Nested Roles in IDM

I am creating roles in IDM but need to be able to nest roles for membership across applications and publishing roles at the business level. Is there a way to nest roles inside of IDM? I was going to take the existing role managed object and make it a ‘technical role’, then create a new managed object called ‘businessrole’ and create the relationship to technical role / users. But, at the existing technical role / managedrole level, I need to be able to enumerate members from the parent / business role into the members of the role. I see there are virtual / effective role attributes at the user level; can this be created in the existing role to enumerate users for roles it is assigned?

e.g. (existing) managed/role is member of businessrole1
-in the managed/role, need to get members from businessrole1 and add them to the members attribute of the managed/role via the relationship.

For this, do I create an ‘effectivemembers’ virtual relationship to populate members?


Hi Nick,

How are roles used in the business solution? Are they provisioned to an external system? Is there a limit to the depth of the role graph? And how many roles may a user end up having?

In general, yes, using a virtual property to compute the members value is an option; however, responding to the questions above is important, as with a large number of nested roles and a larger number of relationships this can push performance down, since it is computed each time it is retrieved.

Another option is to use RDVP, where the computed value is cached, but that would work only with a deterministic, fixed model.


The business roles are not provisioned to the external systems, they are more for adding membership to the technical roles (OOTB roles) which are tied to the assignments / provisioning. There really should be more 1-to-many possible relationships when it comes to business roles > technical roles but business roles would not be nested.

If I did do a virtual attribute to compute membership, is that going to cause a problem with assignments / provisioning to external systems given those are used for provisioning?

Hi Nick, Patrick,

Depending on your context, wouldn’t it be an alternative to consider IDM assignments as “roles” and IDM roles as “business roles”?

Especially since in the latest versions an assignment can be given independently from a role, if I am not mistaken.

That’s somehow what we ended up doing to avoid too much customization and stick to the native managed objects.



Hi @cbontemps,

I usually would avoid tearing the model intent to accommodate a specific behaviour. E.g. an assignment is not a role; it might work the way you describe, however because an assignment is not a role you could end up bringing issues in the future when extending the solution for additional business cases.


In the IDM latest release, effectiveRoles are already computed with an RDVP - see [ Virtual properties :: IDM 7.3.0 ] - however, I don’t think it can accommodate the nested roles.

There is possibly another way this could be achieved: providing logic in the user’s and role’s onUpdate/onCreate scripts to inject the nested business roles. This is more efficient than transforming the effectiveRoles into a virtual attribute (rather than RDVP).
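The membership resolution discussed in this thread, as an added example that is not from the thread or from IDM itself: plain JavaScript (IDM scripts are JavaScript, but no IDM API is used, and the role and user data are constructed) that computes a technical role’s effective members through nested business roles, with cycle protection and a depth limit, since the depth of the role graph is raised above as the main performance concern.

```javascript
// Constructed sample data. Edge: child role -> parent roles it is a member of,
// e.g. managed/role "techrole1" is a member of "businessrole1", so members of
// businessrole1 flow down into techrole1.
const roleParents = {
  techrole1: ["businessrole1"],
  techrole2: ["businessrole2"],
  businessrole1: [],
  businessrole2: ["businessrole1"],     // nested business role
  loopA: ["loopB"], loopB: ["loopA"],   // a cycle, to show the guard
};

// Direct (non-nested) user -> role grants (constructed).
const directRoles = {
  alice: ["businessrole1"],
  bob: ["businessrole2"],
  carol: ["techrole2"],
  dave: ["loopA"],
};

// Every role whose membership flows into `role`: the role itself plus all
// ancestors reachable through roleParents within maxDepth hops. A visited set
// stops cycles; the depth bound caps the work done per evaluation.
function ancestorsOf(role, maxDepth) {
  const seen = new Set([role]);
  let frontier = [role];
  for (let depth = 0; depth < maxDepth && frontier.length > 0; depth++) {
    const next = [];
    for (const r of frontier) {
      for (const p of roleParents[r] || []) {
        if (!seen.has(p)) { seen.add(p); next.push(p); }
      }
    }
    frontier = next;
  }
  return seen;
}

// Effective members of a role: users directly granted the role or any of its
// ancestors, returned sorted so the result is stable for comparison.
function effectiveMembers(role, maxDepth = 10) {
  const sources = ancestorsOf(role, maxDepth);
  return Object.keys(directRoles)
    .filter((user) => directRoles[user].some((r) => sources.has(r)))
    .sort();
}
```

Recomputing this on every read is the cost the replies warn about; the same function run from an onUpdate/onCreate hook and stored on the role is the cached alternative.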