Step 3: Configure Role Based Access Control
  • 19 Oct 2023
  • 5 Minutes to read
  • Contributors
  • Dark
  • PDF

Step 3: Configure Role Based Access Control

  • Dark
  • PDF

Article Summary

{{glossary.Role Based Access Control}} is the concept that {{glossary.Entitlement}}s (unique assignable permissions) are assigned to members of your organization based on their role. In Clarity, how you define the roles is configurable, however, a common configuration would be for your roles to be defined by your Department and Job Title (as attributes in Clarity).

In this step, you will perform the following steps:

  1. Explore Organizational Unit Examples
  2. Configure Organizational Units
  3. Purge and Rebuild your Roles
  4. Automatic Role-Entitlement Addition option

Organizational Units

Before we select the Organizational Units for your tenant, let's explore a common example of Role Based Access Control. We will also explain the generic roles that Clarity includes for all tenants or will generate based on missing data.

Common Example

A common example of the Role Based Access Control structure is using Department and Job Title (see below). This will result in the creation of roles for every department (intermediary role) found within your organization, and every Job Title found under each department (terminal role).
Department, Job Title RBAC Structure

Example Role Visual

In the image below, you can see the example from above utilizing Department (Top) and Job Title (Bottom) to build the Role Based Access Control structure. Accounting is the Department highlighted, and the interface on the right will show both the Accounting (Department level) role, as well as all the roles that exist under it (Job Title level).

The Accounting Department (in this example) results in 4 total roles, 1 intermediary role, and 3 terminal roles:

  • Accounting (intermediary)
  • Accounting/Junior (terminal)
  • Accounting/Senior (terminal)
  • Accounting/VP (terminal)

Demo RBAC - Accounting

Special Roles

Global (Everyone) - This role is always present, and cannot be removed. Every identity in Clarity is a member of this role and can be used to provide all Active Identities with an entitlement you specify.
Default or Intermediary/Default - For any identities that exist in Clarity, but are missing a valid attribute (for the corresponding Organizational Units), a role (intermediary or terminal) will be generated using "Default". Check out the examples below for more details on roles generated with the name "Default".

Examples of "Default" roles
  1. If an Identity is missing the Department attribute, but has the Job Title "Senior Developer", they would receive the role "Default/Senior Developer".
  2. If an Identity is missing the Job Title attribute, but has the Department "Accounting", they would be assigned the "Accounting/Default" role.
  3. If you are missing both Department and Job Title attributes, you would be added to the "Default/Default" role.

Configure your Org Units

Using the custom Attributes configured in Getting Started Step 2, we will now choose the attributes which will determine our Role Based Access Control structure.

Select the Org Unit(s) that you would like to use from the list. Please note that the order matters for this list, the interface has a "Top" and "Bottom" label so you can plan your hierarchical structure accordingly.


To add additional attributes to this list, you need to modify the "Custom Attributes" section of Settings > Identity Attributes.

Select Org Units

Now that you have selected the organizational unit values, click the Save Changes button to proceed.
Save Changes

Refresh and Rebuild

To make sure your new Organizational Units are the source for your new roles, we are going to perform a Purge and Rebuild of your role structure. This process lets you completely remove your existing role structure, and then rebuild it from scratch.

Purge Existing Roles

To start this process, simply click the "Purge Roles" button. This button will purge (delete) all of the existing roles, except "Global (Everyone)", and leave the Roles section of Clarity in an empty state.

Soft Refresh

Performaing a Soft Refresh of your roles will calculate all of the entitlement overlap for active identities in each existing role in your organization that are currently marked as "role" grant types. This is the default grant type when an entitlement is ingested from a downstream application during syncs.

Hard Refresh

Doing a Hard Refresh of your roles will first reset all of your identity's entitlements grant types to "role" based before refreshing your roles. This is useful when you have manually added entitlement exceptions to different members in your roles and you would like to roll those common exceptions up into birthright access for the role. For instance, if you have a role with 2 identities, and each of those two identities currently have an exception granted for a given entitlement, performing a hard refresh will convert those exceptions to role-based grants and add them to the role's birthright access.


Both Soft Refresh and Hard Refresh will keep your current role structure in place and only modify the entitlements that those roles grant.

Role Purge and Rebuild

Automatic Role-Entitlement Addition toggle

Enable Automatic Role-Entitlement Additions toggle
This toggle allows Clarity to add new entitlements to your roles automatically, as it finds 100% member entitlement matches for a given role. This means if Clarity determines that everyone in a role has an entitlement, then the entitlement will be added to the role, and the Grant Type will be changed to role.


It is recommended to leave this toggle disabled if you are using Clarity for automatic provisioning and Life Cycle Management, so that you have complete control over which entitlements are part of your Roles.

Up Next: Clean up Unreconciled Users Accounts

In the next section of our Getting Started guide, you will use the built-in Alert system to find any Unreconciled Users. This will not only improve the data you have in Clarity, but may result in cost recovery based on active licenses attached to Unreconciled User.

Need help?

If you have any problems, contact your customer success team. You can also get in touch with our general support via email, open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.