Register Sign in Need help? FAQ SailPoint directory
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Customizing identity select lists

Customizing identity select lists

Post Date: March 30, 2011
Posted By: Doug Bulkley

 

Question:

We would like to exclude inactive IIQ identities from appearing in most of the UI select lists, for example:

  1. Certification owner
  2. Forwarding of a certification

Answer: Filters for Identity Select Lists are maintained in the Configuration (type) object named "IdentitySelectorConfiguration".The first thing we need to do is create a new filter inside the identityFilters map of this "IdentitySelectorConfiguration" object.One needs to think of the filter in terms of what will be shown in the select lists.We only want to show active users, so we'll name this filter "Active" and the filter logic below makes sure the inactive Identity attribute is not set:          

 

          <entry key="Active">

              <value>
                <IdentityFilter name="Active" order="Ascending">
                  <FilterSrc>
                    <FilterSource>
                      <BasicFilter>
                        <Filter operation="EQ" property="inactive">
                          <Value>
                            <Boolean></Boolean>
                          </Value>
                        </Filter>
                      </BasicFilter>
                    </FilterSource>
                  </FilterSrc>
                  <OrderBy>
                    <String>firstname</String>
                  </OrderBy>
                </IdentityFilter>
              </value>
            </entry>

 

Once we have our "Active" identity filter properly configured, we need to decide how best to apply this filter to the various identityIQ select lists.

 

If you look at the entire "IdentitySelectorConfiguration" object, you will notice there are several filters already pre-configured. Since we are mostly concerned with certification based select lists, these tend to be assigned the "Owner" filter:          

 

          <entry key="Owner">
              <value>
                <IdentityFilter name="Owner" order="Ascending">
                  <IncludedFilterReferences>
                    <String>IncludeWorkGroups</String>
                  </IncludedFilterReferences>
                  <OrderBy>
                    <String>firstname</String>
                  </OrderBy>
                </IdentityFilter>
              </value>
            </entry>

 

I can choose to modify the "Owner" filter  and include a reference to my "Active" filter like so:          

 

          <entry key="Owner">
              <value>
                <IdentityFilter name="Owner" order="Ascending">
                  <IncludedFilterReferences>
                    <String>IncludeWorkGroups</String>
                    <String>Active</String>
                  </IncludedFilterReferences>
                  <OrderBy>
                    <String>firstname</String>
                  </OrderBy>
                </IdentityFilter>
              </value>
            </entry>

 

Note: Any changes made to this Configuration object will not be visible in the UI until you either:

  • Restart the application server
    or
  • Click on the "Reset Configuration Caches" button via the debug pages

If any Identity object has the following attribute set to true, then they will no longer appear in any UI select list that utilizes the "Owner" filter:   

 

           <entry key="inactive" value="true"/>

 

There may be occasion where you wish to override or change a specific select list filter.

 

If I go to the Analyze->Advanced Analytics page, "Access Review Search" sub-tab, my inactive user no longer appears in the "Certifier" select list. Because of this, I am unable to search for any historical certifications that this inactive user might have certified while it was active.

 

The first thing I need to do here is determine the "ID" for this particular select list. The easiest way to do that is to use Firebug (Firefox add-on), in combination with the Firefox web browser. If you are not familiar with Firebug and Firefox, both can be freely downloaded from the web. If you don't have access to these tools, you will most likely need some type of expert services assistance.

 

To obtain the "ID" for this particular select list, do the following:

  1. Startup Firefox with Firebug enabled and opened.
  2. Navigate to the identityIQ page listed above and click on the "Certifier" select list.

    Screen shot 2011-03-30 at 1.06.11 PM.png

  3. Click on the "plus" sign above to examine the "Post http:......." entry created when clicking on the Certifier select list.
  4. When expanded, click on the "Post" sub-tab that appears.

    Screen shot 2011-03-30 at 12.59.36 PM.png
  5. There are several things to notice here:
    • The "context" is Owner. This is the name of the filter currently in use for this select list.
    • The "ID" for this particular select list is certifierSuggestCmp.

Once we have the select list "ID", we can override this select list filter inside the "IdentitySelectorConfiguration" object like so:

            <entry key="certifierSuggestCmp">
              <value>
                <IdentityFilter name="certifierSuggestCmp" order="Ascending">
                  <IncludedFilterReferences>
                    <String>IncludeWorkGroups</String>
                  </IncludedFilterReferences>
                  <OrderBy>
                    <String>firstname</String>
                  </OrderBy>
                </IdentityFilter>
              </value>
            </entry>

Notice the key and name for this filter reference the actual ID of the select list: certifierSuggestCmp.

Since the original filter named "Owner" only included a reference to the "IncludeWorkGroups" filter, I simply use that filter here to allow my inactive Identity to appear.

