cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Custom privilege assignment page with background filters

Go to solution
laurent_vandenbemden
Participant

on ‎06-26-2018 12:49 PM

0 Kudos

Hello Gurus,

I’ve received a request to create a custom privilege assignment page for one of my customers. The IDM system is a 8 version SP5 patch level 11 and running on an Oracle db.

It seems that during the past years the option to create a custom assignment attribute, which I surely used in 7.2 first SP versions, has disappeared.

Now for this particular customer I need to create a customized assignment page where a specific admin can only assign a particular bunch of privileges for a specific backend system. So not all privileges are “authorized” for this admin.

The easiest way would have been to create a new assignment attribute with some SQL query configured in the attribute values tab but as it is not possible to create a custo assignment attribute I need to find another solution.

So I thought to play a little with the visibility of the privileges in the identity store but this would impact the request new role task part of the self-services.

Has anyone experienced a similar request/issue?

All suggestions are welcome J

Thx!

Laurent

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Ckumar
Contributor
‎07-16-2018 3:40 AM
0 Kudos

Hello Laurent,

If any of the answer worked and you are able to fix the issue, request you to mark the correct answer and close the thread.


My Previous Comment -

After adding the IDM attribute in any Forms, IDM allows to change some of the properties of the same attribute from the Form itself. Please refer the first screenshot(attrvals.png) shared by Adam for details. If you make changes in the attribute from a form then the changes will be limited to specific form only, rest all forms will enjoy the global configuration which was standard or changed using Identity Store Schema -> Attributes.

Regards,

C Kumar

Show replies
Show replies

Answers (2)

Answers (2)

former_member85790
Participant
‎06-26-2018 3:23 PM

Hi Laurent,

Unless I'm misunderstanding the requirement, it is still possible to create the custom assignment attribute - this is done by selecting Identity Store Schema -> Attributes -> New Attribute in the Dev Studio.

However, you may be able to achieve the same result using the standard MX_ASSIGNMENT attribute, by modifying the Attribute Values tab within the form itself - you can then configure your SQL query in the same way you would for a custom attribute:

I've not explored this functionality extensively, so there may be some limitations in the latter approach, particularly around preventing removal of the privileges outside the approved set, but I hope this gives you a step in the right direction.

Regards,
Adam

Show replies
Show replies
laurent_vandenbemden
Participant
‎06-26-2018 4:46 PM
0 Kudos

Hello Adam,

Actually the possibility to create an assignment attribute has been removed. Creating an attribute is not an issue but it is not processing any assignments. When I create a new attribute the assignment tab is visible but no option to set the "attribute type" to assignment so that it stays visible after saving this new attribute.

As you can see below once saved the assignment tab disappears and as per SAP this is normal behaviour.

Modifying the standard assignment attribute is not an option as used by other admins on all the privileges available in the store. If I modify the MX_ASSIGNMENT attribute it will be effective for all users.

thx,

Laurent

former_member85790
Participant
‎06-26-2018 5:04 PM

Hi Laurent,

I see - that makes sense now - I hadn't realized that the tab did not remain after saving the custom attribute.

Nevertheless, I still think the second option could be explored - I'm not proposing to modify the MX_ASSIGNMENT attribute globally, but instead to set a form-specific configuration for this particular case.

Regards,
Adam

Steffi_Warnecke
Active Contributor
‎07-02-2018 5:48 PM

Hello Laurent,

just tested this in 7.2 SP10 and it's the same behaviour.

The assignment attributes delivered by SAP are now "System attributes", so the attribute type "Assignment attribute" is gone completly. The help says, that the tab "Assignments" just shows up for the SAP assignment attributes, so yeah... no chance here. We never used this, so I never even knew that option existed prior.

But we use what Adam proposes a lot: adding an sql statement on a UI task (form in 8.0) for MX_PRIVILEGE (for example). This will take care of the available privileges the admin can choose to assign. But unless you change the visibility of the privileges, all the already assigned privileges will still show up on the "assigned" side and can be unassigned, too. Not so great. You need to set the default search filter and make it read-only to prevent this.

This was not an option for us, so we changed the visibility of all privileges (which is not an option for you, as you wrote).

.
Regards,

Steffi.

laurent_vandenbemden
Participant
‎07-04-2018 6:54 AM
0 Kudos

Hello Steffi, Adam,

Thank you for your suggestions. I'll give it a try with the visibility of the privileges.

Strange that the option is not available to create custom assignment attributes. In a large company it seems essential to me 🙂

Anyway, what do you mean exactly by form specific config Adam?

Thx,

Laurent

laurent_vandenbemden
Participant
‎07-13-2018 3:22 PM

Hello Kumar,

Thx for your reply and sorry for my late response 🙂

I never noticed there was the possibility to add some form specific properties. Your tip will do the trick!

Thx,

Laurent

Ckumar
Contributor
‎07-04-2018 1:07 PM
0 Kudos

Hello Laurent,

After adding the IDM attribute in any Forms, IDM allows to change some of the properties of the same attribute from the Form itself. Please refer the first screenshot(attrvals.png) shared by Adam for details. If you make changes in the attribute from a form then the changes will be limited to specific form only, rest all forms will enjoy the global configuration which was standard or changed using Identity Store Schema -> Attributes.


Regards,

C Kumar

Show replies
Show replies
Ask a Question