Under IdentityIQ we would like to be able to restrict who makes LCM requests for whom, based on the Company someone works for. If we have a Company as a field on the Identity, is this possible? Assuming it takes a rule to set up, has anyone got some sample code that they are willing to share?
Configuring this setup under IdentityIQ 5.2 and latter versions is relatively easy to do. There are out of the box settings for restricting who can make requests for whom in the LCM interfaces. There are also out of the box configuration settings that allow you to configure IIQ to restrict what Roles (Bundles), Applications (for new account requests), and Entitlements can be requested by any specific user. This second item is related to what access can be requested, and is noted here because these two features are often configured at the same time. Configuring these settings does not necessarily require creation of a rule but the option of specifying a rule is provided in case your specific deployment has complex needs for filtering what is request-able for a user.
IIQ has basically 4 groups of configuration for LCM request: Self Service, Manager Request, Help Desk request, and All Users. These can be seen in your browser, logged into IIQ as 'spadmin', browse to: System Setup -> LCM Configuration. (Note: IdentityIQ systems without the LCM package installed will not be able to see these options; speak with your Account Manager if you are interested in a demonstration of these features.) There are several sections that govern different parts of who can request what. For Managers, see "Population Managers request authority" section, specifically the "Share attributes with the Requester" option. This is where you can configure a company-attribute match on your system. The attached screen capture shows this option highlighted in an oval.
The default behavior is for parties to have self-service request rights and for Managers to have request permissions for people who report to them in their managerial hierarchy. For Manager's or Help Desk personnel making "on behalf of" requests for their reporting employees there is the option to filter the people that the person can make requests of by the the Company (or any identity attribute that you specify). The default behavior is to filter the Applications and Roles to present only the apps and roles that are part of the requester's controlled scopes list. Often Scopes are all that is needed to configure this. If you wan to use rules to filter what Applications or Roles are request-able see the following:
1) Self Service :: Object Request Authority :: Roles rule, Applications Rule, Managed entitlements Rule
2) Managers :: Managers Request Authority :: Roles rule, Applications Rule, Managed entitlements Rule
3) Help desk... same settings you get the idea
These rules are called " RequestObjectSelector" rules and there are examples both in "examplerules.xml" that ships with the product.