Remove memberships assignments as application role manager in web portal

Dear community,

I hope someone can help me with the following question.


Environment

One Identity Manager v9.0 CU1

API server-based web portal (Angular/HTML5)


Use Case

A specific AERole A is the defined manager role (via AERole.UID_AERoleManager) of another AERole B. A member X of the managing AERole A wants to remove a direct, request-assigned membership of a member Y in AERole B.

So, X was in this case not the original requester of member Y in AERole B, but a designated manager of AERole B.


Issue

Removing a membership as described above seems not to be possible with an out-of-the-box setup.

When trying to do so, I get the following error in the web portal:

You cannot unsubscribe the following memberships because you are neither their requestor nor recipient. - Person Y


Question

Is it possible to allow membership removal for all AERole managers with origin “Assignment requests” with minor modifications either in the angular web portal config parameters or in the backend?


How to reproduce

  1. Open the web portal and log in as manager X
  2. Click on “One Identity Manager application roles” in the “My Responsibilities” section
  3. Click on “Edit” for AERole B
  4. Switch to the “Memberships” tab.
  5. “Secondary memberships” are displayed
  6. Select member Y (Origin: Assignment request)
  7. Click “Remove”
  8. Error message appears
  • I've had the same issue and I've created an enhancement request for this, 36058. This was possible in the old portal. Hopefully it will be added soon.

  • Hello Henrik,

    Still had the same issue in the 9.2 APIserver but after reading about your enhancement request: 36058
    I looked for it in the OneIM_9.2_ReleaseNotes.pdf
    "In the Web Portal, you can now cancel requests to which you have write permissions. 36058, 319102"

    So thank you for this enhancement request!

  • Hello, is it supported by default now? We are not able to cancel the role membership with role manager/role owner functions. Any suggestion? Version 9.2.

  • Yes, but you may still need to manually configure the right database permissions
    From release notes: In the Web Portal, you can now cancel requests to which you have write permissions 36058, 319102

    If you want to check/test the database permission of the user performing the role manager functions:
    Create custom role-based permission group: CCC_StartObjectBrowser
    Assign to following program functions:
    - ApplictionStart_ObjectBrowser
    - ObjectBrowser_SQLEditor

    Assign this permission group to an application role and assign this to the identity performing the role manager functions.
    Start the Object Browser and log in with the identity you just configured with the permissions.
    I personally find this really handy for troubleshooting permissions

    Now, for example, what you need to do if you get these errors when removing a member from the role:

    Remove error: You cannot unsubscribe the following memberships because you are neither their requestor nor recipient.
    Then you could set up a custom permission group with edit permissions on PersonWantsOrg with edit condition (needed for the unsubscribe of the PWO):

    ObjectKeyOrgUsedInAssign IN (
        SELECT XObjectKey
        FROM AERole
        WHERE UID_AERole IN (
            SELECT orgc.uid_org
            FROM BaseTreeCollection orgc
            JOIN helperheadorg hho ON hho.uid_org = orgc.uid_parentorg
                AND hho.uid_personhead = '%useruid%'
        )
    )


    Remove error: PersonInAERole: You do not have delete permission for this object (Hill, Terence (H)). [810033]
    Then you could set up a custom permission group with edit permissions on PersonInAERole with delete condition:

    uid_aerole IN (
        SELECT orgc.uid_org
        FROM BaseTreeCollection orgc
        JOIN helperheadorg hho ON hho.uid_org = orgc.uid_parentorg
            AND hho.uid_personhead = '%useruid%'
    )

    P.S. These are just examples to give you some insights: database permissions configuration is complicated, so tread carefully ;-)
    I hope this helps a little bit.
    Niels

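    An added example, not part of Niels's reply and not One Identity code: a preview query for the Object Browser SQL editor that shows which PersonInAERole and PersonWantsOrg rows the two conditions above would open up for one manager, so the scope can be checked before the permission group is granted. It reuses the same BaseTreeCollection/HelperHeadOrg expression with %useruid% replaced by a variable; the manager UID is a placeholder, and the columns Ident_AERole, InternalName, UID_PersonOrdered, OrderState and XOrigin are assumed to exist as in the standard schema.

```sql
-- Added example (not from the thread): preview the scope of the two permission
-- conditions for one manager before assigning the permission group.
-- Replace the placeholder with the UID_Person of the manager (e.g. manager X).
DECLARE @ManagerUid VARCHAR(38) = '<UID_Person of manager X>';  -- placeholder, not a real UID

-- Same expression as in the conditions above, with %useruid% replaced by @ManagerUid:
-- every role below a role whose head (HelperHeadOrg) is the manager.
DECLARE @ManagedRoles TABLE (UID_AERole VARCHAR(38));
INSERT INTO @ManagedRoles (UID_AERole)
SELECT orgc.UID_Org
FROM BaseTreeCollection orgc
JOIN HelperHeadOrg hho ON hho.UID_Org = orgc.UID_ParentOrg
WHERE hho.UID_PersonHead = @ManagerUid;

-- 1) Secondary memberships the PersonInAERole delete condition would allow the manager to delete.
--    XOrigin shows how the membership was assigned (direct, inherited, dynamic, ...).
SELECT a.Ident_AERole, p.InternalName, pia.XOrigin
FROM PersonInAERole pia
JOIN AERole a ON a.UID_AERole = pia.UID_AERole
JOIN Person p ON p.UID_Person = pia.UID_Person
WHERE pia.UID_AERole IN (SELECT UID_AERole FROM @ManagedRoles)
ORDER BY a.Ident_AERole, p.InternalName;

-- 2) Assignment requests the PersonWantsOrg edit condition would allow the manager to unsubscribe.
--    Only requests pointing at a managed AERole match, regardless of who requested them.
SELECT pwo.UID_PersonWantsOrg, pwo.OrderState, a.Ident_AERole, p.InternalName AS Recipient
FROM PersonWantsOrg pwo
JOIN AERole a ON a.XObjectKey = pwo.ObjectKeyOrgUsedInAssign
JOIN Person p ON p.UID_Person = pwo.UID_PersonOrdered
WHERE pwo.ObjectKeyOrgUsedInAssign IN (
    SELECT XObjectKey
    FROM AERole
    WHERE UID_AERole IN (SELECT UID_AERole FROM @ManagedRoles)
)
ORDER BY a.Ident_AERole, p.InternalName;
```

    If the result sets contain roles the manager should not be able to touch, the condition is too wide and should be narrowed before it is attached to the permission group; if the membership from the "How to reproduce" steps is missing, the manager is not a head of a parent of that role according to HelperHeadOrg and the portal error is expected.
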
  • Thank you Niels for detailed explanation. Somehow role owners could remove the existing role assignments which came from requests but.. we will try and let you know.
