• State Verified Answer
  • Replies 1 reply
  • Subscribers 95 subscribers
  • Views 1527 views
  • Users 0 members are here
Options
Related

Assign AERole to ADSGroup

wolfgang.kluge
over 3 years ago

I wonder if there's a way to assign AERoles to a ADSGroup. There seems no direct way. I could create a dynamic role and search for users with a specific group, but that seems really counter-intuitive to me.

I searched a bit and found in DialogValidDynamicRef that there is a way to assign QERAssign-Objects that can "hold" a AERole, (though there seems no way to create such an assignment with the manager). But since there's no ADSGroupHasESet or similar, I'm stuck at the same point..

What do I miss here?

Parents
  • +1 over 3 years ago

    Just for clarity, I think you want to assign AD Groups to Application Roles, so the table would be AERoleHasADSGroup.

    The answer is no, there is no option to assign AD Groups to Application Roles. Think of Application Roles as One Identity Manager internal roles, that allow you to control the abilities and permissions of an identity inside of OneIM. There is no need for assigning AD Groups to these roles as this assignment would mean that the members of the role are going to be a member of the AD Group which is the opposite of what you want to achieve.

    If you want to assign identities to the Application Role based on AD-group membership, you need to use a dynamic-role definition as you have already figured.

Reply
  • +1 over 3 years ago

    Just for clarity, I think you want to assign AD Groups to Application Roles, so the table would be AERoleHasADSGroup.

    The answer is no, there is no option to assign AD Groups to Application Roles. Think of Application Roles as One Identity Manager internal roles, that allow you to control the abilities and permissions of an identity inside of OneIM. There is no need for assigning AD Groups to these roles as this assignment would mean that the members of the role are going to be a member of the AD Group which is the opposite of what you want to achieve.

    If you want to assign identities to the Application Role based on AD-group membership, you need to use a dynamic-role definition as you have already figured.

Children
No Data