We're using OIM 11.1.2.3.
I have an admin role that has some kind of User capability, e.g. "User - Change Password" and has scope of control over user_org_1.
I assign a manager from user_org_2 to this admin role.
When this manager goes to Manage > Users a list is displayed with everyone from user_org_1 and they have the ability to change the passwords of these users (as expected).
However, the list also contains 'self' (the manager themselves), plus anyone who reports to them, plus their manager, all from user_org_2. All of these user_org_2 people can be fully edited.
We can lock down 'self' but can't find a way to prevent them changing other non-user_org_1 people.
Ideally we would like to prevent any non-user_org_1 people from being displayed in the list. (We don't want manager changing user info in OIM - it should all be done in the HR system and reconciled into OIM).
Anyone know how we can configure this?
Thanks in advance
- Louise