IdentitiesAccessModifier Class
The access modifier controls access to identity data objects. An identity is accessible to a user if:
* It is the user's own identity (if ACCESSMODE contains SELF).
* The user is the manager of the identity (if ACCESSMODE contains MANAGER). An identity is managed if:
  * The identity belongs directly or indirectly (through a child org. unit) to an org. unit the user is manager of AND the identity has no specific manager stated, or
  * The user is specified as the specific manager of the identity, or
  * The user is the owner of a context for which the identity has a (valid) context assignment (requires that the context feature is installed).
* The user is the owner of a system for which the identity has a resource (if ACCESSMODE contains SYSTEMOWNER).
* The user is the owner of a resource assigned to the identity (if ACCESSMODE contains ROLEOWNER). A resource is owned if:
  * The resource is located (directly) in a resource folder the user is a role owner of AND the resource has no specific resource owner specified, or
  * The user is specified as the specific owner of the resource.
* The user is in the same org. unit as the identity (if ACCESSMODE contains ORGUNIT).
* The user is specified as owner in the property IDENTITYOWNER and the identity is of type non-primary (if ACCESSMODE contains IDENTITYOWNER or ALL).
* The user is a service desk agent for a business context the identity belongs to (if ACCESSMODE contains SERVICEDESKAGENT or ALL).
* The user is a service desk agent for a business context the identity belongs to and service desk agents are allowed to request access (Service desk auth. role) (if ACCESSMODE contains SERVICEDESKAGENT_ACCESSREQ or ALL).
The following only applies if ACCESSMODE=ALL: the SYSTEM user has READ+UPDATE access to all identities. Members of the built-in Administrators group also have READ+UPDATE access to all identities by default; this can be changed with the ADMINGROUPS parameter. All other users (non-admins) have READ access only, where they have access at all.
The access modifier supports the parameter ACCESSMODE. The value of ACCESSMODE must be a comma delimited string with one or more of these values: MANAGER, ROLEOWNER, SYSTEMOWNER, ORGUNIT, SELF, IDENTITYOWNER, SERVICEDESKAGENT, SERVICEDESKAGENT_ACCESSREQ, ALL. If ACCESSMODE is not specified it is treated as ALL, i.e. the widest setting; a configuration that is meant to be restrictive must therefore state ACCESSMODE explicitly.
--- ADMINGROUPS is deprecated! Use the IdentitiesAccessModifier authorization element to control permissions ---
The following only applies if ACCESSMODE=ALL: the access modifier supports the parameter ADMINGROUPS, which specifies the user groups whose members should have READ+UPDATE access to all identities. The value of ADMINGROUPS must be a comma delimited string of user group uids. If ADMINGROUPS is not specified, the value defaults to the built-in Administrators group. If ADMINGROUPS is specified, it replaces that default, so the built-in Administrators group must be included explicitly for its members to keep READ+UPDATE access.
--- ADMINGROUPSKEY is deprecated! Use the IdentitiesAccessModifier authorization element to toggle Admin permissions ---
The access modifier also supports the parameter ADMINGROUPSKEY, which works in the same way except that the value must be the key of a customer setting holding a comma delimited string of user group uids.
--- READERGROUPS is deprecated! Use the IdentitiesAccessModifier authorization element to control permissions ---
The following only applies if ACCESSMODE=ALL: the access modifier supports the parameter READERGROUPS, which specifies the user groups whose members should have READ access to all identities. The value of READERGROUPS must be a comma delimited string of user group uids.
--- READERGROUPSKEY is deprecated! Use the IdentitiesAccessModifier authorization element to toggle Read permissions ---
The access modifier also supports the parameter READERGROUPSKEY, which works in the same way except that the value must be the key of a customer setting holding a comma delimited string of user group uids.
The access modifier supports the parameter EXCLUDEINDIRECTMANAGED (TRUE/FALSE), which controls whether both directly and indirectly managed identities are allowed (FALSE, the default) or only directly managed identities (TRUE). An indirectly managed identity is one that belongs to a context which is a child or grandchild of a managed context. Regardless of the setting, personal context assignments are still included when their parent context is directly assigned; e.g. an employment (a context of type personal) under a directly assigned org. unit is included. The parameter is only considered if ACCESSMODE contains MANAGER.
The access modifier supports the parameter UNFOLDHIERARCHYFORSERVICEDESK (TRUE/FALSE), which controls whether service desk agents are allowed only directly managed identities (the default) or both directly and indirectly managed identities. An indirectly managed identity is one that belongs to a context which is a child or grandchild of a managed context. Regardless of the setting, personal context assignments are still included when their parent context is directly assigned; e.g. an employment (a context of type personal) under a directly assigned org. unit is included. The parameter is only considered if ACCESSMODE contains SERVICEDESKAGENT or SERVICEDESKAGENT_ACCESSREQ.
The access modifier supports the parameter SERVICEDESKAGENTSGROUPSUIDS, which specifies the user groups whose members should have service desk access to identities. The value of SERVICEDESKAGENTSGROUPSUIDS must be a comma delimited string of user group uids. If the parameter is not provided, the standard "Service desk agents" user group is used by default. The parameter is only considered if ACCESSMODE contains SERVICEDESKAGENT or SERVICEDESKAGENT_ACCESSREQ.
The access modifier has a configuration object XML (AccessModifierConfig_IdentitiesAccessModifier) which can be used to control field-level security in three scenarios:
1. The active user updates their own identity (myOwnidentity).
2. A supervisor updates their contractor (contractorSupervisor).
3. A technical identity owner updates their technical identity (techIdentOwner).
The access modifier supports the parameter DELEGATEACCESS (TRUE/FALSE), which controls whether both directly and indirectly managed identities, or only directly managed identities, are allowed for the delegator and the delegates in delegate access. It respects the "DelegOnBehalfAnyLvl" customer setting when deciding whether to show a manager's subordinate managed identities.
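The decision the rules above describe, as an added example that is not Omada's code: a Python model that, given a user, an identity and the modifier's parameter dictionary, returns the access flags the rules imply. It covers ACCESSMODE parsing with the ALL default and rejection of unknown values, SELF, MANAGER (specific manager, org. unit hierarchy, EXCLUDEINDIRECTMANAGED with the personal-context exception), IDENTITYOWNER, and the ACCESSMODE=ALL flag rules for SYSTEM, ADMINGROUPS and READERGROUPS. ROLEOWNER, SYSTEMOWNER, ORGUNIT and the service desk rules are left out; every uid, user name and org. unit is constructed; the Administrators group uid is a stand-in; and READ for ordinary users outside ACCESSMODE=ALL is an assumption, since the page only states the flag rules for ALL.

```python
"""Model of the IdentitiesAccessModifier decision rules (added example, not Omada code).
Covers ACCESSMODE parsing, SELF, MANAGER, IDENTITYOWNER and the ACCESSMODE=ALL flag rules;
ROLEOWNER, SYSTEMOWNER, ORGUNIT and the service desk rules are not modelled. All names are constructed."""
from dataclasses import dataclass
from enum import Flag
from typing import Iterator, Optional

VALID_MODES = {"MANAGER", "ROLEOWNER", "SYSTEMOWNER", "ORGUNIT", "SELF", "IDENTITYOWNER",
               "SERVICEDESKAGENT", "SERVICEDESKAGENT_ACCESSREQ", "ALL"}
SYSTEM_USER = "SYSTEM"
ADMINISTRATORS_UID = "grp-administrators"  # stand-in uid for the built-in Administrators group

class Access(Flag):
    NONE = 0
    READ = 1
    UPDATE = 2

def parse_access_mode(value: Optional[str]) -> set[str]:
    """Comma-delimited ACCESSMODE; missing or blank means ALL; unknown tokens are rejected."""
    if value is None or not value.strip():
        return {"ALL"}
    modes = {tok.strip().upper() for tok in value.split(",") if tok.strip()}
    if modes - VALID_MODES:
        raise ValueError(f"unknown ACCESSMODE value(s): {sorted(modes - VALID_MODES)}")
    return modes

@dataclass
class OrgUnit:
    parent: Optional[str] = None
    manager: Optional[str] = None  # user uid of the org. unit manager
    personal: bool = False         # personal context, e.g. an employment

@dataclass
class Identity:
    uid: str
    user: Optional[str]            # user account the identity belongs to (SELF rule)
    org_unit: Optional[str]
    specific_manager: Optional[str] = None
    primary: bool = True
    identity_owner: Optional[str] = None  # the IDENTITYOWNER property

@dataclass
class Directory:
    org_units: dict[str, OrgUnit]
    groups: dict[str, set[str]]    # user group uid -> member user uids

    def ancestors(self, ou_uid: Optional[str]) -> Iterator[OrgUnit]:
        while ou_uid is not None:  # the org. unit itself, then its parents, nearest first
            yield self.org_units[ou_uid]
            ou_uid = self.org_units[ou_uid].parent

    def in_groups(self, user: str, uid_list: str) -> bool:
        return any(user in self.groups.get(uid.strip(), set()) for uid in uid_list.split(","))

def is_manager(d: Directory, user: str, ident: Identity, exclude_indirect: bool) -> bool:
    """MANAGER rule: a specific manager overrides the org. unit hierarchy entirely."""
    if ident.specific_manager is not None:
        return ident.specific_manager == user
    chain = list(d.ancestors(ident.org_unit))
    if not exclude_indirect:  # default: any ancestor org. unit the user manages counts
        return any(ou.manager == user for ou in chain)
    # EXCLUDEINDIRECTMANAGED=TRUE: only the identity's own org. unit counts, except that a
    # personal context (e.g. an employment) under a directly managed parent still counts.
    return bool(chain) and (chain[0].manager == user
                            or chain[0].personal and len(chain) > 1 and chain[1].manager == user)

def is_accessible(d: Directory, user: str, ident: Identity, modes: set[str], exclude_indirect: bool) -> bool:
    on = lambda mode: "ALL" in modes or mode in modes  # ALL is read as enabling every rule
    if on("SELF") and ident.user == user:
        return True
    if on("MANAGER") and is_manager(d, user, ident, exclude_indirect):
        return True
    return on("IDENTITYOWNER") and not ident.primary and ident.identity_owner == user

def access_flags(d: Directory, user: str, ident: Identity, params: dict[str, str]) -> Access:
    """Flags the modifier would grant `user` on `ident` for the given parameter set."""
    modes = parse_access_mode(params.get("ACCESSMODE"))
    exclude_indirect = params.get("EXCLUDEINDIRECTMANAGED", "FALSE").strip().upper() == "TRUE"
    if "ALL" in modes:
        if user == SYSTEM_USER:
            return Access.READ | Access.UPDATE
        # ADMINGROUPS replaces the default: listing other groups without Administrators demotes admins.
        if d.in_groups(user, params.get("ADMINGROUPS", ADMINISTRATORS_UID)):
            return Access.READ | Access.UPDATE
        if d.in_groups(user, params.get("READERGROUPS", "")):
            return Access.READ
    # The page states READ for ordinary users under ALL; assumed the same for the other modes.
    return Access.READ if is_accessible(d, user, ident, modes, exclude_indirect) else Access.NONE

# Constructed sample: alice manages the root, bob manages sales, carol's employment is personal.
SAMPLE = Directory(
    org_units={"ou-root": OrgUnit(manager="alice"),
               "ou-sales": OrgUnit(parent="ou-root", manager="bob"),
               "emp-carol": OrgUnit(parent="ou-sales", personal=True)},
    groups={ADMINISTRATORS_UID: {"alice"}, "grp-ops": {"frank"}, "grp-auditors": {"grace"}})
CAROL = Identity("id-carol", user="carol", org_unit="emp-carol")
DAVE = Identity("id-dave", user="dave", org_unit="ou-sales", specific_manager="erin")
SVC = Identity("id-svc", user=None, org_unit=None, primary=False, identity_owner="bob")
```

Running the sample through access_flags shows the two checks worth confirming before shipping a configuration: with EXCLUDEINDIRECTMANAGED=TRUE, alice (manager of the root) loses carol (an employment two levels down) while bob keeps her because the employment is a personal context under his org. unit; and setting ADMINGROUPS to a group list that omits the built-in Administrators group drops alice from READ+UPDATE to no access at all on an identity she neither manages nor owns.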
Namespace: Omada.OE.Solution.OIM.AppLogic.AccessModifiers
```csharp
public class IdentitiesAccessModifier : CommonAccessModifierBase
```
The IdentitiesAccessModifier type exposes the following members.
Constructors
Name | Description
---|---
IdentitiesAccessModifier | 
Properties
Name | Description
---|---
DbConnection | Note: not available in the Initialize() method. (Inherited from CommonAccessModifierBase.)
DbTransaction | Note: not available in the Initialize() method. (Inherited from CommonAccessModifierBase.)
Factory | The factory can be used to create controller instances running on the connection/transaction that the call is executed in. Note: not available in the Initialize() method. (Inherited from CommonAccessModifierBase.)
Parameters | The parameters specified for the access modifier in the Initialize() method. Tip: retrieve a parameter value by using the GetParameterValue() method. (Inherited from CommonAccessModifierBase.)
Methods
Name | Description
---|---
CalculateAccess | Overrides CommonAccessModifierBase.CalculateAccess(DataObject, AccessFlags, AccessCallContext).
GetAccessFlags | Gets the access flags according to the reader groups, the admin groups and the configuration of the authorization role elements. (Inherited from CommonAccessModifierBase.)
GetAccessibleObjects | Populates a temporary database table with the ids of the identities that are accessible to the active user. The method can be overridden so that additional ids can be added.
GetParameterValue(IDictionary<String, String>, String, Boolean) | Returns the value of a boolean parameter from the parameter values delivered to the Initialize() method. Intended as a utility in implementations of the Initialize() method. (Inherited from AccessModifierBase.)
GetParameterValue(IDictionary<String, String>, String, Guid) | Returns the value of a Guid parameter from the parameter values delivered to the Initialize() method. Intended as a utility in implementations of the Initialize() method. (Inherited from AccessModifierBase.)
GetParameterValue(IDictionary<String, String>, String, Int32) | Returns the value of an integer parameter from the parameter values delivered to the Initialize() method. Intended as a utility in implementations of the Initialize() method. (Inherited from AccessModifierBase.)
GetParameterValue(IDictionary<String, String>, String, String) | Returns the value of a string parameter from the parameter values delivered to the Initialize() method. Intended as a utility in implementations of the Initialize() method. (Inherited from AccessModifierBase.)
GetUIdsFromParameter(String, String, IDictionary<String, String>) | Returns a collection of UIds from the parameters delivered to the Initialize() method. Intended as a utility in implementations of the Initialize() method. (Inherited from AccessModifierBase.)
GetUIdsFromParameter(String, String, IDictionary<String, String>, Guid) | Returns a collection of UIds from the parameters delivered to the Initialize() method. Intended as a utility in implementations of the Initialize() method. (Inherited from AccessModifierBase.)
Initialize | Overrides CommonAccessModifierBase.Initialize(IDictionary<String, String>).
ModifyLoadOptions | Overrides CommonAccessModifierBase.ModifyLoadOptions(DataObjectLoadOptionsBase, AccessCallContext).
PrepareAccessCalculation | Overrides CommonAccessModifierBase.PrepareAccessCalculation(List<DataObject>, AccessCallContext).
QueryDataObjectIds | Queries the database and returns the ids of the data objects that meet a set of expressions. The security model is overridden, i.e. the result is not filtered by the active user's access rights, so the caller must apply its own access check before exposing the ids. (Inherited from CommonAccessModifierBase.)
Extension Methods
Name | Description
---|---
ToBool | Converts an object to a boolean. (Defined by ObjectExtensions.)
ToDateTime | Converts an object to a DateTime. (Defined by ObjectExtensions.)
ToInt | Converts an object to an integer. (Defined by ObjectExtensions.)
Explicit Interface Implementations
Name | Description
---|---
IDataObjectFieldLevelAccessModifier.CalculateAccess | (Inherited from CommonAccessModifierBase.)
IDataObjectFieldLevelAccessModifier.PrepareAccessCalculation | (Inherited from CommonAccessModifierBase.)