Sun Identity Manager Service Provider 8.1 Deployment

Capabilities Per User Rule

In the context of a Service Provider user Admin Role, the Capabilities Per User rule determines which capabilities and rights the requesting user holds on the Service Provider user for which access is being requested. The rule is evaluated whenever a request is made to view, create, modify, or delete a Service Provider user. It must be specified as a rule with authType CapabilitiesOnSPEUserRule.

The list of capabilities returned from the rule can include both existing Identity Manager capability names (such as “Service Provider Create User”) and Identity Manager right names (such as “Modify” and “Execute”).

The rule is passed the following arguments:

context — Specifies the current user’s Identity context (session).

runAsUser — The User view of the user the rule will run as. This argument is null if runAsIDMXUser is specified instead.

runAsIDMXUser — The IDMXUser view of the user the rule will run as. This argument is null if runAsUser is specified instead.

object — Specifies the name of an object, if an object exists. Otherwise, null.

objectType — Specifies the type of object, such as IDMXUser, that the rule filters.

object.identity — Specifies the DN of the Service Provider user on which the request is being made.

object.attributes — Defines a map of attribute name/value pairs of the Service Provider user on which the request is being made. Sample name/value pairs include sn=Smith and cn=gsmith.
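The following rule is an added example written for this page, not a sample shipped with Identity Manager; it declares the arguments listed above and returns a deny-by-default capability list. The rule name, the ou attribute and its value contractors are assumptions, while the capability and right names are the ones named on this page.

```xml
<!-- Constructed example: a Capabilities Per User rule in XPRESS.
     The 'ou' attribute and the value 'contractors' are assumed. -->
<Rule name='Example Capabilities Per User' authType='CapabilitiesOnSPEUserRule'>
  <RuleArgument name='context'/>
  <RuleArgument name='runAsUser'/>
  <RuleArgument name='runAsIDMXUser'/>
  <RuleArgument name='object'/>
  <RuleArgument name='objectType'/>
  <RuleArgument name='object.identity'/>
  <RuleArgument name='object.attributes'/>
  <block>
    <!-- Start with an empty list: a request gets nothing unless granted below. -->
    <defvar name='caps'>
      <list/>
    </defvar>
    <!-- Only IDMXUser objects are handled; any other objectType keeps the empty list. -->
    <cond>
      <eq><ref>objectType</ref><s>IDMXUser</s></eq>
      <block>
        <!-- A create request arrives with a null object and no attributes. -->
        <cond>
          <isnull><ref>object</ref></isnull>
          <append name='caps'>
            <s>Service Provider Create User</s>
          </append>
          <!-- Existing user: grant the Modify right only inside the assumed OU. -->
          <cond>
            <eq>
              <get><ref>object.attributes</ref><s>ou</s></get>
              <s>contractors</s>
            </eq>
            <append name='caps'>
              <s>Modify</s>
            </append>
          </cond>
        </cond>
      </block>
    </cond>
    <!-- The last expression in the block is the rule's return value. -->
    <ref>caps</ref>
  </block>
</Rule>
```

A view, modify or delete request on a user outside the contractors OU therefore returns an empty list, which is the safe outcome when none of the conditions match.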