How can users modify their own Active Directory group memberships in Identity Portal

Article ID: 138940

Products

CA Identity Manager, CA Identity Portal, CA Identity Suite

Issue/Introduction

On version 14.3, after following the instructions linked below, the existing account and group entitlements appear, but users are unable to add, search for, or remove group entitlements for their own accounts. The 'imadmin' user can manage groups for users.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-5/administrating/identity-portal-administration/about-modules/create-direct-endpoints.html

Environment

Release : 14.x

Component : CA IDENTITY SUITE

Cause

The Self Manager admin role in IDM did not include the necessary scoping.

Resolution

Modify scoping on Self Manager admin role in IDM as follows:


On the Tasks tab, add the "Modify Active Directory Account" task.


On the Members tab, edit the Member Rule to include Active Directory Group objects with a scope rule of "(all)" and Active Directory Account objects with a scope rule that will allow them to modify only their own accounts, for example the rule "where Account Name = admin's Login Id".