CA IDM - Modification on User role/permission queries

Article ID: 141200

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

As part of the IDM console audit 2019, a permissions clean-up for the IDM portal is being performed at our end.

There is a request to remove Read Only/Read Write permissions for a few Rogers employees. While trying to remove read-only roles from the user profile, they get added again automatically as the employees are part of Administrator access.

The employees appear to have two entries in the IDM portal, i.e. read/write + administrator. Our ask was to reduce this to one appropriate entry with the correct level of access. Can you please assist with this?

Environment

Release : 14.1

Component : IdentityMinder (Identity Manager)

Resolution

Basically, you do not have access to the UID Administrator Read Only admin role. You only have administration of it:

https://ent.box.com/shared/static/3dnhlghoid5dgrba8vflqdwrpl3tn0ez

What this means is that you cannot perform the tasks associated with the role, but you can add and remove members of the role so that they can perform the tasks.

Your administration rule is set like this:

https://ent.box.com/shared/static/ebawgjy65uns0kuayhmhyfkpyxvwas3h

This means that by being a member of the System Manager role you are automatically an administrator of this role.

There are no string changes when you add and remove a user.

Simply removing yourself from the System Manager role will make you a basic user, who may or may not be able to make changes to their own profile.

My suggestion to fix this is to create another constraint attribute mirroring the admin role constraint, and to have administrator membership of the admin role mirrored in the same way as membership:

https://ent.box.com/shared/static/1rhhragsbdf1g6ltnjeb346lg4fo8o02

In this policy, when a user is added or removed, a string is added to or removed from the admin role constraint.

You must do the same for administrators.
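As an added illustration (not code from this article or from CA Identity Manager), the following Python model shows why an administrator entry that is derived from System Manager membership cannot be removed per user, and how a mirrored constraint attribute with its own add/remove policy makes it removable. The attribute names roleConstraints and adminConstraints and the constraint strings are invented for the example.

```python
# Hypothetical model, not CA IDM code; attribute and role names are invented.
from dataclasses import dataclass
from typing import Callable, Dict, Set

User = Dict[str, Set[str]]  # attribute name -> set of constraint strings

@dataclass
class Role:
    name: str
    member_rule: Callable[[User], bool]  # who can perform the role's tasks
    admin_rule: Callable[[User], bool]   # who can add/remove the role's members

def has(user: User, attr: str, value: str) -> bool:
    return value in user.get(attr, set())

def portal_entries(user: User, role: Role) -> Set[str]:
    """Entries the portal would show for this user on this role."""
    out = set()
    if role.member_rule(user):
        out.add("member")
    if role.admin_rule(user):
        out.add("administrator")
    return out

# "Before": membership keyed on a constraint string, administration derived from
# System Manager membership (the setup the resolution describes).
system_manager = Role("System Manager",
                      member_rule=lambda u: has(u, "roleConstraints", "SystemManager"),
                      admin_rule=lambda u: has(u, "roleConstraints", "SystemManager"))
read_only_before = Role("UID Administrator Read Only",
                        member_rule=lambda u: has(u, "roleConstraints", "ReadOnly"),
                        admin_rule=system_manager.member_rule)

# "After": administration keyed on its own mirrored constraint string, which a
# change-user policy adds or removes when an administrator is added or removed.
read_only_after = Role("UID Administrator Read Only",
                       member_rule=lambda u: has(u, "roleConstraints", "ReadOnly"),
                       admin_rule=lambda u: has(u, "adminConstraints", "ReadOnly"))

def remove_read_only(role: Role) -> Set[str]:
    """Employee is System Manager plus member and administrator of the read-only
    role; an admin removes both read-only entries (the policies drop the strings)."""
    user: User = {"roleConstraints": {"SystemManager", "ReadOnly"},
                  "adminConstraints": {"ReadOnly"}}
    user["roleConstraints"].discard("ReadOnly")   # membership removal
    user["adminConstraints"].discard("ReadOnly")  # administrator removal
    return portal_entries(user, role)

print(remove_read_only(read_only_before))  # {'administrator'}: derived, comes back
print(remove_read_only(read_only_after))   # set(): removable, System Manager kept
```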