Restrict Manual Provisioning of Sensitive Roles/Groups
3 weeks ago
Hi Community,
We have a requirement to prevent users with the "admin" or "user_admin" roles from manually provisioning certain sensitive groups. Only users with the "security_admin" role should be able to provision these groups.
For example, below are the two groups:
Group A
Group B
Expected Behavior:
- If a user with "admin" or "user_admin" tries to manually assign any of the above roles/groups, the system should block the action and show a message like: “Only users with the 'security_admin' role can provision this role/group manually.”
- Users with "security_admin" should be allowed to assign these roles/groups, and the action should be logged for audit.
- ACLs should enforce restrictions on group membership changes for these sensitive groups.
3 weeks ago
Hi @VALLUB ,
Yes, you can achieve this; follow these steps:
- Mark sensitive groups (like Group A and Group B) either by adding a custom Boolean field u_sensitive_group on the sys_user_group table, by using the existing type field with a new “Sensitive” type, or by hardcoding their identification in Business Rules or ACL scripts.
- Create a Before Insert/Update Business Rule on sys_user_grmember to block changes if the group is sensitive and the user lacks security_admin.
- Show an error: “Only users with the 'security_admin' role can provision this group manually.” and abort the action.
- Allow and log changes (add work notes/comments) if the user has security_admin.
- Optionally, add ACLs on sys_user_grmember to restrict create/delete for sensitive groups.
- Test with admin, user_admin, and security_admin roles to ensure only security_admin can manage sensitive groups.
Mark this answer as helpful and correct, if this helps you.
Thanks,
Yaswanth.
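As an added example (not code from the original thread), here is the server-side logic of the Before Business Rule described in the answer above, written as a plain ES5 function so it can be exercised outside ServiceNow. On the platform the rule body would call sensitiveGroupGuard(current, previous, gs); here the GlideRecord, GlideElement and GlideSystem objects are replaced by constructed test doubles at the bottom of the block. It assumes the custom Boolean field u_sensitive_group on sys_user_group from the first step. One check worth noting: the example uses gs.hasRoleExactly rather than gs.hasRole, because hasRole() answers true for any role when the caller holds admin, which is precisely the user the requirement wants to stop; confirm that behaviour on your instance before relying on it.

```javascript
// Before Business Rule logic for sys_user_grmember (insert, update, delete).
// ES5 style (var, no arrow functions) so it runs in ServiceNow's Rhino engine.
// Assumption: sys_user_group carries a custom Boolean field u_sensitive_group.

var SENSITIVE_FLAG = 'u_sensitive_group';
var BLOCK_MESSAGE = "Only users with the 'security_admin' role can provision this group manually.";

// True when the referenced sys_user_group record carries the sensitive flag.
function isSensitiveGroup(groupElement) {
  if (!groupElement || groupElement.nil()) return false;
  var grp = groupElement.getRefRecord();
  if (!grp || !grp.isValidRecord()) return false;
  var flag = grp.getValue(SENSITIVE_FLAG); // accept both '1'/'0' and 'true'/'false'
  return flag == '1' || flag == 'true';
}

// Core rule: returns a result object and, when blocking, aborts the database action.
function sensitiveGroupGuard(current, previous, gs) {
  var groups = [current.group];
  // On update the member may be moved *out of* a sensitive group, so check the old value too.
  if (current.operation() == 'update' && previous) groups.push(previous.group);

  var touchesSensitive = false;
  for (var i = 0; i < groups.length; i++) {
    if (isSensitiveGroup(groups[i])) { touchesSensitive = true; break; }
  }
  if (!touchesSensitive) return { blocked: false, sensitive: false };

  // hasRoleExactly: hasRole() returns true for every role when the user is admin.
  if (!gs.hasRoleExactly('security_admin')) {
    gs.addErrorMessage(BLOCK_MESSAGE);
    current.setAbortAction(true);
    return { blocked: true, sensitive: true };
  }

  // Allowed: write an audit line to the system log (sys_user_grmember has no journal field).
  gs.info('Sensitive group membership ' + current.operation() + ' by ' + gs.getUserName() +
          ' user=' + current.getValue('user') + ' group=' + current.getValue('group'));
  return { blocked: false, sensitive: true };
}

// ---- Constructed test doubles standing in for ServiceNow objects (not platform code) ----
function FakeGroupRecord(sensitive) {
  this.isValidRecord = function () { return true; };
  this.getValue = function (f) { return f === SENSITIVE_FLAG ? (sensitive ? '1' : '0') : ''; };
}
function FakeRefElement(sysId, sensitive) {
  this.sysId = sysId;
  this.nil = function () { return !sysId; };
  this.getRefRecord = function () { return new FakeGroupRecord(sensitive); };
}
function FakeGrMember(op, userId, groupElement) {
  this.group = groupElement;
  this.aborted = false;
  this.operation = function () { return op; };
  this.getValue = function (f) {
    return f === 'user' ? userId : (f === 'group' ? groupElement.sysId : '');
  };
  this.setAbortAction = function (b) { this.aborted = !!b; };
}
function FakeGs(roles, userName) {
  this.errors = [];
  this.logs = [];
  this.hasRoleExactly = function (r) { return roles.indexOf(r) !== -1; };
  this.addErrorMessage = function (m) { this.errors.push(m); };
  this.info = function (m) { this.logs.push(m); };
  this.getUserName = function () { return userName; };
}

// Runs one scenario and reports what the platform would have observed.
function simulate(roles, groupIsSensitive, op, previousGroupIsSensitive) {
  var gs = new FakeGs(roles, 'tester');
  var current = new FakeGrMember(op, 'user001', new FakeRefElement('grpA', groupIsSensitive));
  var previous = op === 'update'
    ? new FakeGrMember(op, 'user001', new FakeRefElement('grpB', !!previousGroupIsSensitive))
    : null;
  var result = sensitiveGroupGuard(current, previous, gs);
  return { blocked: result.blocked, aborted: current.aborted,
           errors: gs.errors.length, logs: gs.logs.length };
}
```

Running simulate(['admin'], true, 'insert') shows an admin being blocked with one error message and an aborted action, while simulate(['security_admin'], true, 'insert') passes and leaves one audit line; the update case also blocks an admin who tries to move a member out of a sensitive group even when the new group is ordinary.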
