Post Date: March 30, 2011
Posted By: Doug Bulkley
Question:
We would like to exclude inactive IIQ identities from appearing in most of the UI select lists, for example:
Answer: Filters for Identity Select Lists are maintained in the Configuration (type) object named "IdentitySelectorConfiguration". The first thing we need to do is create a new filter inside the identityFilters map of this "IdentitySelectorConfiguration" object. One needs to think of the filter in terms of what will be shown in the select lists. We only want to show active users, so we'll name this filter "Active" and the filter logic below makes sure the inactive Identity attribute is not set:
<entry key="Active">
  <value>
    <IdentityFilter name="Active" order="Ascending">
      <FilterSrc>
        <FilterSource>
          <BasicFilter>
            <!-- Empty Boolean value: keep only identities whose inactive attribute is not set -->
            <Filter operation="EQ" property="inactive">
              <Value>
                <Boolean></Boolean>
              </Value>
            </Filter>
          </BasicFilter>
        </FilterSource>
      </FilterSrc>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
Once we have our "Active" identity filter properly configured, we need to decide how best to apply this filter to the various IdentityIQ select lists.
If you look at the entire "IdentitySelectorConfiguration" object, you will notice there are several filters already pre-configured. Since we are mostly concerned with certification-based select lists, these tend to be assigned the "Owner" filter:
<entry key="Owner">
  <value>
    <IdentityFilter name="Owner" order="Ascending">
      <IncludedFilterReferences>
        <String>IncludeWorkGroups</String>
      </IncludedFilterReferences>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
I can choose to modify the "Owner" filter and include a reference to my "Active" filter like so:
<entry key="Owner">
  <value>
    <IdentityFilter name="Owner" order="Ascending">
      <IncludedFilterReferences>
        <String>IncludeWorkGroups</String>
        <String>Active</String>
      </IncludedFilterReferences>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
Note: Any changes made to this Configuration object will not be visible in the UI until you either:
If an Identity object has the following attribute set to true, it will no longer appear in any UI select list that uses the "Owner" filter:
<entry key="inactive" value="true"/>
There may be occasions where you wish to override or change a specific select list filter.
If I go to the Analyze->Advanced Analytics page, "Access Review Search" sub-tab, my inactive user no longer appears in the "Certifier" select list. Because of this, I am unable to search for any historical certifications that this inactive user might have certified while it was active.
The first thing I need to do here is determine the "ID" for this particular select list. The easiest way to do that is to use Firebug (Firefox add-on), in combination with the Firefox web browser. If you are not familiar with Firebug and Firefox, both can be freely downloaded from the web. If you don't have access to these tools, you will most likely need some type of expert services assistance.
To obtain the "ID" for this particular select list, do the following:
Once we have the select list "ID", we can override this select list filter inside the "IdentitySelectorConfiguration" object like so:
<entry key="certifierSuggestCmp">
  <value>
    <IdentityFilter name="certifierSuggestCmp" order="Ascending">
      <IncludedFilterReferences>
        <String>IncludeWorkGroups</String>
      </IncludedFilterReferences>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
Notice the key and name for this filter reference the actual ID of the select list: certifierSuggestCmp.
Since the original filter named "Owner" only included a reference to the "IncludeWorkGroups" filter, I simply use that filter here to allow my inactive Identity to appear.
Do not forget to click on the "Reset Configuration Caches" button via the debug pages to see these changes.
Simply repeat the above Firebug process to override any other desired select lists.
Note: When making a change to a default filter like "Owner", one must perform a complete examination of the IdentityIQ UI to ensure that all Identity select lists display the desired information for your corporate needs.
I have struggled to find the right ID with Firebug since it was not sufficiently documented in the past. Very good and useful explanation here.
This is good! I have two questions.
Can I exclude a group of people based on some identity attribute? Is that correct?
Once you include or exclude identities in your Identity select list, do IIQ rules also not see them when assigning tasks?
I have a need to exclude some (a set of people) recipients from everywhere. They should not be assigned any tasks either directly or through certification.
Hey Binita,
This is a great question for the forums. Can you post it there so the community can respond?
-Lyndsay
I just posted it. Thanks for your note.
Currently we see only display name, userid and email id in drop down. Is it possible to configure it with additional identity attributes also e.g. department?
Thanks,
Gaurav
Great article! Is there a way to filter uncorrelated identities from the identityselector lists?
You can create your own key in IdentitySelectorConfiguration similar to the "Active" one in the article.
<entry key="Correlated">
  <value>
    <IdentityFilter name="Correlated" order="Ascending">
      <FilterSrc>
        <FilterSource>
          <BasicFilter>
            <Filter operation="EQ" property="correlated">
              <Value>
                <Boolean>true</Boolean>
              </Value>
            </Filter>
          </BasicFilter>
        </FilterSource>
      </FilterSrc>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
Then use this filter in the required drop-down, e.g.:
<entry key="Owner">
  <value>
    <IdentityFilter name="Owner" order="Ascending">
      <IncludedFilterReferences>
        <String>IncludeWorkGroups</String>
        <String>Correlated</String>
      </IncludedFilterReferences>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
I did not try it but it should work.
Thanks,
Gaurav
Thank you! Worked perfectly.
Gaurav,
I have a similar requirement to change the userid to department in identitySelector. Can you please specify the key name which we can configure in the IdentitySelectorConfiguration for this.
Appreciate your help.
Regards,
Jeorly
Jeorly,
Unfortunately, it is not configurable.
Thanks,
Gaurav