permission groups and application role

Hi all,

Trying to understand and do some tests with permission groups and application roles. I have this scenario:

  • user01 assigned to application role Identity Management\Organizations\Administrators, by default associated with vi_4_STRUCTADMIN_ADMIN permission group. In IT Shop, this user has in the menu: Responsibilities/Governance Administration/Organization
  • user02 assigned to application role custom/restrictedOrgAdmin, associated with CCC_vi_4_STRUCTADMIN_ADMIN permission group, that is a copy of the previous permission group vi_4_STRUCTADMIN_ADMIN. I am expecting the same menu as for the previous employee, but it does not appear. What am I forgetting? The permission group vi_4_STRUCTADMIN_ADMIN and its superiors were copied, and the copy was made with the permission and navigation options marked.

I'm trying to create some restricted admin application roles; when this works, I will apply a filter in these roles so that they only affect certain objects.

Working with version 8.1.2

Regards,

  • Hello,

    Governance Administration would correlate to Data Governance. Have you assigned any of the Data Governance roles? If not, you won't see this menu.

    Specifically, Data Governance\Administrators.

    Trevor

  • Hi Trevor,

    If you are referring to the application roles that are under the Identity & Access Governance branch, no, I have not applied them to either user01 or user02. user01 only has the application role Identity Management\Organizations\Administrators and user02 has my new application role custom/restrictedOrgAdmin.

    How can I get user02 to be the administrator of a subgroup of departments, and to access their administration from the IT shop portal?

    Regards,

  • The manager of a department can see the department under Responsibilities | My Responsibilities.

    Perhaps you could look into delegation.

    Trevor

  • Trevor,

    What I am looking for is simpler than delegation: that user02 is the administrator of all the departments with a specific role type, without having to make him the manager of these departments. I had seen in the One Identity videos how permission groups are related to application roles and how filters are applied to achieve this, but I can't get it to work for me.

    Thanks

  • Hi,

    That's correct, permission groups are related to application roles, but it can't be complicated, especially as far as IT Shop is concerned.

    So vi_4_STRUCTADMIN_ADMIN would have read permissions on the Department table, as you probably have seen, but simply linking a permissions group does not always allow for viewing permissions in IT Shop.

    There's actually a condition on the Department tile that determines whether it is displayed or not. This is based on the entry in HelperHeadOrg. You could look into changing the clause so that it uses the permissions group. That may be one option.

    Trevor

  • Trevor,

    Here in Web Designer: Configure project > Role Management > Responsibility for objects of type Department, I can see the query with HelperHeadOrg that you mention. This query would show the departments of which some of my users were manager from the menu My Responsibilities > Organizations (I will call it the myOrganizations tile). But this is not the case: none of my users is manager of any department or organization. As I said before, user01 is a member of the application role Identity Management\Organizations\Administrators, and from Responsibilities > Governance Administration > Organization (the allOrganizations tile), this user can manage all the departments. I tried, but I am unable to see the query that gives me the visibility of this other tile. Would you know how to guide me?

    Sorry, maybe with some images I could explain myself better ... but I don't know how to upload images to the forum

    Thanks!

  • I got it! Finally I have found the query in the QER_Responsibilities_Administration module:

    exists("Person", variable("uid_person = '%useruid%' and uid_person in ( select piae.uid_person from personinaerole piae join AERoleCollection aec on aec.UID_AERole = piae.uid_aerole where aec.UID_ParentAERole = 'QER-AEROLE-STRUCTADMIN-ADMIN')"))

    I will change it to get what I'm looking for.

    Thank you!!
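To see why the condition above matches user01 but not user02, here is an added example (not from the thread or from One Identity) that models the two tables the clause joins, PersonInAERole and AERoleCollection, in an in-memory SQLite database and runs the same membership check. The column names come from the clause; the row values, the custom role's UID and the assumption that AERoleCollection lists a role as a member of its own collection are constructed for the example.

```python
import sqlite3

# Constructed sample identifiers (not real One Identity Manager UIDs).
PARENT_ROLE = "QER-AEROLE-STRUCTADMIN-ADMIN"   # Identity Management\Organizations\Administrators
CUSTOM_ROLE = "CCC-AEROLE-RESTRICTEDORGADMIN"   # custom/restrictedOrgAdmin (hypothetical UID)


def build_db():
    """In-memory copy of the two tables joined by the Web Designer clause."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE PersonInAERole (UID_Person TEXT, UID_AERole TEXT);
        CREATE TABLE AERoleCollection (UID_AERole TEXT, UID_ParentAERole TEXT);
    """)
    # Assumption: AERoleCollection flattens the role hierarchy, and a role is
    # listed under itself. The custom role is NOT a child of PARENT_ROLE, which
    # mirrors the thread: a copied permission group does not create that link.
    db.executemany("INSERT INTO AERoleCollection VALUES (?, ?)", [
        (PARENT_ROLE, PARENT_ROLE),
        (CUSTOM_ROLE, CUSTOM_ROLE),
    ])
    db.executemany("INSERT INTO PersonInAERole VALUES (?, ?)", [
        ("user01", PARENT_ROLE),   # user01 from the thread
        ("user02", CUSTOM_ROLE),   # user02 from the thread
    ])
    return db


def tile_visible(db, uid_person, parent_roles=(PARENT_ROLE,)):
    """The thread's condition: is the user in any role collected under a parent?

    The original clause hard-codes one parent; accepting a tuple shows how the
    clause could be widened to a second parent role (one possible adaptation).
    """
    placeholders = ",".join("?" * len(parent_roles))
    row = db.execute(f"""
        SELECT 1
          FROM PersonInAERole piae
          JOIN AERoleCollection aec ON aec.UID_AERole = piae.UID_AERole
         WHERE piae.UID_Person = ?
           AND aec.UID_ParentAERole IN ({placeholders})
    """, (uid_person, *parent_roles)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    for user in ("user01", "user02"):
        print(user, "sees tile:", tile_visible(db, user))
    print("user02 with widened clause:", tile_visible(db, "user02", (PARENT_ROLE, CUSTOM_ROLE)))
```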