on 05-14-2013 9:22 PM
Hello,
I'm in the process of creating user administration roles for positions like 'help desk'.
These roles need to have the following limitations:
- can only assign roles/privileges for specific user groups, and not others. (attribute MX_ADMIN_UNIT)
- cannot assign roles in Dev/Test repositories, only production.
I understand using access control on tasks to create a filter specifying which user groups a user can complete assignments 'on behalf of'.
However, I haven't found a similar way to limit the repositories this help desk role can assign roles to.
Has anyone dealt with this type of requirement?
Cheers, Paul
Thanks Tero,
I had actually thought of using the filter to restrict which user group the 'help desk' role could make assignments to.
However, I've checked some of the help documentation around roles and see that I can limit which users can even see roles. This is helpful for a number of reasons, especially in my case where I can limit the visibility the 'help desk' roles have to even see the Dev/Test roles and privileges.
Hope this helps others.
Thanks again Tero.
Paul
Do your business roles contain privileges for dev, test and production in the same IdM instance?
I cannot think of anything other than context-based assignments to solve it.
(If you have business roles for dev that have dev privileges and the same for other tiers in the landscape, then you can limit what privileges can be added to business roles with the attribute value filters (SQL) in the role creation/modification UIs.)