aivok (Participant), October 19, 2015 at 3:28 pm, #5888

Is it possible to limit OpenIDM so that roles can be created only by AD group sync, or, if that is not possible, to allow role creation only to certain users?
The problem is that if a user creates a role with a wrong Active Directory entitlement value, it may create problems on the AD side.

ssripathy (Participant), October 19, 2015 at 3:47 pm, #5890

Yes. You can do both. You can set up sync to go only one way, where only AD groups sync back to IDM roles, OR you can limit sync from IDM to AD based on certain conditions. I am guessing you would want the 2nd option, as there may be cases where info has to originate from IDM.

aivok (Participant), October 19, 2015 at 4:00 pm, #5891

Yes, I think the 2nd case is where limiting is needed. So does that mean editing UI forms for roles, or somewhere else too?

ssripathy (Participant), October 20, 2015 at 3:31 pm, #5904

Yes, setting up some basic delegated admin structure, where a super admin can delegate a few to do this role creation, would work. There are a couple of ways to do this: you could edit the UI form and then see if access to that form can be limited by configured roles, or write a workflow to manage roles and limit workflow access to specific admin roles, or simply limit access to REST endpoints based on user roles. A plethora of options.
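The last option above (limiting REST endpoint access by user role), as an added example that is not from this thread or from ForgeRock: a rule set in the shape OpenIDM's script/access.js uses, restricting who may create or change managed roles, plus a small evaluator written here for illustration. The custom role name "role-admin" and the simplified glob matcher are assumptions.

```javascript
// Added example (not OpenIDM's own code): rules in the shape of OpenIDM's script/access.js
// ("httpAccessConfig.configs" entries with pattern / roles / methods / actions), restricting
// who may create or change managed roles, plus a stand-alone evaluator for testing the rules.
var httpAccessConfig = {
  configs: [
    // The built-in administrator keeps full access to everything.
    { pattern: "*", roles: "openidm-admin", methods: "*", actions: "*" },
    // Ordinary authenticated users may only read and query roles ("managed/role*"
    // covers the collection and individual role entries).
    { pattern: "managed/role*", roles: "openidm-authorized", methods: "read,query", actions: "*" },
    // Only the delegated role administrators ("role-admin" is an assumed custom role
    // name) may create, update or delete roles.
    { pattern: "managed/role*", roles: "role-admin", methods: "create,update,patch,delete", actions: "*" }
  ]
};

// Simplified glob matcher: "*" matches any run of characters. This is an illustrative
// stand-in for OpenIDM's pattern matching, not a copy of it.
function matchesPattern(pattern, resource) {
  var escaped = pattern.split("*").map(function (part) {
    return part.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  });
  return new RegExp("^" + escaped.join(".*") + "$").test(resource);
}

// True if the comma-separated list contains "*" or the given value.
function listContains(csv, value) {
  return csv.split(",").some(function (item) {
    item = item.trim();
    return item === "*" || item === value;
  });
}

// Deny by default: a request is allowed only if some rule matches the resource,
// permits the method and names at least one of the caller's roles.
function isAllowed(userRoles, method, resource) {
  return httpAccessConfig.configs.some(function (rule) {
    return matchesPattern(rule.pattern, resource) &&
      listContains(rule.methods, method) &&
      rule.roles.split(",").some(function (r) { return userRoles.indexOf(r.trim()) !== -1; });
  });
}
```

With these rules an ordinary user can still read roles but a create on managed/role is refused unless the caller also holds role-admin, so an entitlement typo never reaches AD from an unprivileged account.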