This topic has 3 replies, 2 voices, and was last updated 6 years ago by ssripathy.

  • #5888
     aivok
    Participant

    Is it possible to limit OpenIDM so that roles can be created only by AD group sync or, if that is not possible, to allow role creation only to certain users?
    The problem is that if a user creates a role with a wrong Active Directory entitlement value, it may create problems on the AD side.

    #5890
     ssripathy
    Participant

    Yes. You can do both. You can set up sync to go only one way, where only AD groups sync back to IDM roles, OR you can limit sync from IDM to AD based on certain conditions. I am guessing you would want the 2nd option, as there may be cases where info has to originate from IDM.

    #5891
     aivok
    Participant

    Yes, I think the 2nd case is where limiting is needed. So does that mean editing UI forms for roles or somewhere else too?

    #5904
     ssripathy
    Participant

    Yes, setting up some basic delegated admin structure, where a super admin can delegate a few users to do this role creation, would work. There are a couple of ways to do this: you could edit the UI form and then see if access to that form can be limited by configured roles, or write a workflow to manage roles and limit workflow access to specific admin roles, or simply limit access to REST endpoints based on user roles. A plethora of options.
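To make the last option concrete, here is an added example (not code from the thread or from ForgeRock) that models the third approach from the answer above: an OpenIDM-style access rule set in which only users holding a dedicated admin role may create, update or delete managed roles, while ordinary authorized users may only read them. The rule fields (`pattern`, `roles`, `methods`, `actions`) follow the layout of OpenIDM's `access.js` / `access.json` configuration, but the evaluator below is a simplified stand-in for OpenIDM's own router authorization, the wildcard handling is a simplification, and the `role-admin` role name and the sample requests are constructed for the illustration.

```javascript
// Added illustration of deny-by-default endpoint authorization for managed/role.
// Rule shape mirrors OpenIDM access.js/access.json; evaluator is a stand-in.

// Constructed rule set. "openidm-admin" and "openidm-authorized" are OpenIDM's
// built-in roles; "role-admin" is a hypothetical delegated-admin role.
const accessConfig = {
  configs: [
    {
      // Full control over roles only for the super admin and the delegated role admins
      pattern: "managed/role/*",
      roles: "openidm-admin,role-admin",
      methods: "create,read,update,delete,patch,action,query",
      actions: "*"
    },
    {
      // Everyone else who is logged in may only look roles up
      pattern: "managed/role/*",
      roles: "openidm-authorized",
      methods: "read,query",
      actions: ""
    },
    {
      pattern: "managed/user/*",
      roles: "openidm-authorized",
      methods: "read,query",
      actions: ""
    }
  ]
};

// Convert a rule pattern into a regex. "*" is a wildcard; a trailing "/*" also
// matches the bare collection so that create/query on "managed/role" itself is
// covered. This is a simplification of OpenIDM's matching, not its algorithm.
function patternToRegex(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\/\.\*$/, "(/.*)?");
  return new RegExp("^" + body + "$");
}

function splitList(csv) {
  return csv.split(",").map(s => s.trim()).filter(Boolean);
}

// request: { resource, method, action, userRoles }
// Returns true only if at least one rule explicitly grants the request.
function isAllowed(config, request) {
  return config.configs.some(rule => {
    if (!patternToRegex(rule.pattern).test(request.resource)) return false;
    if (!splitList(rule.methods).includes(request.method)) return false;
    const granted = splitList(rule.roles);
    if (!granted.some(r => request.userRoles.includes(r))) return false;
    if (request.method === "action" && rule.actions !== "*" &&
        !splitList(rule.actions).includes(request.action)) return false;
    return true;
  });
}

// Constructed sample requests: a helpdesk user and a delegated role admin.
const sampleRequests = [
  { who: "helpdesk creates role", resource: "managed/role", method: "create",
    action: null, userRoles: ["openidm-authorized"] },
  { who: "role-admin creates role", resource: "managed/role", method: "create",
    action: null, userRoles: ["openidm-authorized", "role-admin"] },
  { who: "helpdesk reads role", resource: "managed/role/abc-123", method: "read",
    action: null, userRoles: ["openidm-authorized"] },
  { who: "helpdesk patches role", resource: "managed/role/abc-123", method: "patch",
    action: null, userRoles: ["openidm-authorized"] }
];

function evaluateAll(config, requests) {
  return requests.map(r => ({ who: r.who, allowed: isAllowed(config, r) }));
}

for (const result of evaluateAll(accessConfig, sampleRequests)) {
  console.log(`${result.who}: ${result.allowed ? "ALLOW" : "DENY"}`);
}
```

The point of the shape is that a user who only holds `openidm-authorized` cannot create or patch a role through the REST endpoint at all, regardless of what the UI form lets them type, so a wrong AD entitlement value never reaches the role store from that account; the same rule set also keeps the UI consistent, since the form calls these endpoints.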

©2021 ForgeRock