Applies To:

GroupID 8 & above – Self-Service

Business Case:

In the GroupID Self-Service portal, a security role with the ‘Manage any group’ permission in the identity store can change the query of a Smart Group.

Because groups grant permissions and access to important resources, group membership is security-critical, so only a limited set of users should be allowed to alter a group’s query. Is there a way to achieve this?

Solution:

GroupID enables administrators to control visibility and access on a Self-Service portal page.

  • Visibility level: determines which security roles can view a web page in the portal.
  • Access level: determines which security roles can update the values of fields on a web page.

These controls can also be applied to individual fields on a web page.

More Information:

Using the controls described above, you can restrict viewing and changing of group queries to authorized users only. Set the access and visibility levels for the Smart Group tab in group properties and for the individual fields on the tab.

The Smart Group tab has two fields:

  • Smart Group query: displays the query used to fetch and update group membership.
  • Scheduled job: displays the Smart Group update job associated with the group. The query is executed when the job runs.

Steps:

  1. In GroupID Management Console, select Self-Service > Portals > [required portal] > Designs.

  2. Select an identity store.

  3. Click the Properties tab.

  4. From the Select Directory Object drop-down list, select Smart Group.

  5. In the Name list, select Smart Group and click Edit.
    The Name list shows the tabs on the Smart Group’s properties page.

Control Visibility

  1. From the Visibility level drop-down list, select a security role. The Smart Group tab in group properties will be visible to users of this role and of roles with a priority value higher than this role.
    We recommend selecting one of the following options:

    • Administrator: makes the Smart Group tab visible to the Administrator role only (it is the highest priority role by default). The tab will not be visible to group owners if they fall in a lower priority role.
    • Manager and Owner: makes the tab visible to group owners for their respective groups. It will not be visible to any other user, including higher priority roles and roles with the ‘Manage any group’ permission in the identity store.

Control Access

  1. From the Access level drop-down list, select a security role. Users of this role and of roles with a priority value higher than this role will be able to add or update the values of the fields on the Smart Group tab.
    We recommend selecting one of the following options:

    • Administrator: enables only the Administrator role to update the query and select a Smart Group scheduled job for the group (the Administrator role is the highest priority role by default). If group owners fall in a lower priority role, they will not be able to update the values for their respective groups.
    • Manager and Owner: enables only the group owner to update the query and select a Smart Group scheduled job for the group. The tab will be read-only for other users, including higher priority roles and roles with the ‘Manage any group’ permission in the identity store.
  2. To apply the visibility and access controls on a field, select the respective field and click Edit.

    Set the access and visibility levels as required and click OK.

  3. Click OK to close the dialog box.

  4. On the toolbar, click Save.

Reference:

GroupID Online Help topic: Customize Object Properties