ACCESS MANAGEMENT SYSTEM
U.S. Department of Health & Human Services

Role Assignment Service – Management of an Application Role

Note: The Role Assignment Service allows you to add, modify, and delete application roles for AMS users. If you do not yet have permission to perform role assignment services in AMS, you will need to complete the AMS Administrator Role Request Form for submission to IAMAMSPMO@hhs.gov for assignment. During an active AMS session (i.e., after logging into AMS), retrieve the form by clicking on the "Help" button on your homepage or directly copying this link into your navigation bar: https://ams.hhs.gov/amsApp/help/HelpIndex.html.

Note: If you are an OpDiv Role Assigner, you are able to perform the addition and removal of application user role(s) for users belonging to one or more designated OpDivs that you have been assigned to as part of the AMS Administrator Role Request process.

Performing role assignment tasks requires authentication with your HSPD-12 access card; if you logged into AMS by other means, you will be required to complete a second step of authentication before you can proceed with related activities.

  1. Log into AMS, preferably using your HSPD-12 access card, at https://ams.hhs.gov. For quick and easy access to your applications, add this page to your browser favorites or create a desktop shortcut.

  2. On your AMS homepage, select the "User Management" tab.

    AMS homepage - User Management

  3. On the "User Management" page, enter your search criteria and click "Submit".

    Note: You may enter any combination of valid search terms in the available fields, including partial expressions (e.g., first three letters of last name, first letter of first name, partial HHSID).

    • Entries are not case sensitive
    • Entering more information limits the number of matching records returned by your search (e.g., complete first and last name)
    • Entering less information returns broader results (e.g., last name only)
    • Entering a complete HHSID will return a single matching record
    • Entering a complete AMS username may return more than one matching record

    User Management - Find User

  4. To proceed, click "Agree" on the "Data Protection Policy Statement" pop-up notice

    Data Protection Policy Statement: This search is intended for authorized administrators who need to look up and review an AMS user's profile data, including the user's HHSID and application access. Note that the results will include information on HHS employees, contractors, and affiliates, as collected by their respective badging offices and on-boarding systems.  
          By clicking the Agree button, you are accepting the responsibility
to protect the privacy of the user data presented in the search results. If you agree and would like to process with the
search, click Agree button.

    1. Adding an Application Role

      1. Highlight the desired record under the "Search Result" heading and click on the "Add Application Role" button.

        Note: If you are performing an application role assignment service for an external user, set the User Type to "External".

        Note: Select the HHSID/XID hyperlink next to the user's name to view additional user profile attributes in a pop-up window.

        Add Application Role button highlighted with HHSID/XID highlighted

      2. In the "Role Assignment Service" pop-up window, choose the desired application role from the drop-down menu.

        Note: The drop-down menu will only include applications you are allowed to manage and which have not yet been added to the user's profile.

        Some applications require an account mapping attribute to proceed. Unless the respective field appears and is prepopulated with the user's HHSID, you will need to enter the user's application username or whichever other attribute is used to uniquely identify the user's application account. It is critical that this information is an accurate match with the user for whom you are setting up the role.

        Add Application Role selection

      3. If necessary, enter information in the "Account Mapping Attribute" field. Click on the "Next" button to advance to the next screen.

        Add Account Mapping Attribute field highlighted

      4. Review the request and click "Submit" if the information is accurate.

        Review Role Assignment Service add request

      5. On the "Role Assignment Service" confirmation pop-up notice, click "Close" to complete the process and return to the "User Management" tab.

        Role Assignment Service: Step 3 of 3: Request Submitted
                  Repeat the user search to refesh the data and confirm the change was implemented.

    2. Removing an Application Role

      1. Highlight the desired record under the "Search Result" heading and click on the "Remove Application Role" button.

        Remove Application Role button highlighted with HHSID/XID highlighted

      2. In the "Role Assignment Service" pop-up window, choose the desired application role from the drop-down menu.

        Note: The drop-down menu will only include applications you are allowed to manage and which have been previously added to the user's profile.

        Remove Application Role selection

      3. Click on the "Next" button to advance to the next screen.

        Application Role select with account mapping attribute visible

      4. Review the request and click "Submit" if the information is accurate.

        Review Role Assignment Service remove request

      5. On the "Role Assignment Service" confirmation pop-up notice, click "Close" to complete the process and return to the "User Management" tab.

        Role Assignment Service: Step 3 of 3: Request Submitted
                  Repeat the user search to refesh the data and confirm the change was implemented. class=

    3. Updating an Application Role

      1. Highlight the desired record under the "Search Result" heading and click on the "Update Application Role" button.

        Update Application Role button highlighted with HHSID/XID highlighted

      2. In the "Role Assignment Service" pop-up window, choose the desired application role from the drop-down menu.

        Note: The drop-down menu will only include applications you are allowed to manage and which have not yet been added to the user's profile.

        Some applications require an account mapping attribute to proceed. Unless the respective field appears and is prepopulated with the user's HHSID, you will need to enter the user's application username or whichever other attribute is used to uniquely identify the user's application account. It is critical that this information is an accurate match with the user for whom you are setting up the role.

        Update Application Role selection

      3. If necessary, enter information in the "Account Mapping Attribute" field. Click on the "Next" button to advance to the next screen.

