Please note that there is more than one method to accomplish this. Knowledge Article 126429, How to set-up Read-Only access for Employees, outlines how to accomplish the same result by creating a new permissions group. The following steps outline how to accomplish this by making a copy of an existing permissions group.
1. In Designer, create a new permissions group with "View" permissions on the Person table, or copy an existing group that already has these permissions ("View" should also be assigned to each of the columns for the table).
Copying a group simplifies matters because the user interface parameters already exist. You can therefore take a permissions group that is assigned to an existing application role and already has the correct view permissions in both IT Shop and Manager, and then modify the permissions to allow "View" only on the Person table.
To copy an existing group:
- Select the "Permissions" tab, then expand "Permissions groups".
- Select the group you would like to copy, and in the "Tasks" pane (View | Tasks) select "Edit permissions group 'group_name'".
- Then, from the "Permissions groups" menu at the top, choose "Copy permissions group...". A wizard will start with the permissions group to copy already selected. The wizard appends CCC to the existing group name to form the copy name, e.g.:
- On the "Select copy options" page of the wizard select "Permissions" and "Navigation":
- Then complete the wizard. Once the wizard is complete you will need to "Commit to database" to save the changes.
2. Create a Custom Application Role:
Using Manager, select the "One Identity Manager Administration" tab. Then expand Identity Management | Employees | Administrators and create a custom role directly under "Administrators":
The permissions group you created or copied should be assigned to this custom application role:
3. Once the new application role has been created, assign the role to the Employee(s) who should have read-only access to other Employee objects through either IT Shop or Manager:
Test the new role by logging in to Manager or IT Shop as an Employee with the role assigned.