Because the Manager role is restrictive, role policy conditions must be specified. The Manager role is assigned only to the users who meet the conditions.
Click Devices > Identity Servers > Edit > Roles > Manage Policies > New.
Select a policy type of Identity Server: Roles and specify a display name (for this example, Manager).
Click OK.
In the Conditions section, click New > Liberty User Profile.
In Condition Group 1, select the conditions the user must meet:
Liberty User Profile: Select Entire Personal Identity > Entire Common Name > Common Analyzed Name > Common Last Name.
If these options are not available, you haven’t enabled the Liberty attributes. Click Identity Servers > Edit > Liberty > Web Service Provider, then enable one or more of the following: Employee Profile or Personal Profile.
Comparison: Select how you want the attribute values to be compared. For the Common Last Name attribute, select String > Equals.
Mode: Select Case Insensitive.
Value: Select Data Entry Field and type the person’s name in the box (Smith, in this example). This sets up the condition that a user whose last name is Smith is assigned the Manager role at authentication.
Result on Condition Error: This determines the result that is returned if an error occurs while the condition is being evaluated (for example, the LDAP server goes down). This rule grants the user the Manager role when the condition evaluates to True, so if an error occurs you do not want arbitrary users assigned the Manager role. Therefore, for this rule, select False.
In the Actions section, click Activate Role.
In the Activate Role box, type Manager, then click OK > OK.
On the Policies page, click Apply Changes.
Click Close, select the Manager role, then click Enable.
Click OK, then update the Identity Server.
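The policy configured in the steps above can be modelled as a small evaluator, which makes the effect of the Result on Condition Error setting concrete: a lookup failure against the user store must not activate the Manager role. This is an added illustration, not Access Manager code; the attribute store, the error type and the user records are constructed for the example, and the fail-open policy is included only to show the outcome the procedure tells you to avoid.

```python
"""Model of the Manager role policy: a Liberty User Profile condition
(Common Last Name, String Equals, Case Insensitive, value "Smith") with
Result on Condition Error = False and an Activate Role action.
Added example; the AttributeLookupError type and the user records are
constructed for illustration and are not part of the product."""

from dataclasses import dataclass, field


class AttributeLookupError(Exception):
    """Raised when the attribute store (e.g. the LDAP user store) cannot be queried."""


@dataclass
class Condition:
    attribute: str                  # Liberty attribute, e.g. "Common Last Name"
    value: str                      # configured comparison value
    case_insensitive: bool = True   # Mode: Case Insensitive
    result_on_error: bool = False   # Result on Condition Error

    def evaluate(self, profile_lookup) -> bool:
        """Compare the user's attribute against the configured value.

        If the lookup itself fails, return the configured error result
        instead of guessing; False keeps the policy fail-closed."""
        try:
            actual = profile_lookup(self.attribute)
        except AttributeLookupError:
            return self.result_on_error
        if actual is None:          # attribute absent: the condition is not met
            return False
        if self.case_insensitive:
            return actual.casefold() == self.value.casefold()
        return actual == self.value


@dataclass
class RolePolicy:
    role: str                        # Activate Role action target
    conditions: list = field(default_factory=list)

    def roles_for(self, profile_lookup) -> set:
        """All conditions in the group must hold for the role to be activated."""
        if all(c.evaluate(profile_lookup) for c in self.conditions):
            return {self.role}
        return set()


# The policy built in the procedure: fail-closed on condition error.
MANAGER_POLICY = RolePolicy(
    role="Manager",
    conditions=[Condition(attribute="Common Last Name", value="Smith")],
)

# The misconfiguration the procedure warns against: an LDAP outage would
# hand the Manager role to anyone who authenticates.
FAIL_OPEN_POLICY = RolePolicy(
    role="Manager",
    conditions=[Condition(attribute="Common Last Name", value="Smith",
                          result_on_error=True)],
)


def lookup_from(record: dict):
    """Build a profile lookup over a constructed user record."""
    def lookup(attribute):
        return record.get(attribute)
    return lookup


def failing_lookup(attribute):
    """Simulates the user store being unreachable during evaluation."""
    raise AttributeLookupError("user store unreachable")


def roles_at_authentication(policy: RolePolicy, lookup) -> set:
    """Roles activated for a user when the policy is evaluated at login."""
    return policy.roles_for(lookup)


if __name__ == "__main__":
    # Constructed sample users for a quick manual run.
    for name, rec in [("smith", {"Common Last Name": "smith"}),
                      ("jones", {"Common Last Name": "Jones"}),
                      ("no-attr", {})]:
        print(name, roles_at_authentication(MANAGER_POLICY, lookup_from(rec)))
    print("ldap down, fail-closed:", roles_at_authentication(MANAGER_POLICY, failing_lookup))
    print("ldap down, fail-open:  ", roles_at_authentication(FAIL_OPEN_POLICY, failing_lookup))
```

The Case Insensitive mode is why "smith" and "SMITH" both match; the Result on Condition Error setting only matters on the error path, which is exactly the path an attacker or an outage exercises, so it is the one to verify after applying the policy.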