Skip to Content
avatar image
Former Member

Usage of "search attribute" and "user attribute" in entry type

Hi,

does anybody know how these two entry type parameters can be used to restrict access, so that e.g. a manager can only see his employees in the IDM interface?

I only found the following description in the release notes, but I couldn't find any additional information on the SAP Help Portal:

"The same identity store can be shared by different groups of users, for instance users from

several companies may coexist in the same identity store. To prevent the users of the different

groups/companies to see each other's data, the fields in the "Access limitations" group box on

entry type ("Search attribute" and "User attribute") to specify these access restrictions.

The access limitations are a global setting that restricts which entries will be returned when a

user searches for entries in the "Manage" tab and when adding references.

See Help File (Functional View) on the SAP Help Portal for more information"

Thanks in advance for your help!

Best regards

Holger

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    avatar image
    Former Member
    Nov 18, 2009 at 10:58 PM

    Hi Holger,

    I just found out how to use them.

    I use it to restrict access to roles, and set it up this way:

    - I defined an attribute Z_COMPANYNAME (single value) and assigned it as a mandatory attribute to MX_PERSON and MX_ROLE.

    - I assigned a value for Z_COMPANYNAME to all my users and all my roles.

    - after this, I set both the search attribute and user attribute in entry MX_ROLE to attribute Z_COMPANY.

    Now, when searching for available roles, only the roles for which the company name of the logged-in user (MX_PERSON - User Attribute) matches the company name defined on the role (MX_ROLE - Search Attribute) are shown.

    Please note, I had to apply the latest patch (7.1 SP3 patch 1) for the UI to get it to work on Oracle. Before this patch I got an SQL error when searching the roles. Furthermore, patch 1 for the UI and the design time components allow the use of wildcards in the attributes according to the documentation. Haven't played with this yet however.

    Hope this helps, best regards,

    Jos

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Nov 19, 2009 at 08:47 AM

    Hi Jos,

    thanks for the hint. In the meantime I have also found out how it works, but I forgot to mention it in this forum.

    Best regards

    Holger

    Add comment
    10|10000 characters needed characters exceeded