Scopes
Scope is used to determine the objects to which a user has access. If scoping is active, identities can only see objects that they created or that are within the scopes they control. IdentityIQ capabilities control the components within the product to which a user has access; scope controls access to the individual objects within those components. For example, a user might be able to access the Identity Search page; however, the Application and Role drop-down lists only display applications and roles that are contained within a scope they control.
Scope is referred to in two ways: controlled scope and assigned scope. Assigned scope is the scope assigned to an identity or object manually, automatically, or through aggregation and correlation. Controlled scopes are the scopes to which an identity has access. You can only see objects that are within your controlled scopes, that you created, or possibly that have no scope assigned. Controlled scope is hierarchical: if you control a parent scope, you also control any child scopes contained within it.
Use the Configure Scoping page to create new scopes, edit existing scopes, and configure scoping for your enterprise.
Note: If you manually create scopes they should be associated with existing identity attributes or be defined in a scope correlation rule.
To create a new scope, right-click Scopes and select New to display the Create Scope page. Enter the scope name and click Create to return to the Scope page. Use the Scope Correlation Rule to correlate identities with the correct scopes.
To edit an existing scope, right-click the scope and select Edit to display the Edit Scope page. You can only edit the display name.
Drag and drop existing scopes to create a scope hierarchy.
To delete a scope, right-click the scope and select Delete to display the Delete Scope page. The Delete Scope page contains the following:
Assigned Scope Replacement
Reassign objects to a different scope upon deletion.
Authorized Scope Replacement
Assign an authorized scope to replace the one to be deleted.
Delete Child Scopes
Delete all child scopes in the scope hierarchy.
Use the Configure Scoping page to configure scope assignment and correlation. The Configure Scoping page contains the following:
Enable Scoping
When checked, scoping mechanisms are enabled. Scopes do not take effect until this is enabled, even if the scopes are already defined and assigned.
Note: You must run an identity refresh task with the refresh scope option enabled before scope configuration changes are visible.
Note: Deselecting this option is useful in troubleshooting performance issues.
Identity Attribute
Select an identity attribute from the drop-down list to use for scoping.
A scope is created for each value of the selected attribute aggregated during the identity refresh task. This attribute is used to correlate identities to their assigned scope.
Scope Correlation Rule
Select a rule to use to correlate scopes and identities during aggregation and refresh tasks. If no scope is found that correlates to the value returned by an attribute, one is created.
Scope correlation rules enable more flexibility in scope assignment than specifying a single identity attribute.
Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.
Scope Selection Rule
Select a selection rule to use if the identity attribute or scope correlation rule returns more than one value for the assigned scope of an identity.
For example, if department is specified as the scope identity attribute and the identity aggregation task returns more than one value for department for an identity, this rule determines which value to use as the assigned scope.
Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.
Unscoped Objects Globally Accessible
When selected, all objects that do not have an assigned scope are available to all users.
When cleared, all objects that do not have an assigned scope are only available to system administrators.
Identity Controls Assigned Scope
When selected, identities automatically control the scope to which they are assigned.
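To make the visibility rules on this page concrete, the following is an added Python model of the scope decision (illustration only, not IdentityIQ code): hierarchical controlled scopes, creator access, the unscoped-objects setting, and identities controlling their assigned scope. The scope names, identities and objects are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed scope hierarchy: child scope -> parent scope (None at the top).
SCOPE_PARENT = {"Corp": None, "Finance": "Corp", "Payroll": "Finance",
                "Engineering": "Corp"}

def scope_and_ancestors(scope):
    # A scope plus every parent above it, walking up the hierarchy.
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT[scope]
    return chain

@dataclass
class ScopingConfig:
    enabled: bool = True                       # Enable Scoping
    unscoped_globally_accessible: bool = True  # Unscoped Objects Globally Accessible
    identity_controls_assigned_scope: bool = False

@dataclass
class Identity:
    name: str
    assigned_scope: Optional[str] = None
    controlled_scopes: Set[str] = field(default_factory=set)
    system_admin: bool = False

@dataclass
class Obj:
    name: str
    assigned_scope: Optional[str]
    created_by: str

def effective_controlled_scopes(identity, cfg):
    scopes = set(identity.controlled_scopes)
    if cfg.identity_controls_assigned_scope and identity.assigned_scope:
        scopes.add(identity.assigned_scope)
    return scopes

def can_see(identity, obj, cfg):
    # Visibility decision for one object, following the rules described above.
    if not cfg.enabled:                      # scoping off: nothing is hidden
        return True
    if obj.created_by == identity.name:      # creators always see their objects
        return True
    if obj.assigned_scope is None:           # unscoped object: setting decides
        return cfg.unscoped_globally_accessible or identity.system_admin
    # Controlling a parent scope implies controlling every child below it.
    controlled = effective_controlled_scopes(identity, cfg)
    return any(s in controlled for s in scope_and_ancestors(obj.assigned_scope))
```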