Hierarchical access control filter

What is a one sentence summary of your feature request?

Hierarchical access control filter

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Currently, the filters within the ACRs do not take into account the hierarchical aspect of the dimensions. For example, departments are often hierarchical, but to allow department managers to perform specific workflows on their subordinates, we are forced to declare the filters for each level (N-1, N-2, etc.).

For large organizations, it is therefore not maintainable to configure these ACRs.

The desired behavior would be for the ACRs to operate in the same way as the “Role Officer By Category” who can validate role assignment in their categories and sub-categories.
Ideally, an additional parameter “IsHierarchical” on the filters could be used to enable or disable the hierarchical feature.

How do you currently solve the challenges you have by not having this feature?

Manually set the filters for a couple of hierarchical levels

Hi @Cedric. Thanks for the submission. I’ve moved the idea to “under review” to discuss with the team.

2 Likes

Hi @Cedric. This feature was implemented in the past, and we removed it after too much negative feedback from clients. The feedback was:

  • This does not respect the principle of Least Privilege if we give users access to all sub-categories. For example, the CEO would be able to perform actions on all users.
  • Users were getting all email notifications for all users in sub-categories, so they blocked email notifications from the app.
  • Applying the filter N-1 allows for better control of how many users can be managed in workflows and respects Least Privilege security principles.

I’m open to hearing more of your feedback. There is still maybe a possibility for a better solution. 🙂

1 Like
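
The scope trade-off discussed in this thread, as an added example that is not part of the original posts and is not the product's own filter logic: it compares how many users a manager can act on under a depth-limited filter and under a fully hierarchical one. The department tree, headcounts, function names and the `max_depth` parameter are constructed for illustration; `max_depth=1` is assumed to model an N-1 filter and `None` the requested hierarchical behaviour.

```python
from collections import deque

# Constructed department tree (parent -> child departments); not from a real deployment.
CHILDREN = {
    "Corp": ["Sales", "Engineering"],
    "Sales": ["Sales-EMEA", "Sales-APAC"],
    "Engineering": ["Platform", "Security"],
    "Platform": ["SRE"],
}
# Constructed headcount per department.
HEADCOUNT = {"Corp": 3, "Sales": 10, "Engineering": 12, "Sales-EMEA": 40,
             "Sales-APAC": 35, "Platform": 25, "Security": 8, "SRE": 15}


def departments_in_scope(root, max_depth=None):
    """Departments at or below `root`, down to `max_depth` levels (None = unlimited)."""
    scope, queue = [], deque([(root, 0)])
    while queue:
        dept, depth = queue.popleft()
        scope.append(dept)
        # Descend only while the depth limit (if any) has not been reached.
        if max_depth is None or depth < max_depth:
            queue.extend((child, depth + 1) for child in CHILDREN.get(dept, []))
    return scope


def users_in_scope(root, max_depth=None):
    """Number of users the manager of `root` could act on under the given filter."""
    return sum(HEADCOUNT[d] for d in departments_in_scope(root, max_depth))


def over_broad_scopes(limit, max_depth=None):
    """Departments whose manager's scope exceeds `limit` users (a review check)."""
    return sorted(d for d in HEADCOUNT if users_in_scope(d, max_depth) > limit)


if __name__ == "__main__":
    for dept in HEADCOUNT:
        print(f"{dept:12} N-1: {users_in_scope(dept, 1):4}  "
              f"full hierarchy: {users_in_scope(dept):4}")
    print("scope > 50 users, N-1 filter:    ", over_broad_scopes(50, 1))
    print("scope > 50 users, full hierarchy:", over_broad_scopes(50))
```

Running the same check against a real organisation chart before enabling any hierarchical option shows which managers' scope, and notification volume, would grow the most.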