Possibilities IAM for Users/Modules and admins

Question

Hi,

A small question regarding IAM and what’s possible.

Say, the Client had several 100 employees and wants to manage the User Groups and users.

We have created all the Roles/User groups in SF.

HOWEVER, maybe my client bought the module ‘Managing goods’ but NOT the module ‘Manage Finance’.
The problem I now face is that since the Client can manage Roles/Groups and users, he can grant access to ‘Manage Finance’ to user X. Et voila, suddenly he can do stuff he is not paying for.

What I need/want is a layer where I as a dev/PO can set which User Groups the client can see/use. And when a new module is developed, I do not want to go visit all my clients and setup this new group, and manage rights and all. I want the least amount of work on this.

Any advice on how to manage this?

Thanks!

Alex

icon

Best answer by Anne Buit 11 May 2023, 15:34

View original

Anne Buit · Accepted Answer

Hi Blommetje,I’m assuming you are using tenants in IAM to separate the various customers.First off, the roles should be categorized into the various modules, such as Managing goods and Manage Finance in the Software Factory.Once synchronized to IAM, a specific application limited to certain modules should be made. A Main Administrator or Application Administrator can limit the available roles via module authorization on said application. (This application may use the same multi-tenant product database as other applications, but do note that system flow scheduling is done per application, not per database).The customer should have an Application ownerassigned for this specific application. This results in the customer only being able to assign roles made available via the module authorization.Naturally, for full self-care this customer should also have an User Administrator and a Group Administrator.

Sign up

Login to the Thinkwise Software Community

Scanning file for viruses.

This file cannot be downloaded