IDM RBPM - How to hide a Process Request / Workflow from certain users

  • 7023784
  • 20-Mar-2019
  • 21-Mar-2019

Environment


Identity Manager 4.7 Role Based Provisioning Module

Situation


How do you hide a Process Request / Workflow from particular users?

For example, how do I hide the DC-Test process request in the image below from specific users?

Resolution

Whether a user sees a process request is controlled by object browse rights in the Identity Vault (eDirectory). Removing those browse rights removes the object from the list shown when a process request is being created. By default, users have the right to browse objects in the Identity Vault, so to hide a process request from users you need to remove the browse object rights to that process request. This requires an inherited rights filter to be placed on the process request. Before doing so, you need to grant explicit rights at that level so the process request does not become hidden from everyone in the tree (including admin objects). Once the desired explicit rights are in place at the process request, you can apply an inherited rights filter to remove the rights from all the rest of the users.

Here are the steps to hide a process request / workflow.
1. Grant explicit administrative rights at the process request. This can be done by granting Supervisor Object rights to the process request.

Select Modify Trustees on the process request.




Add the trustees you want to grant rights to the process request. You should add at least one Admin user to the trustee list with all rights (Supervisor Object rights). It is recommended to add one admin user first, grant it Supervisor Object rights, and save the change, then add other users. If you mistakenly grant yourself no rights, you can remove the rights you are inheriting and break your rights to the object. Make sure at least one user has Supervisor Object rights to the object before proceeding.


Supervisor Object rights give all rights to the object and its attributes, so that is all that is needed for your admin object(s).


Remove any trustees that grant explicit browse rights at the process request / workflow. In the example above, the data container (below which the user objects reside) is granted explicit Browse, Read and Compare rights. This assignment needs to be removed; then click OK once the rights are correct. Additionally, you will need to explicitly add the users or groups that you want to see the process request. Grant those user / group objects Browse entry rights and Read and Compare attribute rights. This is because we will be filtering out all rights flowing down to this object, so you need to add rights back for the objects you do want to see it. Then click OK.


2. Add an Inherited Rights Filter on the process request / workflow you want to hide.




Add an inherited rights filter (IRF) on all attribute rights and all entry rights, then click OK. Unchecking an attribute means: do NOT allow rights to that attribute to flow down.



3. Log in as the user; they should no longer see the process request you have removed browse rights to.
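
The following added example (a simplified Python model written for this page, not NetIQ code and not eDirectory's actual rights algorithm) shows why step 1 must come before step 2 and why a leftover container trustee defeats the filter. It assumes that explicit trustee assignments on the object are not affected by the IRF while inherited rights are; all object names are constructed.

```python
# Added illustration: a simplified model of the rights logic, not eDirectory code.
# All object names below are constructed for the example.
ALL = {"supervisor", "browse", "read", "compare"}
VIEW = {"browse", "read", "compare"}

# Subjects each user acts as: itself, its container, its groups.
USERS = {
    "admin": ["cn=admin,o=system"],
    "alice": ["cn=alice,o=data", "o=data", "cn=approvers,o=data"],
    "bob":   ["cn=bob,o=data", "o=data"],
}
# Rights flowing down the tree to the process request before any change.
INHERITED = {"cn=admin,o=system": {"supervisor"}, "o=data": set(VIEW)}

# Step 1 done correctly: explicit admin trustee plus the group allowed to see it.
STEP1 = {"cn=admin,o=system": {"supervisor"}, "cn=approvers,o=data": set(VIEW)}
# Same, but the explicit trustee for the data container was never removed.
LEFTOVER = dict(STEP1, **{"o=data": set(VIEW)})

def effective_rights(user, explicit, irf_blocked):
    """Rights a user holds on the process request under this model."""
    rights = set()
    for subject in USERS[user]:
        if subject in explicit:
            rights |= explicit[subject]  # explicit trustee: not filtered
        else:
            rights |= INHERITED.get(subject, set()) - irf_blocked
    return rights

def visibility(explicit, irf_blocked):
    """Map each user to whether the process request is visible to them."""
    return {u: bool(effective_rights(u, explicit, irf_blocked)
                    & {"browse", "supervisor"})
            for u in USERS}

if __name__ == "__main__":
    print("default          ", visibility({}, set()))
    print("IRF only         ", visibility({}, ALL))        # everyone locked out
    print("step 1 then IRF  ", visibility(STEP1, ALL))     # admin + approvers
    print("leftover trustee ", visibility(LEFTOVER, ALL))  # bob still sees it
```
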