Hello,
We need to prevent role owners from adding new members for their roles via standard Role Page.
For this purpose we tried to leverage the SecurityContext file functionality of VIA. However, we could not decide which is the correct action to set in a custom SecurityContext.csv that would enable Role Owners to
- change entitlements and metadata
- not add/remove members from the role
There is “Edit Entitlements” attribute but this does not provide privileges to modify role attributes.
Moreover, when we try to upload a securityContext.csv file with the data below, we get the warning “invalid action”. What are we doing wrong?
SECURE_OBJECT_TYPE,NAME,ACTION,IMPLICIT_HAS_QUERY,IMPLICIT_BS_CHANGE,IMPLICIT_BU_CHANGE,SCOPE_TABLE,SCOPE_FILTER
Role,Owner,Edit Entitlements,scope,,,t_av_roles,owner_id=${id}
Anyone has any idea?
Can we achieve required behavior with SecurityContext files? How?
Just curious- are you attempting to lock down just the role owner from managing members, or are you attempting to force ALL membership changes to go through a normal ARM request (admin or not)?
One setting you could change would be the roleset policy to "deny users as members"- this would effectively restrict anyone from adding a member through the role screen, but they can still request the role using an ARM form (add access, etc.). You can also still enforce the membership rule.
I think this may be your best/only option- the problem is that, even if you get the "edit entitlements" working, you still also need to assign "edit" to allow editing the description/name/etc., which would then give you members again.