Skip to Content

Restricting access to Groups in IdM

Recently I came across an interesting question on how to deal with situations when you may have several companies or groups within your organization which are using the same Identity Store. In such cases, there would be requirements to prevent users of different companies/groups to see each other’s data.

Typically, there would be an administrator for Group A to manage the users and roles for Group A. This administrator would not be given access to view and manage details of Group B. In order to achieve this, you would need an attribute which can distinguish users and business roles. If you already have such an attribute in your system, that would be a perfect candidate for this. If not, you could create one as below.

Let’s consider the groups being referred to as countries (say France and Germany). Create a Multivalue attribute called Country as shown below.


Make sure it is selected for the Entry Types – MX_PERSON and MX_ROLE


Now, all the users and roles have to be populated with the attribute Country. You could either do it manually using the IdM UI (if entries are less) or use a file upload to update users and roles. Usually users would belong to one location. But a role could be reused for several locations. Hence, I had created the Country attribute as Multivalue.

I have added the country attribute to the Change Business Role UI task and provided both the country as values as this is a common role across all groups.


After the data is maintained, navigate to the Entry Type MX_PERSON and maintain the Access Limitations section. Repeat the same for MX_ROLE.


Navigate to the IdM UI and login as Group A Administrator. Under Manage Tab, you should be only able to see users/roles belonging to Group A. However, both the Administrators would be able to see the business role Accounts Payable as it has been populated with both the countries.

In this way you could restrict access within different groups. Hope you found this information useful.

Be the first to leave a comment
You must be Logged on to comment or reply to a post.