000030087 - Unable to use the User Scope Restriction in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jan 3, 2020. Version 4.

Article Content

Article Number: 000030087
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue: When trying to use the User Scope Restriction feature of RSA Authentication Manager 8.x to define an attribute-based administrative role, the following error is triggered:

There was a problem processing your request. Specified scope restriction condition PRINICIPAL.<attributename> IN {“<myvalue>”} is invalid.

The User Scope Restriction lets you restrict which users an administrator can manage within the administrative scope of the role. To restrict the user scope, you must specify an attribute condition.

Cause: The user has not created an Identity Attribute Definition, or the option Use to define conditions on administrative user management permission is not checked for that attribute in the Security Console, as shown below:

Resolution: To use the User Scope Restriction, first create an Identity Attribute Definition in the Security Console (Identity > Identity Attribute Definitions > Add New).
Confirm that Use to define conditions on administrative user management permission is checked for the attribute, as shown above.

Once you have an attribute defined for scope restriction and this option checked, you will be able to use the User Scope Restriction in administrative roles.

In this instance, the option was not checked, which triggered the error.
  • The syntax is PRINCIPAL.<attributename> IN {"<value>"}.
  • The syntax is case sensitive. PRINCIPAL and IN are always uppercase. The attribute name must match exactly the name you entered when creating the attribute above.
    • For example, if you create an attribute named Department, the condition will look like PRINCIPAL.Department IN { "RESEARCH"}.
    • Using PRINCIPAL.DEPARTMENT IN { "RESEARCH"} will fail.
    • With this working syntax, an administrator assigned the role can manage only users from the Research department.
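The following Python snippet is an added example, not code from RSA or from Authentication Manager. It models the two causes the article names (no Identity Attribute Definition with that exact name, or the definition exists but is not flagged for administrative conditions) together with the case-sensitive PRINCIPAL.<attributename> IN {"<value>"} syntax, so an administrator can pre-check a condition before pasting it into the Security Console. The IdentityAttributeDefinition class, the validate_scope_condition function and the regular expression are assumptions of this example; the article shows only a single quoted value, so support for several comma-separated values is an assumption as well.

```python
import re
from dataclasses import dataclass


# Constructed model of an Identity Attribute Definition as the article describes it:
# the name exactly as entered in the Security Console, and whether the
# "Use to define conditions on administrative user management permission" box is checked.
# This is an assumption of the example, not the product's data model.
@dataclass(frozen=True)
class IdentityAttributeDefinition:
    name: str
    use_for_admin_conditions: bool


# Pattern for the condition form shown in the article:
#   PRINCIPAL.<attributename> IN {"<value>"}
# Keywords are matched case-sensitively on purpose, so "principal", "in" or a
# misspelled keyword is rejected. Accepting several comma-separated quoted
# values inside the braces is an assumption; the article shows only one.
_CONDITION_RE = re.compile(
    r'^\s*PRINCIPAL\.(?P<attr>[A-Za-z_][A-Za-z0-9_]*)\s+IN\s*'
    r'\{\s*(?P<values>"[^"]*"(?:\s*,\s*"[^"]*")*)\s*\}\s*$'
)


def validate_scope_condition(condition, definitions):
    """Return (ok, message).

    ok is True when the condition would be accepted under the rules the article
    describes; otherwise message explains which rule was broken.
    """
    m = _CONDITION_RE.match(condition)
    if not m:
        # Wording mirrors the product error quoted in the Issue section.
        return False, f"Specified scope restriction condition {condition.strip()} is invalid."

    attr = m.group("attr")
    by_name = {d.name: d for d in definitions}  # exact, case-sensitive lookup

    if attr not in by_name:
        # Spot the common mistake from the article: right name, wrong case.
        close = [d.name for d in definitions if d.name.lower() == attr.lower()]
        hint = f" (did you mean {close[0]}? attribute names are case sensitive)" if close else ""
        return False, f"No Identity Attribute Definition named {attr}{hint}"

    if not by_name[attr].use_for_admin_conditions:
        return False, (f"Attribute {attr} exists but 'Use to define conditions on "
                       f"administrative user management permission' is not checked")

    values = re.findall(r'"([^"]*)"', m.group("values"))
    return True, f"OK: restricts role to users whose {attr} is in {values}"


if __name__ == "__main__":
    # Constructed sample definitions: one usable for admin conditions, one not.
    defs = [
        IdentityAttributeDefinition("Department", True),
        IdentityAttributeDefinition("CostCenter", False),
    ]
    for cond in ('PRINCIPAL.Department IN { "RESEARCH"}',
                 'PRINCIPAL.DEPARTMENT IN { "RESEARCH"}',
                 'PRINCIPAL.CostCenter IN {"100"}',
                 'principal.Department in {"RESEARCH"}'):
        print(cond, "->", validate_scope_condition(cond, defs)[1])
```

Running the block prints one verdict per sample condition: the article's working example passes, the uppercase DEPARTMENT variant is rejected with a case hint, the attribute without the checkbox is rejected with the cause from this article, and lowercase keywords fail to parse at all.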