You can create a new authorization type by extending the existing TaskDefinition, TaskInstance, and TaskTemplate authorization types. You can use one of the following methods to add an authorization type:
Create a new authorization type using the <AuthType> element.
Edit the Authorization Types Configuration object in the repository by adding the new authorization type element (AuthType) for your task.
By setting an authorization type on a repository type, you can restrict which users can see, modify, or delete objects of that type. To define an authorization type for a repository type, set the authorization type name to the name of a repository type and omit the extends attribute.
Identity Manager implements the User Admin role and assigns it to all users by default. This role encapsulates the EndUser AdminGroup that provides two end-user authorization types (AuthTypes) and several list permissions for various object types.
These end-user authorization types include:
EndUserRule. Allows access to rule objects that have the EndUserRule AuthType specified in the object, as follows:
<Rule authType='EndUserRule' ...>
EndUserTask. Allows access to TaskDefinition objects that have the EndUserTask AuthType specified in the object, as follows:
<TaskDefinition authType='EndUserTask' ...>
EndUserLibrary. Allows access to the contents of a Library object.
To implement this AuthType, set the AuthType to EndUserLibrary and ensure the Library’s MemberObjectGroup is All. (The EndUser capability (AdminGroup) has List and View access to Libraries whose authorization type is EndUserLibrary.)
You can use authorization types to restrict the visibility of resources at the resource level. Rather than move resources into special organizations, you can
Define an authorization type for each resource (for example, Resource-Corporate-LDAP)
Build capabilities with rights for those resource types
When assigning capabilities to users, do not assign a capability that includes rights to a generic resource type. Instead, assign users a capability with rights for a specific resource type.
For an example of stock authorization types defined in the system, see the admingroups.xml file.
Add an entry to the Configuration:AuthorizationTypes object.
<AuthType name='Resource-Corporate-LDAP' extends='Resource'/>
Derive a variant of one of the standard capabilities, such as Resource Administrator. Note that the only difference between this capability and the standard AdminGroup is the type name in the Permission, which is Resource-Corporate-LDAP instead of Resource.
<AdminGroup name='Corporate LDAP Resource Administrator' protected='true'
            displayName='UI_ADMINGROUP_RESOURCE_ADMIN'
            description='UI_ADMINGROUP_RESOURCE_ADMIN_DESCRIPTION'>
  <AdminGroups>
    <ObjectRef type='AdminGroup' id='#ID#Resource Group Administrator'/>
    <ObjectRef type='AdminGroup' id='#ID#Resource Report Administrator'/>
    <ObjectRef type='AdminGroup' id='#ID#Connect Organizations'/>
    <ObjectRef type='AdminGroup' id='#ID#Connect Policies'/>
    <ObjectRef type='AdminGroup' id='#ID#Connect Resource Groups'/>
  </AdminGroups>
  <Permissions>
    <Permission type='AttributeDefinition' rights='View'/>
    <!-- The only change from the stock Resource Administrator: the
         specific authorization type replaces the generic Resource type. -->
    <Permission type='Resource-Corporate-LDAP' rights='View,List,Create,Modify,Delete,Execute'/>
    <Permission type='ResourceUIConfig' rights='Create,Modify'/>
    <Permission type='Rule' rights='View'/>
    <Permission type='User' rights='View,List'/>
  </Permissions>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
  </MemberObjectGroups>
</AdminGroup>
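The guidance above (give users a capability scoped to a specific resource authorization type, never one with rights on the generic Resource type) is easy to get wrong across many AdminGroups. The following audit script is an added example, not Identity Manager code: it parses AuthType and AdminGroup elements in the shape this page shows and reports capabilities that still grant rights on a base type that has specific AuthTypes derived from it, or that name a type for which no AuthType is defined. The Config wrapper element, the stock type list, and the sample XML are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Stock object types named on this page (assumption: extend for a real deployment).
STOCK_TYPES = {"Resource", "TaskDefinition", "TaskInstance", "TaskTemplate",
               "Rule", "User", "AttributeDefinition", "ResourceUIConfig", "Library"}

# Constructed sample. The <Config> wrapper is an assumption of this example;
# the AuthType / AdminGroup / Permission shape follows the page.
SAMPLE_XML = """<Config>
  <AuthType name='Resource-Corporate-LDAP' extends='Resource'/>
  <AdminGroup name='Corporate LDAP Resource Administrator'>
    <Permissions>
      <Permission type='Resource-Corporate-LDAP' rights='View,List,Modify'/>
      <Permission type='User' rights='View,List'/>
    </Permissions>
  </AdminGroup>
  <AdminGroup name='Resource Administrator'>
    <Permissions>
      <Permission type='Resource' rights='View,List,Create,Modify,Delete'/>
    </Permissions>
  </AdminGroup>
  <AdminGroup name='Mistyped Group'>
    <Permissions>
      <Permission type='Resource-Corporate-LDPA' rights='View'/>
    </Permissions>
  </AdminGroup>
</Config>"""

def audit(xml_text, stock_types=STOCK_TYPES):
    """Return {AdminGroup name: [finding, ...]} for groups that need review."""
    root = ET.fromstring(xml_text)
    # Derived AuthType name -> the base type it extends.
    derived = {a.get("name"): a.get("extends")
               for a in root.iter("AuthType") if a.get("extends")}
    # Base types that have at least one specific AuthType derived from them.
    specialised = set(derived.values())
    findings = {}
    for group in root.iter("AdminGroup"):
        notes = []
        for perm in group.iter("Permission"):
            t, rights = perm.get("type"), perm.get("rights")
            if t in specialised:
                notes.append(f"generic {t} rights ({rights}) where specific types exist")
            elif t not in derived and t not in stock_types:
                notes.append(f"unknown type {t}: no matching AuthType defined")
        if notes:
            findings[group.get("name")] = notes
    return findings

if __name__ == "__main__":
    for name, notes in audit(SAMPLE_XML).items():
        print(name, "->", "; ".join(notes))
```

Run it against an export of your own AdminGroup and AuthorizationTypes configuration; a group that appears in the output either needs its Permission type narrowed or its type name corrected.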
You can also use authorization types to grant fine-grained administrative control of a very specific part of Identity Manager to a set of users.
You create an AuthType, assign objects to that AuthType, and then create a capability that grants that AuthType. When you assign this capability to a set of users, they can only see the area of the system that the authorization type and capability allow them to see.
The following example assigns the LimitedReportType authorization type to a TaskDefinition, and the Run Limited Report capability to a user. Consequently, that user can only execute reports whose TaskDefinition has the LimitedReportType authorization type.
<AuthType name='LimitedReportType' extends='TaskDefinition'/>
<AuthType name='LimitedReportType' extends='TaskInstance'/>
<AdminGroup name='Run Limited Report' ...>
  ...
  <Permissions>
    <!-- The capability grants rights only on the specific authorization type. -->
    <Permission type='LimitedReportType' rights='View,Execute'/>
  </Permissions>
  ...
</AdminGroup>