Building Roles
  • 08 May 2024
  • 6 Minutes to read
  • Dark
  • PDF

Building Roles

  • Dark
  • PDF

Article summary

The first step in building a robust Lifecycle Management process in Clarity is configuring and verifying your roles in the platform.

Before you begin

Before getting your Roles in order, first let's take a look at the Identity Attributes and Organizational Units configurations in Clarity, as these form the framework on which your Role Based Access Control is built.

Identity Attributes

Specifically, for Identity Attributes, we want to ensure that your custom attributes are available for use and properly configured. In the article linked below, the Identity Attributes are explained in detail to help with configuration.

Identity Attributes


Changes made to your Identity Attribute Precedence will not be reflected in an Identity until you select the Refresh Identity Attributes button at the top of the page..

Organizational Units

Next up, we will want to configure or verify the Organizational Units for your desired role structure. By default, Clarity is configured with the most common scenario (Department > Job Title). Check out the article below for details on how to configure that.

Organizational Units

Rebuild your Role Structure

If and when you make changes to your Identity Attributes precedence or your Organizational Units, you will want to purge and rebuild your roles.

Purge and Rebuild Roles

If you would like to start over from scratch, you will want to follow these steps in the Settings > Organization Units menu:

See Organizational Units to learn more detail on the steps below.

  1. Purge
  2. Enable Enable Automatic Role-Entitlement Addition
  3. Hard Refresh
  4. Wait for your roles to populate, depending on the size of your environment this may take a while.
  5. Confirm Roles were created, and Entitlements were added to these roles.
  6. Disable Enable Automatic Role-Entitlement Addition

After your role structure is reset and rebuilt Clarity will also add the Entitlements that make up the Roles birthright access (detailed below).

Refresh and Purge Buttons

Role Mining

In addition to resetting your role structure, Clarity also performs another automated task called Role Mining. This automatic process occurs when during the Hard Refresh step above.

When your new Roles are created, Clarity will automatically add entitlements to your roles when certain conditions are met. For Clarity to add these baseline entitlements to your Roles, the entitlement must be shared by 100% of the role members.

For example, if you have 20 employees in the Information Technology Department and each of them have an Entitlement called IT Department, then Clarity would add this entitlement to the Information Technology role at the department level.

Another example would be if you had the job title IT Manager (same Information Technology Department from above). For your 3 IT Managers, they have have the following entitlements IT Management and All Managers. Clarity would detect that all members of the Information Technology/IT Manager role have those entitlements in common, and automatically add this to the role.

Automatic Role-Entitlement Addition

Enable Automatic Role-Entitlement Additions toggle

The Automatic Role-Entitlement Addition toggle will allow Clarity to add new entitlements to your roles automatically, if it finds a 100% for all Identities in a given Role. This means that if Clarity finds that all Identities within the role have the entitlement, then it entitlement will be added to the role with a Grant Type of Role.


It is recommended to leave the Automatic Role-Entitlement Addition toggle disabled if you are using Clarity for automatic provisioning and Life Cycle Management, so that you have complete control over which entitlements are part of your Roles.

Defining your Roles

Now that Clarity's Role Mining has taken place, and given you a strong baseline for your roles, you just need to review your roles and identify any entitlements that might still be missing. Clarity provides several tools and ways for you to investigate likely additions for your roles, or scenarios where combining roles might make sense.

Entitlement Suggestions

When clicking the Manage button when viewing a role within Clarity, you will be taken to the Manage Role page, which lets you review Entitlement suggestions Clarity has found for the role. The entitlements listed are suggested based on the overlap of Identities within the Role that have an entitlement not already included in the role. Below we show an example of this from the Entitlement Suggestions tab on the Manage Role page.

In the image below, you see the CS/Implementation Specialist role, and some Entitlements Clarity has suggested be a part of the role based on the overlap of members in the role with the entitlement as an Exception. In the example, all 2 members of the role have the 5 entitlements listed. In the image, the Count column is indicating that this role has 2 Identities, and both of them already have this entitlement. Clicking the Add button would mean the entitlement becomes part of the Role, and any new employees hired would receive that access as part of their birthright access.

Entitlement Suggestions

Custom Roles

You may want to create some custom roles for special account types. A common scenario for this would be service accounts, admin accounts, etc. Often, accounts of these types do not have attributes that would include them in a role, so they are assigned to the Default role within Clarity.
Check out the Special Roles section of the What is a Role? article for more details.


It is typically recommended that you populate these fields in the Downstream Application (or source) for any Identities that appear in the Default roles, so an appropriate role will be assigned after the next sync.

Need Help?

If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.