Improve composite and single role rule

What is a one sentence summary of your feature request?

Allow dimension values to be forced in composite role and single role rule

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

To address several of our client needs, we are facing certain constraints and limitations in the use of parametric roles. Although we can create single non-parametric roles as a workaround, it adds complexity (more single roles/single role rules).

Here is the list of use cases we have:

  • A Single Role grants permission for an application on a specific scope (e.g., per Country).
  • A Role that needs to grant permission for a larger scope (e.g., per Region).

We can either:

  1. Create a non-parametric single role for the region and map it to all corresponding resources. Doing so would lead to having a resource linked to multiple single roles (loss of governance).

  2. Create a single role for each country and map them to their resource. Then, create a composite role for each region and link them to the single roles, therefore increasing the number of roles.

A potential improvement for NIM could be:
On single role rules (and composite role rules), provide an option to “force” the parameter (e.g., dimension) to be sent to the linked single role.

As a result, the composite role “region” is linked via multiple single role rules, each linked to the single role “country” and forcing the parameter of the corresponding country.

Added value:

  • Limit the number of Single Roles.
  • Provide visibility on linked roles.
  • Avoid selection of irrelevant values as parameters.

How do you currently solve the challenges you have by not having this feature?

Flatten the role model.


Hi @Cedric, thanks for your submission!
We’ll review your request with the team, and update this thread with any insights. I’ll reach out for follow-up questions if needed. 🙂

Thanks!