reference.

  9. Click Done.

  10. On the Role/<role> page, expand Users, and then click Modify.

  11. On the Role–users/<role> page, in the Attribute type list, click Description, in Search string (Users), type the name of the team leader to be linked to the supervisor role, and then click the Search button.

    Tip

    To list all users, leave Search string (Users) empty.

  12. Under UnLinked Users, click Add next to the name of the team leader you want to add to the supervisor role, and then click Done.

  13. On the Role/<role> page, expand Supervision, expand Supervised organizational units, and then click Modify.

  14. On the Supervised organizational units/<role> page, in Attribute type, click Description, in Search string (Orgunits), type the name of the orgunit that you want to be supervised by the supervisor role, and then click the Search button.

    Tip

    To list all orgunits, leave Search string (Orgunits) empty.

  15. Under UnLinked Orgunits, next to each of the orgunits you want to be supervised by the role, click Add, and then click Done.

    Note

    If you add an orgunit that contains other orgunits, BHOLD Core removes the member orgunits from the list of unlinked orgunits because the member orgunits inherit the supervision role from the parent orgunit.

  16. On the Role/<role> page, expand Supervision, expand Supervised roles, and then click Modify.

  17. On the Supervised roles/<role> page, in the Attribute type list, click Description, in Search string (Roles), type the name of the role you want to be supervised by the team leader, and then click the Search button.

    Tip

    To list all roles, leave Search string (Roles) empty.

  18. Under UnLinked Roles, next to each role that you want to be supervised by the team leader, click Add.

  19. Click Done.

Adding team members

An essential step in creating a project team is, of course, adding members to the team. In the case of BHOLD Core, this means adding members to the organizational units (orgunits) that represent the structure of the project team. This can be done immediately after the orgunits have been created, or it can be done later in the process of configuring the BHOLD role model for controlling project team access. Note that if you add users to the orgunits before creating and linking permissions to project roles, you should link the project roles to the orgunits as proposed roles and activate them only when they are actually needed. Also, because membership roles are always effective (activated) roles, you should use care when linking project permissions to membership roles.

In the most common case where project team members are members of the larger organization, BHOLD Core will already contain user objects for those team members. In such cases, all that’s necessary to add team members to the project is to add existing users to the project team orgunits.

To add an existing user to an organizational unit
  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit in which you want to add a user.

  3. On the Organizational unit/<orgunit> page, expand Users, and then click Modify.

  4. On the Organizational unit – Users/<orgunit> page, in the Attribute type list, click the attribute you want to use to locate the user you want to add to the orgunit, in Search string (Users), type the user’s description (name) or default alias, and then click the Search button.

    Tip

    To display all users, leave Search string (Users) empty when you click the Search button.

  5. Under UnLinked Users, next to the user you want to add to the orgunit, click Add.

  6. When you have finished adding users to the orgunit, click Done.

Creating project roles

When you create an organizational unit (orgunit) to manage project team access, BHOLD Core automatically creates a role and links it to the orgunit. All users who belong to the orgunit then receive the permissions that are subsequently linked to this so-called membership role. Because a membership role is always effective, any permission you link to it is granted to the orgunit's members immediately. In addition to using membership roles to manage project team access, you can create additional roles that can be linked to project orgunits or directly to project team members. Regardless of how the role is linked, the process for creating a role is effectively the same in all cases.

For more information about creating and using roles, see Managing roles in this guide.

To create a project role

  1. In the BHOLD Core portal, in the left pane, under Model, click Roles.

  2. On the Roles page, click Add.

  3. On the Add role page, enter the following information, and then click OK:

    Description (required)
      The name of the new role. Tip: Use a naming convention that indicates the type of role. If this is a membership role, use a prefix that distinguishes it from the default membership role. For example, if you are creating a project membership role, you could prefix the name of the role with PMR-. If the role will be linked directly to individual users, you could prefix it with PUR- (for project user role).

    Supervisor role (optional)
      Identifies the new role as a supervisor role. When this is selected, the role appears in lists of supervisor roles. Ordinarily, this box is not selected for a project team role because supervisor roles are separate from project roles.

    Orgunit context adaptable (optional)
      Specifies that the role will be linked to a context adaptable permission (CAP). For more information, see Managing context adaptable permissions in this guide.

    Supervising role (required)
      The name of the role whose users can manage the new role, such as the team leader's supervisor role.

    Maximum number of permissions (optional)
      The highest number of permissions that can be linked to the new role. Leave blank or set to 0 for unlimited permissions.

    Maximum number of Subroles (optional)
      The highest number of roles that can be subordinate to the new role. Leave blank or set to 0 for unlimited subroles.

    Maximum number of users (optional)
      The highest number of users that can be linked to the new role. Leave blank or set to 0 for unlimited users.

    Role type (optional)
      A label that you can use to search for this role, such as the project name.

    Managed by FIM (optional)
      Enter Yes to specify that this role is managed by FIM.

Linking a permission to a project role

The principal purpose of a role is to bring together users who should share a particular set of rights in one or more applications. In the BHOLD role model, these rights are represented as permissions, and these permissions are assigned to users by linking them to roles that are, in turn, linked to the users who are to receive the permissions.

For information about creating and managing permissions, see Managing permissions in this guide.

To link a permission to a project role

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role to which you want to assign a permission.

  3. On the Role/<role> page, expand Permissions, and then click Modify.

  4. On the Role–permissions/<role> page, in the Application list, click the application that the permission belongs to, in Search string (Permissions), type the name of the permission, and then click the Search button.

    Tip

    To display all the permissions for an application, leave Search string (Permissions) empty when you click the Search button.

  5. In the Unlinked Permissions list, click Add next to the permission you want to assign to the role, and then click Done.

Assigning a role to a team organizational unit

One method of assigning project roles is to link the role to an organizational unit (orgunit), so that all team members who belong to the orgunit automatically receive the permissions that are linked to that role. When you link a role to an orgunit, you can specify whether the role is effective immediately or a proposed role that must be activated later by a supervisor (such as a team leader). If the orgunit already contains users, you should consider linking the role as a proposed role to ensure that the members of the orgunit do not receive the permissions linked to the role until the role is activated.

To assign a role to an organizational unit

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. On the Organizational units page, click the orgunit which you want to link to a role.

  3. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  4. On the Organizational unit–roles/<orgunit> page, in Search string (Roles), type the role’s description (name), and then click the Search button.

    Tip

    To display all roles, leave Search string (Roles) empty when you click the Search button.

  5. In the UnLinked Roles list, next to the role you want to assign to the orgunit, click Add.

  6. Under Link role, in the Relation type list, click Effective to assign the role immediately to the orgunit, or click Proposed to require approval of the role assignment to the orgunit.

  7. To allow the role to be inherited by member orgunits, select the Children inherit this role check box.

  8. To limit the amount of time that the role is linked to an orgunit, do the following:

    1. In the Relation type list, click Proposed.

    2. In the Duration type list, click Hours or Days to specify the units you will use to specify the duration.

    3. Select the Duration fixed check box.

    4. In Duration length, type the number of hours or days you want the role to be effective for the orgunit.

  9. Click Add, and then click Done.

Assigning a role to an individual team member

In some projects, the responsibilities of an individual team member might not align precisely with the structure represented by the project organizational units (orgunits). For example, if there is an orgunit representing product designers who are responsible for maintaining design documents, there might also be an engineer in the marketing department who is authorized to modify a subset of those design documents. In that case, instead of adding the marketing engineer to the product designers orgunit, it would be better to assign the marketing engineer a role that grants permission to modify only the appropriate set of documents.

To assign a role to a user

  1. In the BHOLD Core portal, in the left pane, click Roles.

  2. On the Roles page, click the role you want to assign.

  3. On the Role/<role> page, expand Users, and then click Modify.

  4. On the Role – Users/<role> page, in the Attribute type list, click Description, in Search string (Users), type the user’s description (name), and then click the Search button.

    Tip

    To display all users, leave Search string (Users) empty when you click the Search button.

  5. Under UnLinked Users, next to the user you want to assign to the role, click Add, and then click Done.

Activating a proposed role

If you linked a role to an organizational unit (orgunit) as a proposed role, the role does not grant any permissions to users in the orgunit until a supervisor activates it. Activation is therefore the point at which project access actually becomes live, so it should be done by the supervisor responsible for that orgunit and only when the project is ready to begin.

To activate a proposed role

  1. In the BHOLD Core portal, in the left pane, click Organizational units.

  2. In the Organizational units list, click the orgunit for which you want to activate a role.

  3. On the Organizational unit/<orgunit> page, expand Roles, and then click Modify.

  4. On the Organizational unit–roles/<orgunit> page, expand Roles, next to the role you want to activate, click Activate, and then click Done.
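The portal procedures above describe a set of rules that determine what a team member can finally do: membership roles are always effective, a top-level project orgunit normally has Roles from parent cleared, a role linked to an orgunit with Children inherit this role flows down to member orgunits, a proposed link grants nothing until it is activated, and a supervisor role's scope over an orgunit extends to that orgunit's members. The following Python model is an added example, not part of the original page and not BHOLD's own code or API; it reimplements those rules so you can see which permissions a user ends up with at each stage. The orgunit tree (Corp, Marketing, Widget, Design), the role names (PMR-WidgetDocs, PMR-DesignEdit, PUR-MarketingEngineer, SUP-Widget, SUP-Marketing), the users alice and mia, and the permission strings are constructed sample data. One assumption is marked in the code: that inheritance chains through intermediate orgunits when each of them has Roles from parent set.

```python
"""Toy resolver for the role model this page describes (orgunits, membership
roles, inherited roles, proposed vs. effective links, direct user links and
supervisor scope). Illustrative reimplementation, not BHOLD's own code."""
from dataclasses import dataclass, field


@dataclass
class OrgUnit:
    name: str
    parent: "OrgUnit | None" = None
    roles_from_parent: bool = True      # the "Roles from parent" check box
    members: set = field(default_factory=set)
    role_links: dict = field(default_factory=dict)  # role -> {"state", "children_inherit"}


@dataclass
class Role:
    name: str
    permissions: set = field(default_factory=set)
    users: set = field(default_factory=set)      # roles linked directly to users
    supervised_orgunits: set = field(default_factory=set)


class RoleModel:
    def __init__(self):
        self.orgunits, self.roles = {}, {}

    def add_role(self, name, *perms):
        self.roles[name] = Role(name, set(perms))
        return self.roles[name]

    def add_orgunit(self, name, parent=None, roles_from_parent=True, members=()):
        ou = OrgUnit(name, self.orgunits[parent] if parent else None,
                     roles_from_parent, set(members))
        self.orgunits[name] = ou
        # BHOLD creates a membership role for each orgunit; it is always effective.
        self.add_role("MEM-" + name)
        ou.role_links["MEM-" + name] = {"state": "effective", "children_inherit": False}
        return ou

    def link_role(self, orgunit, role, proposed=False, children_inherit=False):
        self.orgunits[orgunit].role_links[role] = {
            "state": "proposed" if proposed else "effective",
            "children_inherit": children_inherit}

    def supervises(self, sup_role, orgunit):
        """Supervision of an orgunit also covers its member orgunits (step 15 Note)."""
        ou = self.orgunits[orgunit]
        while ou is not None:
            if ou.name in self.roles[sup_role].supervised_orgunits:
                return True
            ou = ou.parent
        return False

    def activate(self, sup_role, orgunit, role):
        # A proposed link grants nothing until a supervisor in scope activates it.
        if not self.supervises(sup_role, orgunit):
            raise PermissionError(f"{sup_role} does not supervise {orgunit}")
        self.orgunits[orgunit].role_links[role]["state"] = "effective"

    def effective_roles(self, orgunit, inherited_only=False):
        # Own effective links, plus the parent's links flagged "Children inherit
        # this role" when "Roles from parent" is set (assumption: this chains upward).
        ou = self.orgunits[orgunit]
        roles = {r for r, l in ou.role_links.items() if l["state"] == "effective"
                 and (l["children_inherit"] or not inherited_only)}
        if ou.roles_from_parent and ou.parent is not None:
            roles |= self.effective_roles(ou.parent.name, inherited_only=True)
        return roles

    def permissions(self, user):
        """Everything the user holds: direct role links plus orgunit roles."""
        roles = {r.name for r in self.roles.values() if user in r.users}
        for ou in self.orgunits.values():
            if user in ou.members:
                roles |= self.effective_roles(ou.name)
        return set().union(*(self.roles[r].permissions for r in roles))


def build_project_model():
    # Constructed sample: a corporate tree plus a "Widget" project tree.
    m = RoleModel()
    m.add_orgunit("Corp")
    m.add_orgunit("Marketing", "Corp", members=["mia"])
    m.add_orgunit("Widget", "Corp", roles_from_parent=False)   # top project orgunit
    m.add_orgunit("Design", "Widget", members=["alice"])
    m.add_role("CorpIntranet", "intranet:read")
    m.link_role("Corp", "CorpIntranet", children_inherit=True)
    m.add_role("PMR-WidgetDocs", "designdocs:read")
    m.link_role("Widget", "PMR-WidgetDocs", children_inherit=True)
    m.add_role("PMR-DesignEdit", "designdocs:write")
    m.link_role("Design", "PMR-DesignEdit", proposed=True)     # wait for go-live
    m.add_role("PUR-MarketingEngineer", "designdocs:write:spec").users.add("mia")
    m.roles["MEM-Design"].permissions.add("wiki:design")       # membership role: live now
    m.add_role("SUP-Widget").supervised_orgunits.add("Widget")
    m.add_role("SUP-Marketing").supervised_orgunits.add("Marketing")
    return m


def walkthrough():
    m = build_project_model()
    before = m.permissions("alice")                        # proposed role not yet live
    rejected = not m.supervises("SUP-Marketing", "Design")   # wrong supervisor, out of scope
    m.activate("SUP-Widget", "Design", "PMR-DesignEdit")    # scope inherited from Widget
    return before, rejected, m.permissions("alice"), m.permissions("mia")
```

Running walkthrough() shows alice holding only designdocs:read (inherited from the Widget link) and wiki:design (from the always-effective membership role) until the Design supervisor activates PMR-DesignEdit; SUP-Marketing cannot activate it because Design is not under any orgunit it supervises; and mia receives intranet:read through Marketing's inheritance from Corp plus her directly linked PUR- role, while alice gets nothing from Corp because Widget has Roles from parent cleared. That last point is the practical reason for the Note in step 5 of creating a project orgunit: clearing the check box is what keeps organizational roles from leaking into the project tree.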
