
Hello,


We have a use case in which we want users of our developed end application to be able to add new users and manage the access level of those users. We would not like to give those users access to IAM, because there is a possibility we want users from our customers to be able to do this.

We know of the IAM API layer which you can use to:

  • Add users to IAM
  • Add a new user group
  • Assign roles to a user group

We are interested in knowing how far we can go with this API layer. Can we, for example, also create a new role in which we can grant access to very specific columns in a table? Or do those roles always have to be predefined in the SF, so that we can only assign those predefined roles to existing or newly created user groups?


Thanks in advance. If the question needs more clarification please let me know.

Roles are always constructed in the SF. There are some customers who have built micro roles, and by adding these micro roles to a group you sort of mimic the role creation from the SF. You could automate this role creation using the dynamic model. However, this will lead to an abundance of roles in the SF and IAM. You could also create a system like this within the application itself. But I'm not sure how secure that would really be, since you would still need to have access to more columns than assigned.

If someone who has actually built a system like this can provide additional information, that would be greatly appreciated.


Note that IAM supports multi-tenancy. Because of this, an environment with multiple customers administrating their own user base shouldn’t be a problem.

User Administrators, User Group Owners and User Group Administrators can only see, manage and add users within their own tenant. In your scenario, a tenant would be a specific customer.
