My Roles task and MX_ROLE:ADMIN

jasonevans1

Hello,

Apologies if this is a basic question as I am new to SAP IdM.

I have a new SAP IdM Installation. Following the installation guide, I have imported the 'com.sap.idm.forms.html5' SAP package.

As a test, I have created a test user called 'Z_TEST' in both the IDM User Store and the UME. When I added the user into the user store, I ensured that both the 'Add Manager Privileges' and 'Add Administrator Privileges' check-boxes were unchecked:

Now when I navigate to https://<host>:<port>/idm, I see this:

When I click on My Roles, it looks like this brand new user is able to assign itself Administrator privileges:

Now when I navigate back to https://<host>:<port>/idm, I see the user has a lot more access with this role assigned:

I would like to restrict this access, so when I create a user they should not be able to assign themselves Administrator privileges. I know the 'My Roles' task is from the com.sap.idm.forms.html5 package, however the installation guide states to not modify access control for predefined forms.

Does anyone have an idea for how to restrict this access?

Thanks!

Accepted Solutions (1)

Steffi_Warnecke

Hello Jason,

The easiest thing would be to restrict the visibility of that business role (and any other you don't want them to see) in the UI. I do this with privileges a lot.


Check the following fields (they are probably already part of the form for business roles):

"MXAC_ENTRY" = which groups can see it

These values are available:

  • 0: Entry is visible to all
  • 1: Entry is visible to owner and members
  • 2: Entry is visible to owner only


"MX_OWNER" = businessroles or identities


So normally I set it this way:

MXAC_ENTRY = 2 (so only "owners" can see it)

MX_OWNER = Businessrole that contains the people who need to see it in the UI


For "MX_ROLE:ADMIN" I would probably restrict the visibility to our IDM administrators business role. Anyone who is not part of that business role will simply not see "MX_ROLE:ADMIN" in the UI and this way can't "request" it.


BTW: I would think that something that says "Request" involves an approval workflow. Looks like this is not the case here. ^^


Regards,

Steffi
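The visibility rule described in the accepted answer, written out as a small Python model so the effect of MXAC_ENTRY and MX_OWNER can be checked for a given user. This is an added example, not code from the thread or from SAP: it assumes the three MXAC_ENTRY values listed above, assumes that a user counts as owner when one of their business roles is named in MX_OWNER, and uses constructed sample names (Z_TEST, ADMIN01, IDM_ADMINISTRATORS, Z_STAFF_ROLE). The audit helper at the end flags privileged entries that a fresh, role-less user can still see, which is exactly the situation in the question.

```python
# Added example (not from the thread or from SAP): model of the
# MXAC_ENTRY / MX_OWNER visibility rule and a small audit built on it.
# Assumptions (constructed, not verified against SAP IdM internals):
#   - MXAC_ENTRY takes exactly the three values 0, 1, 2 listed in the answer;
#   - MX_OWNER may name identities or business roles, and a user is an owner
#     when their business roles include an owning role;
#   - all user and role names below are sample data.
from dataclasses import dataclass

# MXAC_ENTRY values quoted in the answer
VISIBLE_TO_ALL = 0
VISIBLE_TO_OWNER_AND_MEMBERS = 1
VISIBLE_TO_OWNER_ONLY = 2


@dataclass
class Entry:
    """A business role or privilege entry with its access-control attributes."""
    name: str
    mxac_entry: int = VISIBLE_TO_ALL
    owners: frozenset = frozenset()   # MX_OWNER: identities and/or business roles
    members: frozenset = frozenset()  # identities that already hold the entry


def is_owner(entry: Entry, user: str, user_roles: frozenset) -> bool:
    """Owner directly, or through membership in an owning business role (assumption)."""
    return user in entry.owners or bool(entry.owners & user_roles)


def is_visible(entry: Entry, user: str, user_roles: frozenset) -> bool:
    """Apply the MXAC_ENTRY rule for one user."""
    if entry.mxac_entry == VISIBLE_TO_ALL:
        return True
    if entry.mxac_entry == VISIBLE_TO_OWNER_AND_MEMBERS:
        return is_owner(entry, user, user_roles) or user in entry.members
    if entry.mxac_entry == VISIBLE_TO_OWNER_ONLY:
        return is_owner(entry, user, user_roles)
    raise ValueError(f"unknown MXAC_ENTRY value {entry.mxac_entry!r} on {entry.name}")


def visible_entries(entries, user, user_roles):
    """Names of the entries the user would see, and so could request, in My Roles."""
    return sorted(e.name for e in entries if is_visible(e, user, user_roles))


def exposed_privileged_entries(entries, privileged, user, user_roles):
    """Audit: privileged entries that a non-privileged probe user can still see."""
    return [n for n in visible_entries(entries, user, user_roles) if n in privileged]


# --- constructed sample data -------------------------------------------------
PRIVILEGED = {"MX_ROLE:ADMIN"}
PROBE_USER, PROBE_ROLES = "Z_TEST", frozenset()                  # fresh user, no roles
ADMIN_USER, ADMIN_ROLES = "ADMIN01", frozenset({"IDM_ADMINISTRATORS"})

# As installed: MX_ROLE:ADMIN is visible to everyone, so Z_TEST can request it.
BEFORE = [
    Entry("MX_ROLE:ADMIN", VISIBLE_TO_ALL),
    Entry("Z_STAFF_ROLE", VISIBLE_TO_ALL),
]

# Hardened as the answer suggests: MXAC_ENTRY = 2, MX_OWNER = admin business role.
AFTER = [
    Entry("MX_ROLE:ADMIN", VISIBLE_TO_OWNER_ONLY, owners=frozenset({"IDM_ADMINISTRATORS"})),
    Entry("Z_STAFF_ROLE", VISIBLE_TO_ALL),
]


def run_audit():
    """Compare exposure before and after hardening, and confirm admins still see the role."""
    return {
        "before": exposed_privileged_entries(BEFORE, PRIVILEGED, PROBE_USER, PROBE_ROLES),
        "after": exposed_privileged_entries(AFTER, PRIVILEGED, PROBE_USER, PROBE_ROLES),
        "admin_still_sees": visible_entries(AFTER, ADMIN_USER, ADMIN_ROLES),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

Running it shows `before: ['MX_ROLE:ADMIN']`, `after: []` and that ADMIN01 still sees both entries. The same `exposed_privileged_entries` check can be run with a probe user that has no business roles against an export of all business roles to find any other privileged entry left at MXAC_ENTRY = 0.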

Answers (1)

Former Member

Short addition to Steffi's response:

MX_ROLE:ADMIN does consist of several "menu privileges" predefined for standard forms and tabs. If you want to restrict them, make your own copy of MX_ROLE:ADMIN and cut all the tabs you don't need. A list of privileges and their use is pasted below. There is also one for the Admin UI.

Regards,

Hendrik

  • MX_PRIV:IDS:MANAGE

    Gives access to the forms on the Manage tab. Using these forms, provided in the Provisioning framework for SAP Identity Management 8.0, the manager can perform CRUD operations (create, read, update, delete different entry types) in the Identity Management User Interface.

  • MX_PRIV:MANAGED_APPROVALS:MODIFY

    Provides both read and write access to the Approval Management tab. This tab provides a manager an overview over approvals assigned to users that he/she is manager for.

  • MX_PRIV:MANAGED_APPROVALS:PROCESS

    Gives access to the Approval Management tab. This tab provides a manager an overview over approvals assigned to users that he/she is manager for and he/she can escalate or decline the approval, if necessary.

  • MX_PRIV:MANAGED_APPROVALS:READONLY

    Gives read only access to the Approval Management tab. This tab provides a manager an overview over approvals assigned to users that he/she is manager for.

  • MX_PRIV:WD:TAB_HISTORY

    Gives access to the History tab. This tab provides the status and history of the tasks executed on own entry (self service tasks), on other entries (tasks available from the Manage tab) and the approvals.

  • MX_PRIV:WD:TAB_MANAGE

    Gives access to the Manage tab. From this tab, the user is able to search for entries in the identity store and perform tasks on (manage) these. Which tasks are available is controlled by the access control defined on each task.

  • MX_PRIV:WD:TAB_REPORT

    Gives access to the View Reports tab. In this tab, the generated reports can be viewed.

  • MX_PRIV:WD:TAB_TODO

    Gives access to the To Do tab. In this tab, the approvals can be handled.