We want to limit Identity Manager TEWS calls to only a few authorized users/service accounts. SiteMinder (SSO) is not present in the environment.
As a self-service, if a user supplies their own user ID both for login and for impersonation in the TEWS call request, any user can make a TEWS call.
We want to make sure that only a few users/service accounts, by virtue of either Admin Role membership or some other rule/policy, are able to make TEWS calls. We don't want to open IME for making TEWS calls for all users.
The following is an example to elaborate on this further: a TEWS SOAP call to execute an Admin Task with WSS authentication:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdl="http://tews6/wsdl">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>USERID001</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"><WITH CORRECT PASSWORD></wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <!-- EmployeeCreationTask request carrying <admin_id>USERID001</admin_id>; the rest of the body was not included in the original post -->
  </soapenv:Body>
</soapenv:Envelope>
<wsse:Username>USERID001</wsse:Username> and <admin_id>USERID001</admin_id> are the same value, for the user 'USERID001'. Meaning, the same user is logging into IME and also submitting the request on his own behalf (an example of self-service).
This user is a member of an Admin Role to which the 'EmployeeCreationTask' Admin Task is attached, so the user is authorized to execute the 'EmployeeCreationTask' Admin Task.
Any user who is a member of that Admin Role can submit a request like the one above by making a SOAP call (say from Postman/SoapUI/curl).
We want TEWS requests to be submitted to IME only from authorized application/service accounts.
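A gateway-side check of the kind asked for above, as an added example (not CA/Broadcom code and not from the original post): it parses the WSS UsernameToken and the admin_id out of a TEWS request and only lets it through to IME when the authenticated caller is in an allow-list of service accounts, which rejects the self-service pattern where an ordinary Admin Role member calls TEWS directly. The allow-list, the sample request and the shape of the EmployeeCreationTask body element are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed allow-list: the only WSS identities permitted to submit TEWS requests.
ALLOWED_CALLERS = {"svc-hr-provisioning"}

# Constructed sample: the self-service case from the post (login user == admin_id); body shape is assumed.
SELF_SERVICE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdl="http://tews6/wsdl">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>USERID001</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">constructed-password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <wsdl:EmployeeCreationTask>
      <wsdl:admin_id>USERID001</wsdl:admin_id>
    </wsdl:EmployeeCreationTask>
  </soapenv:Body>
</soapenv:Envelope>"""


def _text(el):
    """Return an element's stripped text, or None if the element or its text is absent."""
    return el.text.strip() if el is not None and el.text else None


def extract_identities(soap_xml):
    """Return (wss_username, admin_id): who authenticated and on whose behalf the task runs."""
    root = ET.fromstring(soap_xml)
    username_el = root.find(".//{%s}UsernameToken/{%s}Username" % (WSSE_NS, WSSE_NS))
    body = root.find("{%s}Body" % SOAP_NS)
    admin_el = None
    if body is not None:  # match admin_id by local name so the task's namespace prefix does not matter
        admin_el = next((e for e in body.iter() if e.tag.rsplit("}", 1)[-1] == "admin_id"), None)
    return _text(username_el), _text(admin_el)


def tews_caller_allowed(soap_xml, allowed=ALLOWED_CALLERS):
    """Decide whether a TEWS request may be forwarded to IME; returns (allowed, reason)."""
    username, admin_id = extract_identities(soap_xml)
    if username is None or admin_id is None:
        return False, "missing WSS Username or admin_id"
    if username not in allowed:  # an ordinary Admin Role member calling TEWS directly lands here
        return False, "caller %r is not an authorized TEWS service account" % username
    return True, "service account %r submitting on behalf of %r" % (username, admin_id)
```

The allow-list check is deliberately separate from IME's own Admin Role check: IME still decides whether admin_id may run the task, while the gateway decides who may submit it at all.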