Permission conditions

Early Access release. See Manage Early Access and Beta features.

To better meet your org's security needs, you can add conditions to the view and edit profile attribute permissions in a custom admin role.

When you expand the Add conditions section for the View users and their details and Edit users' profile attributes permissions, Operator and Attribute fields appear. You can use the Attribute field to select one or more profile attributes. The Operator field allows you to include or exclude those attributes from the role.

There are several important things to note when using permission conditions:

  • Admins with conditioned permissions can't run imports or preview mappings in the Profile Editor.

  • You can't restrict admins from viewing the First name, Last name, Username, Primary email, or Mobile phone attributes.

  • Excluded attributes can still be viewed in SAML-based API responses.

  • Admins can only search using the profile attributes they have access to. If they're assigned one role that includes an attribute and another role that excludes it, the attribute is granted to the admin.

    • For an admin to search for a user by profile attribute, they must be able to access that attribute on all users in the org.
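
The role-combination rule above can be checked before roles are assigned. This is an added example, not Okta code: a small Python model of the include and exclude behavior described on this page that reports exclusions with no effect for a given admin. The role names, the attribute names other than the five always-visible ones, and the rule that a permission without conditions exposes every attribute are assumptions made for illustration.

```python
# Added example: models the include/exclude rules described on this page.
# Attributes the page says can never be hidden from an admin.
ALWAYS_VISIBLE = {"First name", "Last name", "Username", "Primary email", "Mobile phone"}

def role_grants(condition, all_attrs):
    """Attributes one role exposes. condition is None or (operator, attributes)."""
    universe = set(all_attrs) | ALWAYS_VISIBLE
    if condition is None:            # assumption: no condition means every attribute
        return universe
    operator, attrs = condition
    if operator == "include":
        return (set(attrs) & universe) | ALWAYS_VISIBLE
    if operator == "exclude":
        return (universe - set(attrs)) | ALWAYS_VISIBLE
    raise ValueError(f"unknown operator: {operator!r}")

def effective_attributes(roles, all_attrs):
    """Union across roles: an attribute granted by any role is granted to the admin."""
    granted = set()
    for condition in roles.values():
        granted |= role_grants(condition, all_attrs)
    return granted

def ineffective_exclusions(roles, all_attrs):
    """Map each excluded attribute the admin can still see to the roles exposing it."""
    grants = {name: role_grants(cond, all_attrs) for name, cond in roles.items()}
    findings = {}
    for cond in roles.values():
        if cond is None or cond[0] != "exclude":
            continue
        for attr in cond[1]:
            exposing = sorted(n for n, g in grants.items() if attr in g)
            if exposing:
                findings[attr] = exposing
    return findings

# Constructed sample: two custom roles assigned to the same admin.
SAMPLE_ATTRS = ALWAYS_VISIBLE | {"Department", "Employee number", "Cost center"}
SAMPLE_ROLES = {
    "Helpdesk viewer": ("exclude", {"Employee number", "Username"}),
    "HR viewer": ("include", {"Department", "Employee number"}),
}

if __name__ == "__main__":
    print(sorted(effective_attributes(SAMPLE_ROLES, SAMPLE_ATTRS)))
    for attr, names in sorted(ineffective_exclusions(SAMPLE_ROLES, SAMPLE_ATTRS).items()):
        print(f"exclusion of {attr!r} has no effect; exposed by: {', '.join(names)}")
```

In the sample, the Helpdesk role's exclusion of Employee number is overridden by the HR role, and its exclusion of Username never applies because that attribute is always visible.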

Related topics

About role permissions

Work with the role component