Managing applications


Applies To: Forefront Identity Manager

The essential purpose of role-based access control (RBAC) is to provide a framework for controlling user access to information technology (IT) resources by classifying users according to the roles they play in an organization and then providing users access based on those classifications. These IT resources are under the control of operating systems and applications, which are ultimately responsible for controlling user access to these resources. BHOLD Core associates user roles with application-specific permissions; the applications that control access to IT resources interpret those permissions and apply them by using their own access-control mechanisms.

A simple example of this process uses Active Directory Domain Services (AD DS). AD DS provides security groups that operating systems and applications can use to determine which users can access a given IT resource. When you enroll AD DS as an application in BHOLD Core, you can create permissions for AD DS that are then provisioned as security groups in AD DS by using Forefront Identity Manager (FIM) to synchronize the BHOLD permissions with AD DS.

In summary, BHOLD Core classifies users according to roles and associates application-specific permissions with those roles. The application interprets those permissions and grants access to users with those permissions by using the application’s own access-control mechanisms.

For detailed information about creating and managing permissions, see Managing permissions in this guide.

All activities in this topic require the BHOLD Core portal. For information about using the BHOLD Core portal to administer BHOLD Core, see Using the BHOLD Core portal in this guide.

The following are the basic tasks for managing an application:

  • Adding an application

  • Managing application attributes

  • Managing application supervisor roles

  • Managing user aliases

Adding an application

By adding an application to BHOLD Core, you are, in effect, specifying a scope for permissions that will be linked to roles in the BHOLD role model.

Because applications can use different methods to identify users, you can specify how to construct a user alias for an application by using BHOLD object attributes. BHOLD uses this formula to construct each user’s alias when the user is assigned a permission for the application. If no formula is specified for the application, the BHOLD Default Alias user attribute is used instead.

For example, if the application identifies a user by using the user’s email address, you can specify [User.Email] as the alias formula for the application. You can use more than one attribute, and you can use additional characters, such as text or a backslash (\), in the formula. Note that square brackets ([ and ]) are used to delimit attribute names and so are reserved characters that cannot appear as literal text in the formula.

  1. In the BHOLD Core portal, in the left pane, click Applications.

  2. On the Applications page, click Add.

  3. On the Add application page, in Description, type the name of the application, such as Active Directory.

  4. In Parameter, type an abbreviation for the application name, such as AD.

  5. In the Protocol list, click the protocol that BHOLD uses to communicate with the application.

  6. To create an optional alias formula for the application, do the following:

    1. In the Object type list, click an object you want to use to provide a value when the formula is calculated.

      The attribute name appears in Alias Formula enclosed in square brackets ([ and ]).

    2. To add other attributes, repeat the previous step.

    3. In Alias Formula, type additional text as needed to construct the formula.

  7. To add a supervising role, in the Supervising role list, click the name of the role you want to supervise the application.

  8. Click OK.

Managing application attributes

You can change the attributes of an application at any time. To modify the supervisor roles for the application, see Managing application supervisor roles.

To change the attributes of an application

  1. In the BHOLD Core portal, in the left pane, click Applications.

  2. On the Applications page, click the application you want to change.

  3. On the Application/<application> page, click Modify.

  4. On the Edit application attributes/<application> page, change the attribute you want to modify, and then click OK.

Managing application supervisor roles

An application must be assigned a supervisor role. By default, the Default Supervisor Role is assigned to an application when it is created, but additional supervisor roles can be added and removed as needed.

To add a supervisor role to an application

  1. In the BHOLD Core portal, in the left pane, click Applications.

  2. On the Applications page, click the application you want to change.

  3. On the Application/<application> page, expand Supervision, expand Supervisor roles, and then click Modify.

  4. On the Application–supervisors/<application> page, in the Role list, click the supervisor role you want to add to the application, click Add, and then click Done.

To remove a supervisor role from an application

  1. In the BHOLD Core portal, in the left pane, click Applications.

  2. On the Applications page, click the application you want to change.

  3. On the Application/<application> page, expand Supervision, expand Supervisor roles, and then click Modify.

  4. On the Application–supervisors/<application> page, next to the supervisor role you want to remove from the application, click Remove, and then click Done.

Managing user aliases

When you add an application to BHOLD Core, you can define a formula that BHOLD uses to automatically create user aliases for the application. In cases where such a formula does not produce the correct alias (for example, if the user’s alias is changed within the application itself and that change is not synchronized back to BHOLD Core), you can directly specify an alias for the user.
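The alias formula syntax described under Adding an application, and the directly specified per-user alias described in the paragraph above, can be illustrated with a small evaluator. The following is an added Python example, not BHOLD code and not part of the BHOLD Core portal: the [Object.Attribute] token syntax, the literal text and backslash, the reserved square brackets, and the fallback to the Default Alias attribute follow the text of this topic, while the dictionary layout, the attribute names User.Email and User.SamAccountName, the CONTOSO domain, and the rule that a directly specified alias takes precedence over the formula result are assumptions made for this illustration.

```python
import re

# Attribute references in a formula are written as [Object.Attribute];
# because [ and ] delimit the attribute name, they are reserved characters.
ATTRIBUTE_TOKEN = re.compile(r"\[([A-Za-z0-9_.]+)\]")


def evaluate_alias_formula(formula, attributes):
    """Expand an alias formula against one user's attribute values.

    Tokens such as [User.Email] are replaced from `attributes` (a dict keyed
    by the dotted attribute name); everything outside the brackets, including
    literal text and backslashes, is copied unchanged. A reference to an
    attribute the user does not have raises KeyError so that a partial alias
    is never produced; a stray bracket raises ValueError.
    """
    def substitute(match):
        name = match.group(1)
        value = attributes.get(name)
        if value in (None, ""):
            raise KeyError(f"user has no value for attribute {name}")
        return str(value)

    result = ATTRIBUTE_TOKEN.sub(substitute, formula)
    if "[" in result or "]" in result:
        raise ValueError("square brackets are reserved for attribute names")
    return result


def formula_is_valid(formula, attributes):
    """True when `formula` expands cleanly for the given attribute values."""
    try:
        evaluate_alias_formula(formula, attributes)
        return True
    except (KeyError, ValueError):
        return False


def resolve_alias(user, application):
    """Return (alias, source) for `user` in `application`.

    Precedence, as assumed for this illustration: an alias specified directly
    for the user and application wins; otherwise the application's alias
    formula is evaluated; otherwise the user's Default Alias attribute is used.
    """
    explicit = user["aliases"].get(application["parameter"])
    if explicit:
        return explicit, "explicit"
    formula = application.get("alias_formula")
    if formula:
        return evaluate_alias_formula(formula, user["attributes"]), "formula"
    return user["default_alias"], "default alias"


# Constructed sample data: three enrolled applications and two users.
APPLICATIONS = {
    "AD": {"description": "Active Directory", "parameter": "AD",
           "alias_formula": r"CONTOSO\[User.SamAccountName]"},
    "MAIL": {"description": "Mail system", "parameter": "MAIL",
             "alias_formula": "[User.Email]"},
    "HR": {"description": "HR system", "parameter": "HR",
           "alias_formula": None},
}

USERS = {
    "alice": {
        "default_alias": "alice",
        "attributes": {"User.SamAccountName": "alice",
                       "User.Email": "alice@contoso.example"},
        "aliases": {},
    },
    # Bob's mail alias was changed inside the mail system and then specified
    # directly in BHOLD, so the formula result is overridden for that application.
    "bob": {
        "default_alias": "bob",
        "attributes": {"User.SamAccountName": "bob",
                       "User.Email": "bob@contoso.example"},
        "aliases": {"MAIL": "robert.smith@contoso.example"},
    },
}


if __name__ == "__main__":
    for user_name, user in USERS.items():
        for app in APPLICATIONS.values():
            alias, source = resolve_alias(user, app)
            print(f"{user_name:6} {app['parameter']:5} {alias:32} ({source})")
```

Running the script prints one line per user and application showing which rule produced the alias. The formula_is_valid check is the kind of test an administrator would want before saving a formula: it reports a formula that references an attribute the user has no value for, or one that contains a bracket outside an attribute reference, which is exactly the situation in which the alias must be specified directly for the user.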

To specify a user alias for an application

  1. In the BHOLD Core portal, in the left pane, click Users.

  2. On the Users page, click the user that you want to specify an application-specific alias for.

    Tip

    To locate a specific user, in Attribute type, click the user attribute you want to use to locate the user, in Search string, type the string you want to search for, and then click the Search button.

  3. On the User/<user> page, expand Aliases, and then do one of the following:

    • If no alias is listed for the application, do the following:

      1. Click Add.

      2. On the User–add aliases/<user> page, in the Application list, click the application you want to define the alias for, and then, in Alias, type the user’s application-specific alias.

        Note

        The Alias field will contain the user’s default alias, if any.

      3. Click OK.

    • If there is already an alias for the application, do the following:

      1. Click Modify.

  2. On the User–modify aliases/<user> page, next to the application name, type the user’s new alias for the application, and then click OK.

See also