We need to create a role that can only be requested by 10 specific identities. It should not be visible to any other identities within the tenant. I am trying to achieve this using segments, but I am not getting the desired result, as adding it to a segment does not remove visibility for the other identities in the tenant. Do you have any suggestions on how we could implement this restriction so that the role is only visible to this small group of people?
They shouldn’t be able to see it. According to the documentation, it may take some time for the segment to update after it has been created.
Hi @Juanisola
By implementing segments, you can address your scenario by creating a segment with criteria that include those 10 identities. This allows you to make the access items visible only to them, while controlling and restricting visibility for others through segmentation. Please note that this may take some time to reflect.
Thank you!
@Juanisola Segments in ISC in reality work a bit differently, and in fact I’ve tried and tested this. For segments to work correctly, all the access in your system needs to be mapped to a segment, for sure.
For example, there are 10 roles in your system. You’ve created a new segment called Segment_A and configured the assignment criteria for it. Now, a user called John.Doe satisfies the criteria for Segment_A and navigates to the Request Centre page. Your expectation here would be that the user John.Doe would only see 5 roles (based on the configured segment the user satisfies), but NO, the user would still see all 10 roles on the Request Center page.
Reason: When a user in a segment visits the Request Center, they are presented with the access items defined in their segment as well as the access items that are not included in any segment in the tenant. So you need to ensure all the access in your system is part of a segment.
There is no OOTB way of restricting other end users from seeing the special role you’re going to create on the Request Center page unless you efficiently configure segments for all the access in your system, as per the above example and the documentation.
My suggestion or workaround for your problem would be to have the necessary approvals in place at the role level to help identify unauthorized access requests and then reject them (as long as they’re not initiated by one of the dedicated 10 users you were talking about). I know this is not the most efficient process, but it gets the job done rather than mapping each and every role in your tenant to a segment.
Hope that clarifies.
Thanks,
Arshad.
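As an added illustration of the visibility rule Arshad describes (this is example code written for this thread, not SailPoint code and not part of any post above), the following Python model encodes "a user sees the items in the segments they match, plus every item that belongs to no segment at all" and checks a tenant configuration against it. The role names, segment names and the user are constructed sample data; the approval-step function models the rejection workaround, not any ISC API.

```python
"""Model of how Request Center visibility composes with segments.

Added example for this thread (not SailPoint code). It encodes the rule
stated in the reply above: a user sees the access items in the segments
they match, plus every access item that is in no segment at all.
All tenant data below is constructed sample data.
"""
from __future__ import annotations

# Constructed sample tenant: 10 roles. Two configurations are compared:
# one where only 5 roles are segmented, one where every role is mapped.
ROLES = [f"Role_{i:02d}" for i in range(1, 11)]
SEGMENTS_PARTIAL = {"Segment_A": set(ROLES[:5])}
SEGMENTS_FULL = {
    "Segment_A": set(ROLES[:5]),
    "Segment_B": set(ROLES[5:]),  # the remaining roles mapped explicitly
}


def unsegmented_items(items, segments):
    """Access items that belong to no segment; these are visible to everyone."""
    covered = set().union(*segments.values()) if segments else set()
    return sorted(set(items) - covered)


def visible_items(user_segments, items, segments):
    """What a requester sees, following the rule in the reply above."""
    own = set()
    for name in user_segments:
        own |= segments.get(name, set())
    return sorted(own | set(unsegmented_items(items, segments)))


def is_fully_segmented(items, segments):
    """Configuration check: segments can only hide access once this holds."""
    return not unsegmented_items(items, segments)


def review_request(requester, role, allowed_requesters):
    """Approval-step workaround: reject requests from outside the allowed set.

    `allowed_requesters` stands in for the 10 dedicated identities; the role
    argument is kept so a real approval rule could key on it as well.
    """
    return "approve" if requester in allowed_requesters else "reject"


if __name__ == "__main__":
    john = {"Segment_A"}  # John.Doe satisfies Segment_A's criteria
    print("partial config, John sees:", visible_items(john, ROLES, SEGMENTS_PARTIAL))
    print("unsegmented (leaking) roles:", unsegmented_items(ROLES, SEGMENTS_PARTIAL))
    print("full config, John sees:", visible_items(john, ROLES, SEGMENTS_FULL))
    print("full config, user in no segment sees:", visible_items(set(), ROLES, SEGMENTS_FULL))
    print("request by outsider:", review_request("jane.roe", "Role_01", {"john.doe"}))
```

With the partial configuration John sees all 10 roles, exactly as the reply says; only after every role is mapped does he see just the 5 in Segment_A. The model also shows the flip side of the rule: once everything is segmented, an identity that matches no segment sees nothing, so a catch-all segment for the remaining population is part of "mapping all the access".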