Role membership criteria

Hi, is there a way to build Role Membership criteria with an if/else condition?
For example, identityAttribute “User Location” = “A” then add AD Group “A” else if … and so on? Either a Rule or something. Thank you.

So at a high level the Membership logic in IdN works like an if / else if statement.
If you use an OR statement between the 2 logic groups then all the logic in each group must be true to apply.

Logic Group A: User Location A
OR
Logic Group B: User Location B

In this example they both would be assigned to Group A

Logic Group A: User Location A OR User Location B
AND
Logic Group B: User Type User
In this case the user would need to be in location A or B and also be a user.

As for having a collection of groups, that is not something IdN can do, as this logic would apply to each role that is created and is tied just to that one role.

Hope this helps.

Hi @vinaybethi ,
You can use a transform to build your if/else logic, and you can refer to the attribute that the transform is tied to in your Role Membership criteria!

Hi @Prashanth0707: I tried but I could not find anything to associate a transform with a role. Can you please point me to some doc or example?

Understood. Thank you.

Hi @vinaybethi ,

Did the issue get resolved? Did the above help? Or do you need any further help?

Hi @Prashanth0707: Thank you for checking, but I am struggling to understand how to fit Transforms in Role Membership Criteria.

I think @Prashanth0707 was referring to using an identity attribute in your role criteria, but applying some transform logic to populate the attribute value appropriately.

Create an identity attribute called userLocation.

Create a transform that contains the If/Else statements so ‘userLocation’ is set to the right value.

Then your role will only look at identity attribute ‘userLocation’ as the role membership criteria.
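
The three steps above, sketched as an added example that is not from any participant in this thread: a `lookup` transform serves as the if / else-if chain and is mapped to the `userLocation` identity attribute in the identity profile. The source name, the account attribute name `location`, and the table keys and values are constructed placeholders.

```json
{
  "name": "Example userLocation lookup (constructed)",
  "type": "lookup",
  "attributes": {
    "input": {
      "type": "accountAttribute",
      "attributes": {
        "sourceName": "HR Source (placeholder)",
        "attributeName": "location"
      }
    },
    "table": {
      "Site A": "A",
      "Site B": "B",
      "default": "UNMAPPED"
    }
  }
}
```

Each role's membership criteria then tests `userLocation` for a single value such as "A". Because no role references "UNMAPPED", an identity with an unexpected location value receives no location-based AD group instead of falling into an unintended one.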

Thanks Prashanth for providing this.

Hi Vinay,
Dynamic Access Roles are now available for tenants with the Business Plus Suite (New Capability: Dynamic Access Roles!) and this will let you make a simplified role model, where you can add a ‘dimension’ to cover your use case. If you don’t have Business Plus and don’t plan on procuring the capability, then Jason’s recommendation will likely be your best approach, but you will have more roles to manage.
Thanks,
Margo
