We have a few roles in which a membership rule is specified.
Is there any way we can disable the membership rule edit option for Role owners?
You mention a 'few' roles; does this mean you require different capabilities for different roles? What is the purpose of the Role Owner? Are they required to edit any part of the Role, or are they simply used for approval purposes?
You may find the following post useful: How to remove the edit option for Role Owners. However, please consider the OOTB approaches first.
Please read and understand the following if using Security Context - Security Context
Hi Clive Morrish,
Thank you for your update.
There are two types of roles we have created. One uses the membership rule; the members will be automatically pulled into the roles.
The other is manual; the Role owner will add/remove the members.
Role owners who are part of automated roles shouldn't be able to edit the membership rule.
In order to keep track of the role owners, we have specified role owners and backup owners in automated roles.
So we are looking to disable the membership edit option for role owners.
Sorry if I've not quite understood, but what is the job/function of Role owners of the automated roles (e.g. are they used for approval or reviews)?
If you were to remove them as Role Owners, what would be the impact?
Were you able to resolve this issue or do you still require assistance?
This thread is idle so I am marking it as assumed answered.
I think it is a valid point. Owners of a role set or role can change all aspects of that object. In some cases you don't want that as owner of the IAM System. The system should allow for policies that cannot be changed by the owner of the object.
For roles you can now only set the option to allow or disallow users as members. Disallowing removes the role owner's ability to add members to the role and change the membership rule. A more fine-grained option, like adding users, changing the rule and enabling automatic creation of the changes, would greatly enhance the system.
If I recall correctly, I created an enhancement request for this in the past but cannot find it any more, so I will create a new one.