From 15390c7f9815eb7d47938904ea0216db0cebb18c Mon Sep 17 00:00:00 2001 From: Daniel Aniszkiewicz Date: Thu, 28 Dec 2023 19:21:10 +0100 Subject: [PATCH] Fix link last time --- .../_bestpractices/bp-implementing-roles-attributes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/collections/_bestpractices/bp-implementing-roles-attributes.md b/docs/collections/_bestpractices/bp-implementing-roles-attributes.md index b71df83..517612a 100644 --- a/docs/collections/_bestpractices/bp-implementing-roles-attributes.md +++ b/docs/collections/_bestpractices/bp-implementing-roles-attributes.md @@ -8,7 +8,7 @@ has_children: false # Adding attribute-based conditions -[The approach described in the previous section](bestpractices/bp-implementing-roles-groups.html) requires that you add a new user group in your identity provider (IdP) and create a new policy for each group of resources. In the previous examples, the resource groups reflect countries: `Approver-France`, `Approver-Germany`, `Approver-UK`, and so on. There is a finite number of countries, and they don’t change very often. The company might expand into five new countries per year, and so creating new user groups in the IdP and new policies to support this expansion might not represent a significant overhead. +[The approach described in the previous section](bp-implementing-roles-groups.html) requires that you add a new user group in your identity provider (IdP) and create a new policy for each group of resources. In the previous examples, the resource groups reflect countries: `Approver-France`, `Approver-Germany`, `Approver-UK`, and so on. There is a finite number of countries, and they don’t change very often. The company might expand into five new countries per year, and so creating new user groups in the IdP and new policies to support this expansion might not represent a significant overhead. However, consider instead a scenario where the resource groups represent projects instead of countries. Each time a project is kicked off one or more approvers must be assigned to review and approve timesheets for that project. A large global company might be starting and stopping hundreds of projects a year. With the previous approach, for every project that is kicked off a new user group representing the approver role for that project’s timesheets needs to be created in the IdP: `Approver-project03344`, `Approver-project03345`, `Approver-project03346`, and so on. This could have an impact on management of your directory, adding thousands of roles.