
How do I limit administrator assignments?


The scenario is this... I have hundreds of groups in eDirectory that are
exposed to UA as entitlements using a loopback driver.
For each group, a resource has been created.
Then, dozens of roles have been created that grant anywhere from 10 to
50 of these resources.

So far, no problem.

Over in iManager land, I have groups of users that get roles that allow
them to manage users in specific OUs.

Again, no problem.

Now, I have delegated View Role, Assign Role to User, and Revoke Role
from User for the roles that are specific to each group of users.

Basically... "Dept A Admins" can manage users in the "DeptA" OU in
iManager... and have rights to see, assign, and revoke the "DEPTA-*"
Roles.

However... while they can only see their roles, they have the ability to
assign these roles to any user in the tree. ruh-roh!

Is there any way to limit WHO these delegated administrators can assign
roles to? One initial thought is to assign a custom approval workflow
that just looks to see if the recipient is in an OU whose users are
allowed to get the role...

However, I have no idea at all how to effect that since I have zero
experience with expressions in the PRD editor.


--
kbuley
------------------------------------------------------------------------
kbuley's Profile: https://forums.netiq.com/member.php?userid=489
View this thread: https://forums.netiq.com/showthread.php?t=51195


Re: How do I limit administrator assignments?

On 06/26/2014 06:34 PM, kbuley wrote:
>
> The scenario is this... I have hundreds of groups in eDirectory that are
> exposed to UA as entitlements using a loopback driver.
> For each group, a resource has been created.
> Then, dozens of roles have been created that grant anywhere from 10 to
> 50 of these resources.
>
> So far, no problem.
>
> Over in iManager land, I have groups of users that get roles that allow
> them to manage users in specific OUs.
>
> Again, no problem.
>
> Now, I have delegated View Role, Assign Role to User, and Revoke Role
> from User for the roles that are specific to each group of users.
>
> Basically... "Dept A Admins" can manage users in the "DeptA" OU in
> iManager... and have rights to see, assign, and revoke the "DEPTA-*"
> Roles.
>
> However... while they can only see their roles, they have the ability to
> assign these roles to any user in the tree. ruh-roh!
>
> Is there any way to limit WHO these delegated administrators can assign
> roles to? One initial thought is to assign a custom approval workflow
> that just looks to see if the recipient is in an OU whose users are
> allowed to get the role...
>
> However, I have no idea at all how to effect that since I have zero
> experience with expressions in the PRD editor.
>
>

Greetings,

If you created them as "delegated admins" (Administration -> RBPM
Provisioning and Security -> Administrator Assignments) of the Role or
Resource domain, then you cannot limit who they can assign to or revoke from
if you gave those ACLs.


From what you want, I would suggest that you utilize Teams instead of
Delegated Admins. With a Team, you set the "manager", the realm, who is
a member of the team, and then what the manager can do.

Please review the documentation on Teams.


--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: How do I limit administrator assignments?


This was considered, but if I remember correctly the people involved
balked because of the steps that would have to be gone through in order
to do what they want to do. Instead of assigning a role, they'd have to
manage another user and make the request on their behalf, etc.

With the assignment, they can mass-assign, etc.

How about the custom approval? I would think it should be easy to look
at the DN of the recipient and see if they're in one of the "allowed"
OUs.


--
kbuley
------------------------------------------------------------------------
kbuley's Profile: https://forums.netiq.com/member.php?userid=489

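The DN check proposed above, as an added example that is not code from the thread or from NetIQ: a pure-ECMAScript decision helper for an approval activity that approves a role assignment only when the recipient sits under one of the OUs the delegated admin is allowed to target. How the recipient DN reaches the script (for instance from the recipient field of the request object) is assumed here; the point shown is that the check must compare RDN components, not raw string suffixes.

```javascript
// Added example, not code from the thread or from NetIQ. The recipient DN
// is assumed to be handed to this helper by the approval activity (e.g. read
// from the request's recipient field); only the DN comparison is shown.

// Split an LDAP-style DN into RDNs, honouring backslash escapes and quoted
// values so that a comma inside a value does not start a new RDN.
function splitDn(dn) {
  const parts = [];
  let cur = "";
  let quoted = false;
  for (let i = 0; i < dn.length; i++) {
    const c = dn[i];
    if (c === "\\" && i + 1 < dn.length) { cur += c + dn[++i]; continue; }
    if (c === '"') { quoted = !quoted; cur += c; continue; }
    if (c === "," && !quoted) { parts.push(cur); cur = ""; continue; }
    cur += c;
  }
  parts.push(cur);
  return parts;
}

// Normalise one RDN (" OU = Dept A ") to "ou=dept a" so comparisons are
// case-insensitive and tolerant of stray whitespace around "=" and ",".
function normRdn(rdn) {
  const eq = rdn.indexOf("=");
  if (eq < 0) return rdn.trim().toLowerCase();
  return rdn.slice(0, eq).trim().toLowerCase() + "=" +
         rdn.slice(eq + 1).trim().toLowerCase();
}

// True when recipientDn sits strictly below baseDn (any depth). Comparing
// RDN arrays rather than raw string suffixes avoids accepting
// "cn=x,ou=NotDeptA,o=acme" for the allowed OU "ou=DeptA,o=acme".
function isUnder(recipientDn, baseDn) {
  const r = splitDn(recipientDn).map(normRdn);
  const b = splitDn(baseDn).map(normRdn);
  if (r.length <= b.length) return false;
  return b.every((rdn, i) => r[r.length - b.length + i] === rdn);
}

// Decision the approval activity would return: "approved" only when the
// recipient is inside one of the allowed OUs, otherwise "denied".
function approvalDecision(recipientDn, allowedOus) {
  return allowedOus.some((ou) => isUnder(recipientDn, ou)) ? "approved" : "denied";
}

// Constructed sample values, not from the thread.
console.log(approvalDecision("cn=eve,ou=NotDeptA,o=acme", ["ou=DeptA,o=acme"]));
```

Inside RBPM the same function body can be pasted into an activity's ECMAScript expression, with the DN strings replaced by the request's recipient and the OU list the Dept A admins are permitted to assign into.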

Re: How do I limit administrator assignments?

On 06/27/2014 09:24 AM, kbuley wrote:
>
> This was considered, but if I remember correctly the people involved
> balked because of the steps that would have to be gone through in order
> to do what they want to do. Instead of assigning a role, they'd have to
> manage another user and make the request on their behalf, etc.
>
> With the assignment, they can mass-assign, etc.
>
> How about the custom approval? I would think it should be easy to look
> at the DN of the recipient and see if they're in one of the "allowed"
> OUs.
>
>

Greetings,
Yes, you could create a custom WF for Approval and would have to utilize
it for all of these roles/resources. With the WF you can then look at
the passed information from the Request object and make different decisions.

Please do keep in mind that an "admin" can remove the requirement for a
Workflow to be used.



--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: How do I limit administrator assignments?


The admins have only been delegated Assign Role to User, Remove Role
from User, and View role.

I know -what- the workflows can do... I'm asking -how- to do it.


--
kbuley
------------------------------------------------------------------------
kbuley's Profile: https://forums.netiq.com/member.php?userid=489


Re: How do I limit administrator assignments?


I don't have the exact details, but this is how I would go about it.

First, make a decision on whether I want to make a user a member of a role
(pick the user first) or add a role to the user (pick the role first).
This is important if you want to be able to add the same user to several
roles simultaneously, or if you would rather add a role to several different
people at the same time. You might not want to do any of it at first; it is
just good to think about it for the next improvement.

Now it all depends on how you filter your Roles/rights/users.

First create a workflow that only the administrators can see.
Then have a dn-lookup for them to choose a user.

Then I would create a DN picklist of all the possible roles for the
administrator to choose from to add to that user.

The list could be filtered based on information from the administrator
and/or the user that is chosen.
The filtering can be done via a query.

So create the query you have in mind, and depending on how you can create
it you might find that it is better to start with the user and list
relevant roles, or the other way around.
Then you add an event, maybe onchange, to the DN lookup where you add the
user, something like field.fireEvent("availableRoles");
On the list, add the event availableRoles and do
IDVault.globalQuery("put in relevant info from the user here", "your
created query");
If you want to read some stuff from the user first, I would do that in the
same event and put it in a variable.

The query would have a search root of the role container you have in
mind but you need to create a condition for it.

These things are unique to every situation so you have to make an
attempt at creating it first before anyone really can tell what to do or
not.


--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159


Re: How do I limit administrator assignments?


I'm assuming from the original post that your admins want to simply use
the Roles and Resources tab, click a Role, Assignments and assign/revoke
a user, but you want to limit who they can assign to particular OUs
only. This is what works for me:

I have my roles in several sub-containers. I create a Team with View
Role, Assign Role to User, Revoke Role From User and View Role to the
sub-container with the roles I want them to administer. I put either the
individual users or a group in the team as Managers and use Select
Members under Members and select the OUs where the users are that they
need to manage.

Teams are missing the Report on Role permission though, so I also give
them an Administrator Assignment to the same role sub-container and give
them only Report on Role.

In Navigation Access Permissions, for Roles and Resources, the only
Trustees are the standards, Security Administrator, Resource
Administrator, Role Administrator, Resource Manager and Role Manager.

When one of the role admins logs in, they see the Roles and Resources tab.
They can see Role Catalog, Role Reports, SoD Reports, User Reports and
Configure Roles and Resource Settings. Settings are read only and they
can't make changes. In the Role Catalog, they only see the roles in the
sub-container that was assigned to the Team and to themselves as
Administrators.

The worst part is that all settings in the role and on the tabs appear
to be editable. However, when they make changes anywhere except the
Assignments tab and click Save, they get an error that they don't have
permission. When making an assignment, that part goes through and the
assignment or revocation happens. The only way they can close the role
without an error is with the Cancel button. Either way (Save with error
or Cancel), the assignment goes through. It's a training issue and a
minor gripe, but I only have a handful of role admins.

I haven't found a way to prevent them from finding a user in a wrong OU
when browsing in Assignments. When assigning, they can choose someone
from an unauthorized OU, but when they click 'Assign', they get 'Error:
Failed to create 1 role assignment request(s). You are unauthorized for
this operation.'

It's a little clunky with the errors, but still better than needing to
manage another user and request for them. There was less griping from
the admins. This is on 4.0.2. I haven't fully tested this method through
HPD.


--
stober
------------------------------------------------------------------------
stober's Profile: https://forums.netiq.com/member.php?userid=5986
