Skip to main content
Skip table of contents

Limit role to access certain instances of Identity Manager client

This article is valid for Smart ID 20.11.2 and later. 

This article describes how to use instance ID and role configuration to limit the access to a certain instance of Identity Manager Operator. For example, this can be useful if there are two instances which are intended for use on the internet and intranet, respectively. 

Step-by-step instruction

Set instance ID property

On Docker deployment, Smart ID 20.06 or later
Update instance ID in docker-compose.yml
  1. Navigate to the docker\compose folder of the Identity Manager client instance, for example: 

    Example: docker-compose.yml folder

    \docker\compose\identitymanager\operator

  2. Open the file docker-compose.yml for editing.
  3. Add a system.properties.idmInstanceId entry with a unique and descriptive instance ID name: 

    Example: instance ID in system.properties

    CODE
    services:
      idm-operator:
        ...
        labels:
    		...
            - "system.properties.idmInstanceId=instanceName"
  4. Save the file.

On legacy installation, 3.12.x or older
Update instance ID in system.properties
  1. Navigate to the WEB-INF\classes folder of the Identity Manager client instance, for example: 

    Example: system.properties folder

    \tomcat\webapps\prime_explorer\WEB-INF\classes

  2. Open the file system.properties for editing.
  3. Update idmInstanceId to a unique and descriptive name: 

    Example: instance ID in system.properties

    CODE
    #In a multi-node env the instance ID is the value that uniquely identifies each Tomcat
    idmInstanceId=instanceName
    The old property detailedUserInformationCreator.explorerInstanceId also still works for the same setting.
  4. Save the file. 

Set available instance IDs in role

Update role configuration in Identity Manager Admin

To limit an Identity Manager role to only access certain instances, update the Instance Ids field in the Role configuration with one or more idmInstanceId values that were configured in system.properties.

For more information, see the section For roles: Limit access to certain instance IDs in Set permissions from Identity Manager users or roles.

Example use case: internet and intranet instances

Example use case: internet and intranet instances of Identity Manager Operator

Settings

Instances of Identity Manager Operator:

  • instanceId = Internet
  • instanceId = Intranet

Roles: 

  • Administrator: limited to Intranet
  • User: all instances available.
    This is set by leaving the Instance Ids field empty in the Role settings.  

User:

  • admin, with assigned roles: Administrator, User

Resulting behavior

  • When the admin user logs into Identity Manager Operator using the Tomcat instance Intranetthey will have the role Administrator.
  • When the admin user logs into Identity Manager Operator using the Tomcat instance Internet, they will have the role User.


If no instanceId is set in system.properties, then a user that logs in to that instance will only be able to use roles that are available on every instance. 

With the scenario above, this means:

  • When the admin user logs in to an instance without instanceId, they will have the role User.

 

Related information

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.