This screen provides detailed information relating to the Permissions assigned to a Role in KIM.
The Role Lookup screen is accessible directly off the Rice Administration menu by clicking Role in the Identity section.
Click the Granted to Roles field on the Document Configuration screen to display the Role Lookup screen. You can also access the Role Lookup screen by clicking a Granted to Roles value in any list where it appears.
This screen may have three or four tabs of information, depending on the Role. The first three tabs are Overview, Permissions, and Responsibilities. KIM only displays the fourth tab, Assignees, when Assignee information is associated with this Role.
Information on the fields in all of these tabs can be found in the Role Maintenance section of this user guide.
The Role Maintenance Document allows you to create a new KIM Role and edit existing Roles. Each Role collects a specific set of Permissions and Responsibilities and allows you to assign members to it.
The purpose of each Role is defined by its associated Permissions and Responsibilities. Roles are classified by Types that generally indicate with which Permissions and Responsibilities they are associated.
Note
The process of creating a new Type for Roles requires technical assistance.
To access the Role screen:
Do a Role Lookup.
Find the Role you want to change in the list of search results.
Click Edit for the row that has the Role that you need to change.
The Role document includes eight tabs:
Document Overview
Overview
Permissions
Responsibilities
Assignees
Delegations
Ad Hoc Recipients
Route Log
Those contains unique information are addressed below. For more information about the Document Overview, Ad Hoc Recipients and Route Log tabs, please see the Common Features and Functions document.
This tab gives the Role a unique system-assigned ID number, a Namespace, and a Name. Each Role also has a Type that usually matches the kinds of Permissions and Responsibilities associated with it.
Table 4.15. Role Overview Fields
| Field | Description |
|---|---|
| Role Identifier | Display-only. The unique, system-assigned ID number that identifies this Role |
| Type Name | Display-only. The Type Name usually identifies the
general kinds of Permissions and Responsibilities
associated with this Role.
NoteWhen creating a new Role, you must select its Type before you can display a new Role document. See Creating New Roles below. |
| Role Namespace | Required. An indicator that associates the Role with a particular application and module |
| Role Name | Required. The common descriptive name by which this Role is known |
| Active | Check this box to indicate that this Role is Active and is, therefore, to be included by KIM when it evaluates Permissions and Responsibilities. Uncheck the Active box to indicate that this Role is inactive. |
You must search for and select an existing Type for KIM to generate a new Role document. When you click the Create New button, KIM displays the KIM Type Lookup screen:
Note
While you use the KIM Type Lookup screen both for creating new Groups and new Roles, not all KIM Types are valid for both Groups and Roles. When using this Lookup, you may see different results depending on the KIM Types that are appropriate for your task.
This tab identifies the Permissions associated with this Role. Permissions authorize specific actions in the system with which they are associated. A Role can have any number of Permissions (including no Permissions) associated with it.
Table 4.16. Role Permissions Fields
| Field Name | Description |
|---|---|
| Add Permission ID | To add a Permission to this Role, enter the appropriate Permission ID, or search for and select a value using the Permission lookup |
| Add | Click the Add button to add the selected Permission to this Role document. |
After you add a Permission to the document, KIM displays additional information about the Permission:
Note
You cannot edit Permissions from the Role Maintenance Document.
Table 4.17. Role Permission Fields
| Field | Description |
|---|---|
| Permission Namespace | Display-only. The Namespace identifies the application and module associated with this Permission. |
| Permission Identifier | Display-only. The unique system-assigned ID number for this Permission |
| Permission Name | Display-only. The descriptive name of this Permission. This often tells you, in general terms, what the Permission authorizes. |
| Permission Detail Values | Display-only. The document Types, tabs, and/or fields that this Permission authorizes the holder to see or use. Not all Permissions have Detail Values. |
| Active Indicator | Display-only. Indicator showing whether this Permission is active in KIM |
| Actions | Click the Delete
button to remove this Permission from this Role.
WarningYou may delete a Permission from a Role only if it has not yet been saved. (In other words, you can delete a Permission from a Role only if you added it to this Role, but have not yet submitted the document.) |
This tab identifies the Responsibilities associated with this Role. Responsibilities define the workflow actions that will be requested of the Role. A Role can have any number of Responsibilities (including none) associated with it.
Table 4.18. Role Responsibilities Fields
| Field Name | Description |
|---|---|
| Add Responsibility ID | To add a Responsibility to this Role, enter the Responsibility ID, or search for and select a value using the Responsibility lookup . |
| Add button | Click the Add button to add the selected Responsibility to this Role document. |
After you add a Responsibility to the document, KIM displays additional information about this Responsibility.
Note
In general, you cannot edit Responsibilities using the Role document, but some Responsibilities have associated attributes that you must define at the Role level.
Table 4.19.
| Field Name | Description |
|---|---|
| Responsibility Namespace | Display-only. The Namespace tells you the application and module associated with this Responsibility. |
| Responsibility Identifier | Display-only. The unique system-assigned ID number for this Responsibility |
| Responsibility Name | Display-only. The descriptive name of this Responsibility. For most Responsibilities, the name is Review. |
| Responsibility Detail Values | Display-only. This gives you more specific
information about the Responsibility. Responsibility
Detail Values are formatted in a standard way with these
attributes, separated by commas:
|
| Active Indicator | Display-only. Indicator showing whether this Responsibility is active within the system |
| Actions | Click the Delete button to remove this Responsibility
from this Role.
