Manage Governance Groups & Applications without ORG_ADMIN user level

We are trying to delegate access to manage governance groups and applications in ISC. However, it appears that access to manage these objects is only available with the ORG_ADMIN user level. We also explored custom user levels but were unable to grant the required permissions. Is there any recommended approach or workaround to delegate this access without assigning the ORG_ADMIN user level?

Hi @ssowmya567

I haven’t done this exact use case, but something very similar with role management. I’d recommend a form/workflow approach that you can assign to users as a launcher.

You can basically make a form with very narrow inputs and use a secondary form as an “approval” before the action actually takes place. For example, letting users select an existing governance group and add additional members to it or even a form to create brand new governance groups. The possibilities are endless assuming you want to actually do the work of building the form/workflow.

If you require that the users need to see the governance group and applications in the UI specifically, I’m not aware of any workaround.

Hi @ssowmya567 ,

Have you tried the ISC cloud governance connector for this requirement?

Hi @trettkowski,
Thanks for the suggestion!
In our case, the requirement is not for end users via forms/workflows. We are trying to provide access to a limited set of internal users (like application onboarding or IAM team members) to directly manage governance groups and applications. We are looking for a way to achieve this via user levels rather than building workflows.
Please let me know if you’ve come across anything similar in terms of delegated admin access.

Hi @AsGoyal, Thanks for your response!
I haven’t explored the ISC Cloud Governance Connector for this use case yet. Could you please share a bit more detail on how it can help in managing governance groups and applications without Admin access?
That would be really helpful.

Unfortunately, I don’t think anything at that granular level exists in ISC yet.

If you look at the ISC User Level matrix, applications and governance groups are strictly an Admin only capability:

The custom user levels only cover these as far as I know and by just looking over them, none of them seem to fit your use case:
idn:ui-identity-management-read
idn:ui-identity-management-write
idn:ui-identity-access-history-page-read
idn:ui-access-profiles-read
idg:ui-admin
idn:ui-access-intelligence-center-page-write
idn:ui-password-sync-group-read
idn:ui-access-entitlements-write
idn:ui-virtual-appliance-clusters-read
idn:ui-access-roles-read
idg:ui-read-only
idn:ui-virtual-appliance-clusters-write
idn:ui-password-sync-group-write
idn:ui-access-entitlements-read
idn:ui-identity-accounts-read
idn:ui-access-profiles-write
idn:ui-access-roles-write
idn:ui-password-policy-write
idn:ui-access-intelligence-center-page-read
idn:ui-identity-accounts-write
idn:ui-password-policy-read

I think your only options are forms/workflows if you want them to be able to perform those tasks without having other ORG_ADMIN capabilities.

Hi @ssowmya567 ,

You will be able to see governance groups as entitlements. For more details, you can check

Hope this helps.
