
User Group restriction in SAP IDM

Former Member
0 Kudos

Hello Experts,

I want to create group restrictions in SAP IDM. Can you please help me. My scenario is given below.

I have 5 user groups, say Group A, B, C, D, E. I want to maintain an administrator for each group, where, when the administrator logs in to the IDM UI, he or she should be able to search users that belong to his group only.

Can you please let me know how this can be achieved.

Thanks.

Krishna.

Accepted Solutions (1)

Former Member
0 Kudos

Hi Krishna,

Is it important they can't see the users in the other groups, or is it ok for them to see them in the search and just not be able to change them?

Thanks,

Ian

Former Member
0 Kudos

Hi Krishna!

You basically have two options:

1) One is to restrict the entries in the Manage tab which a person can see.

You use the search-value / user-value mechanism to do this.

Basically, a person can see all other entries whose search-value matches one of the user values of that person.

On the MX_PERSON entry type, you define two attributes, say

- ADMIN_DOMAIN and

- ADMIN_DOMAIN_PRIV

To be most flexible for future extensions, make them multi-valued.

In the entrytype configuration for MX_PERSON, you set the user-attribute to ADMIN_DOMAIN_PRIV and the search-attribute to ADMIN_DOMAIN.

The values to both attributes will be your admin domains A,B,C, etc.

For each user, set the ADMIN_DOMAIN to the value applicable for his user group, say "B".

For each administrator, add values for the domains he is entitled to see to the ADMIN_DOMAIN_PRIV attribute, e.g. an administrator responsible for user group B will only have a "B" in this attribute, for admins responsible for A and B, set the ADMIN_DOMAIN_PRIV to "A|B" (both values).

Superadmins with access to all groups should get a "*" wildcard in their ADMIN_DOMAIN_PRIV attribute, which entitles them to view all entries.

This will accomplish what you described.

However, now "normal" users (those without a value in ADMIN_DOMAIN_PRIV) will not see any person entries at all with this configuration. If you require this, you will have to set up additional schemes to control the visibility of the user entries.

2) The second option applies if you want to control which tasks your administrators are entitled to execute. Use the standard access rule options in the Access Control tab of the task to define your access rules.

Good success

Andreas
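The search-value / user-value rule from option 1 is evaluated by IDM itself once the entry type is configured; no query has to be written. To make the rule concrete, here is an added illustration that is not IDM code and not part of this thread: a small model of the rule, using the attribute names ADMIN_DOMAIN (search-attribute) and ADMIN_DOMAIN_PRIV (user-attribute) from the post, with a constructed sample identity store. The `Person` class, `parse_multivalue` and the sample MSKEYs are assumptions made for the example. It also shows the caveat above: users with no ADMIN_DOMAIN_PRIV value see no person entries at all.

```python
"""Added illustration (not SAP IDM code): a model of the search-value /
user-value visibility rule described in the post.  Attribute names
ADMIN_DOMAIN and ADMIN_DOMAIN_PRIV come from the post; the data structures
and the sample directory below are constructed for this example."""
from dataclasses import dataclass, field

WILDCARD = "*"  # value in ADMIN_DOMAIN_PRIV that grants visibility of every entry


def parse_multivalue(raw: str) -> frozenset:
    """Multi-valued attributes are written 'A|B' in the post; '' means no value."""
    return frozenset(v.strip() for v in raw.split("|") if v.strip())


@dataclass(frozen=True)
class Person:
    """One MX_PERSON entry (assumed shape, for illustration only)."""
    mskey: str
    admin_domain: frozenset = field(default_factory=frozenset)       # search-attribute
    admin_domain_priv: frozenset = field(default_factory=frozenset)  # user-attribute


def make_person(mskey: str, admin_domain: str = "", admin_domain_priv: str = "") -> Person:
    return Person(mskey, parse_multivalue(admin_domain), parse_multivalue(admin_domain_priv))


def can_see(viewer: Person, target: Person) -> bool:
    """An entry is visible when one of the viewer's user-values matches one of
    the target's search-values, or the viewer holds the '*' wildcard."""
    if WILDCARD in viewer.admin_domain_priv:
        return True
    return not viewer.admin_domain_priv.isdisjoint(target.admin_domain)


def visible_entries(viewer: Person, directory) -> list:
    """MSKEYs the viewer would get back from a Manage-tab search, sorted."""
    return sorted(p.mskey for p in directory if can_see(viewer, p))


def build_sample_directory() -> dict:
    """Constructed sample store: users in groups A..C plus three administrators."""
    people = [
        make_person("u1", admin_domain="A"),
        make_person("u2", admin_domain="B"),
        make_person("u3", admin_domain="B"),
        make_person("u4", admin_domain="C"),
        make_person("admin_b", admin_domain="B", admin_domain_priv="B"),
        make_person("admin_ab", admin_domain="A", admin_domain_priv="A|B"),
        make_person("superadmin", admin_domain="A", admin_domain_priv="*"),
    ]
    return {p.mskey: p for p in people}


def visibility_report(directory: dict) -> dict:
    """Map each MSKEY to the sorted list of entries it can see."""
    return {name: visible_entries(p, directory.values()) for name, p in directory.items()}


if __name__ == "__main__":
    for viewer, seen in visibility_report(build_sample_directory()).items():
        # u1..u4 have no ADMIN_DOMAIN_PRIV value, so they see nothing (the caveat)
        print(f"{viewer:>10}: {seen or '(no entries visible)'}")
```

Running it shows `admin_b` seeing only group B entries, `admin_ab` seeing A and B, `superadmin` seeing everything, and the plain users seeing nothing, which is why a second visibility scheme is needed if ordinary users must still find each other.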

Former Member
0 Kudos

Hi Andreas,

Thanks for your detailed explanation. I have implemented with the option 1.

Hurray!!! It's working now!!

Thanks a ton for your help.

Best Regards,

Krishna.

Former Member
0 Kudos

Hello Krishna,

After setting up the attributes ADMIN_DOMAIN and ADMIN_DOMAIN_PRIV, where are you writing the select query to compare these attributes and restrict the admins from viewing the users from other groups? Or rather, what step did you do after setting up the above mentioned attributes?

Thanks and Regards,

Mohamed Fazil

Answers (2)

Former Member
0 Kudos

You can set up filters on the object such that only a person with attribute X value Y can see objects who have a filter value Y. IIRC you do it on the EntryType. You can use wildcards as well to help.

Be aware that this can be a little problematic if you ever want them to see the users at all (they can't).

Peter

bxiv
Active Contributor
0 Kudos

I think this is what you are after: https://scn.sap.com/docs/DOC-26322 It provides various scenarios on different ways to have approval configured, and this should also enforce users to only see IDs they have rights to view.

Administrator = Approver which in most cases is a supervisor/manager.