---
title: Effective roles and effective assignments
description: Effective roles and effective assignments are virtual properties of a user object. Their values are calculated by IDM, using relationships between related objects to know when to recalculate when changes occur. The relationships between objects are configured using the notify, notifySelf, and notifyRelationships settings for managed/user, managed/role, and managed/assignment. Which related objects to traverse for calculation is configured using queryConfig. Calculation or recalculation is triggered when the roles or assignments for a managed user are added, removed, or changed, including by changes from temporal constraints, and notification of that change is sent to the related objects.
component: pingidm
version: 8.1
page_id: pingidm:objects-guide:effective-roles-and-assignments
canonical_url: https://docs.pingidentity.com/pingidm/8.1/objects-guide/effective-roles-and-assignments.html
keywords: ["Data Object Model", "Roles", "Assignments", "Virtual Properties"]
---

# Effective roles and effective assignments

*Effective roles* and *effective assignments* are virtual properties of a user object. IDM calculates their values and uses the relationships between related objects to determine when a recalculation is needed. The relationships between objects are configured using the `notify`, `notifySelf`, and `notifyRelationships` settings for `managed/user`, `managed/role`, and `managed/assignment`. The related objects to traverse during calculation are configured using `queryConfig`. Calculation or recalculation is triggered when the roles or assignments for a managed user are added, removed, or changed, including by changes from temporal constraints, and notification of that change is sent to the related objects.

The following excerpt of the managed object configuration file shows how these two virtual properties are constructed for each managed user object. You can edit the managed object configuration over REST at the `config/managed` endpoint, or directly in the `conf/managed.json` file.

```json
"effectiveRoles" : {
    "type" : "array",
    "title" : "Effective Roles",
    "description" : "Effective Roles",
    "viewable" : false,
    "returnByDefault" : true,
    "isVirtual" : true,
    "queryConfig" : {
        "referencedRelationshipFields" : ["roles"]
    },
    "usageDescription" : "",
    "isPersonal" : false,
    "items" : {
        "type" : "object",
        "title" : "Effective Roles Items"
    }
},
"effectiveAssignments" : {
    "type" : "array",
    "title" : "Effective Assignments",
    "description" : "Effective Assignments",
    "viewable" : false,
    "returnByDefault" : true,
    "isVirtual" : true,
    "queryConfig" : {
        "referencedRelationshipFields" : ["roles", "assignments"],
        "referencedObjectFields" : ["*"]
    },
    "usageDescription" : "",
    "isPersonal" : false,
    "items" : {
        "type" : "object",
        "title" : "Effective Assignments Items"
    }
}
```

When a role references an assignment, and a user references the role, that user automatically references the assignment in its list of effective assignments.

`effectiveRoles` uses the `roles` relationship to calculate the grants that are currently in effect, including any qualified by temporal constraints.

`effectiveAssignments` uses the `roles` relationship, and the `assignments` relationship for each role, to calculate the current assignments in effect for that user. The synchronization engine reads the calculated value of the `effectiveAssignments` attribute when it processes the user. The target system is updated according to the configured `assignmentOperation` for each assignment.

When a user's roles or assignments are updated, IDM calculates the `effectiveRoles` and `effectiveAssignments` for that user based on the current value of the user's `roles` property, and the `assignments` property of any roles referenced by the `roles` property. The previous set of examples showed the creation of a role `employee` that referenced an assignment `employee` and was granted to user bjensen. Querying that user entry would show the following effective roles and effective assignments:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request GET \
"http://localhost:8080/openidm/managed/user/bjensen?_fields=userName,roles,effectiveRoles,effectiveAssignments"
{
  "_id": "ca8855fd-a404-42c7-88b7-02f8a8a825b2",
  "_rev": "0000000081eebe1a",
  "userName": "bjensen",
  "effectiveRoles": [
    {
      "_refResourceCollection": "managed/role",
      "_refResourceId": "2243f5f8-ed75-4c3b-b4b3-058d5c58fbb4",
      "_ref": "managed/role/2243f5f8-ed75-4c3b-b4b3-058d5c58fbb4"
    }
  ],
  "effectiveAssignments": [
    {
      "name": "employee",
      "description": "Assignment for employees.",
      "mapping": "managedUser_systemLdapAccounts",
      "attributes": [
        {
          "assignmentOperation": "mergeWithTarget",
          "name": "employeeType",
          "unassignmentOperation": "removeFromTarget",
          "value": [
            "employee"
          ]
        }
      ],
      "_rev": "0000000087d5a9a5",
      "_id": "46befacf-a7ad-4633-864d-d93abfa561e9",
      "_refResourceCollection": "managed/assignment",
      "_refResourceId": "46befacf-a7ad-4633-864d-d93abfa561e9",
      "_ref": "managed/assignment/46befacf-a7ad-4633-864d-d93abfa561e9"
    }
  ],
  "roles": [
    {
      "_ref": "managed/role/2243f5f8-ed75-4c3b-b4b3-058d5c58fbb4",
      "_refResourceCollection": "managed/role",
      "_refResourceId": "2243f5f8-ed75-4c3b-b4b3-058d5c58fbb4",
      "_refProperties": {
        "_id": "93552530-10fa-49a4-865f-c942dffd2801",
        "_rev": "0000000081ed9f2b"
      }
    }
  ]
}
```

In this example, synchronizing the managed/user repository with the external LDAP system defined in the mapping populates user bjensen's `employeeType` attribute in LDAP with the value `employee`.
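The following script is an added example, not part of the IDM documentation or product code. It reads a user response like the one above and lists which target attributes the effective assignments will write through which mapping, then compares `effectiveRoles` against the `roles` relationship. The function names are hypothetical, the embedded sample is trimmed from the response shown on this page, and reading a grant that is missing from `effectiveRoles` as "not currently in effect" is an assumption based on the description above.

```python
import json

# Constructed sample: trimmed from the bjensen response shown on this page.
SAMPLE = json.loads("""
{
  "userName": "bjensen",
  "effectiveRoles": [
    {"_ref": "managed/role/2243f5f8-ed75-4c3b-b4b3-058d5c58fbb4"}
  ],
  "effectiveAssignments": [
    {"name": "employee",
     "mapping": "managedUser_systemLdapAccounts",
     "attributes": [
       {"assignmentOperation": "mergeWithTarget",
        "name": "employeeType",
        "unassignmentOperation": "removeFromTarget",
        "value": ["employee"]}
     ],
     "_ref": "managed/assignment/46befacf-a7ad-4633-864d-d93abfa561e9"}
  ],
  "roles": [
    {"_ref": "managed/role/2243f5f8-ed75-4c3b-b4b3-058d5c58fbb4"}
  ]
}
""")

def provisioned_attributes(user):
    """One row per target attribute that the effective assignments write."""
    rows = []
    for assignment in user.get("effectiveAssignments", []):
        for attr in assignment.get("attributes", []):
            rows.append({"mapping": assignment.get("mapping"),
                         "assignment": assignment.get("name"),
                         "attribute": attr.get("name"),
                         "operation": attr.get("assignmentOperation"),
                         "value": attr.get("value")})
    return rows

def compare_roles(user):
    """Return (effective roles with no grant, grants not currently effective)."""
    direct = {r.get("_ref") for r in user.get("roles", [])} - {None}
    effective = {r.get("_ref") for r in user.get("effectiveRoles", [])} - {None}
    return sorted(effective - direct), sorted(direct - effective)

if __name__ == "__main__":
    for row in provisioned_attributes(SAMPLE):
        print(row)
    print("unexplained, inactive:", compare_roles(SAMPLE))
```

Run against each user returned by a query, the first function gives an entitlement review of what synchronization will push to the target system; a non-empty first list from `compare_roles` is worth investigating because the page describes effective roles as derived from the `roles` relationship.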
