Employee's manager with no editing rights in the web shop

Hello everyone,

in the web portal, by default, each employee's manager can add, edit and assign a new manager to an employee.

Is it possible for managers to only view their employees, while only some specific employees can add, edit (all) employees and assign a new manager?

Thanks

Giuseppe

  • Hello Trevor,

    thank you for your answer.

    I tested the KB262293 with success but now, on the overview page for the person, his manager cannot see the tiles of Requests, Entitlements, Attestation Risk anymore.

    This way the manager cannot revoke an employee's entitlements anymore. That does not seem correct to me.

    Thanks

    Giuseppe

  • So I assume you changed the value for "Employees which can be edited by the current user" and this does not include Managers?

    Can you tell me what you changed exactly?

    You said you want "manager only view their employees while only some specific employees can add, edit (all) employees and assign a new manager?"

    So I assume you did not add the Managers to "Employees which can be edited by the current user"?

    Depending on your where clause you may need to edit the actual permissions so that managers can view only, while other users can actually edit.

    Trevor

  • Yes, for "Employees which can be edited by the current user" the query is:

    "EXISTS (
    select 1 from personinaerole
    where UID_Person = '%useruid%'
    and UID_AERole in (select UID_AERole from AERole where Ident_AERole = 'HR Specialist'))"

    The HR Specialist is a custom application role under Identity Management/Employees with permission group "VI_4_ALLMANAGER".

    For Employees authorized to add and edit employees the query is:

    "EXISTS (
    select 1 from (select uid_person from personinaerole
      where exists (select 1 from (select UID_AERole from AERole where Ident_AERole = 'HR Specialist') as x
        where x.UID_AERole = personinaerole.uid_aerole)) as X
    where X.uid_person = '%useruid%')"

    The link https://support.oneidentity.com/identity-manager/kb/121994/internal-how-to-set-up-read-only-access-to-it-shop takes me to page not found.

    Regards.

    Giuseppe

  • Well, after some testing I think I satisfied my requirements:

    1) A manager doesn't have to modify an employee's data (LastName, FirstName, mail address, etc.) or assign a new manager

    2) A manager doesn't have to add a new employee

    For requirement 1)

    I created a custom application role called HR Specialist with permission group VI_4_ALLMANAGER

    For my web application I created the component CCC_Common_ObjectSheet_Person, a copy of VI_Common_ObjectSheet_Person, where container15, containing the Master data tile, must be visible only to an HR Specialist or an admin. For this the viewing condition is:

    "from object select current isHrSpecialistOrAdmin"

    isHrSpecialistOrAdmin is a Boolean identifier under ComponentInterface1/VirtualTableExtension1, with the following rule:

    Exists(
       "Person",
       SqlAnd(
          SqlCompareUid("UID_Person", GetUser()),
          Format("UID_Person in (select piae.UID_Person from personinaerole piae join AERole aer on aer.UID_AERole = piae.uid_aerole where aer.Ident_AERole = 'HR Specialist')")
       )
    )
    or
    Exists(
       "Person",
       SqlAnd(
          SqlCompareUid("UID_Person", GetUser()),
          Format("UID_Person in (select piae.UID_Person from personinaerole piae join AERoleCollection aec on aec.UID_AERole = piae.uid_aerole where aec.UID_ParentAERole = 'QER-AEROLE-PERSONADMIN-ADMIN')")
       )
    )

    For requirement 2)

    In my web application I created the module CCC_Employee_Overview, a copy of VI_Employee_Overview, where Container4, containing the "Add a new employee" button, is visible only to an HR Specialist or an admin. The viewing condition is the same query as for isHrSpecialistOrAdmin.

    Regards

    Giuseppe
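The HR Specialist and admin conditions discussed in this thread, as an added example that is not from the thread or from One Identity: a Python/sqlite3 model of the Person, PersonInAERole, AERole and AERoleCollection tables (all rows constructed) that evaluates the clauses for a given user, with the '%useruid%' placeholder replaced by a bound parameter. It also evaluates a variant of the HR Specialist clause that does not reference the current user, to show that such a clause holds for every user and so grants the right to everybody.

```python
import sqlite3

# Constructed rows modelled on the tables named in the thread; UIDs are made up.
SCHEMA = """
CREATE TABLE Person (UID_Person TEXT PRIMARY KEY, UID_PersonHead TEXT);
CREATE TABLE AERole (UID_AERole TEXT PRIMARY KEY, Ident_AERole TEXT);
CREATE TABLE PersonInAERole (UID_Person TEXT, UID_AERole TEXT);
CREATE TABLE AERoleCollection (UID_AERole TEXT, UID_ParentAERole TEXT);
INSERT INTO Person VALUES ('P-HR', NULL), ('P-MGR', NULL), ('P-EMP', 'P-MGR'), ('P-ADM', NULL);
INSERT INTO AERole VALUES ('R-HR', 'HR Specialist'), ('R-PA', 'Person administrators');
INSERT INTO PersonInAERole VALUES ('P-HR', 'R-HR'), ('P-ADM', 'R-PA');
INSERT INTO AERoleCollection VALUES ('R-PA', 'QER-AEROLE-PERSONADMIN-ADMIN');
"""

# HR Specialist clause from the thread, bound to the current user (%useruid%).
HR_SPECIALIST_CLAUSE = """EXISTS (
  select 1 from PersonInAERole
  where UID_Person = :useruid
  and UID_AERole in (select UID_AERole from AERole where Ident_AERole = 'HR Specialist'))"""

# Same clause with no reference to the current user: it is true as soon as
# one HR Specialist exists, so it would grant the right to every user.
UNBOUND_CLAUSE = """EXISTS (
  select 1 from PersonInAERole
  where UID_AERole in (select UID_AERole from AERole where Ident_AERole = 'HR Specialist'))"""

# Admin clause from the rule in the thread (child roles of the person admin role).
ADMIN_CLAUSE = """EXISTS (
  select 1 from PersonInAERole piae
  join AERoleCollection aec on aec.UID_AERole = piae.UID_AERole
  where piae.UID_Person = :useruid
  and aec.UID_ParentAERole = 'QER-AEROLE-PERSONADMIN-ADMIN')"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def clause_holds(con, clause, useruid):
    """Evaluate a where-clause fragment for the given user."""
    return bool(con.execute(f"SELECT {clause}", {"useruid": useruid}).fetchone()[0])

def can_edit(con, useruid):
    # Master data tile and "Add a new employee" button: HR Specialist or admin only.
    return clause_holds(con, HR_SPECIALIST_CLAUSE, useruid) or clause_holds(con, ADMIN_CLAUSE, useruid)

def can_view(con, useruid, target):
    # A manager sees the overview of a direct report but cannot edit it.
    head = con.execute("SELECT UID_PersonHead FROM Person WHERE UID_Person = ?", (target,)).fetchone()
    return can_edit(con, useruid) or (head is not None and head[0] == useruid)
```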