Permission conditions
To better meet your org's security needs, you can modify the view and edit profile attributes permissions in a custom admin role by adding conditions.
When you expand the Add conditions section for the View users and their details and Edit users' profile attributes permissions, Operator and Attribute fields appear. You can use the Attribute field to select one or more profile attributes. The Operator field allows you to include or exclude those attributes from the role.
There are several important things to note when using permission conditions:
- Admins with conditioned permissions can't run imports in the Profile Editor.
- In addition to any included attributes, admins with conditioned permissions can only view the First name, Last name, Username, Primary email, or Mobile phone base profile attributes. You can't restrict admins from viewing these attributes.
- Excluded attributes can still be viewed in SAML-based API responses.
- Admins can only search using the profile attributes they have access to. If they're assigned one role that includes an attribute and another role that excludes it, the attribute is granted to the admin.
- For an admin to search for a user by profile attribute, they must be able to access that attribute on all users in the org.
- If you disable the functionality, your configured permission conditions are removed.