Applies To:
GroupID 8.x - Self-Service & Automate
Business Use Case:
With the new role-based architecture in GroupID 8, the New Object policy can be applied differently for different roles. For example, we can:
- Limit users to creating objects in one or more specified containers.
- Configure a default container for creating new objects. With this, you can apply any of the following scenarios:
  - Allow users to create an object in the default container or select another container.
  - Enforce the default container and disable container selection.
  - Enforce the default container and hide the container option completely from users.
This article discusses how to limit users to creating new objects only in specific container(s).
Steps:
- In GroupID Management Console, click the Identity Stores node.
- On the Identity Stores tab, double-click the required identity store to open its properties.
- On the Security Roles tab, select a role to manage the policies that apply to it and click Edit.
The Role Properties page opens with the General tab in view.
- Click the Policies tab and then click New Object in the left pane.
- Do one of the following:
  - Limit role members to creating directory objects in the OU in which their own accounts reside. To do this, select the Users can create objects only in their own containers check box.
    As a result, the Select Container option is disabled when role members create new objects.
  - Specify one or more containers in which role members can create objects:
    - Click Add in the Containers area.
    - On the Select Container dialog box, select the containers that role members can create objects in. If a selected container is a parent, its child containers are selected automatically; you can unselect child containers if required.
      Role members see only the selected containers when they create new objects, and they can choose the desired container.
    - Click OK.
- Click Apply and then OK on the New Object page.
Notes:
The New Object policy applies to Automate and the Self-Service portal for all types of objects.
When a user has multiple roles within an identity store and a different New Object policy has been configured for each role, the policies configured for all of those roles apply to the user simultaneously. Hence, a user with three roles (where a different OU for object creation is specified for each role) can create objects in any of the three role-specific OUs.
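The following is an added illustrative model, not GroupID's own code, of how the policy described above resolves for a user who holds several roles: each role contributes the containers it allows (the user's own container, or the explicitly added containers together with their children), and the user may create objects in the union of those sets. The DNs, OU names and role names are constructed placeholders.

```python
# Added illustrative model (not GroupID's own code) of New Object policy resolution
# across roles: per-role allowed containers are unioned, and a selected parent
# container implicitly includes its child containers.
from dataclasses import dataclass, field


@dataclass
class NewObjectPolicy:
    """One role's New Object policy, as configured on the Policies tab."""
    own_container_only: bool = False  # "Users can create objects only in their own containers"
    containers: list[str] = field(default_factory=list)  # container DNs added via Add


def _norm(dn: str) -> str:
    # Case-insensitive comparison; simplification: assumes no escaped commas in RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_within(candidate_dn: str, container_dn: str) -> bool:
    """True if candidate is the container itself or nested under it (DNs nest right to left)."""
    cand, cont = _norm(candidate_dn), _norm(container_dn)
    return cand == cont or cand.endswith("," + cont)


def parent_container(object_dn: str) -> str:
    """DN of the container holding an object: the object's DN minus its leading RDN."""
    return _norm(object_dn).split(",", 1)[1]


def allowed_containers(user_dn: str, role_policies: dict[str, NewObjectPolicy],
                       all_ous: list[str]) -> set[str]:
    """Containers the user may create objects in: the union over all of the user's roles.
    A role with neither option configured is unrestricted and allows every OU (the default)."""
    if not role_policies:
        return set(all_ous)  # policy absent: any OU in the identity store may be selected
    allowed: set[str] = set()
    for policy in role_policies.values():
        if not policy.own_container_only and not policy.containers:
            return set(all_ous)  # one unrestricted role already allows everything
        roots = list(policy.containers)
        if policy.own_container_only:
            roots.append(parent_container(user_dn))
        allowed.update(ou for ou in all_ous if any(is_within(ou, r) for r in roots))
    return allowed


# Constructed sample identity store, user and roles (placeholder values, not real directory data).
ALL_OUS = ["OU=Sales,DC=corp,DC=example", "OU=EMEA,OU=Sales,DC=corp,DC=example",
           "OU=HR,DC=corp,DC=example", "OU=IT,DC=corp,DC=example"]
USER_DN = "CN=Jane Doe,OU=HR,DC=corp,DC=example"
ROLES = {"Helpdesk": NewObjectPolicy(own_container_only=True),
         "Sales Admin": NewObjectPolicy(containers=["OU=Sales,DC=corp,DC=example"])}

if __name__ == "__main__":
    for ou in sorted(allowed_containers(USER_DN, ROLES, ALL_OUS)):
        print(ou)  # HR (own container) plus Sales and its child EMEA; IT is excluded
```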
Expected Results:
With the New Object policy applied, role members can create new objects only in the specified container(s).
By default, and in the absence of this policy, role members can select any organizational unit in the particular identity store for creating new objects.
In Automate
On the Group Options page of the New Group wizard, the user can view only the specified OUs, and can create a new group in any of these.
In the Self-Service portal
On the General page of the Create Group wizard, the user can view only the specified OUs, and can create a new group in any of these.
Similarly, on the Account page of the Create Contact wizard, the user can view only the specified OUs, and can create a new contact in any of these.
References:
GroupID Online Help Topic: New Object policy