# Creating a role

A **role** in OpenIAM is a predefined bundle of access rights that you assign to users to control what they can see and do. It is a collection of permissions, entitlements, or access rules that represents a job function or responsibility within an organization.

Instead of assigning access one by one, you assign a **role**, and the system automatically grants everything included in it.

There are several ways to create a role in OpenIAM:

* **Webconsole** UI
* Synchronization
* OpenIAM REST API

This page covers the UI flow.

## Creating a role

To create a role in the UI, follow these steps.

{% stepper %}
{% step %}

### Open Roles

Go to **Webconsole** → **Access Control** → **Role**.
{% endstep %}

{% step %}

### Open the Create new role form

In the side menu, open *Create new role*.
{% endstep %}

{% step %}

### Select the role type

Select a role type from the dropdown. By default, OpenIAM provides two values: **Access Role** and **Provision Role**. These values are used for classification only. They do not change role behavior.

The dropdown also shows any custom role types already created in the system.

If the role affects user provisioning, select **Provision Role**. Use **Access Role** for SSO and authorization use cases.
{% endstep %}

{% step %}

### Complete the role creation screen

Complete the role creation screen as described in the table below.

| Field name                          | Description                                                                                                                                                                                            |
| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Password policy                     | Select the password policy that applies to the systems associated with this role. In most cases, use the default password policy.                                                                      |
| Role Name                           | A unique name for the role.                                                                                                                                                                            |
| Description                         | A clear description of the role. This helps end users, reviewers, and administrators understand its purpose.                                                                                           |
| Managed System                      | If the role is used for provisioning, select the managed system where the account will be created. If the role needs more than one managed system, add the others on the **Role entitlements** screen. |
| Risk                                | Sets the role risk to low or high. By default, this value does not change behavior. You can use it in rules, including access certification campaigns.                                                 |
| Status                              | Sets the role to **Active** or **Inactive**. An inactive role cannot be used.                                                                                                                          |
| Max. number of users                | The maximum number of users allowed in the role.                                                                                                                                                       |
| Default membership duration         | The default amount of time a user can stay in the role. After that period, the user is removed from the role.                                                                                          |
| Role parent                         | The parent role from which this role inherits entitlements.                                                                                                                                            |
| GUID                                | An external GUID that may map to this role in another application. OpenIAM does not generate this value.                                                                                               |
| Role owner                          | The user or group that owns the role. This value is often used in request approval and access certification tasks.                                                                                     |
| Role admin                          | The user or group that administers the role. This value is often used in request approval and access certification tasks.                                                                              |
| Is Visible                          | Controls whether the role is visible to administrators in **Webconsole** and **SelfService**. When cleared, the role is available only to super security administrators.                               |
| Participate in access certification | Controls whether the role is included in access certification requests.                                                                                                                                |
| All users provisioned to this role  | Assigns the role to all users by default, regardless of other criteria.                                                                                                                                |

{% endstep %}

{% step %}

### Save

Click **Save**. The role is created.
{% endstep %}
{% endstepper %}

## Adding or deleting users from a role

Find the user you want to update. Then go to *User Entitlements* and click *Add*.

In the form that opens, add the required role and complete the fields.

If you set an *End Date*, OpenIAM automatically removes the user from that role on the specified date.
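The role fields above (parent inheritance, status, maximum number of users, membership duration) and the *End Date* behaviour described here are easier to reason about with a concrete model. The following is an added illustration, not OpenIAM's own code or API: it assumes a simplified `Role` object with a single parent, and it resolves effective entitlements through the parent chain, refuses membership in an inactive or full role, and drops memberships once their end date is reached. Dates are passed as ISO strings so the example runs without any setup.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Illustrative model of the role semantics the page describes (assumption,
# not OpenIAM's implementation):
#   - a role inherits entitlements from its parent chain ("Role parent")
#   - an inactive role cannot be used ("Status")
#   - a role may cap its member count ("Max. number of users")
#   - a membership with an end date is removed on that date ("End Date")


@dataclass
class Role:
    name: str
    entitlements: set[str] = field(default_factory=set)
    parent: Role | None = None
    active: bool = True
    max_users: int | None = None
    # user -> end date (None means no expiry)
    members: dict[str, date | None] = field(default_factory=dict)


def effective_entitlements(role: Role) -> set[str]:
    """Union of the role's own entitlements and those of every ancestor.

    A visited set guards against a misconfigured parent cycle, which would
    otherwise loop forever and is worth surfacing as a configuration error.
    """
    result: set[str] = set()
    seen: set[str] = set()
    current: Role | None = role
    while current is not None:
        if current.name in seen:
            raise ValueError(f"parent cycle detected at role {current.name!r}")
        seen.add(current.name)
        result |= current.entitlements
        current = current.parent
    return result


def add_member(role: Role, user: str, end_date: str | None = None) -> None:
    """Add a user to the role, enforcing status and the member cap."""
    if not role.active:
        raise PermissionError(f"role {role.name!r} is inactive")
    if (
        role.max_users is not None
        and user not in role.members
        and len(role.members) >= role.max_users
    ):
        raise PermissionError(f"role {role.name!r} is full ({role.max_users} users)")
    role.members[user] = date.fromisoformat(end_date) if end_date else None


def expire_memberships(role: Role, today: str) -> list[str]:
    """Remove members whose end date has been reached; return who was removed."""
    now = date.fromisoformat(today)
    expired = [u for u, end in role.members.items() if end is not None and end <= now]
    for u in expired:
        del role.members[u]
    return expired


def user_entitlements(role: Role, user: str, today: str) -> set[str]:
    """Entitlements a user holds through this role as of `today`."""
    expire_memberships(role, today)
    if user not in role.members:
        return set()
    return effective_entitlements(role)


if __name__ == "__main__":
    # Constructed sample hierarchy: Engineer inherits from Employee.
    employee = Role("Employee", {"email", "intranet"})
    engineer = Role("Engineer", {"git"}, parent=employee, max_users=2)
    add_member(engineer, "alice")
    add_member(engineer, "bob", end_date="2024-01-31")
    print(sorted(user_entitlements(engineer, "bob", "2024-01-30")))
    print(sorted(user_entitlements(engineer, "bob", "2024-01-31")))
```

The cycle guard in `effective_entitlements` is the check worth keeping in mind when roles are nested: a parent chain that loops back on itself is a configuration defect, and failing loudly is safer than silently granting whatever was collected before the loop.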


