Standard access modifiers
This article describes the access modifiers that are included in the default system. However, they are not applied by default. You can implement your own access modifier classes.
The default access modifiers are as follows:
- ActivityAccessModifier
- CalculatedRolesAccessModifier (view only)
- ContextAssignmentsAccessModifier
- ContextIdentitiesAccessModifier
- EmptyGroupsAccessModifier (view only)
- IdentitiesAccessModifier
- IdentitiesRequiringCalculation (view only)
- IdentityContextsAccessModifier
- IrrelevantRoleAssignmentsAccessModifier (view only)
- ManagedIdentitiesAccessModifier (view only)
- ManagedOrOwnedObjectsAccessModifier (view only)
- MyContextsAccessModifier
- ObjectsWithIdentityPropertyMatch (view only)
- OrgUnitsAccessModifier (view only)
- OwnedContextsAccessModifier (view only)
- OwnedRolesAccessModifier (view only)
- OwnedSystemsAccessModifier (view only)
- PasswordResetAccessModifier
- ProcessAccessModifier
- ProcessTargetAccessModifier
- ReferringObjectExistenceAccessModifier
- RoleAssignmentsAccessModifier (Only users with admin permissions have access to the object. Users with all other permissions have access only to the VALIDFROM and VALIDTO values.)
- SystemRolesAccessModifier (view only)
- UsersAndRealGroups (view only)
The access modifiers marked (view only) are designed for use in views only: they contain no access calculation logic, only load-option modification, and their PrepareAccessCalculation and CalculateAccess methods are not implemented. They therefore only narrow what a view loads and cannot be relied on to calculate access to an object outside a view.
Several access modifiers use the parameter ACCESSMODE, which specifies whether access is permitted for MANAGER, SYSTEMOWNER, ROLEOWNER, or ALL. Other parameters are explained in the description of the specific access modifier. The parameter field of an access modifier holds at most 1024 characters.
The AccessModifierUtils class contains the queries that return the accessible identity IDs for managers, resource owners, and system owners. The access modifier classes that are not view only use these queries in their implementations.
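The following C# sketch is an added illustration of the two points above (the ACCESSMODE parameter and the owner-scoped identity queries); it is not Omada code and does not reproduce Omada's base classes or the real AccessModifierUtils signatures. The parameter-field format (semicolon-separated KEY=VALUE pairs), the IAccessibleIdQueries interface and its method names, and the reading of ALL as the union of the three owner scopes are assumptions made for the example. It shows the check a practitioner wants in a custom access modifier: enforce the 1024-character limit, reject an unknown ACCESSMODE instead of silently widening access, and dispatch each mode to a scoped query.

```csharp
// Added example, not Omada code. Parameter format, IAccessibleIdQueries and the meaning
// of ALL are assumptions. Requires .NET Core 2.0+/.NET 5+ (Split with options, TryAdd, switch expressions).
using System;
using System.Collections.Generic;

public enum AccessMode { Manager, SystemOwner, RoleOwner, All }

public sealed class AccessModifierParameters
{
    // The documentation states the parameter field holds at most 1024 characters.
    public const int MaxParameterLength = 1024;

    public AccessMode Mode { get; }
    public IReadOnlyDictionary<string, string> Others { get; }

    private AccessModifierParameters(AccessMode mode, IReadOnlyDictionary<string, string> others)
    {
        Mode = mode;
        Others = others;
    }

    // Parses "ACCESSMODE=MANAGER;SOMEKEY=value" (assumed format). Fails closed: an over-long
    // field, a duplicate key, a missing or unknown ACCESSMODE all throw rather than defaulting
    // to ALL, because a silent fallback would widen access on a typo in the configuration.
    public static AccessModifierParameters Parse(string field)
    {
        if (field == null) throw new ArgumentNullException(nameof(field));
        if (field.Length > MaxParameterLength)
            throw new ArgumentException($"Parameter field exceeds {MaxParameterLength} characters.");

        var pairs = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var part in field.Split(';', StringSplitOptions.RemoveEmptyEntries))
        {
            int idx = part.IndexOf('=');
            if (idx <= 0) throw new FormatException($"Malformed parameter '{part}'.");
            string key = part.Substring(0, idx).Trim();
            string value = part.Substring(idx + 1).Trim();
            if (!pairs.TryAdd(key, value))
                throw new FormatException($"Duplicate parameter '{key}'.");
        }

        if (!pairs.TryGetValue("ACCESSMODE", out string modeText))
            throw new FormatException("ACCESSMODE is required.");

        AccessMode mode = modeText.ToUpperInvariant() switch
        {
            "MANAGER"     => AccessMode.Manager,
            "SYSTEMOWNER" => AccessMode.SystemOwner,
            "ROLEOWNER"   => AccessMode.RoleOwner,
            "ALL"         => AccessMode.All,
            _ => throw new FormatException($"Unknown ACCESSMODE '{modeText}'.")
        };
        pairs.Remove("ACCESSMODE");
        return new AccessModifierParameters(mode, pairs);
    }
}

// Stand-in for the accessible-identity queries the documentation attributes to
// AccessModifierUtils. Interface and method names are assumptions for this example.
public interface IAccessibleIdQueries
{
    IEnumerable<int> IdentitiesManagedBy(int userIdentityId);
    IEnumerable<int> IdentitiesOfSystemsOwnedBy(int userIdentityId);
    IEnumerable<int> IdentitiesOfRolesOwnedBy(int userIdentityId);
}

public static class AccessCalculation
{
    // Returns the identity IDs the current user may reach under the configured ACCESSMODE.
    // ALL is taken to mean the union of the three owner scopes (assumption), so every branch
    // still runs a scoped query; no mode value here yields an unrestricted set.
    public static ISet<int> AccessibleIdentityIds(AccessMode mode, int userIdentityId, IAccessibleIdQueries q)
    {
        var result = new HashSet<int>();
        if (mode == AccessMode.Manager || mode == AccessMode.All)
            result.UnionWith(q.IdentitiesManagedBy(userIdentityId));
        if (mode == AccessMode.SystemOwner || mode == AccessMode.All)
            result.UnionWith(q.IdentitiesOfSystemsOwnedBy(userIdentityId));
        if (mode == AccessMode.RoleOwner || mode == AccessMode.All)
            result.UnionWith(q.IdentitiesOfRolesOwnedBy(userIdentityId));
        return result;
    }
}
```

In a real access modifier the parsed parameters would be read in PrepareAccessCalculation and the resulting ID set consulted in CalculateAccess; the point of the sketch is that an unrecognised ACCESSMODE denies rather than grants, and that the ALL case is still composed from scoped queries.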
The access modifiers are located in the Omada.OE.AppLogic assembly or the Omada.OE.Solution.OIM.AppLogic assembly. Their namespaces are Omada.OE.AppLogic.AccessModifiers and Omada.OE.Solution.OIM.AppLogic.AccessModifiers.
For security reasons, Omada Identity v14.0.6 (Update 6) disabled the FullReadAccessModifier. In consequence:
- In the self-management resource "Identity Manager", the identity picker no longer lets users access all identities, only those allowed through the Identities Access Modifier.
- In the self-management resource "Org. Unit Manager", the org. unit picker no longer lets users access all org. units, only those allowed through the OrgUnits Access Modifier.
- In the Delegation process, the identity picker no longer lets users access all identities, only those allowed through the Identities Access Modifier.
- In the Survey reassignment screen, the user picker no longer lets users access all users, only those allowed through the Data Object Security Model.
It is possible to revert to the old behavior manually by re-applying the FullReadAccessModifier to the applicable reference views, but this is not recommended: it re-exposes every object in those reference views to any user who can open the picker, regardless of the user's manager, owner, or admin relationship to the data.