CA IDM - Modification on User role/permission queries


Article ID: 141200


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite


As part of the 2019 IDM console audit, a permissions clean-up for the IDM portal is being performed at our end.

There is a request to remove the Read Only/Read Write permission for a few Rogers employees. While trying to remove the read-only roles from the user profile, they get added again automatically, as the users are part of the Administrator access.

The employees appear to have two entries in the IDM portal, i.e. read/write + administrator. Our ask was to reduce this to one appropriate entry with the correct level of access. Can you please assist with this?


Release : 14.1

Component : IdentityMinder (Identity Manager)


Basically, you are not a member of the UID Administrator Read Only admin role.
You only have administration of it:

What this means is that you cannot perform the tasks associated with the role, but you can add and remove members of the role so that they can perform those tasks.

Your administration rule is set like this:

This means that by being a member of the System Manager role you are automatically an administrator of this role.

Because the administrator rule is derived from System Manager membership, no attribute strings are changed when you add or remove a user as an administrator.

Simply removing yourself from the System Manager role will make you a basic user; you may or may not then be able to make changes to yourself.

My suggestion to fix this is to create another constraint attribute mirroring the admin role constraint, and to make admin role administrator membership mirror it, the same as membership:

In this policy, when a user is added or removed, a string is added to or removed from the admin role constraint attribute.

You must do the same for administrators.
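The following is an added model, not code from the article or from CA Identity Manager, of why the "remove administrator" task has no effect when the administrator rule is "member of System Manager", and why a mirrored attribute constraint with a change action fixes it. The attribute name "roleStrings" and the strings UID_RO_MEMBER / UID_RO_ADMIN are assumed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    roles: set = field(default_factory=set)    # roles the user holds directly (assumed model)
    attrs: dict = field(default_factory=dict)  # multi-valued attribute -> set of strings

@dataclass
class Policy:
    kind: str                    # "attr": attribute contains a string; "role": member of a role
    target: str                  # attribute name or role name
    value: str = ""              # the string required (attr policies only)
    change_action: bool = False  # add/remove the string when a member/admin is added/removed
    def matches(self, user):
        if self.kind == "attr":
            return self.value in user.attrs.get(self.target, set())
        return self.target in user.roles

@dataclass
class Role:
    member_policies: list = field(default_factory=list)
    admin_policies: list = field(default_factory=list)

def is_member(user, role):
    return any(p.matches(user) for p in role.member_policies)

def is_admin(user, role):
    return any(p.matches(user) for p in role.admin_policies)

def apply_change(user, policies, add):
    """Console add/remove task: only policies with a change action touch the user."""
    for p in policies:
        if p.change_action:
            bucket = user.attrs.setdefault(p.target, set())
            (bucket.add if add else bucket.discard)(p.value)

def demo():
    # Assumed names: attribute "roleStrings", strings UID_RO_MEMBER / UID_RO_ADMIN.
    ro = Role([Policy("attr", "roleStrings", "UID_RO_MEMBER", change_action=True)],
              [Policy("role", "System Manager")])   # admin rule as described in the article
    alice = User(roles={"System Manager"})
    before = is_admin(alice, ro)                       # True: derived from System Manager
    apply_change(alice, ro.admin_policies, add=False)  # "remove administrator" changes no string
    still_admin = is_admin(alice, ro)                  # still True
    ro.admin_policies = [Policy("attr", "roleStrings", "UID_RO_ADMIN", change_action=True)]
    apply_change(alice, ro.admin_policies, add=True)   # mirrored constraint: add writes the string
    added = is_admin(alice, ro)
    apply_change(alice, ro.admin_policies, add=False)  # and remove actually clears it
    removed = is_admin(alice, ro)
    return before, still_admin, is_member(alice, ro), added, removed
```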