The scenario is this... I have hundreds of groups in eDirectory that are
exposed to UA as entitlements using a loopback driver.
For each group, a resource has been created.
Then, dozens of roles have been created, that grant anywhere from 10 to
50 of these resources.

So far, no problem.

Over in iManager land, I have groups of users that get roles that allow
them to manage users in specific OUs.

Again, no problem.

Now, I have delegated View Role, Assign Role to User, and Revoke Role
from User for the roles that are specific to each group of users.

Basically... "Dept A Admins" can manage users in the "DeptA" OU in
iManager... and have rights to see, assign, and revoke the "DEPTA-*"

However... while they can only see their roles, they have the ability to
assign these roles to any user in the tree. ruh-roh!

Is there any way to limit WHO these delegated administrators can assign
roles to? One initial thought is to assign a custom approval workflow
that just looks to see if the recipient is in an OU whose users are
allowed to get the role...

However, I have no idea at all how to effect that since I have zero
experience with expressions in the PRD editor.

kbuley's Profile:
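The check the question sketches, as an added example that is not code from the original post or from the User Application: a Python stand-in for the rule "approve only if the recipient sits in a container this role family may be assigned into". It is not the PRD editor's ECMAScript (that syntax is not shown on this page), and the role-prefix-to-container policy, the sample DNs and the names parse_dn, dn_in_scope, assignment_allowed and ROLE_SCOPE are all constructed for the example. What it shows beyond the post: the comparison has to be done RDN by RDN and case-insensitively, because "CN=Carol, OU=deptA, O=ORG" is the same entry as "cn=carol,ou=DeptA,o=org" to eDirectory but not to a plain string-suffix test, and a suffix test also cannot tell a real RDN boundary from a longer attribute type that merely ends in "ou". Unknown role families are denied, so the policy fails closed.

```python
# Added example (not from the original post or from the User Application):
# a Python stand-in for an approval-time "recipient must be in an allowed
# container" check. ROLE_SCOPE, the DNs and the function names are constructed.


def parse_dn(dn: str) -> list:
    """Split an LDAP-style DN into [(type, value), ...] RDNs.

    Backslash escapes are honoured so a comma inside a value ("Smith\\, John")
    does not split the RDN. Types are lower-cased and values case-folded so
    that comparisons are case-insensitive, as eDirectory name matching is.
    Multi-valued RDNs ("cn=a+sn=b") are not handled; they are rare in user DNs.
    """
    pieces, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if c == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    pieces.append("".join(buf))

    parsed = []
    for rdn in pieces:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        typ, val = rdn.split("=", 1)
        parsed.append((typ.strip().lower(), val.strip().casefold()))
    return parsed


def dn_in_scope(recipient_dn: str, allowed_containers) -> bool:
    """True if recipient_dn lies strictly below any allowed container.

    The match is on the trailing RDN sequence, not on the raw string, so
    'cn=x,subou=DeptA,o=org' is not accepted for 'ou=DeptA,o=org' even though
    the string ends with it. The container itself is not 'in' its own scope.
    """
    rec = parse_dn(recipient_dn)
    for container in allowed_containers:
        cont = parse_dn(container)
        if len(cont) < len(rec) and rec[-len(cont):] == cont:
            return True
    return False


# Constructed policy: role-name prefix -> containers its recipients may live in.
ROLE_SCOPE = {
    "DEPTA-": ["ou=DeptA,o=org"],
    "DEPTB-": ["ou=DeptB,o=org", "ou=DeptB-Contractors,o=org"],
}


def assignment_allowed(role_name: str, recipient_dn: str, policy=ROLE_SCOPE) -> bool:
    """Approval decision for one role request.

    Allowed only when the role belongs to a known family and the recipient is
    inside one of that family's containers. A role with no policy entry is
    denied rather than silently approved (fail closed).
    """
    for prefix, containers in policy.items():
        if role_name.upper().startswith(prefix):
            return dn_in_scope(recipient_dn, containers)
    return False


if __name__ == "__main__":
    # Constructed requests a delegated "Dept A Admin" might submit.
    for role, who in [
        ("DEPTA-Finance", "cn=alice,ou=DeptA,o=org"),
        ("DEPTA-Finance", "cn=bob,ou=DeptB,o=org"),
        ("depta-finance", "CN=Carol, OU=deptA, O=ORG"),
        ("DEPTA-Finance", "cn=eve,subou=DeptA,o=org"),
    ]:
        print(f"{role:15} -> {who:32} {'approve' if assignment_allowed(role, who) else 'deny'}")
```

The same decision, expressed in the workflow engine's own expression language, would need the recipient DN and the role name that the request form carries; only the containment rule itself is what the stand-in demonstrates.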