Scoped administration

Scoped administration allows organizations to protect sensitive application data by restricting how users acquire application-specific roles.

Application developers and application administrators can use scoped administration to:
  • Prevent unauthorized users from accessing sensitive data such as financial records or personally identifiable information.
  • Restrict who can assign application roles.
  • Prevent admin users from:
    • Assigning themselves a protected application role.
    • Assigning themselves to a group containing a protected application role.
    • Bypassing existing access controls to a protected application by creating new access controls.
    • Changing the password of users who have a protected application role.
    • Impersonating a user who has a protected application role.
    • Inheriting a protected application role.
    • Overriding existing access controls to a protected application.
    • Running scripts that access protected application records.

You can enable scoped administration from the application record and restrict the assignment of application roles from the user role record. Application developers should enable scoped administration after completing application development and before adding application records.

To prevent accidental lockout, the system displays a warning if you enable scoped administration for an application while no user is able to assign its application roles. For convenience, application developers can use the following related links to grant or remove application roles for all admins.
  • Grant scope administration to all admins
  • Remove scope administration from admins
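The rules above, as an added policy model that is not ServiceNow code and does not use its API: role, group and user data are constructed, and the `assignableBy` set on each role stands in for the assignment restriction configured on the user role record, which is an assumption of this model. It also shows the lockout condition the warning guards against.

```javascript
// Added illustration (hypothetical model, not ServiceNow's implementation).
// Constructed data: roles with a protected flag and the set of roles that may
// assign them (an assumption standing in for the user role record setting).
const roles = {
  admin:          { protected: false, assignableBy: new Set(["admin"]) },
  "x_fin.viewer": { protected: true,  assignableBy: new Set(["x_fin.owner"]) },
  "x_fin.owner":  { protected: true,  assignableBy: new Set(["x_fin.owner"]) },
  "x_hr.auditor": { protected: true,  assignableBy: new Set(["x_hr.owner"]) },
};
const groups = { "Finance Readers": new Set(["x_fin.viewer"]) };
const users = {
  alice: new Set(["admin"]),        // platform admin, holds no finance role
  bob:   new Set(["x_fin.owner"]),  // the only user who can assign finance roles
  carol: new Set([]),
};

const holdsAny = (user, set) => [...users[user]].some((r) => set.has(r));

// A protected role may only be granted by a holder of an assigning role,
// and never to the actor themselves (no self-assignment).
function canAssignRole(actor, target, role) {
  const def = roles[role];
  if (!def.protected) return users[actor].has("admin");
  return actor !== target && holdsAny(actor, def.assignableBy);
}

// Joining a group is treated as being assigned every protected role it carries,
// so the same check applies to group membership.
function canAddToGroup(actor, target, group) {
  return [...groups[group]].every((r) => canAssignRole(actor, target, r));
}

// Password changes and impersonation of a user who holds a protected role are
// limited to an actor who could assign that role in the first place.
function canActOnUser(actor, target) {
  return [...users[target]].every(
    (r) => !roles[r].protected || holdsAny(actor, roles[r].assignableBy)
  );
}

// Lockout check: a protected role that nobody can assign is the condition
// the enable-time warning exists for.
function lockoutRisk(role) {
  const set = roles[role].assignableBy;
  return !Object.keys(users).some((u) => holdsAny(u, set));
}
```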