Organizational Units
  • 10 May 2024

This article will walk you through the different configuration options on the Settings > Organizational Units page in Clarity.


Organizational Unit order

Here you can pick the Attributes defined on the Identity Attributes page to determine your Role Based Access Control structure.
Department, Job Title RBAC Structure

Role modification options

A common example of the Role Based Access Control structure is using Department and Job Title (shown above). This will result in the creation of roles for every department (intermediary role) found within your organization, and every Job Title found under each department (terminal role).

Role Entitlement Building (toggle)

Enable Automatic Role-Entitlement Additions toggle
Role Entitlement Building is disabled any time a new Source of Truth is added, or when the Org Units configuration has changed. Enabling automatic role-entitlement building will add new entitlements to roles based on the intersection of each identity's entitlements. This is most useful when you want Clarity to augment your existing provisioning automation by showing you what roles appear to be granting access automatically. If you intend to use Clarity for provisioning then the recommended setting is to leave this disabled. You can add/remove entitlements from your roles as you see fit and then any entitlements that Clarity picks up from external sources will be converted to exceptions by default.

Soft vs Hard Refresh

Purge, Soft and Hard Refresh, and Save and Discard buttons
Soft Refresh roles will calculate the entitlement overlap among the active identities in each existing role in your organization, using only the entitlements that are currently marked with the "role" grant type. This is the default grant type when an entitlement is ingested from a downstream application during syncs.

Hard Refresh roles will first reset the grant types of all of your identities' entitlements to "role"-based before refreshing your roles. This is useful when you have manually added entitlement exceptions to different members in your roles and you would like to roll those common exceptions up into birthright access for the role. For instance, if you have a role with 2 identities, and each of those two identities currently has an exception granted for a given entitlement, performing a hard refresh will convert those exceptions to role-based grants and add them to the role's birthright access.

Both Soft Refresh and Hard Refresh will keep your current role structure in place and only modify the entitlements that those roles grant.

Purge Roles

Purge roles will delete all of the roles in your organization and also reset all entitlement grant types (not exclusions) to role-based. This option is for starting completely fresh with no Role Based Access Control in place. After purging roles, you should perform a Refresh (soft or hard) to automatically rebuild your roles and their birthright entitlements.

Special Roles

Global (Everyone) - This role is always present and cannot be removed. Every identity in Clarity is a member of this role, so it can be used to provide all Active Identities with an entitlement you specify.
Default or Intermediary/Default - For any identities that exist in Clarity, but are missing a valid attribute (for the corresponding Organizational Units), a role (intermediary or terminal) will be generated using Default. Check out the examples below for more details on roles generated with the name Default.

Examples of Default roles
  1. If an Identity is missing the Department attribute, but has the Job Title Senior Developer, they would receive the role Default/Senior Developer.
  2. If an Identity is missing the Job Title attribute, but has the Department Accounting, they would be assigned the Accounting/Default role.
  3. If an Identity is missing both Department and Job Title attributes, they would be added to the Default/Default role.
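
The Default role naming above and the Soft/Hard Refresh behavior described earlier can be sketched as a small Python model. This is an added example, not Clarity's code: the identity records, entitlement names, and the `role_path` and `refresh` functions are constructed for illustration, and only the "role" and "exception" grant types are modeled.

```python
from collections import defaultdict

ORG_UNITS = ["department", "job_title"]  # Organizational Unit order (assumed attribute keys)

# Constructed sample identities; "entitlements" maps entitlement name -> grant type.
IDENTITIES = [
    {"name": "ana", "active": True, "department": "Engineering", "job_title": "Senior Developer",
     "entitlements": {"github:write": "role", "vpn": "role", "prod-db:read": "exception"}},
    {"name": "bo", "active": True, "department": "Engineering", "job_title": "Senior Developer",
     "entitlements": {"github:write": "role", "vpn": "role", "prod-db:read": "exception"}},
    {"name": "cy", "active": True, "department": None, "job_title": "Senior Developer",
     "entitlements": {"github:write": "role"}},
    {"name": "di", "active": False, "department": "Accounting", "job_title": None,
     "entitlements": {"ledger:read": "role"}},
    {"name": "ed", "active": True, "department": None, "job_title": None, "entitlements": {}},
]

def role_path(identity, org_units=ORG_UNITS):
    """Join attribute values in Org Unit order; a missing value becomes 'Default'."""
    return "/".join(identity.get(attr) or "Default" for attr in org_units)

def refresh(identities, hard=False):
    """Return {terminal role path: birthright entitlements} for a soft or hard refresh."""
    members = defaultdict(list)
    for ident in identities:
        members[role_path(ident)].append(ident)
    roles = {}
    for path, idents in members.items():
        per_identity = []
        for ident in idents:
            if not ident["active"]:
                continue  # only active identities count toward the overlap
            # Soft refresh counts "role" grants only; hard refresh first treats
            # exceptions as role-based, so shared exceptions can roll up.
            per_identity.append({e for e, grant in ident["entitlements"].items()
                                 if grant == "role" or (hard and grant == "exception")})
        # Birthright access is the intersection across the role's active members.
        roles[path] = set.intersection(*per_identity) if per_identity else set()
    return roles

if __name__ == "__main__":
    for label, hard in (("soft", False), ("hard", True)):
        for path, ents in sorted(refresh(IDENTITIES, hard=hard).items()):
            print(f"{label:4} {path:32} {sorted(ents)}")
```

In this model, a role with a single active member turns all of that member's role-type grants into birthright access, so small roles and the Default roles are worth reviewing after a refresh.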

Need Help?

If you have any problems, contact your customer success team. You can also get in touch with our general support via email or open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.

