
Creation & Transport of Business Roles and their assignments

This is my first blog on IdM, and at the outset I would like to thank the members of the SCN IdM Community for their support in answering my various questions.

In this blog I will explain how I created and transported the Business Roles and their privilege assignments from DEV to QA. When we use the Transport Tool, it copies all the Repositories, Tasks, Jobs etc., but it does not copy the Business Roles and Privileges from the DEV to the QA system. This came as a surprise initially, but later I could understand the reasoning.

I have tried to keep it very basic so that beginners can follow. In most projects there is an Excel sheet listing the Business Roles and Privileges; I used this as my source.

Upload of Business Roles

Create a flat file with the Business Role name and its description as below.

Create an empty Job with two passes in it: the first, called “Read Business Roles From File”, is of type “From ASCII File”; the second, called “Add the Business Roles to Identity Store”, is of type “To Identity Store”.

In the “Read Business Roles From File” pass, set the repository to a newly created FILE repository.

In the FILE repository, under constants, create one called FILENAME_1 and set it to a folder location on the IdM server. The delimiter is ‘,’ and I have included a header line.

In the Destination, select the Identity Center from the context menu and provide a temporary table name, “read_roles”. Maintain the column names (those in the input file header) under Target as shown below.

Executing this pass pulls the records from the flat file and stores them in the temporary table. Note the table setting “Delete table before loading”, which clears the table on every run.

Maintain the details for the next pass, “Add the Business Roles to Identity Store”, as shown below. Select the Database (which is the Identity Center) from the context menu, and issue an SQL command that reads all the records from the temporary table created in the previous step.

In the Destination tab, select Entry type “MX_ROLE”, since we are creating Roles. Maintain the Attribute list as shown below. MSKEYVALUE refers to the actual role name provided in the file.

changeType can be add, modify or delete. In our case it is “add”, since we are creating roles.

Save all your changes, navigate to the Job and click “Run now” as shown below. This runs both passes and creates the Business Roles from the flat file.

Navigate to the IdM UI and search for these roles.

Assignment of Privileges to Business Roles

Now that the Business Roles are created, you have to assign Privileges to them. Ensure that an Initial Load job has been executed first; only then will your backend roles be visible as Privileges in IdM.

Create an input file as shown below. Each line consists of a Business Role name and a Privilege name.

Create an empty job and attach two passes to it, the first of type “From ASCII File” and the second of type “To Identity Store”, like the ones created above.

Maintain the information for the pass “Read assignments from File” and point it to the FILE repository.


Create a constant FILENAME_2 under the FILE repository with the file location and reference it as shown below.

Maintain the attribute list as below, providing the temporary table name “assign_privs”.

For the pass “Add the assignments to Identity Store”, issue an SQL statement that selects all records from the assign_privs table.

In the Destination tab, set changeType to modify, since we are modifying an existing Business Role. For the attribute MXMEMBER_MX_PRIVILEGE, provide the field name enclosed in angle brackets (< >). By default this attribute expects a privilege number (MSKEY); since we only have the name of the Privilege, enclosing the field in < > makes IdM resolve the name to the MSKEY.

Save the changes and run the job.


After the job has run, navigate to the IdM UI to see the changes.
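Both passes above read a comma-delimited flat file with a header line, and both files are driven by the same Business Role names, so it is worth checking them together before a run. The script below is an added example, not part of the original post or of SAP IdM: it builds the two flat files from constructed sample data standing in for the Excel sheet and rejects the mistakes that would otherwise only surface as failed or partial passes (a field containing the delimiter, empty values, duplicate roles, or an assignment to a role that the first file never creates). The column names (ROLENAME, DESCRIPTION, PRIVNAME), file names and sample values are assumptions; map them to whatever you maintained under Target.

```python
"""Build and sanity-check the two flat files for the Business Role jobs.

Added example (not from the original post). Column names, file names and
sample data are assumptions chosen for illustration.
"""
import csv
import io

DELIMITER = ","  # the FILE repository in the post uses ',' with a header line

# Constructed sample data standing in for the project's Excel sheet.
BUSINESS_ROLES = [
    ("BR_FINANCE_CLERK", "Finance clerk in FI"),
    ("BR_HR_ADMIN", "HR administrator"),
]
ASSIGNMENTS = [
    ("BR_FINANCE_CLERK", "PRIV:ROLE:SAP_ECC:Z_FI_CLERK"),
    ("BR_HR_ADMIN", "PRIV:ROLE:SAP_ECC:Z_HR_ADMIN"),
    ("BR_HR_ADMIN", "PRIV:ROLE:SAP_ECC:Z_HR_DISPLAY"),
]

ROLE_HEADERS = ["ROLENAME", "DESCRIPTION"]   # file for FILENAME_1 (assumed names)
ASSIGN_HEADERS = ["ROLENAME", "PRIVNAME"]    # file for FILENAME_2 (assumed names)


def validate(rows, headers, key_cols, known_roles=None):
    """Return a list of problems found in rows (empty list means clean).

    key_cols: columns that must be unique together (role name alone for the
    role file, role+privilege pair for the assignment file).
    known_roles: when given, every ROLENAME must be in this set.
    """
    problems = []
    seen = set()
    for lineno, row in enumerate(rows, start=2):  # line 1 is the header line
        if len(row) != len(headers):
            problems.append(f"line {lineno}: expected {len(headers)} fields, got {len(row)}")
            continue
        for name, value in zip(headers, row):
            if not value.strip():
                problems.append(f"line {lineno}: empty {name}")
            # The post does not mention quoting, so a delimiter inside a field
            # is treated as an error rather than relying on the parser.
            if DELIMITER in value:
                problems.append(f"line {lineno}: {name} contains the delimiter {DELIMITER!r}")
        key = tuple(row[i] for i in key_cols)
        if key in seen:
            problems.append(f"line {lineno}: duplicate entry {key}")
        seen.add(key)
        if known_roles is not None and row[0] not in known_roles:
            problems.append(f"line {lineno}: unknown Business Role {row[0]}")
    return problems


def render(rows, headers):
    """Serialize rows as the flat file: header line first, ',' delimited."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=DELIMITER, lineterminator="\n")
    writer.writerow(headers)
    writer.writerows(rows)
    return buf.getvalue()


def build_files(roles=BUSINESS_ROLES, assignments=ASSIGNMENTS):
    """Validate both inputs and return (roles_file_text, assignments_file_text)."""
    problems = validate(roles, ROLE_HEADERS, key_cols=(0,))
    known = {r[0] for r in roles}
    problems += validate(assignments, ASSIGN_HEADERS, key_cols=(0, 1), known_roles=known)
    if problems:
        raise ValueError("\n".join(problems))
    return render(roles, ROLE_HEADERS), render(assignments, ASSIGN_HEADERS)


if __name__ == "__main__":
    roles_txt, assign_txt = build_files()
    # Write these to the paths held in FILENAME_1 / FILENAME_2 on the IdM server.
    print(roles_txt)
    print(assign_txt)
```

Because the check only looks at the flat files, it runs anywhere; the privilege names still have to exist in the Identity Store, which is why the Initial Load job must have run before the second pass resolves `<PRIVNAME>` to an MSKEY.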

With these steps, one has created the Business Roles and performed the assignments in the DEV system.

Once the Transports are pushed into the QA system, an Initial Load job should be run there to bring the Privileges from the backend system. After this step, the same jobs with the same input files can be run in the QA system to create the Business Roles and assign the Privileges to them.

Hope you found this informative.
