moldin Absent Member.

Rights to see attributes in a PRD

I have a PRD with a pick list that shows a list of roles.
When a user is selected (in another field) we use Role.Vault.getRolesToUserAssignemt() to select the roles in the list that the user is assigned.

If the operator has Read,Compare on All Properties on the user container it works.
If the operator has Read,Compare on nrfAssignedRoles and nrfMemberOf it does not.

Which attributes do we need to assign rights for?
Knowledge Partner

Re: Rights to see attributes in a PRD

On 2/4/2019 8:34 AM, moldin wrote:
>
> I have a PRD with a pick list that shows a list of roles.
> When a user is selected (in another field) we use
> Role.Vault.getRolesToUserAssignemt() to select the roles in the list
> that the user is assigned.
>
> If the operator has Read,Compare on All Properties on the user container
> it works.
> If the operator has Read,Compare on nrfAssignedRoles and nrfMemberOf it
> does not.
>
> Which attributes do we need to assign rights for?


There is a series of pseudo attributes that are not part of a
class, nor ever instantiated.

Conveniently, I wrote about this issue here:

https://www.netiq.com/communities/cool-solutions/different-permissions-user-application/

The set of permissions are:

nrfAccessAttribute
nrfAccessAvailabilitySet
nrfAccessBindEntitlement
nrfAccessBindResource
nrfAccessConfigResourceSub
nrfAccessConfigRoleSub
nrfAccessCreateResource
nrfAccessCreateRole
nrfAccessCreateSoD
nrfAccessDelegateConfigure
nrfAccessDeleteResource
nrfAccessDeleteRole
nrfAccessDeleteSoD
nrfAccessExecuteReport
nrfAccessListNavItem
nrfAccessMgrAssignResource
nrfAccessMgrAssignRole
nrfAccessMgrAssignRoleImpl
nrfAccessMgrInitiatePRD
nrfAccessMgrRetractPRD
nrfAccessMgrRevokeResource
nrfAccessMgrRevokeRole
nrfAccessMgrRevokeRoleImpl
nrfAccessMgrTaskAddressee
nrfAccessMgrTaskRecipient
nrfAccessMgrViewRunningPRD
nrfAccessModifyPRD
nrfAccessProxyConfigure
nrfAccessReportOnEntitlements
nrfAccessReportOnResource
nrfAccessReportOnRole
nrfAccessReportSoD
nrfAccessScheduleAttestation
nrfAccessUpdateResource
nrfAccessUpdateRole
nrfAccessUpdateSoD
nrfAccessViewAttestationStatus
nrfAccessViewResource
nrfAccessViewRole
nrfAccessViewSoD

So you would need W access to probably:
nrfAccessMgrAssignResource
nrfAccessMgrAssignRole
nrfAccessMgrRevokeResource
nrfAccessMgrRevokeRole

But you can test with these permissions. The names are usually pretty
specific, but I am not sure if the Mgr in there matters or not.



rrawson Honored Contributor.

Re: Rights to see attributes in a PRD

Rights in a PRD depend on where you are trying to read them.

In the form or in most workflow activities, the rights are those of the user that is authenticated to the Identity Apps. The exception is the Start activity: in that one place, the rights are those of the user application administrator, so you could read something the user doesn't have rights to, to populate a form.
Knowledge Partner

Re: Rights to see attributes in a PRD

On 2/4/2019 12:44 PM, rrawson wrote:
>
> Rights in a PRD depend on where you are trying to read them.
>
> In the form or in most workflow activities, the rights are those of the
> user that is authenticated to the Identity Apps. The exception is the
> Start activity: in that one place, the rights are those of the user
> application administrator, so you could read something the user doesn't
> have rights to, to populate a form.


Oh, I see your point. I misread the question.

I focused on the rights to manage Roles. But he wants to read the roles
from the directory, which is eDir permissions.
