FilterScope and Filter Permissions

  • Question

  • My team is aiming to provide permission levels in FIM that would allow our different users to have different usability in FIM.  Right now, they are split by default between administrator and non-administrator.  Is it possible to break that out into more than those two?  I've added a new filter permission but I can't for the life of me find a place to actually call out the FilterScope levels to make those levels apply.

    The idea is that we need normal users to be able to see contact information for anybody but have no edit rights to anything but their own phone number (this is already set up), admins need to see/edit anything they want (already set up as well), and we need our loss prevention folks to have read-only rights to every attribute of every user and our service desk to have read-only rights to all attributes and edit rights for a handful of the attributes (passwords, end dates, etc.).

    Thanks in advance and I'll do my best to answer anything I left hanging.

    Monday, October 14, 2013 4:32 PM

Answers

  • Hello,

    It is not clear to me why you want to edit any filter permissions or scope to achieve your goal.

    All you need to do for this is to set up some sets and MPRs:

    Create Set containing Normal Users (All People)
    Create Set containing Service Desk Users

    Create MPRs using these sets as Requestor and an appropriate Target Set to grant permissions to only the attributes you need to read or edit.

    You need 2 MPRs for each "userclass", one for read permissions (here use All Attributes) and one for change permissions, scoped only to the attributes you want to be edited.

    I've done this a couple of times in my solutions for Helpdesk and Team-Admins for example.

    Regards
    Peter


    Peter Stapf - Doeres AG - My blog: JustIDM.wordpress.com

    • Marked as answer by Geoff Evans Monday, October 14, 2013 5:02 PM
    Monday, October 14, 2013 4:46 PM
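
The layout the answer above describes, as an added Python model (not code from the thread and not FIM's own API): each MPR is a grant naming a requestor set, a target set, an action and an attribute scope, and a request with no matching grant is denied. Set members, account names and attribute names are constructed assumptions; the normal users' and admins' existing rules are left out.

```python
# Added illustration: a toy model of grant-only MPR evaluation, not FIM code.
from dataclasses import dataclass

ALL = "*"  # stands in for the "All Attributes" choice on an MPR

@dataclass(frozen=True)
class MPR:
    name: str
    requestor_set: str     # who is asking
    target_set: str        # whose object is touched
    action: str            # "Read" or "Modify"
    attributes: frozenset  # attribute names, or {ALL}

# Constructed set membership (assumption); every account is in "All People".
SETS = {
    "All People": {"alice", "lp_bob", "sd_carol"},
    "Loss Prevention": {"lp_bob"},
    "Service Desk Users": {"sd_carol"},
}

# Hypothetical attribute names for the service desk's editable handful.
SD_EDIT = frozenset({"EndDate", "Phone"})

# One read MPR (All Attributes) per class, plus a scoped modify MPR where needed.
MPRS = [
    MPR("LP read all", "Loss Prevention", "All People", "Read", frozenset({ALL})),
    MPR("SD read all", "Service Desk Users", "All People", "Read", frozenset({ALL})),
    MPR("SD edit subset", "Service Desk Users", "All People", "Modify", SD_EDIT),
]

def granting_mprs(requestor, target, action, attribute):
    """Return names of MPRs granting the request; an empty list means denied."""
    return [
        m.name for m in MPRS
        if m.action == action
        and requestor in SETS[m.requestor_set]
        and target in SETS[m.target_set]
        and (ALL in m.attributes or attribute in m.attributes)
    ]

def modifiable(requestor, target, candidates):
    """Attributes from `candidates` the requestor may change on the target."""
    return {a for a in candidates if granting_mprs(requestor, target, "Modify", a)}

if __name__ == "__main__":
    probe = ["DisplayName", "Phone", "EndDate", "Manager"]
    for who in ("alice", "lp_bob", "sd_carol"):
        print(who, "may modify:", sorted(modifiable(who, "alice", probe)))
```

Listing which MPR granted a request, rather than returning a bare yes/no, makes it easy to spot a modify rule whose attribute scope is wider than intended.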

All replies

  • Thanks so much for that.  I was definitely over-thinking the matter.  MPRs are easily the way to go. 
    Monday, October 14, 2013 5:04 PM