Expand user authorization for specific object - optimal method?

  • January 5, 2026

Hi all, happy new year!  🎆

 

Is there a more efficient way to solve the user question below? 

User:

'I need access to "Invoice summaries"'


Okay, let's go:

  • Use SF "Translations" to find candidate entities, tasks and reports
  • Use SF "Menu --> shortest path" to find candidate screens where this property is found
  • Use the provided screenshot and user impersonation to find the actual screen in the end application
  • Use Alt-F1/"Location" in the end application to find the property name. It turns out not to be the screen "Invoice summaries", but the report that is generated via a task
  • The task name is task_summarize_invoices, it uses report invoice_overview
  • Use SF "Model rights", tab Tasks, and filter task_summarize_invoices
  • There are five roles that have this task: "all_rights", "invoicing_all_rights", "accounting_overview_all", "invoice_basic" and "create_invoice_summary"
  • I think I want to give the user access to "create_invoice_summary" or "invoice_basic", as they are not in accounting, and certainly don't need all rights
  • Use IAM "User groups", put a filter "invoice" on the detail tab "Authorization", to get a manageable list of twelve roles that contain %invoice% under "all_rights"
  • Next I go through all 75 groups, created by another department in another language, to find a group that has as few extra roles as possible in addition to the roles that the user already has access to via the groups the user is a member of.
  • Finally, make the user a member of the found user group, apply rights to the database, restart impersonation to verify, and have the user restart their application.

 

This is quite time consuming. 

 

It would be nice if there was a way in IAM to

  • Browse the complete authorisation model (as there is for example for the "all rights" role),
  • with the "Explain" button not listing just the first hit on a role, but
  • having it list all hits for
    • roles and especially
    • groups that give either read or read/write access to that property;
  • Bonus for having a task to give group membership to a user from there

In the meantime, do I overlook an obvious improvement to my workflow?
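
The group-selection step from the list above (find a group that carries an acceptable role while adding as few extra roles as possible), as an added example that is not part of the original post or of the SF/IAM tooling. It assumes the group-to-role and user-to-group mappings have been exported into dictionaries; the group names and the non-invoice role names are constructed.

```python
# Constructed sample data. Assumption: the group->role and user->group
# mappings have been exported from IAM into plain dictionaries.
ROLES_WITH_TASK = {  # the five roles that carry task_summarize_invoices
    "all_rights", "invoicing_all_rights", "accounting_overview_all",
    "invoice_basic", "create_invoice_summary",
}
ACCEPTABLE_ROLES = {"invoice_basic", "create_invoice_summary"}
GROUP_ROLES = {  # hypothetical user groups and their roles
    "grp_admins": {"all_rights"},
    "grp_accounting": {"accounting_overview_all", "invoice_basic", "ledger_read"},
    "grp_invoice_clerks": {"invoice_basic", "customer_read", "credit_note_write"},
    "grp_invoice_summary": {"create_invoice_summary", "customer_read", "order_read"},
    "grp_sales": {"customer_read", "order_read"},
}
USER_GROUPS = {"grp_sales"}  # the user's current memberships


def effective_roles(user_groups, group_roles):
    """Union of the roles the user already holds through current groups."""
    return set().union(*(group_roles.get(g, set()) for g in user_groups))


def rank_candidate_groups(user_groups, group_roles, acceptable, roles_with_task):
    """Return [(group, granting_roles, extra_roles)], fewest extra roles first.

    A group qualifies only if it carries an acceptable role and none of the
    task-bearing roles that were ruled out as too broad.
    """
    held = effective_roles(user_groups, group_roles)
    too_broad = roles_with_task - acceptable
    ranked = []
    for group, roles in group_roles.items():
        if group in user_groups:
            continue  # already a member
        if not (roles & acceptable) or (roles & too_broad):
            continue  # does not grant the task, or grants it too broadly
        extra = roles - held - acceptable  # new privileges beyond the request
        ranked.append((group, sorted(roles & acceptable), sorted(extra)))
    return sorted(ranked, key=lambda r: (len(r[2]), r[0]))


if __name__ == "__main__":
    for group, grants, extra in rank_candidate_groups(
            USER_GROUPS, GROUP_ROLES, ACCEPTABLE_ROLES, ROLES_WITH_TASK):
        print(f"{group}: grants {grants}, extra roles {extra}")
```
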

 

3 replies

Renée Evertzen
Moderator

Hey @Boudewijn-202

I think your workflow is quite accurate and currently there is no better solution to do this. This is due to the fact that part of the model and its corresponding rights are saved in the Software Factory, but only together with the user settings as well as the user groups does this create the rights structure as a whole, thus making it quite hard to reason from the perspective of a model object, especially when viewed from an IAM administrator viewpoint.

However, I understand the origin of your question and if you can mold this into a coherent and understandable idea, feel free to do so, so it can be looked into.

Kind regards,

Renée 


@Boudewijn-202 I’m working on a script to tackle these kinds of problems. Basically a search Deluxe. If the script works like I intend it to, I can share it with you.


  • Author
  • Apprentice
  • January 8, 2026

Thanks for both of your thoughts. 

 

@Renée Evertzen Yes, I’m aware it’s basically a one-way street from SF to IAM effective rights. Only functionality that is actually assigned a role is synced as model objects. Without an “all rights” group it would be impossible from an IAM perspective to even know whether a certain object exists or not. 

It’s a nasty nut to crack, I don’t see myself coming up with an elegant proposal any time soon.

@Erwin Ekkel That would be great!