Restricting Applications & Operations in "Manage Accounts" Quicklink for ServiceDesk Role

Which IIQ version are you inquiring about?

IdentityIQ 8.4

I have the following requirements and would appreciate guidance or best practices from the community:

Requirement 1: Application Restriction

  • Under the “Manage Accounts” quicklink, the ServiceDesk team should only be able to see and manage “Active Directory” accounts.

  • All other applications should be hidden or excluded from their view.

Requirement 2: Delete Operation Restriction

  • Within the same quicklink, I want to restrict the “Delete Account” operation for the ServiceDesk team.

  • The goal is to prevent accidental account deletions, while still allowing other operations like Enable/Disable/Unlock.

@VinodC

  1. For requirement 1, you can control which application can be requested under quicklink populations settings.

  2. For requirement 2, try setting “manageAccountsDeleteSubordinateEnabled” to false in system configuration.

Hi @VinodC - you would need to implement these requirements with a custom plugin to hide certain buttons/accounts from the UI, or create a new custom QuickLink/Form to handle these requirements for the Service Desk team.

There are some OOTB Manage Accounts action settings for Delete, Disable, Enable, and Unlock, but they are global and would not let you restrict Delete only for the Service Desk team or limit them to seeing only Active Directory accounts. These are found in Gear > Lifecycle Manager.

OOTB DynamicScope options allow you to set what members can request and remove for roles, applications, and entitlements, but this only applies to the Request Access process, not Manage Accounts.

If you end up going the custom plugin route, this pre-built plugin may handle your requirement or be a good starting point to tweak: Remove "Delete" and "Disable" button from manage Account page - #3 by PoojaSingh03

This post was answered by a Palyrian Solutions Architect. Feel free to message me directly if your problem requires a deeper dive.
:globe_with_meridians: palyrian.com | :telephone_receiver: (301) 284-8124

@robert-hails - Thanks for the reply. I had a similar thought that going with the custom quicklink is the least/workaround option. However, I’m exploring the Scoping feature to see whether it can handle this scenario.

If not, the last option would be to implement a plugin.

Let me hear insights from the community.

@SivaprakashRNTBCI - Thanks for the reply. As you suggested, the first option will only fulfil restrictions on the Access Requests page, not the Manage Accounts requirements.

The second option will stop deletes globally for everyone, irrespective of UserType.

Requirement 1:

You need to implement a rule in the quicklink section.

Hi @VinodC, you are thinking in the right direction; this is actually a limitation in IIQ.

From OOTB:

  • Lifecycle Manager settings are global, so you can’t restrict Delete only for Service Desk users
  • Dynamic Scope works only for Access Requests, not for Manage Accounts
  • Capabilities also won’t control specific actions inside the page

So OOTB won’t fully meet your requirement.

Better approach

1. Custom QuickLink
Create a separate QuickLink for Service Desk users (like “Service Desk Account Management”) with a custom form/workflow.

In that:

  • Show only required applications (ex: AD)
  • Allow only specific actions (Unlock, Enable, etc.)
  • Don’t include Delete/Disable

This is the cleanest and most maintainable solution.

2. Add backend rule
Even if you control UI, it’s better to enforce from backend as well.

You can use:

  • BeforeProvisioning Rule

Example:

  • If user is Service Desk → block Delete operation

This ensures no one can bypass restrictions.

3. Plugin (Optional)
As @robert-hails mentioned, a plugin can help to:

  • Hide Delete/Disable buttons
  • Filter accounts

But this is only UI-level and not fully secure, so use it only if needed.

Hope this helps :+1:

For the second requirement, I would suggest creating a plugin. It will be easy to achieve as well.

Do give it a try, and let me know if you need assistance with plugin development.

@VinodC You can create a plugin to achieve both things. You can create a workgroup or use any other attribute to identify whether the user is from the SD team or not, and then only show Active Directory. Similarly, hide the Delete button.

I believe you only want to restrict at the Manage Accounts level, not other modules like custom rules, Batch, etc., so backend code is not strictly needed. If you still want to add it, you need to put the same validations in your BeforeProvisioning rule to block other apps and Delete operation requests.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.
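The backend enforcement that two replies above describe (a BeforeProvisioning rule that blocks Delete for Service Desk users, and the same rule also rejecting non-AD account requests) is sketched here as an added BeanShell rule body; it is example code written for this thread, not code from any poster or from SailPoint. It assumes the rule's standard `context`, `plan` and `log` inputs, a hypothetical workgroup named "ServiceDesk" that identifies the team, and an application named "Active Directory".

```java
// Added example: application BeforeProvisioning rule body (BeanShell, IdentityIQ 8.x).
// Assumptions: Service Desk members are in a workgroup named "ServiceDesk" (hypothetical
// name) and the only application they may touch is "Active Directory". Rule inputs used:
// plan (sailpoint.object.ProvisioningPlan) and log (commons-logging). Changes are made
// in place on the plan; the UI restriction stays the first line of defence, this is the backstop.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

String SD_WORKGROUP = "ServiceDesk";        // hypothetical workgroup name
String ALLOWED_APP  = "Active Directory";   // application name from the thread

// True when the identity is a member of the Service Desk workgroup.
boolean isServiceDesk(Identity who) {
    if (who == null || who.getWorkgroups() == null) return false;
    for (Identity wg : who.getWorkgroups()) {
        if (SD_WORKGROUP.equals(wg.getName())) return true;
    }
    return false;
}

// Strip account requests a Service Desk requester must not issue: anything on an
// application other than AD, and any Delete regardless of application.
// Other requesters keep full Lifecycle Manager behaviour. Returns the number dropped.
int enforceServiceDeskScope(ProvisioningPlan plan) {
    List requesters = plan.getRequesters();
    List reqs = plan.getAccountRequests();
    if (requesters == null || reqs == null) return 0;

    boolean fromServiceDesk = false;
    for (Identity r : requesters) { if (isServiceDesk(r)) fromServiceDesk = true; }
    if (!fromServiceDesk) return 0;

    List keep = new ArrayList();
    int dropped = 0;
    for (AccountRequest req : reqs) {
        boolean wrongApp = !ALLOWED_APP.equals(req.getApplication());
        boolean isDelete = AccountRequest.Operation.Delete.equals(req.getOperation());
        if (wrongApp || isDelete) {
            dropped++;
            log.warn("Blocked " + req.getOperation() + " on " + req.getApplication()
                     + " for native identity " + req.getNativeIdentity() + " (Service Desk scope)");
        } else {
            keep.add(req);
        }
    }
    plan.setAccountRequests(keep);   // only the permitted requests reach the connector
    return dropped;
}

enforceServiceDeskScope(plan);
```

Pair it with the plugin or custom QuickLink for the UI side; the rule guarantees that a Delete or non-AD request submitted by a Service Desk member through any path never reaches the connector.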