WarningYou can delete a Responsibility only if it has not yet been saved to the database (in other words, you can only delete it if you have added it to this Role but have not yet submitted the document). |
When you add a Responsibility with an Action Detail Values at Role Member Level value of False, you must complete additional fields in a Responsibility Action sub-section. KIM automatically displays this sub-section immediately beneath the Responsibility you’ve just added.
The fields in this sub-section define the type of Action Requests generated for, and the general workflow behavior associated with, this Responsibility. Entries in these fields cause KIM to generate the same Type of Action Requests for all members of this Role and handle actions by all members of this Role in the same way.
Table 4.20. Action Detail Fields
| Field Name | Description |
|---|---|
| Name | Display-only. The namespace and name of the Responsibility associated with these action details |
| Action Type Code | Required. The Type of Action Request that KIM generates for this Responsibility. Action Type Codes are: Approve, FYI, and Acknowledge. |
| Priority Number | Optional. If multiple requests are generated at the route node specified on this Responsibility, this determines the order in which KIM generates these requests. KIM processes requests with lower priority numbers before processing requests with higher numbers. Requests with no number are treated as a priority 1. |
| Action Policy Code | Required. This determines what happens if multiple members of this Role receive the same Action Request and one of them takes the action. For example, if a Role has a Group with three members assigned, all of these members receive the Action Request defined here; this code then determines what KIM does when one of them takes action on the document. A value of FIRST indicates that the first Group member to take action on the document causes KIM to clear all the requests for this Responsibility that may be in other Group member’s action lists. A value of ALL indicates that each Group member must take individual action to clear his or her own requests. |
| Force Action | Check this box to indicate that each user must take action for this request, even if the user has previously taken action on this document. Leaving the box unchecked allows a request to be immediately fulfilled if the Role member has previously taken action on this specific document. |
This tab displays all members who belong to this Role. You may also use the tab to add new members and to edit the values associated with existing members.
Just as with group, role members not added by the specific maintenance document will have their “delete” buttons inactivated. To end that member’s active association with the group, set the “Active To Date” field to the end of the membership.
Table 4.21. Assignees Fields
| Field Name | Description |
|---|---|
| Type Code | Required. Role members can be Principals (as defined on the Person document), Groups, or other Roles. Select the Type of member you want to add to this Role. |
| Member Identifier | Required. Enter the ID of the member you want to add, or use the lookup to search for and select a Member. The lookup icon displays the Principal, Group, or Role Lookup screen based on the Type Code you selected for this Role member. |
| Namespace Cd | Display-only. Identifies the namespace code associated with this Role member. Note that only Groups and Roles display a namespace code. |
| Name | Display-only. Identifies the name of the member you are assigning to this Role |
| Active From Dt | Optional. Enter a Active From date to define the earliest date on which this member is a valid member of this Role. |
| Active To Dt | Optional. Allows you to deactivate a member’s
association with a Role on a specific date. Enter the
date the user is no longer a member of this
Role.
NoteYou cannot delete or inactivate Role members. To remove a member from a Role, enter an Active To Dt. |
| Actions | Click the Add button to add this member to the Role. |
This tab defines and identifies Delegates associated with this Role. Delegates are users that a member of this Role has authorized to have the same Permissions and take the same actions as that member is authorized to take. For example, a manager may make someone a Delegate for his or her actions in a particular Role.
The Assignees Tab dealing with Delegates is slightly different, as shown in the following table. Note that if the members of a Role require qualifying values, the delegation requires these values as well. In most cases, Delegates must have the same qualifiers as the Role member with which they are associated.
Just as with Group and Role Associations, delegations added outside of the current maintenance document have inactive “delete” buttons and must have the “Active To Date” field set to end the delegation.
Table 4.22. Delegations Fields
| Field Name | Description |
|---|---|
| Role Member | Required. Use the lookup to search for, and return, the Member of this Role for whom you wish to create a Delegate. |
| Member Type Code | Required. Select the Type of Delegate you want to add to this Role. Delegates may be Principals (as defined on the Person document), Groups, or other Roles. |
| Member Identifier | Required. Enter the ID that identifies the Delegate you want to add, or use the lookup to search for and select a Delegate. Note that the lookup takes you to the Principal, Group, or Role Lookup screen, depending on the Member Type Code you selected. |
| Member Namespace Code | Display-only. The namespace of this Delegate. Note that only delegations to Groups or Roles display a Member Namespace Code. |
| Member Name | Display-only. The name of the selected Delegate |
| Active From Date | Optional. You may choose to qualify this Delegate’s association with this Role by date. Entering an Active From Date is the earliest date on which this Delegate is valid for this Role. |
| Active To Date | Optional. Allows you to deactivate a Delegate’s
association with a Role on a specific date. The date you
enter is the date on which this user is no longer a
Delegate for this Role.
NoteYou cannot delete or deactivate Delegates. To remove a Delegate from a Role, enter an Active To Date. |
| Delegation Type Code | Required. Select Secondary or Primary. Note that this selection only applies to Responsibilities associated with the Role. This indicates whether the Delegate automatically receives documents directly in their Action List (Primary) or if the Delegate may only choose to view documents in their Action List using the Secondary Delegate dropdown (Secondary). |
| Actions | Click the Add button to add this Delegate to this Role. |