Feature Access Policies

Definition

A Feature Access Policy is composed of a right that encompasses several Features.
Once this right is granted to users, they have access to all the Features listed in the Feature Access Policy.

An Access Policy describes:

  • Who Accesses

  • Which Features

  • What Objects

An Access Policy is configured with:

  • an Access Right Grant that identifies whom the policy applies to

  • a set of Features that identifies which Features are accessible

  • a set of Scopes that identify what Managed Objects are accessible (one scope for each kind of Object).

Several Access Policies can be configured in the system, some of them authorizing access to the same Features.

Configuration

You can access the Feature Access Policy configuration:

  • by clicking on "Portal" → "Feature Access Policies"

  • by clicking on "System" → "Configurations" → "Business Model" and performing an import/export.

Global properties

Before configuring a Feature Access Policy, you must configure a right.

The right should be named as follows: adm.<name of the right>

Feature Access properties

| Property name | Type | Mandatory | Description |
|---|---|---|---|
| id | String | YES | The id is the unique identifier of the Feature Access Policy. It is case sensitive and no special characters (except - or _) are allowed. |
| name | String | YES | The Feature Access Policy name. The name may be different from the identifier. Must be at least 4 characters long. |
| description | String | NO | Used to describe the FAP. It is possible to modify the name property after the creation of the FAP. |
| right | String | YES | Used to indicate the id of the configured right. |
| features | - | YES | Lists the ids of the configured Features. |
| feature | String | YES | Used to indicate the id of a Feature. |
| scope | - | NO | Configures a restriction on the Object kind that can be accessed by the listed Features. If a Scope is also configured on a Feature listed in the FAP, both will match. The Scopes must be consistent, otherwise an error will be displayed on the user portal. |

Example

Feature Access Policy Example
XML
<?xml version="1.0" encoding="UTF-8"?>
<kit:DataSet xmlns:ctd="http://www.memority.com/citadel/1_0" 
xmlns:ctdbpmn="http://www.memority.com/citadel/bpmn/1_0" xmlns:ctdbum="http://www.memority.com/citadel/bum/1_0" 
xmlns:ctdcore="http://www.memority.com/citadel/core/1_0" xmlns:ctdidm="http://www.memority.com/citadel/idm/1_0" 
xmlns:ctdrule="http://www.memority.com/citadel/rule/1_0" xmlns:ctdtnt="http://www.memority.com/citadel/tnt/1_0" 
xmlns:kit="http://www.memority.com/toolkit/1_0" xmlns:rule="http://www.memority.com/toolkit/rule/1_0"
xmlns:ruleaddon="http://www.memority.com/toolkit/addons/rule/1_0" xmlns:search="http://www.memority.com/toolkit/search-expression/1_0" 
xmlns:security="http://www.memority.com/toolkit/security/1_0" xmlns:settings="http://www.memority.com/toolkit/addons/settings/1_0" 
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <ctdbum:FeatureAccessPolicy id="hierarchicalManager-featureAccessPolicy">
      <name>Hierarchical Manager</name>
      <description></description>
      <right>adm.hierarchical-manager-features</right>
      <features>
         <feature>identity-common-role</feature>
         <feature>identity-common-audit</feature>
         <feature>identity-common-scheduledOperations</feature>
         <feature>common-role-assignment</feature>
         <feature>common-mfa-enable</feature>
         <feature>common-mfa-disable</feature>
         <feature>common-password-enable</feature>
         <feature>common-mfa-self-enroll</feature>
         <feature>common-mfa-self-enroll-browser</feature>
         <feature>common-mfa-self-enroll-mobile</feature>
         <feature>identity-contractor-search</feature>
         <feature>identity-contractor-view</feature>
         <feature>identity-contractor-update</feature>
         <feature>identity-contractor-read</feature>
         <feature>identity-contractor-create</feature>
         <feature>identity-contractor-updateContract</feature>
         <feature>reporting-common-authentication</feature>
         <feature>reporting-common-identity</feature>
         <feature>reporting-common-access</feature>
         <feature>identity-internal-view</feature>
         <feature>identity-internal-update</feature>
         <feature>identity-internal-read</feature>
         <feature>identity-internal-create</feature>
         <feature>organization-common-search</feature>
         <feature>organization-common-create</feature>
         <feature>organization-common-update</feature>
         <feature>organization-common-read</feature>
         <feature>organization-common-view</feature>
         <feature>organization-common-users</feature>
      </features>
      <scope type="RULE" objectKind="IDENTITY">
         <searchExpression/>
         <rule>
            <script><![CDATA[
                //@ruleFlavor: citadel, toolkit
                static SearchExpression buildExpression(String id) {
                    return expr { securityOrganization.belowOrEquals(id) }
                }

                return SUBJECT.rights
                        .findAll { it.name == "adm.hierarchical-manager-features" }
                        .collect { it.target }
                        .flatten()
                        .collect { buildExpression(it as String) }
                        .inject { acc, expr -> acc | expr }
                ]]></script>
         </rule>
         <objectTypes/>
      </scope>
      <scope type="RULE" objectKind="ORGANIZATION">
         <searchExpression/>
         <rule>
            <script><![CDATA[
                //@ruleFlavor: citadel, toolkit
                static SearchExpression buildExpression(String tt) {
                    return expr { id.belowOrEquals(tt) }
                }

                return SUBJECT.rights
                        .findAll { it.name == "adm.hierarchical-manager-features" }
                        .collect { it.target }
                        .flatten()
                        .collect { buildExpression(it as String) }
                        .inject { acc, expr -> acc | expr }
                ]]></script>
         </rule>
         <objectTypes/>
      </scope>
      <scope type="EXPRESSION" objectKind="RESOURCE">
         <searchExpression/>
         <objectTypes/>
      </scope>
      <scope type="EXPRESSION" objectKind="ROLE">
         <searchExpression/>
         <objectTypes/>
      </scope>
      <scope type="EXPRESSION" objectKind="ROLE_PUBLICATION">
         <searchExpression/>
         <objectTypes/>
      </scope>
   </ctdbum:FeatureAccessPolicy>
</kit:DataSet>
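
A pre-import check of the rules in the properties table above, added here as an illustration (it is not Memority's code or tooling). It reads "no special characters" as ASCII letters and digits plus - and _, and its rule-script check is a heuristic that assumes a script filtering SUBJECT.rights by a quoted adm.* name should name the policy's own right, as the example does; lint_policies and SAMPLE are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

BUM_NS = "http://www.memority.com/citadel/bum/1_0"   # from the page's example
ID_RE = re.compile(r"[A-Za-z0-9_-]+")                # only - and _ besides letters/digits
RIGHT_LITERAL_RE = re.compile(r"""["'](adm\.[^"']+)["']""")

def lint_policies(xml_text):
    """Return (policy id, finding) pairs for each FeatureAccessPolicy in a DataSet."""
    findings = []
    for fap in ET.fromstring(xml_text).iter(f"{{{BUM_NS}}}FeatureAccessPolicy"):
        pid = fap.get("id") or ""
        report = lambda msg: findings.append((pid, msg))
        if not ID_RE.fullmatch(pid):
            report("id: mandatory, no special characters except - or _")
        if len((fap.findtext("name") or "").strip()) < 4:
            report("name: mandatory, at least 4 characters")
        right = (fap.findtext("right") or "").strip()
        if not re.fullmatch(r"adm\..+", right):
            report("right: mandatory, named adm.<name of the right>")
        feats = [(f.text or "").strip() for f in fap.findall("features/feature")]
        if not feats or "" in feats:
            report("features: mandatory, every feature needs an id")
        seen = set()
        for scope in fap.findall("scope"):
            kind = scope.get("objectKind")
            if kind in seen:
                report(f"scope: more than one scope for object kind {kind}")
            seen.add(kind)
            # Heuristic (assumption): quoted adm.* names in a rule script should equal <right>.
            script = scope.findtext("rule/script") or ""
            for literal in RIGHT_LITERAL_RE.findall(script):
                if literal != right:
                    report(f"scope {kind}: script uses {literal}, right is {right}")
    return findings

# Constructed sample (not a real policy): bad id, short name, copy-pasted rule script.
SAMPLE = """<kit:DataSet xmlns:kit="http://www.memority.com/toolkit/1_0"
                         xmlns:ctdbum="http://www.memority.com/citadel/bum/1_0">
  <ctdbum:FeatureAccessPolicy id="helpdesk policy">
    <name>HD</name><right>adm.helpdesk-features</right>
    <features><feature>identity-internal-read</feature></features>
    <scope type="RULE" objectKind="IDENTITY"><rule><script><![CDATA[
      return SUBJECT.rights.findAll { it.name == "adm.hierarchical-manager-features" }
    ]]></script></rule></scope>
  </ctdbum:FeatureAccessPolicy></kit:DataSet>"""

if __name__ == "__main__":
    print(*lint_policies(SAMPLE), sep="\n")
```

Running it on an exported Business Model file before import catches a scope script that still references the right of the policy it was copied from.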
