Article Number
000030087
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
When trying to use the User Scope Restriction feature of RSA Authentication Manager 8.x to define an attribute-based administrative role, the following error is triggered:
There was a problem processing your request. Specified scope restriction condition PRINCIPAL.<attributename> IN {"<myvalue>"} is invalid.
The User Scope Restriction allows you to restrict which users the administrator can manage within the administrative scope of this role. To restrict user scope, you must specify an attribute condition.
Cause
The user has not created an Identity Attribute Definition, or the option Use to define conditions on administrative user management permission is not checked for that attribute in the Security Console.
Resolution
To use the User Scope Restriction, first create an Identity Attribute Definition via the Security Console (Identity > Identity Attribute Definitions > Add New).
Confirm that Use to define conditions on administrative user management permission is checked for that attribute.
Once an attribute is defined for scope restriction and this option is checked, User Scope Restriction can be used in administrative roles.
In this instance, this option was not checked, triggering the error.
Notes
- The syntax is PRINCIPAL.<attributename> IN {"<myvalue>"}
- The syntax is case sensitive. PRINCIPAL and IN are always uppercase. The attribute name must be exactly as entered when the attribute was created above.
- For example, if you create an attribute named Department, the condition looks like PRINCIPAL.Department IN {"RESEARCH"}.
- Using PRINCIPAL.DEPARTMENT IN {"RESEARCH"} will fail, because the attribute name does not match the defined name Department.
- With the working syntax, the administrative role is scoped so that the administrator can manage only users whose Department is RESEARCH.
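The following is an added example, not RSA code: a small pre-check for scope restriction conditions that catches the three failure modes the notes describe (wrong keyword case, attribute name not matching the Identity Attribute Definition exactly, and the "Use to define conditions" option not checked). The attribute_defs mapping and the DEFINED sample are constructed assumptions, not data read from Authentication Manager.

```python
import re

# Grammar of a User Scope Restriction condition as described in the article:
#   PRINCIPAL.<attributename> IN {"<value>", "<value>", ...}
# Each token is captured separately so the checker can say exactly what is wrong.
CONDITION_RE = re.compile(
    r'^\s*(?P<kw>[A-Za-z]+)\.(?P<attr>[A-Za-z0-9_]+)\s+(?P<op>[A-Za-z]+)\s*'
    r'\{\s*(?P<values>"[^"]*"(?:\s*,\s*"[^"]*")*)\s*\}\s*$'
)


def check_condition(condition, attribute_defs):
    """Return a list of problems with a scope condition; an empty list means it passes.

    attribute_defs maps each Identity Attribute Definition name (exact case) to
    whether "Use to define conditions on administrative user management
    permission" is checked for it. This is a hypothetical helper, not the
    Security Console's own validator.
    """
    # Typographic quotes pasted from a document are normalised before parsing
    # (assumption: the console expects ASCII double quotes).
    text = condition.replace('\u201c', '"').replace('\u201d', '"')
    m = CONDITION_RE.match(text)
    if not m:
        return ['condition does not match PRINCIPAL.<attributename> IN {"<value>"}']
    kw, attr, op = m.group('kw'), m.group('attr'), m.group('op')
    problems = []
    if kw != 'PRINCIPAL':
        problems.append('keyword "%s" must be exactly PRINCIPAL' % kw)
    if op != 'IN':
        problems.append('operator "%s" must be exactly IN' % op)
    if attr not in attribute_defs:
        # A case-only mismatch is the failure the article shows
        # (PRINCIPAL.DEPARTMENT versus the defined name Department).
        near = [n for n in attribute_defs if n.lower() == attr.lower()]
        if near:
            problems.append('attribute "%s" differs in case from defined "%s"' % (attr, near[0]))
        else:
            problems.append('no Identity Attribute Definition named "%s"' % attr)
    elif not attribute_defs[attr]:
        problems.append('"%s" is defined but "Use to define conditions on administrative '
                        'user management permission" is not checked' % attr)
    return problems


# Constructed sample: two attribute definitions, only Department enabled for scoping.
DEFINED = {'Department': True, 'Title': False}

if __name__ == '__main__':
    for cond in ['PRINCIPAL.Department IN {"RESEARCH"}',
                 'PRINCIPAL.DEPARTMENT IN {"RESEARCH"}',
                 'PRINCIPAL.Title IN {"Engineer"}']:
        print(cond, '->', check_condition(cond, DEFINED) or 'ok')
```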