This topic contains 1 reply, has 2 voices, and was last updated by patrick.hagen@kit.edu 1 month ago.

#24504
fdinapoli
Participant

    Hi,

I would like to know if it is possible to restrict user visibility based on a logged-in user's attribute or role.

    For example, to be clear:
    1) userHR1 belongs to standard openidm-admin role and his identity form attribute department is set to HR
    >>>
    userHR1 can see and manage only users whose department attribute is set to HR

    2) userHR1 belongs to HRadmin, a custom admin role
    >>>
    userHR1 can see and manage only users whose department attribute is set to HR

Is it possible to implement one of those requirements?

    Many Thanks,
    Fabrizio.

#24505
patrick.hagen@kit.edu
Participant

    Hi Fabrizio,

    I’m aware of two possibilities.

a) I’ve seen a ForgeRock demo where the Identity Gateway is used to enforce such policies. Basically, your browser talks to the gateway, which detects “User is HR” and modifies the search to include some “and department eq 'hr'”. Quite generic, should work with the default UI.

b) Develop your own endpoints enforcing this logic. It’s not that bad, but won’t work with the default UI. Developing a custom UI is probably the real cost of this solution.

    Best regards
    Patrick
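The two approaches in the answer above, modelled as an added example (this is illustrative code, not ForgeRock's and not from either poster): `scopedQueryFilter()` is the filter rewrite a gateway would perform for approach (a), and `handleRequest()` is the enforcement a custom endpoint would do for approach (b). The in-memory user list, the request shape, the `HRadmin` role name and all helper names are assumptions made for this example.

```javascript
"use strict";

// Constructed sample directory (assumption: every user carries a department).
const USERS = [
  { _id: "u1", userName: "userHR1", department: "HR", mail: "hr1@example.com" },
  { _id: "u2", userName: "userHR2", department: "HR", mail: "hr2@example.com" },
  { _id: "u3", userName: "userFin1", department: "Finance", mail: "fin1@example.com" },
];

// Roles allowed to manage users at all (assumption, mirroring the two cases in
// the question: the built-in admin role or a custom HRadmin role).
const MANAGER_ROLES = new Set(["openidm-admin", "HRadmin"]);

// The department value is interpolated into a query filter, so it is validated
// against a strict token shape rather than escaped: a requester whose attribute
// fails this check gets no scope at all.
function isPlainToken(value) {
  return typeof value === "string" && /^[A-Za-z0-9_-]{1,64}$/.test(value);
}

// Filter rewrite for approach (a): whatever the client asked for is AND-ed with
// the department restriction, so a client cannot widen its scope by crafting its
// own filter. The syntax follows the "department eq 'hr'" style quoted in the
// answer, here with double-quoted string literals.
function scopedQueryFilter(requestedFilter, department) {
  if (!isPlainToken(department)) {
    throw new Error("requester has no usable department attribute");
  }
  const scope = `/department eq "${department}"`;
  const requested = (requestedFilter || "").trim();
  if (requested === "" || requested === "true") {
    return scope;
  }
  return `(${requested}) and ${scope}`;
}

// Enforcement for approach (b): a custom endpoint that receives the caller's
// identity (department + roles) and a simplified request object.
function handleRequest(request, requester) {
  const roles = requester.roles || [];
  if (!roles.some((r) => MANAGER_ROLES.has(r))) {
    return { status: 403, reason: "caller is not a user manager" };
  }
  const dept = requester.department;
  if (!isPlainToken(dept)) {
    return { status: 403, reason: "caller has no department scope" };
  }

  if (request.method === "query") {
    // Only users in the caller's department are ever returned; an optional
    // userName parameter narrows the result further.
    const result = USERS.filter(
      (u) => u.department === dept && (!request.userName || u.userName === request.userName)
    );
    return { status: 200, result, effectiveFilter: scopedQueryFilter(request.queryFilter, dept) };
  }

  if (["read", "update", "patch", "delete"].includes(request.method)) {
    const target = USERS.find((u) => u._id === request.resourceId);
    // Out-of-scope records answer 404 exactly like missing ones, so the endpoint
    // does not reveal which ids exist in other departments.
    if (!target || target.department !== dept) {
      return { status: 404, reason: "not found" };
    }
    // Writes to the department attribute are refused: allowing them would let an
    // HR manager move a user into, or out of, another department's scope.
    const patchTouchesDept = (request.patch || []).some((op) => op.field === "/department");
    const updateChangesDept = request.body && request.body.department !== target.department;
    if ((request.method === "patch" && patchTouchesDept) ||
        (request.method === "update" && updateChangesDept)) {
      return { status: 403, reason: "department is not writable through this endpoint" };
    }
    return { status: 200, result: target };
  }
  return { status: 405, reason: "unsupported method" };
}
```

Both halves rely on the same principle: the scope comes from the authenticated caller's own attribute, never from anything the client sends, and out-of-scope objects are indistinguishable from non-existent ones.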
