The scope of control for the service provider user admin role specifies which service provider users a given Identity Manager administrator, Identity Manager end user, or Identity Manager service provider end user is allowed to see. It is enforced when a request is made to list Service Provider Users in the directory.
You can specify one or more of the following settings for the Service Provider User Admin Role scope of control:
User search context. Specify whether a rule or text string is to be used to begin a search.
If None is specified, the default search context will be the base context specified in the Identity Manager Resource configured as the Service Provider User directory.
User search filter. Specify whether a rule or a text string is to be applied as the search filter.
The text string specified, or returned by the selected rule, must be an LDAP-compliant search filter string that represents the set of users, within the search context, that are controlled by users assigned this Admin Role. The specified filter is combined with the user-specified search filter so that the users returned from the search never include any users that users assigned this Admin Role are not authorized to list.
After user search filter rule. Select a rule to run after the User search filter has been applied.
This rule runs after the initial LDAP search is performed against the Service Provider User directory and evaluates the results to determine which distinguished names (DNs) the requesting user is allowed to access.
This type of rule can be used when you need to determine if a user should be in the requesting user’s scope of control using non-LDAP user attributes (for example, group membership), or when the filter decision needs to be made using a repository other than the Service Provider User directory (for example, an Oracle database or RACF).
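The following is an added illustration of the two-stage scope enforcement described above (the combined LDAP filter, then the after-search rule); it is not Identity Manager code, and the directory entries, group table and minimal filter evaluator are constructed for the example and assumed to behave like a case-sensitive LDAP server.

```python
from fnmatch import fnmatchcase

# Constructed sample Service Provider User directory: dn -> entry attributes.
DIRECTORY = {
    "uid=alice,ou=retail,dc=example": {"uid": "alice", "ou": "retail", "cn": "Alice Smith"},
    "uid=bob,ou=retail,dc=example":   {"uid": "bob",   "ou": "retail", "cn": "Bob Jones"},
    "uid=carol,ou=bank,dc=example":   {"uid": "carol", "ou": "bank",   "cn": "Carol Smith"},
}
# Constructed non-LDAP attribute (group membership) consulted by the after-search rule.
GROUPS = {"uid=alice,ou=retail,dc=example": {"vip"}}


def parse(f, i=0):
    """Minimal RFC 4515 filter evaluator (assumption: a well-formed filter).
    Supports (&...), (|...), (!...) and (attr=value) with '*' wildcards.
    Returns (predicate over an entry dict, index just past this sub-filter)."""
    assert f[i] == "(", "filter must start with '('"
    if f[i + 1] in "&|!":
        op, i, subs = f[i + 1], i + 2, []
        while f[i] == "(":                      # collect nested sub-filters
            p, i = parse(f, i)
            subs.append(p)
        i += 1                                  # skip the closing ')'
        if op == "&":
            return (lambda e: all(p(e) for p in subs)), i
        if op == "|":
            return (lambda e: any(p(e) for p in subs)), i
        return (lambda e: not subs[0](e)), i
    j = f.index(")", i)
    attr, val = f[i + 1:j].split("=", 1)
    return (lambda e: fnmatchcase(e.get(attr, ""), val)), j + 1


def combine_filters(scope_filter, user_filter):
    """Wrap the requester's filter inside the Admin Role scope filter so the
    directory search itself cannot return entries outside the scope, even if
    the user filter contains an OR that would otherwise widen the result."""
    return f"(&{scope_filter}{user_filter})" if user_filter else scope_filter


def list_users(scope_filter, user_filter, after_rule=None):
    """Stage 1: LDAP search with the combined filter.
    Stage 2: optional after-search rule deciding, per DN, whether it stays."""
    predicate, _ = parse(combine_filters(scope_filter, user_filter))
    dns = [dn for dn, entry in DIRECTORY.items() if predicate(entry)]
    return [dn for dn in dns if after_rule is None or after_rule(dn)]


if __name__ == "__main__":
    print(list_users("(ou=retail)", "(cn=*Smith*)"))
    print(list_users("(ou=retail)", "", lambda dn: "vip" in GROUPS.get(dn, set())))
```

The second search shows the after-search stage filtering on a non-LDAP attribute (group membership), which the LDAP filter alone cannot express.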