Using a synchronized partition, I see the AD groups have been pushed to OPA. I can open the user experience Identity Framework and see the AD groups, and members of the group are populated, so I know OPA is aware of the AD group and the users who are in that group.
I have lists on my Entity and use Security to limit users who are able to see the list. I created OPA Roles and assigned membership to the AD Group in OTDS so the users are able to see the lists, but this has created an extra administrative step: when a new AD group is needed, I must create another Role in OPA, set security and manage the assignment in OTDS.
The preferred solution would be to use the AD group that is pushed from OTDS to OPA directly.
Any suggestions?