Sun Identity Manager Deployment Guide

Example: Using Authorization Types to Restrict Visibility on Resources

You can use authorization types to restrict the visibility of resources at the resource level. Rather than move resources into special organizations, you can

When assigning capabilities to users, do not assign a capability that includes rights on a generic resource type. Instead, assign users a capability whose rights are scoped to a specific resource type.


Note –

For an example of stock authorization types defined in the system, see the admingroups.xml file.


Procedure – To Define a Resource-Specific Authorization Type

  1. Add an entry to the Configuration:AuthorizationTypes object.

    <AuthType name='Resource-Corporate-LDAP' extends='Resource'/>

  2. Derive a variant of one of the standard capabilities, such as Resource Administrator. The only difference between this capability and the standard AdminGroup is the type name in the Permission element, which is Resource-Corporate-LDAP instead of Resource.


    <AdminGroup name='Corporate LDAP Resource Administrator'
               protected='true'
               displayName='UI_ADMINGROUP_RESOURCE_ADMIN'
               description='UI_ADMINGROUP_RESOURCE_ADMIN_DESCRIPTION'>
       <AdminGroups>
           <ObjectRef type='AdminGroup' id='#ID#Resource Group Administrator'/>
           <ObjectRef type='AdminGroup' id='#ID#Resource Report Administrator'/>
           <ObjectRef type='AdminGroup' id='#ID#Connect Organizations'/>
           <ObjectRef type='AdminGroup' id='#ID#Connect Policies'/>
       </AdminGroups>
       <Permissions>
           <Permission type='AttributeDefinition' rights='View'/>
           <Permission type='Resource-Corporate-LDAP' rights='View,List,Create,Modify,Delete,Execute'/>
           <Permission type='ResourceUIConfig' rights='Create,Modify'/>
           <Permission type='Rule' rights='View'/>
           <Permission type='User' rights='View,List'/>
       </Permissions>
       <MemberObjectGroups>
           <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
       </MemberObjectGroups>
    </AdminGroup>
    <ObjectRef type='AdminGroup' id='#ID#Connect Resource Groups'/>
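The procedure above relies on two things holding at once: every resource-scoped Permission names an AuthType that is actually declared, and no capability handed to a user reaches the generic Resource type, either directly or through a nested AdminGroup reference. The following audit script is an added example, not part of this guide or of the Identity Manager product; it parses AdminGroup and AuthType definitions written in the layout shown above and reports both conditions. The surrounding <Waveset> and <AuthTypes> wrapper elements, the sample group names other than those in the guide, the rule that a nested ObjectRef id is the group name with the #ID# prefix removed, and the list of built-in object types (taken only from the types that appear in this guide's example) are all assumptions made so the script runs stand-alone.

```python
"""Audit AdminGroup definitions for over-broad or undeclared resource permissions.

Added example modelled on the XML fragments in this guide; the wrapper elements,
the extra sample groups and the built-in type list are assumptions.
"""
import xml.etree.ElementTree as ET

GENERIC_TYPE = "Resource"
# Assumption: built-in object types, taken from the types used in the guide's example.
# Any other Permission type is expected to be declared as an AuthType.
BUILTIN_TYPES = {"Resource", "AttributeDefinition", "ResourceUIConfig", "Rule", "User"}

# Constructed sample configuration (not a real admingroups.xml).
SAMPLE_XML = """<Waveset>
  <AuthTypes>
    <AuthType name='Resource-Corporate-LDAP' extends='Resource'/>
    <AuthType name='Resource-HR-Database' extends='Resource'/>
  </AuthTypes>
  <AdminGroup name='Resource Group Administrator'>
    <Permissions>
      <Permission type='AttributeDefinition' rights='View'/>
    </Permissions>
  </AdminGroup>
  <AdminGroup name='Resource Administrator'>
    <Permissions>
      <Permission type='Resource' rights='View,List,Create,Modify,Delete,Execute'/>
      <Permission type='User' rights='View,List'/>
    </Permissions>
  </AdminGroup>
  <AdminGroup name='Corporate LDAP Resource Administrator'>
    <AdminGroups>
      <ObjectRef type='AdminGroup' id='#ID#Resource Group Administrator'/>
    </AdminGroups>
    <Permissions>
      <Permission type='AttributeDefinition' rights='View'/>
      <Permission type='Resource-Corporate-LDAP' rights='View,List,Create,Modify,Delete,Execute'/>
      <Permission type='User' rights='View,List'/>
    </Permissions>
  </AdminGroup>
  <AdminGroup name='Help Desk Plus'>
    <AdminGroups>
      <ObjectRef type='AdminGroup' id='#ID#Resource Administrator'/>
    </AdminGroups>
    <Permissions>
      <Permission type='User' rights='View'/>
    </Permissions>
  </AdminGroup>
  <AdminGroup name='Typo Resource Administrator'>
    <Permissions>
      <Permission type='Resource-Corporate-LDPA' rights='View,List'/>
    </Permissions>
  </AdminGroup>
</Waveset>"""


def parse(xml_text):
    """Return (auth_types, groups): auth_types maps name -> extends,
    groups maps name -> (direct permissions, referenced AdminGroup names)."""
    root = ET.fromstring(xml_text)
    auth_types = {a.get("name"): a.get("extends") for a in root.iter("AuthType")}
    groups = {}
    for g in root.iter("AdminGroup"):
        perms = [(p.get("type"), p.get("rights", "")) for p in g.iter("Permission")]
        # Assumption: a nested reference's id is '#ID#' followed by the group name.
        refs = [r.get("id", "").replace("#ID#", "", 1)
                for r in g.findall("./AdminGroups/ObjectRef")
                if r.get("type") == "AdminGroup"]
        groups[g.get("name")] = (perms, refs)
    return auth_types, groups


def effective_permissions(groups, name, _seen=None):
    """Permissions a group grants directly plus everything reachable through
    nested AdminGroups. Each entry is (type, rights, via), where `via` is the
    group that holds the Permission directly. Cycles are tolerated."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in groups:
        return []
    seen.add(name)
    perms, refs = groups[name]
    out = [(ptype, rights, name) for ptype, rights in perms]
    for ref in refs:
        out.extend(effective_permissions(groups, ref, seen))
    return out


def audit(xml_text):
    """Return findings as (group, reason, permission type, via) tuples."""
    auth_types, groups = parse(xml_text)
    findings = []
    for name in groups:
        for ptype, _rights, via in effective_permissions(groups, name):
            if ptype == GENERIC_TYPE:
                # Rights on the generic type reach every resource, not one.
                findings.append((name, "generic-resource-type", ptype, via))
            elif ptype not in BUILTIN_TYPES and ptype not in auth_types:
                # A mistyped or undeclared type name never matches the intended resource.
                findings.append((name, "undefined-auth-type", ptype, via))
    return findings


if __name__ == "__main__":
    for group, reason, ptype, via in audit(SAMPLE_XML):
        print(f"{group}: {reason} ({ptype}, held by {via})")
```

In the constructed sample, the guide's own Corporate LDAP Resource Administrator passes cleanly, the stock Resource Administrator is reported for its generic Permission, Help Desk Plus is reported because it inherits that generic Permission through a nested reference, and the mistyped Resource-Corporate-LDPA is reported as undeclared.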