000030087 - Unable to use the User Scope Restriction in AM8.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 3

Article Content

Article Number: 000030087
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 SP1
Platform: SUSE Enterprise Linux
Product Description: SecurID Appliance
Issue
When trying to use the "User Scope Restriction" feature of Authentication Manager 8.1 to define an attribute-based administrative role, the following error is triggered:
"There was a problem processing your request. Specified scope restriction condition PRINICIPAL.<attributename> IN {“<myvalue>”} is invalid"
"User Scope Restriction" allows you to restrict which users the administrator can manage within the administrative scope of this role. To restrict user scope, you must specify an attribute condition.
Cause
The user may not have created an Identity Attribute Definition (Identity > Identity Attribute Definitions > Add New in the Security Console), or the option "User to define conditions on administrative user management permission" in the Security Console is not checked, as shown below:
Resolution
To use the User Scope Restriction, first create an Identity Attribute Definition by going to Identity > Identity Attribute Definitions > Add New in the Security Console.
Then make sure the option "User to define conditions on administrative user management permission" in the Security Console is checked, as shown above.
Once you have an attribute defined to use for scope restriction and this option is checked, you will be able to use User Scope Restriction in administrative roles.
In this instance the option was not checked, which triggered the error "Specified scope restriction condition PRINICIPAL.<attributename> IN {“<myvalue>”} is invalid".
Notes
The syntax is PRINCIPAL.<attributename> IN {"<value>"}
The syntax is case sensitive. PRINCIPAL and IN are always uppercase. The attribute name must be exactly as you entered it when creating the attribute above.
For example, if you create an attribute named Department, your condition will look like this:
PRINCIPAL.Department IN { "RESEARCH"}
PRINCIPAL.DEPARTMENT IN { "RESEARCH"} will fail
The working syntax above restricts the administrative role so that the administrator can manage only users from the Research department.
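To make the case-sensitivity rules and the two preconditions (attribute definition exists, option checked) concrete, here is an added Python example. It is not RSA's code and not how Authentication Manager itself parses the condition; it checks a User Scope Restriction string against the syntax described in this article, reports why a condition would be rejected, and then evaluates an accepted condition against a sample user record. The regular expression, the list of defined attribute names, the `option_enabled` flag standing in for the Security Console checkbox, support for several comma-separated values inside the braces, and the exact-match comparison of values are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Documented form of a User Scope Restriction condition:
#   PRINCIPAL.<attributename> IN {"<value>"}
# This pattern is deliberately case-insensitive so that a condition with
# lowercase keywords still parses and can be reported as a keyword-case
# error instead of a generic syntax error. Accepting more than one quoted
# value inside the braces is an assumption of this example.
_SHAPE = re.compile(
    r'^\s*(?P<kw1>principal)\.(?P<attr>[A-Za-z_][A-Za-z0-9_]*)\s+(?P<kw2>in)\s*'
    r'\{\s*(?P<values>"[^"]*"(?:\s*,\s*"[^"]*")*)\s*\}\s*$',
    re.IGNORECASE,
)


@dataclass
class ScopeCondition:
    attribute: str   # name of the Identity Attribute Definition, exact case
    values: list     # allowed attribute values


def check_condition(condition, defined_attributes, option_enabled=True):
    """Validate a scope-restriction string.

    defined_attributes: names of the Identity Attribute Definitions that exist
        in the Security Console (assumed input for this example).
    option_enabled: models the "User to define conditions on administrative
        user management permission" checkbox.
    Returns (True, ScopeCondition) or (False, reason).
    """
    if not option_enabled:
        return False, ('the "User to define conditions on administrative user '
                       'management permission" option is not checked')
    m = _SHAPE.match(condition)
    if m is None:
        return False, ('condition does not have the form '
                       'PRINCIPAL.<attributename> IN {"<value>"}')
    if m.group("kw1") != "PRINCIPAL" or m.group("kw2") != "IN":
        return False, "keywords PRINCIPAL and IN must be uppercase"
    attr = m.group("attr")
    if attr not in defined_attributes:
        # Same name in a different case is the failure mode the article shows.
        lookalike = next((a for a in defined_attributes if a.lower() == attr.lower()), None)
        if lookalike is not None:
            return False, (f"attribute name is case-sensitive: no definition named "
                           f"{attr!r}, the defined attribute is {lookalike!r}")
        return False, (f"no Identity Attribute Definition named {attr!r}; create it "
                       "under Identity > Identity Attribute Definitions first")
    values = re.findall(r'"([^"]*)"', m.group("values"))
    return True, ScopeCondition(attr, values)


def in_scope(cond, user_attributes):
    """True if a user record (dict attribute name -> value) falls inside the
    role's user scope. Exact, case-sensitive value comparison is an assumption."""
    return user_attributes.get(cond.attribute) in cond.values


if __name__ == "__main__":
    defined = ["Department"]          # constructed: the attribute created in the console
    for cond_text in ('PRINCIPAL.Department IN { "RESEARCH"}',
                      'PRINCIPAL.DEPARTMENT IN { "RESEARCH"}',
                      'principal.Department in { "RESEARCH"}'):
        ok, detail = check_condition(cond_text, defined)
        print(cond_text, "->", "OK" if ok else f"rejected: {detail}")
    ok, cond = check_condition('PRINCIPAL.Department IN { "RESEARCH"}', defined)
    # constructed sample users
    for user in ({"Department": "RESEARCH"}, {"Department": "SALES"}):
        print(user, "in scope:", in_scope(cond, user))
```

Running the block prints that only the first condition is accepted, with the other two rejected for attribute case and keyword case respectively, and that only the RESEARCH user is within the role's scope.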