Do not forget to click on the "Reset Configuration Caches" button via the debug pages to see these changes.

Simply repeat the above Firebug process to override any other desired select lists.

Note: When making a change to a default filter like "Owner" one must perform a complete examination of the identityIQ UI, to ensure that all Identity select lists display the desired information for your corporate needs.

Labels (2)
Comments
aakanksha_bhatia
‎Dec 19, 2016 08:58 AM
‎Dec 19, 2016 08:58 AM

My Filter worked the issue was my filter was not inside identity filters tag :smileyhappy:

‎Jun 05, 2017 09:01 AM
‎Jun 05, 2017 09:01 AM

I have posted a query at http://https://community.sailpoint.com/message/68688#68688.

Requesting you expertise revert here.

khandoo
‎Apr 30, 2018 07:14 AM
‎Apr 30, 2018 07:14 AM

Hey tamalika01​ - I have a similar requirement to show user's username along with the display name and email id in a custom form. Did you find a way out?

isha_gupta
‎May 07, 2018 04:29 AM
‎May 07, 2018 04:29 AM

Hi Victor/Lyndsay,

Can you please let me know how to exclude inactive identities from Forwarding User drop down. I can't find any key for it. I am using 7.2 version.

Thanks!

shruthichethan
‎Jun 26, 2018 03:29 AM
‎Jun 26, 2018 03:29 AM

Hi All,

With the similar Active Filter in article can we exclude the inactive identities from Manage Access page??

Thanks,

Shruthi Chethan

jim_moore1
‎Sep 07, 2018 12:26 PM
‎Sep 07, 2018 12:26 PM

Sruthi,

Your question sounds more like an issue for configuring the associated Quicklink Populations. Those control who can ask what for whom. So you can configure Quicklink populations to only  members to request access only for active identities (for whom). You could add a filter such as "inactive == false" under 'Who can members request for?"

IdentitySelectors are more to control what identities are shown in pull-down drop box in the UI. Hence the term Identity Select Lists.

camila_ronderos
‎May 08, 2019 04:32 PM
‎May 08, 2019 04:32 PM

Hi Isha,

Did you figure out how to exclude the identities?

maheshraj9
‎Jan 15, 2020 04:14 PM
‎Jan 15, 2020 04:14 PM

Hi Doug,

                   So for the Identities select list for the Access Requests, for an example: If I would like to see the active users from my department to submit  the request in access request form, then I can use the same IdentitySelectorConfiguration or it is different? Please let me know.

Thanks and Regards,

Mahesh.

sarthak_chawla_87
‎Apr 13, 2020 06:34 AM
‎Apr 13, 2020 06:34 AM

Does the owner selector only affect certification items or does it also affect others like manual/approval items?

m010995
‎Feb 20, 2022 07:03 PM
‎Feb 20, 2022 07:03 PM

I created the XML to implement the changes suggested in this article:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
   <ImportAction name="merge">
      <Configuration name="IdentitySelectorConfiguration">
         <Attributes>
            <Map>
               <entry key="identityFilters">
                  <value>
                     <Map>

                        <entry key="Active">
                           <value>
                              <IdentityFilter name="Active" order="Ascending">
                                 <FilterSrc>
                                    <FilterSource>
                                       <BasicFilter>
                                          <Filter operation="EQ" property="inactive">
                                             <Value>
                                                <Boolean></Boolean>
                                             </Value>
                                          </Filter>
                                       </BasicFilter>
                                    </FilterSource>
                                 </FilterSrc>
                                 <OrderBy>
                                    <String>firstname</String>
                                    <String>lastname</String>
                                    <String>name</String>
                                    <String>id</String>
                                 </OrderBy>
                              </IdentityFilter>
                           </value>
                        </entry>

                        <entry key="Owner">
                           <value>
                              <IdentityFilter name="Owner" order="Ascending">
                                 <IncludedFilterReferences>
                                    <String>Active</String>
                                    <String>IncludeWorkGroups</String>
                                 </IncludedFilterReferences>
                                 <OrderBy>
                                    <String>firstname</String>
                                    <String>lastname</String>
                                    <String>name</String>
                                    <String>id</String>
                                 </OrderBy>
                              </IdentityFilter>
                           </value>
                        </entry>

                     </Map>
                  </value>
               </entry>
            </Map>
         </Attributes>
      </Configuration>
   </ImportAction>
</sailpoint>

 

After importing the XML, the "Active" key was created. But the "Owner" is not modified to have the "Active" added.

Can you help?

 

Version history
Revision #:
4 of 4
Last update:
‎Jul 03, 2023 12:15 PM
Updated by:
Community Administrator
 
View Article History
Contributors