
Hi, 

A small question regarding IAM and what’s possible. 

Say the Client has several 100 employees and wants to manage the User Groups and users. 

We have created all the Roles/User groups in SF. 

HOWEVER, maybe my client bought the module ‘Managing goods’ but NOT the module ‘Manage Finance’. 
The problem I now face is that since the Client can manage Roles/Groups and users, he can grant access to ‘Manage Finance’ to user X. Et voila, suddenly he can do stuff he is not paying for. 


What I need/want is a layer where I as a dev/PO can set which User Groups the client can see/use. And when a new module is developed, I do not want to go visit all my clients and set up this new group, and manage rights and all. I want the least amount of work on this. 


Any advice on how to manage this? 

Thanks!

Alex

Hi Blommetje,

I’m assuming you are using tenants in IAM to separate the various customers.

First off, the roles should be categorized into the various modules, such as Managing goods and Manage Finance, in the Software Factory.

Once synchronized to IAM, a specific application limited to certain modules should be made. A Main Administrator or Application Administrator can limit the available roles via module authorization on said application. (This application may use the same multi-tenant product database as other applications, but do note that system flow scheduling is done per application, not per database).

The customer should have an Application owner assigned for this specific application. This results in the customer only being able to assign roles made available via the module authorization.

Naturally, for full self-care this customer should also have a User Administrator and a Group Administrator.