Create custom permission group to see a subset of system roles on Angular web portal

Hi,

This is achieved with permissions.  Specifically permission groups with specified table and column permissions.

Take a look at the documentation here for guidance:  https://docs.oneidentity.com/bundle/one-identity-manager_authentication_9.3/page/sources/config/permissions/dbmdialogtableandcolumnrightrule.html

Note:  There is a 'free' variable you can use in your filters to access the current user %useruid%.  This can be used in your SQL filter to scope it down to the current logged in user.

HTH, Barry.

Hello, thanks for your answer.

I created a permission group with complete permissions on tables ESet and PersonHasESet.

When I log in to the Web Portal with a user with that permission group, he doesn't see the Data Administration tab. How should I do?

Lucrezia

Admin portal > Configuration > Web project > Search: VI_Roles_Responsibility_ESet
Responsibility SQL WHERE clause for system roles
Extend the SQL query

Admin portal > Configuration > Web project > Search: VI_Roles_Responsibility_ESet
Responsibility SQL WHERE clause for system roles
Extend the SQL query

How do you suggest of setting up this query in order to have 2 roles: first role can view one set of ESets, second role can view another set of ESets?

In addition: how can I manage CRUD permissions with it?

Lucrezia 

I'm not sure I understand your use-case exactly, because OOTB everyone can view the ESet's based on the V_4_ALLUSER_LOOKUP.
So you should not need extra permissions (groups) for that.

The API config option VI_Roles_Responsibility_ESet is used to filter out the ESet's you can already see based on your DB level permissions.

If you put in 1 = 1 nothing will be filtered.

Or you could extend the query so only users in a specific AERole can see the ESet's

OR EXISTS (
SELECT 1
FROM PersonInAErole
WHERE UID_AERole = 'UID...'
AND UID_Person = '%useruid%'
)

Or you can combine this with some attribute of the ESET by which you can group them.

OR (EXISTS (
SELECT 1
FROM PersonInAErole
WHERE UID_AERole = 'UID...'
AND UID_Person = '%useruid%'
) AND Ident_ESet LIKE 'TEST%')

Or you can extend the schema of the ESET so you can assign an AERole
so you can show the ESet's by AERole group membership

OR (
CCC_UID_AERole IN (
SELECT UID_AERole
FROM PersonInAERole
WHERE UID_person = '%useruid%'
))

Hello Niels,

ok got it. But it is impossible to handle CRUD permissions. 

Let's say that my user have to view ONLY system role A and system role B, but with write permission on A and read-only permissions on B. This is impossible as far as I understood your comment.

Lucrezia

You get view permissions (aka read-only) via VI_4_ALLUSER_LOOKUP. And for the edit-permissions you change the responsibility query as proposed by Niels.
You can even go for new permission groups where you can define your CRUD options on the object or property level as you please.