gdrtx Absent Member.

SSPR 3.3.1.0 Help Desk User Permissions


I have a need to have the SSPR Help Desk module restrict who can do what
basically. For example, I need one group of help desk users to be able
to change passwords for any user in IDM but I need another group of help
desk users to only be able to change passwords for a subset of users
(like users in a particular organization or employee type). I'm
assuming I can have both IDM groups configured in SSPR for the Help Desk
module but set up permissions in eDir for the restricted group to only
be able to view/edit users that fit the restricted criteria but would
like confirmation that my theory is valid. Thanks


--
gdrtx
------------------------------------------------------------------------
gdrtx's Profile: https://forums.netiq.com/member.php?userid=1660
View this thread: https://forums.netiq.com/showthread.php?t=55740

Knowledge Partner

Re: SSPR 3.3.1.0 Help Desk User Permissions

gdrtx wrote:

>
> I have a need to have the SSPR Help Desk module restrict who can do what
> basically. For example, I need one group of help desk users to be able
> to change passwords for any user in IDM but I need another group of help
> desk users to only be able to change passwords for a subset of users
> (like users in a particular organization or employee type). I'm
> assuming I can have both IDM groups configured in SSPR for the Help Desk
> module but set up permissions in eDir for the restricted group to only
> be able to view/edit users that fit the restricted criteria but would
> like confirmation that my theory is valid. Thanks


You should be able to create two helpdesk profiles with different matching
groups/filters (to define the helpdesk operators they apply to). Then specify
different helpdesk search filters and/or base DNs to limit the accounts each
helpdesk profile can operate on in the SSPR UI.
"Helpdesk Profile Match" defines the admins, "Helpdesk Search Filter" and "LDAP
Search Base" define the target accounts for each profile.

Of course you should also limit each admin group's eDir rights so they cannot
bypass your imposed limitations by using other tools like ldapmodify, ApacheDS
or iManager to set passwords out of their intended scope.

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
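
The scoping described in the reply above can be modelled as an audit check; this is an added example, not part of the thread and not SSPR code. It flags password changes whose target falls outside every helpdesk profile the operator matches, which is what a bypass through another LDAP tool would look like. All profile names, DNs, attribute values and events are constructed, and the search filter is simplified to attribute equality.

```python
# Added illustration: two helpdesk profiles, each with an operator match group
# and a target scope (search base + simplified filter). All data is constructed.
# DN handling is naive (no escaped commas), which is enough for this sample.

PROFILES = {
    "full": {"match_group": "cn=hd-all,ou=groups,o=acme",
             "search_base": "o=acme", "required": {}},
    "restricted": {"match_group": "cn=hd-contractors,ou=groups,o=acme",
                   "search_base": "ou=users,o=acme",
                   "required": {"employeeType": "contractor"}},
}

def dn_under(dn, base):
    """True if dn equals base or sits below it in the tree."""
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def in_scope(profile, target_dn, target_attrs):
    """Target must be under the search base and match every required attribute."""
    if not dn_under(target_dn, profile["search_base"]):
        return False
    return all(target_attrs.get(k, "").lower() == v.lower()
               for k, v in profile["required"].items())

def out_of_scope_changes(events, operators, targets):
    """Return events where no profile matched by the operator covers the target."""
    flagged = []
    for ev in events:
        groups = operators.get(ev["operator"], set())
        matched = [p for p in PROFILES.values() if p["match_group"] in groups]
        attrs = targets.get(ev["target"], {})
        if not any(in_scope(p, ev["target"], attrs) for p in matched):
            flagged.append(ev)
    return flagged

# Constructed directory data and password-change audit events.
OPERATORS = {"cn=alice,ou=it,o=acme": {"cn=hd-all,ou=groups,o=acme"},
             "cn=carol,ou=it,o=acme": {"cn=hd-contractors,ou=groups,o=acme"}}
TARGETS = {"cn=bob,ou=users,o=acme": {"employeeType": "employee"},
           "cn=dave,ou=users,o=acme": {"employeeType": "contractor"}}
EVENTS = [
    {"operator": "cn=alice,ou=it,o=acme", "target": "cn=bob,ou=users,o=acme"},
    {"operator": "cn=carol,ou=it,o=acme", "target": "cn=dave,ou=users,o=acme"},
    {"operator": "cn=carol,ou=it,o=acme", "target": "cn=bob,ou=users,o=acme"},
]

if __name__ == "__main__":
    for ev in out_of_scope_changes(EVENTS, OPERATORS, TARGETS):
        print("out of scope:", ev["operator"], "->", ev["target"])
```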