Idea ID: 2873891

Technical Role - Add Permission with dynamic value (resource)

Status: Needs Clarification

Would like to go over this idea with you, please suggest some time slot to have the discussion around this. Thanks

See status update history

Hello,

please add the possibility to add permissions with dynamic values (for example an group membership resource/entitlement) to technical roles. Currently you can request the permission, but you can not add the permission to a technical role.

BR

Tobias

  • Hello,
       "Dynamic" Permissions (for example an IDM Resource that is associated to an Entitlement that is configured for the value to be set at assignment time), currently can not be utilized with at least the following areas:

    Business Roles
    Technical Roles,
    Separation of Duties (SoD)


    Only "Static" Permissions can be utilized in the above areas (and a few more).

    One can request a "Dynamic" Permission in Access Request, because at Request time we present the necessary fields to be populated.


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • Technical it is possible, but one of our customers has more than 30 roles with 3-4 different AD Groups each and I don't want to create static ressources for each AD group to only use them in the Identity Governance. So yes, as a workaround this would work even this could be a pain to monitor and manage.

    Since there is an option to request dynamic ressource I thought it would also be possible to add dynamic ressource (of course the assignment itself would be static) to a technical role

  • Thank you for the clarification. If the configuration is known is there a possibility to create it as static resource and assign 

  • In the IDM we have one dynamic resource for ActiveDirectory Groups. In the IG (we are using the IDM AE Permission Collector) we have this resource as a permission.

    If I request this permission in the self service I can select which specific ActiveDirectory group I want to request (as it should be)

    But it is not possible (checked again with version 3.7.3) to assign this AD group permission to a technical role. The permission doesn't show up in the search window and from that I can tell all the permissions with dynamic values are not shown and therefore can't assigned to a technical role.

    Regarding the use case: We only wanted to assign a ActiveDirectory group to a technical role , so when an user will request this role he also will get a specific AD group.

  • Thank you for submitting the idea. We need more clarity on exact use case to be able to evaluate it further. 

    We will await your input regarding the same.