
Security: Role in IdM UI

Former Member
0 Kudos

Dear all,

Which attributes do I have to use to give security in the IdM UI for different tasks?

1. User: Self-service for resetting his own password

2. Service Desk: This group should reset all passwords, except for members of the admin group

3. Authority manager: This group should assign security roles to users without changing the other user attributes.

Please advise.

Best regards,

Hans

Accepted Solutions (0)

Answers (3)

deepakkg86
Participant
0 Kudos

Hello Andrew

For moving the task into self service, You just need to change the access control as below :

Even though you give access to the Manage tab, it doesn't mean the user can do all tasks under the Manage tab. Access would be granted as it is defined on each UI task.

I am a bit confused with your question. Do you mean that users should be able to add the privilege assignment to users, but they shouldn't be able to remove any existing one?

Regards

Deepak Gupta

Former Member
0 Kudos

Hi Hans,

I. For self service password reset, the document provided by is the best one !!

II. For service desk - "this group should reset all passwords".

  1. Create an ordered task which resets the password for the selected user.

  2. Create a role, say BizRole_ServiceDesk

  3. Go to the Access control tab and maintain the access control as shown below.

  4. Assign the role BizRole_ServiceDesk. Ensure you give him the privilege to the Manage tab, i.e. MX_PRIV:WD:TAB_MANAGE. I would suggest you add this privilege as a member privilege on the role.

III.  "Authority manager: This group should assign security roles to users without changing the other user attributes."

  1. Create an ordered task for role assignment. Since you want to restrict the users from changing any attribute other than the roles, make all the attributes read-only except the MXREF_MX_ROLE (and MXREF_MX_PRIVILEGE, if required) attribute.

  2. Create a role, say BizRole_AuthorityManager

  3. Go to the Access control tab and maintain the access control for BizRole_AuthorityManager, similarly to the screenshot under query 2.

  4. Assign the role BizRole_AuthorityManager. Ensure you give him the privilege to the Manage tab, i.e. MX_PRIV:WD:TAB_MANAGE. I would suggest you add this privilege as a member privilege on the role.

All the best !!

~ Krishna.
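The task/ACL design above, as an added example that is not part of the original thread or of SAP IdM: a small Python model of the three tasks, their ACLs and their editable attributes, so the three requirements from the question (including the "not for admin group members" condition the answer does not cover) can be checked. The task names, the role name BizRole_Admin, the attribute name MX_PASSWORD and the "excluded target roles" rule are assumptions; only the role names, MX_PRIV:WD:TAB_MANAGE and the MXREF_* attributes come from the thread.

```python
# Added example: a model of the UI task / ACL design from the thread, not SAP IdM code.
from dataclasses import dataclass, field

MANAGE_TAB = "MX_PRIV:WD:TAB_MANAGE"          # privilege named in the thread
ROLE_ATTRS = {"MXREF_MX_ROLE", "MXREF_MX_PRIVILEGE"}
# Assumption: the Manage-tab privilege is a member privilege of both roles,
# as the answer recommends, so role membership grants it.
ROLE_PRIVS = {"BizRole_ServiceDesk": {MANAGE_TAB},
              "BizRole_AuthorityManager": {MANAGE_TAB}}

@dataclass
class UITask:
    name: str
    acl_roles: set                 # task ACL: roles allowed to run the task
    editable: set                  # attributes left editable on the form
    self_service: bool = False     # runs on the caller's own entry only
    exclude_targets: set = field(default_factory=set)  # assumed rule: refuse these targets

@dataclass
class User:
    id: str
    roles: set

    def privileges(self):
        return set().union(*(ROLE_PRIVS.get(r, set()) for r in self.roles))

# Hypothetical task definitions; "MX_PASSWORD" and "BizRole_Admin" are assumed names.
TASKS = {
    "reset_own_password": UITask("reset_own_password", set(), {"MX_PASSWORD"}, self_service=True),
    "reset_password": UITask("reset_password", {"BizRole_ServiceDesk"}, {"MX_PASSWORD"},
                             exclude_targets={"BizRole_Admin"}),
    "assign_roles": UITask("assign_roles", {"BizRole_AuthorityManager"}, ROLE_ATTRS),
}

def can_run(actor: User, task: UITask, target: User) -> bool:
    """Decide whether actor may run task on target under the modelled ACL rules."""
    if task.self_service:
        return actor.id == target.id
    if MANAGE_TAB not in actor.privileges():          # no Manage tab, no task
        return False
    if not (actor.roles & task.acl_roles):            # task ACL check
        return False
    return not (target.roles & task.exclude_targets)  # e.g. service desk vs. admins

def allowed_changes(actor: User, task: UITask, target: User, requested: set) -> set:
    """Return the subset of requested attribute changes the task form would accept.
    Read-only attributes are dropped, which is how the answer keeps the
    authority manager from editing anything but the role assignment."""
    if not can_run(actor, task, target):
        return set()
    return set(requested) & task.editable
```

Note that the model only says which attributes the form accepts; whether an accepted change adds or removes a role assignment is a separate per-task setting, which is the point raised in the follow-up question below Krishna's answer.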

Former Member
0 Kudos

Krishna,

Great post. Question: is it possible to move #4 to be a Self-Service tab-based item? Secondly, and in conjunction with the first question (if possible), if all users have access to the Manage tab to add, they also have the ability to remove. Of course, if workflow is in place, no provisioning or de-provisioning task will execute without an approval, but how would you suggest allowing the user to add, but restricting the removal capabilities? We'd prefer to have a Self-service tab item that allows all users to request access for any user, but only for adds.

former_member2987
Active Contributor
0 Kudos

Hans,

Take a look at the SSPR document. Basically you need the ability to log on anonymously. As far as your other requirements, whatever you would like to call the role. I don't believe there is any standard for this in general, although there could be an SAP Security best practice.

BR,

Matt

terovirta
Active Contributor
0 Kudos

Matt Pollicove wrote:

As far as your other requirements, whatever you would like to call the role.

Hans,

just create roles for Manager and Service Desk and assign the privilege representing the Manage tab to the roles.

Then create a UI to reset the password and assign the Service Desk role to the ACL of the task, plus create (or copy from SAP PF) a UI for the assignment and add the Manager role to the task ACL.

regards, Tero