Hello,
Can we make business roles not requestable or hide them from the Manage User Access page? Please advise how to accomplish it.
Do roles have something like entitlements do, to mark them requestable or not? If we need to implement a custom solution, please share your inputs.
@ramthetribo
If you are looking for all business roles to be non-requestable or not to display in Manage User Access, you can just go to Global Settings -> Role Configuration, select the Business role related definition, and check the No Manual Assignment option.
If you are looking for only a specific set of roles to be requestable or non-requestable, one option is to create an extended attribute as above and have an advanced policy configuration which is interactive, so that it compares the existing and expected identities; if the role is a non-requestable one, throw a policy violation error.
For selective roles, you may try using some extended attribute to mark non-requestable roles and then use a Quicklink Population to control what to show for requests.
To disable all role requests, you may use the global configuration as pointed out by @iamksatish.
Thanks
Yes, one more option is to use a Quicklink Population as @ashutosh08 mentioned, and under "What can members request?" for Role, have the rule check that only the roles marked requestable are allowed.
@ramthetribo
For your first request, you can follow the solution provided by @iamksatish.
For your second request, you can probably create a plugin. What to change in the plugin:
The role editor page (roleEditor.xhtml) is a JSF page, and the below line of code handles the action when you click on submit.
saveAction is a method which is present in the bean class → sailpoint.web.modelor
Create a new bean and refer to that bean in the JSF page instead of roleEditor.saveAction.
Implement the logic to mark the entitlements which are added to the role as requestable/non-requestable.
Note: In the JSF page, you can also add a small checkbox next to each of the entitlements which you are adding as direct entitlements, labelled "requestable". This value can be used in a bean method like "saveAction" to update the requestable flag on the entitlements (ManagedAttribute object).
There is a workaround: if you want to make the business role requestable only by a specific set of users (e.g. the HR department) and not even display it for other sets of users, it is possible.
Solution 1:
Configuration of scope. If we have scope enabled and configured at the Identity and role level, it is possible. But it is complex, since it involves putting a whole new process in place.
Solution 2:
Quicklink Population: This also involves putting a process in place, e.g. add an additional attribute on the Role, e.g. HR.
Then an Identity belonging to that particular department can request the role with the correct attribute in place.
Create a rule (RequestObjectSelector) with a condition corresponding to the above-mentioned scenario.
You can create new searchable extended attributes, and for the above approach your attribute needs to be searchable.
There is no limit on creating new ones if you have exhausted the existing ones already provided OOTB.