        Update Account Mapping Attribute field highlighted

      4. Review the request and click "Submit" if the information is accurate.

        Review Role Assignment Service update request

      5. On the "Role Assignment Service" confirmation pop-up notice, click "Close" to complete the process and return to the "User Management" tab.

        Role Assignment Service: Step 3 of 3: Request Submitted
                  Repeat the user search to refesh the data and confirm the change was implemented.

    4. Bulk Role Provisioning

      Bulk Role Provisioning allows role assigners to add or remove a single role for multiple users in AMS at once by uploading a .csv file of the users’ HHSIDs, as per instructions detailed in the Bulk role assignment and removal workflow under the User Management tab. If you do not yet have permission to perform role assignment services in AMS, you will need to complete the AMS Administrator Role Request Form for submission to IAMAMSPMO@hhs.gov for assignment. During an active AMS session (i.e., after logging into AMS), retrieve the form by clicking on the "Help" button on your homepage or directly copying this link into your navigation bar: https://ams.hhs.gov/amsApp/help/HelpIndex.html.

      Performing role assignment tasks requires authentication with your HSPD-12 access card; if you logged into AMS by other means, you will be required to complete a second step of authentication before you can proceed with related activities.

      1. Log into AMS using your HSPD-12 access card, at https://ams.hhs.gov (https://ams.hhs.gov).

      2. On your AMS homepage, select the "User Management" tab.

        AMS homepage - User Management

      3. On the "User Management" page, click the "Bulk role assignment and removal" link.

        AMS User Management - Bulk role assignment and removal

      4. Choose "Add Application Roles" or "Remove Application roles" radio button, select appropriate role from the drop-down, upload the CSV file and click Submit.

        Bulk role assignment pop-up

      5. View confirmation message. A confirmation email will also be sent to the role assigner.

        Bulk role assignment confirmation

      6. Notify appropriate users of role assignment (as necessary).

        Note: An email notification is only sent to the role assigner. It is the role assigner’s responsibilities to notify individual users of role assignment or removal.

    5. Adding/Updating/Removing the PIV-EXCEPTION Role

      Adding the PIV-EXCEPTION Role
      1. Highlight the desired record under the "Search Result" heading and click on the "Add Application Role" button.

        Note: Select the HHSID/XID hyperlink next to the user's name to view additional user profile attributes in a pop-up window.

        Add Application Role button highlighted with HHSID/XID highlighted

      2. In the "Role Assignment Service" pop-up window, choose the "PIV-EXCEPTION" role from the drop-down menu.

        Note: The drop-down menu will only include applications you are allowed to manage and which have not yet been added to the user's profile.

        Add Application Role selection

      3. Select the reason for PIV Exception from the drop-down menu. If "Other..." is chosen, enter information in the "Justification for Other Reason" field. Then select the End Date for the PIV Exception by user the date picker.

        Note: The allowable end date range is two years from the current date.

        Add Piv Exception selection Add Piv Exception selection

        Add Piv Exception end date

        Click on the "Next" button to advance to the next screen.

      4. Review the request and click "Submit" if the information is accurate.

        Review Role Assignment Service add request

      5. On the "Role Assignment Service" confirmation pop-up notice, click "Close" to complete the process and return to the "User Management" tab.

        Role Assignment Service: Step 3 of 3: Request Submitted
                  Repeat the user search to refesh the data and confirm the change was implemented.

      Removing the PIV-EXCEPTION Role
      1. Highlight the desired record under the "Search Result" heading and click on the "Remove Application Role" button.

        Remove Application Role button highlighted with HHSID/XID highlighted

      2. In the "Role Assignment Service" pop-up window, choose the "PIV-EXCEPTION" role from the drop-down menu.

        Remove Application Role selection

      3. Review the request and click "Submit" if the information is accurate.

        Review Role Assignment Service remove request

      4. On the "Role Assignment Service" confirmation pop-up notice, click "Close" to complete the process and return to the "User Management" tab.

        Role Assignment Service: Step 3 of 3: Request Submitted
                  Repeat the user search to refesh the data and confirm the change was implemented.

      Updating the PIV-EXCEPTION Role
      1. Highlight the desired record under the "Search Result" heading and click on the "Update Application Role" button.

        Update Application Role button highlighted with HHSID/XID highlighted

      2. In the "Role Assignment Service" pop-up window, choose the "PIV-EXCEPTION" role from the drop-down menu.

        Note: The drop-down menu will only include applications you are allowed to manage and which have not yet been added to the user's profile.

        Update Application Role selection

      3. Select the reason for PIV Exception from the drop-down menu. If "Other..." is chosen, enter information in the "Justification for Other Reason" field. Then select the End Date for the PIV Exception by using the date picker.

        Note: The allowable end date range is two years from the current date.

        Update Application Role selection

        Click on the "Next" button to advance to the next screen

      4. Review the request and click "Submit" if the information is accurate.

        Review Role Assignment Service update request

      5. On the "Role Assignment Service" confirmation pop-up notice, click "Close" to complete the process and return to the "User Management" tab.

        Role Assignment Service: Step 3 of 3: Request Submitted
                  Repeat the user search to refesh the data and confirm the change was implemented.