---
title: Role lifecycle management for Identity Governance
description: Role lifecycle management (role LCM) lets authorized end users create, update, delete, and view role information. It also enforces policies by requiring approval workflows before the system applies any role changes. This prevents users from granting excessive permissions without oversight and ensures access remains aligned with organizational policies.
component: pingoneaic
page_id: pingoneaic:release-notes:rapid-channel/DOCS-11971/lcm-role
canonical_url: https://docs.pingidentity.com/pingoneaic/release-notes/rapid-channel/DOCS-11971/lcm-role.html
section_ids:
  role-lcm-admin: Administrator experience
  personas: Personas
  role_scope_permissions: Role scope permissions
  create_scopes: Create scopes
  create_an_internal_role: Create an internal role
  enable_roles_lcm: Enable roles LCM
  test_roles_lcm: Test roles LCM
  end_user_experience: End user experience
  role-lcm-create-a-new-role: Create a new role and assign it to an end user
  role-lcm-modify-a-role: Modify a role
  role-lcm-delete-a-role: Delete a role
---

# Role lifecycle management for Identity Governance

## Administrator experience

Role lifecycle management (role LCM) lets authorized end users create, update, delete, and view role information. It also enforces policies by requiring approval workflows before the system applies any role changes. This prevents users from granting excessive permissions without oversight and ensures access remains aligned with organizational policies.

As a tenant administrator or governance administrator, you must configure and enable role lifecycle management (role LCM) before delegated end users can manage roles.

|   |                                                                                                                                                                                                               |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Role LCM doesn't support custom forms. You must use the default forms provided with the feature.                                                                                                               |
|   | Role LCM automatically seeds request types and workflows for create role, modify role, and delete role.                                                                                                        |

### Personas

Role LCM involves the following personas:

**Role LCM personas**

| Persona       | Description                                                                                                                                                                                   |
| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Administrator | A tenant administrator or an internal administrator, such as a properly configured OAuth 2.0 client.                                                                                          |
| Role owner    | A user listed as the owner of a role in Advanced Identity Cloud.                                                                                                                              |
| End user      | An end user that's an application owner or an entitlement owner. They might also receive permissions directly from Identity Governance scopes or have no additional role-related permissions. |

### Role scope permissions

Scopes control what roles a user can see and manage. They define boundaries for role lifecycle operations based on role attributes, such as which applications or entitlements the role includes. When you assign a scope to a user, that scope determines whether they can view, create, modify, or delete specific roles.

By default, administrators, role owners, and end users have the following scope permissions:

| Action      | Admin | Role owner | End user  |
| ----------- | ----- | ---------- | --------- |
| View role   | Yes   | Yes        | If scoped |
| Create role | Yes   | If scoped  | If scoped |
| Modify role | Yes   | If scoped  | If scoped |
| Delete role | Yes   | If scoped  | If scoped |

**Example: Combined role owner and end user permissions**

Sarah owns the Marketing role. As an end user, she also has a scope that lets her manage roles that match a filter for CRM entitlements.

Together, these permissions let Sarah:

* View and edit the Marketing role through role ownership.

* View and edit any role that matches the CRM-entitlement filter through her end-user scope.

* Create roles that match the CRM-entitlement filter through her end-user scope.

* Delete roles that match the CRM-entitlement filter through her end-user scope.

Because Sarah is the Marketing role owner and also has a scope that applies to roles matching the CRM-entitlement filter, she can still edit the Marketing role after it includes CRM entitlements.

### Create scopes

Create one or more scopes to define who can manage roles and what data they can access. Scopes let you control visibility and permissions for roles, role members, and assigned entitlements so you can delegate role management to the right administrators.

1. Sign on to the Advanced Identity Cloud admin console as a tenant administrator.

2. Go to Governance > Scopes.

3. Click New Scopes.

4. On the New Scope page, enter the following on the Details page:

   1. Name: Enter a descriptive name that makes the purpose of the scope easy to identify. For example, enter Scope for role LCM for contractors if you want to assign an employee to manage roles for contractors.

   2. Description: Enter a description for the scope. For example, enter This internal scope allows managing roles for contractors.

   3. Click Next.

      ![Screen capture of the New Scope page showing the Details tab with Name field containing 'Role LCM scope for contractors' and Description field with explanatory text, and a Next button at the bottom.](../../_images/DOCS-11971/governance-role-lcm-scope-details.png)

5. On the Applies to page, define which users should be subject to this scope.

   1. Select whether All or Any of the conditions must be met.

   2. Select a property for this scoping rule. For example, select description.

   3. Select an operator for the scoping rule. For example, select contains.

   4. Enter a condition. For example, enter Default Approvers.

   5. If you want to add another rule, click the + icon and repeat the steps.

   6. Click Next.

      ![Screen capture of the New Scope page showing the Applies to tab with condition builder containing All/Any selector, property dropdown set to 'description', operator dropdown set to 'contains', and value field with 'Default Approvers', plus a Next button.](../../_images/DOCS-11971/governance-role-lcm-scope-appliesto.png)

6. On the Access page, click Roles.

   1. Select All Roles or Roles matching a filter.

   2. If you selected Roles matching a filter, select whether All or Any of the conditions must be met.

      1. Select a property for this scoping rule.

      2. Select an operator for the scoping rule.

      3. Enter a condition.

      4. If you want to add another rule, click the + icon and repeat the steps.

   3. Select the permissions available to the scope:

      * Create Roles: Permission to create a new role.

      * Modify Role: Permission to modify a role.

      * Publish Roles: Permission to publish a role.

      * Delete Role: Permission to delete a role.

   4. Click Save.

      ![Screen capture of the New Scope page showing the Access tab with Roles selected and four permission checkboxes: Create Roles, Modify Role, Publish Roles, and Delete Role, plus a Save button.](../../_images/DOCS-11971/governance-role-lcm-scope-access.png)
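The scope permissions table in [Role scope permissions](#role_scope_permissions) and the All/Any condition builder from the procedure above, modelled together as an added example (not Ping Identity's code and not the product's API): it evaluates which role LCM actions a user gets from ownership plus any scopes that apply to them. Property names, the `equals` operator, and the sample users, roles and scope are constructed assumptions; ownership grants View only, following the table.

```python
"""Model of this page's role LCM scope rules (added example, not Ping Identity's code).
A scope applies to users matching All/Any conditions, covers All Roles or roles matching
a filter, and carries Create/Modify/Publish/Delete permissions. Per the permissions table,
ownership grants View only. Operators beyond "contains" and sample data are constructed."""
from dataclasses import dataclass, field

def _contains(actual, expected):
    # Substring match on a string attribute, or on any element of a list attribute.
    items = actual if isinstance(actual, (list, tuple, set)) else [actual]
    return any(expected in str(item) for item in items)

OPERATORS = {"contains": _contains, "equals": lambda a, e: a == e}

@dataclass
class Rule:
    prop: str       # attribute chosen in the condition builder, e.g. "description"
    operator: str   # key into OPERATORS
    value: str      # condition value, e.g. "Default Approvers"

def matches(obj: dict, rules: list, mode: str) -> bool:
    """mode "All": every rule must hold; "Any": at least one. No rules match nothing."""
    if not rules:
        return False
    hits = [OPERATORS[r.operator](obj.get(r.prop, ""), r.value) for r in rules]
    return all(hits) if mode == "All" else any(hits)

@dataclass
class Scope:
    applies_mode: str                 # All/Any selector on the Applies to page
    applies_rules: list
    all_roles: bool = False           # "All Roles" on the Access page
    role_mode: str = "All"            # All/Any for "Roles matching a filter"
    role_rules: list = field(default_factory=list)
    permissions: set = field(default_factory=set)  # subset of create/modify/publish/delete

    def covers(self, role: dict) -> bool:
        return self.all_roles or matches(role, self.role_rules, self.role_mode)

def allowed_actions(user: dict, role: dict, scopes: list) -> set:
    """Actions `user` may take on `role`; pass a prospective role to test 'create'."""
    if user.get("isAdmin"):
        return {"view", "create", "modify", "publish", "delete"}
    actions = {"view"} if role.get("owner") == user["id"] else set()
    for scope in scopes:
        if matches(user, scope.applies_rules, scope.applies_mode) and scope.covers(role):
            actions |= {"view"} | scope.permissions
    return actions

# Constructed sample data following the Sarah example and the scope walkthrough above.
SARAH = {"id": "sarah", "description": "Default Approvers - marketing lead"}
MARKETING = {"name": "Marketing", "owner": "sarah", "entitlements": ["Mailchimp Editor"]}
CRM_SCOPE = Scope(applies_mode="All", applies_rules=[Rule("description", "contains", "Default Approvers")],
                  role_mode="Any", role_rules=[Rule("entitlements", "contains", "CRM")],
                  permissions={"create", "modify", "delete"})
```

Adding a CRM entitlement to the Marketing role is what brings it inside Sarah's scope, so her actions on it grow from View alone to View, Create, Modify and Delete.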

### Create an internal role

Administrators must create an internal role so that authorized end users can view the Roles object.

1. Sign on to the Advanced Identity Cloud admin console as a tenant administrator.

2. Go to Identities > Manage.

3. Click Internal Roles > New Internal Role.

4. In the New Internal Role modal, enter the following and click Next.

   * Name: Enter a name for the internal role, such as Role LCM.

   * Description: Enter a description for the internal role.

     ![Screen capture of the New Internal Role modal with Name field containing 'Role LCM' and Description field for entering role description, and a Next button.](../../_images/DOCS-11971/governance-role-lcm-internal-role-new.png)

5. In the Internal role Permissions modal, select Alpha realm - Roles, and click Add.

   ![Screen capture of the Internal role Permissions modal showing a selectable list with 'Alpha realm - Roles' option and an Add button.](../../_images/DOCS-11971/governance-role-lcm-internal-role-permissions.png)

6. Select the internal role permissions you want available with the role:

   * View: Allows viewing role information.

   * Create: Allows creating new roles.

   * Update: Allows updating existing roles.

   * Delete: Allows deleting roles.

     ![Screen capture of permission configuration showing four checkboxes: View for viewing role information, Create for creating new roles, Update for updating existing roles, and Delete for deleting roles.](../../_images/DOCS-11971/governance-role-lcm-internal-role-permissions-add.png)

7. Click Show advanced. Click set all attributes and select Read/Write for the following attribute permissions:

   * Name

   * Description

   * Members

   * assignments

   * applications

   * condition

   * temporalConstraints

     |   |                                                                                                                                    |
     | - | ---------------------------------------------------------------------------------------------------------------------------------- |
     |   | Click Administer only a subset of Alpha realm - Roles by applying a filter to access a subset of roles based on specific criteria. |

8. Click Next.

9. In the Dynamic Internal role Assignment modal, click A conditional filter for this role if you want to set a conditional role assignment. Otherwise, click Next.

   ![Screen capture of the Dynamic Internal role Assignment modal with option to select 'A conditional filter for this role' and Next button to continue or skip.](../../_images/DOCS-11971/governance-role-lcm-internal-role-assignment.png)

10. In the Time Constraint modal, click Set a start and end date during which this role will be active if you want to assign the role on a temporary basis. Otherwise, click Save to finish creating the internal role.

    ![Screen capture of the Time Constraint modal with option to 'Set a start and end date during which this role will be active', with Save button to complete or continue without time constraint.](../../_images/DOCS-11971/governance-role-lcm-internal-role-time-constraint.png)

11. On the Role LCM page, click Add Members.

12. In the Add Members modal, select the users to whom the internal role applies, and then click Save.

    ![Screen capture of the Add Members modal showing a list of users with checkboxes for selection and a Save button to add selected users to the role.](../../_images/DOCS-11971/governance-role-lcm-internal-role-add-members.png)

### Enable roles LCM

Administrators must enable role LCM to activate the feature in the hosted account pages.

1. In the Advanced Identity Cloud admin console, go to Governance > Requests.

2. On the Requests page, click the Settings tab.

3. In the Governance LCM section, click the ellipsis (...), and then click Settings.

4. In the Governance LCM modal, read what activating this feature entails, and click Next.

   ![Screen capture of the Governance LCM modal showing introductory information about the feature with a Next button to proceed.](../../_images/DOCS-11971/governance-lcm-modal-about.png)

5. In the Governance LCM modal, click Role LCM, and then click Activate.

   ![Screen capture of the Governance LCM modal with Role LCM option displayed and an Activate button to enable the feature.](../../_images/DOCS-11971/governance-lcm-modal-roles.png)

   The roles LCM feature is now enabled.

### Test roles LCM

After you enable role LCM, test the feature to ensure it's working as expected before delegating role management to end users.

1. Sign on as a test user that's a role LCM administrator.

2. Go to Administer > Roles.

3. Click New Role.

4. In the New role modal, fill out the form for the new role, and then click Save.

5. Click View request to see the details of the change request you just submitted, and ensure the workflow is correct.

6. Sign on to the Advanced Identity Cloud admin console as a tenant administrator.

7. Go to Governance > Requests.

8. Click the change request you just submitted, and ensure the request details are correct.

9. Approve or reject the request, and ensure the request status updates accordingly.

## End user experience

|   |                                                                                                                                                                                                                                 |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | This section is for delegated end users who have been granted role LCM privileges through scopes and internal roles. If you're an administrator looking to configure role LCM, see [Administrator experience](#role-lcm-admin). |

Role lifecycle management (LCM) lets administrators delegate key responsibilities to trusted end users. This lets the trusted end users perform administrative tasks on behalf of other end users without granting them full administrative privileges.

A delegated end user can now manage the entire lifecycle of specific roles directly from their hosted page dashboard. This includes the ability to:

* Create new roles.

* Modify existing roles.

* Delete roles that are no longer needed.

To ensure proper governance and security, the system submits every action the delegated end user takes, such as creating, modifying, or deleting a role, as a request that requires workflow approval. This approach streamlines role management by empowering those closest to the business needs to handle these tasks.

### Create a new role and assign it to an end user

1. In the hosted pages, sign on to your account. You should have received a notification that you have new permissions to manage roles.

2. Go to Administer > Roles.

3. On the Roles page, click New Role.

   ![Screen capture of the Roles page showing a list of existing roles with a New Role button in the top right for creating a new role.](../../_images/DOCS-11971/governance-end-user-role-add.png)

4. In the New role modal, fill out the form for the new role:

   * Name: Enter a name for the role. This is a required field.

   * Description: Enter a general description of the role.

   * Requestable: Click to enable the role as requestable. This means that the role can be requested in access requests and access reviews.

   * Role Owner: Select a user as a role owner.

     ![Screen capture of the New role modal showing form fields for Name (required), Description, Requestable toggle switch, and Role Owner selector.](../../_images/DOCS-11971/governance-end-user-role-add-details.png)

5. Go to Entitlements > Add Entitlements.

   ![Screen capture of the role configuration page with Entitlements tab selected, showing an empty entitlements list and an Add Entitlements button.](../../_images/DOCS-11971/governance-end-user-role-add-entitlements.png)

6. In the Add entitlements modal, select the application's entitlement and object type and click Next.

   ![Screen capture of the Add entitlements modal showing application and object type selectors with a list of available entitlements to choose from and a Next button.](../../_images/DOCS-11971/governance-end-user-role-add-entitlements-modal.png)

7. Go to Members > Add Role Members.

   ![Screen capture of the role configuration page with Members tab selected, showing an empty members list and an Add Role Members button.](../../_images/DOCS-11971/governance-end-user-role-add-members-button.png)

8. In the Add role members modal, select the users to add as members of the role and click Save.

   ![Screen capture of the Add role members modal displaying a searchable list of users with checkboxes for selection and a Save button.](../../_images/DOCS-11971/governance-end-user-role-add-members.png)

   This action creates a change request that requires approval from the user specified in the workflow.

9. Click View request to see the details of the change request you just submitted.

   ![Screen capture of a success notification banner stating the role creation request was submitted, with a View request button to see the change request details.](../../_images/DOCS-11971/governance-end-user-role-add-success.png)

   ![Screen capture of the change request details page showing request status, requester information, requested changes, and approval workflow status.](../../_images/DOCS-11971/governance-end-user-role-add-request.png)

### Modify a role

1. In the hosted pages, go to Administer > Roles.

2. Select a role.

3. On the role details page, modify any field in the Details, Entitlements, and Members tabs, and click Save.

   ![Screen capture of the role details page with Details, Entitlements, and Members tabs visible, showing editable fields for role properties and a Save button.](../../_images/DOCS-11971/governance-end-user-role-lcm-modify.png)

   This action creates a change request that requires approval from the user specified in the workflow.

### Delete a role

1. In the hosted pages, go to Administer > Roles.

2. Click the ellipsis (...) > Delete to remove a role.

3. In the Confirm Removal modal, click Remove if you're certain you want to delete the role.

   This action creates a change request that requires approval from the user specified in the workflow.
