Limit role to access certain instances of Identity Manager client

This article is valid for Smart ID 20.11.2 and later.

This article describes how to use instance ID and role configuration to limit the access to a certain instance of Identity Manager Operator. For example, this can be useful if there are two instances which are intended for use on the internet and intranet, respectively.

Step-by-step instruction

Set instance ID property

On Docker deployment, Smart ID 20.06 or later

Update instance ID in docker-compose.yml

Navigate to the docker\compose folder of the Identity Manager client instance, for example:

Example: docker-compose.yml folder

\docker\compose\identitymanager\operator
Open the file docker-compose.yml for editing.

Add a system.properties.idmInstanceId entry with a unique and descriptive instance ID name:

services:
  idm-operator:
    ...
    labels:
		...
        - "system.properties.idmInstanceId=instanceName"

Save the file.

On legacy installation, 3.12.x or older

Update instance ID in system.properties

Navigate to the WEB-INF\classes folder of the Identity Manager client instance, for example:

Example: system.properties folder

\tomcat\webapps\prime_explorer\WEB-INF\classes
Open the file system.properties for editing.
Update idmInstanceId to a unique and descriptive name:
```
#In a multi-node env the instance ID is the value that uniquely identifies each Tomcat
idmInstanceId=instanceName
```
The old property detailedUserInformationCreator.explorerInstanceId also still works for the same setting.
Save the file.

Set available instance IDs in role

Update role configuration in Identity Manager Admin

To limit an Identity Manager role to only access certain instances, update the Instance Ids field in the Role configuration with one or more idmInstanceId values that were configured in system.properties.

For more information, see the section For roles: Limit access to certain instance IDs in Set permissions from Identity Manager users or roles.

Example use case: internet and intranet instances

Example use case: internet and intranet instances of Identity Manager Operator

Settings

Instances of Identity Manager Operator:

instanceId = Internet
instanceId = Intranet

Roles:

Administrator: limited to Intranet
User: all instances available.
This is set by leaving the Instance Ids field empty in the Role settings.

User:

admin, with assigned roles: Administrator, User

Resulting behavior

When the admin user logs into Identity Manager Operator using the Tomcat instance Intranet, they will have the role Administrator.
When the admin user logs into Identity Manager Operator using the Tomcat instance Internet, they will have the role User.

If no instanceId is set in system.properties, then a user that logs in to that instance will only be able to use roles that are available on every instance.

With the scenario above, this means:

When the admin user logs in to an instance without instanceId, they will have the role User.

Related information

Set permissions from Identity Manager users or roles