Usage of "search attribute" and "user attribute" in entry type
Does anybody know how these two entry type parameters can be used to restrict access, so that e.g. a manager can only see his employees in the IDM interface?
I only found the following description in the release notes, but I couldn't find any additional information on the SAP Help Portal:
"The same identity store can be shared by different groups of users, for instance users from
several companies may coexist in the same identity store. To prevent the users of the different
groups/companies to see each other's data, the fields in the "Access limitations" group box on
entry type ("Search attribute" and "User attribute") to specify these access restrictions.
The access limitations are a global setting that restricts which entries will be returned when a
user searches for entries in the "Manage" tab and when adding references.
See Help File (Functional View) on the SAP Help Portal for more information"
Thanks in advance for your help!
I just found out how to use them.
I use it to restrict access to roles, and set it up this way:
- I defined an attribute Z_COMPANYNAME (single value) and assigned it as a mandatory attribute to MX_PERSON and MX_ROLE.
- I assigned a value for Z_COMPANYNAME to all my users and all my roles.
- After this, I set both the search attribute and user attribute in entry MX_ROLE to attribute Z_COMPANY.
Now, when searching for available roles, only the roles for which the company name of the logged-in user (MX_PERSON - User Attribute) matches the company name defined on the role (MX_ROLE - Search Attribute) are shown.
Please note, I had to apply the latest patch (7.1 SP3 patch 1) for the UI to get it to work on Oracle. Before this patch I got an SQL error when searching the roles. Furthermore, patch 1 for the UI and the design time components allows the use of wildcards in the attributes, according to the documentation. Haven't played with this yet, however.
Hope this helps, best regards,
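
The matching rule described in the answer above, modelled as an added example (not part of the original thread and not SAP code), together with a data check worth running before relying on the restriction. Assumptions: values are compared as exact strings, an empty value on either side matches nothing (the thread does not say how the product treats empty values), the sample entries are constructed, and the function names are hypothetical.

```python
ATTR = "Z_COMPANYNAME"  # attribute name taken from the post

# Constructed sample export: (entry type, name, attributes)
ENTRIES = [
    ("MX_PERSON", "alice", {ATTR: "ACME"}),
    ("MX_PERSON", "bob", {ATTR: "GLOBEX"}),
    ("MX_PERSON", "carol", {}),                  # no company assigned
    ("MX_ROLE", "ACME:Buyer", {ATTR: "ACME"}),
    ("MX_ROLE", "GLOBEX:Approver", {ATTR: "GLOBEX"}),
    ("MX_ROLE", "Legacy:Admin", {}),             # no company assigned
    ("MX_ROLE", "Typo:Viewer", {ATTR: "ACNE"}),  # value no person holds
]


def visible_roles(user_name, entries=ENTRIES, user_attr=ATTR, search_attr=ATTR):
    """Roles whose search attribute equals the logged-in user's user attribute.

    Assumption: exact match; an empty value on either side matches nothing.
    """
    users = {n: a for t, n, a in entries if t == "MX_PERSON"}
    value = users[user_name].get(user_attr)
    if not value:
        return []
    return sorted(n for t, n, a in entries
                  if t == "MX_ROLE" and a.get(search_attr) == value)


def audit(entries=ENTRIES, attr=ATTR):
    """Report data gaps that would make the restriction behave unexpectedly."""
    # Persons or roles with no value: the filter has nothing to compare.
    missing = sorted(n for _, n, a in entries if not a.get(attr))
    # Role values that no person carries: such roles are visible to nobody.
    person_values = {a[attr] for t, _, a in entries
                     if t == "MX_PERSON" and a.get(attr)}
    orphaned = sorted(n for t, n, a in entries
                      if t == "MX_ROLE" and a.get(attr)
                      and a[attr] not in person_values)
    return {"missing_value": missing, "orphaned_roles": orphaned}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "->", visible_roles(user))
    print(audit())
```
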