Service items have a property Attestors (UID_OrgAttestator) that is a foreign key to AERole.
Manager
When I'm editing a service item in Manager I can see that the available AERoles are limited to a specific branch using the condition:
(UID_AERole in (select UID_Org from BaseTreeCollection where UID_ParentOrg in (N'ATT-AEROLE-ITSHOPADMIN-ATTESTATOR')))
Object Browser
When I'm editing a service item in Object Browser the I can select any AERole, but the customizer will raise an exception if it isn't in the specific branch. I.e. I get the error:
Error while running 'CheckValues' in logic module 'ATT.Customizer.AccProductGroup'.
The selected One Identity Manager application role is not a child of 'Attestors'.
New Custom Column
I want to duplicate Attestors but limit it to a different branch of AERole, but I can't see where/how to specify the condition to enforce the limit.
Any ideas?