Post Date: March 30, 2011
Posted By: Doug Bulkley
Question:
We would like to exclude inactive IIQ identities from appearing in most of the UI select lists, for example:
Answer: Filters for Identity Select Lists are maintained in the Configuration (type) object named "IdentitySelectorConfiguration". The first thing we need to do is create a new filter inside the identityFilters map of this "IdentitySelectorConfiguration" object. One needs to think of the filter in terms of what will be shown in the select lists. We only want to show active users, so we'll name this filter "Active" and the filter logic below makes sure the inactive Identity attribute is not set:
<entry key="Active">
  <value>
    <IdentityFilter name="Active" order="Ascending">
      <FilterSrc>
        <FilterSource>
          <BasicFilter>
            <Filter operation="EQ" property="inactive">
              <Value>
                <Boolean></Boolean>
              </Value>
            </Filter>
          </BasicFilter>
        </FilterSource>
      </FilterSrc>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
Once we have our "Active" identity filter properly configured, we need to decide how best to apply this filter to the various IdentityIQ select lists.
If you look at the entire "IdentitySelectorConfiguration" object, you will notice there are several filters already pre-configured. Since we are mostly concerned with certification-based select lists, these tend to be assigned the "Owner" filter:
<entry key="Owner">
  <value>
    <IdentityFilter name="Owner" order="Ascending">
      <IncludedFilterReferences>
        <String>IncludeWorkGroups</String>
      </IncludedFilterReferences>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
I can choose to modify the "Owner" filter and include a reference to my "Active" filter like so:
<entry key="Owner">
  <value>
    <IdentityFilter name="Owner" order="Ascending">
      <IncludedFilterReferences>
        <String>IncludeWorkGroups</String>
        <String>Active</String>
      </IncludedFilterReferences>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
Note: Any changes made to this Configuration object will not be visible in the UI until you either:
If any Identity object has the following attribute set to true, then they will no longer appear in any UI select list that utilizes the "Owner" filter:
<entry key="inactive" value="true"/>
There may be occasions where you wish to override or change a specific select list filter.
If I go to the Analyze->Advanced Analytics page, "Access Review Search" sub-tab, my inactive user no longer appears in the "Certifier" select list. Because of this, I am unable to search for any historical certifications that this inactive user might have certified while it was active.
The first thing I need to do here is determine the "ID" for this particular select list. The easiest way to do that is to use Firebug (Firefox add-on), in combination with the Firefox web browser. If you are not familiar with Firebug and Firefox, both can be freely downloaded from the web. If you don't have access to these tools, you will most likely need some type of expert services assistance.
To obtain the "ID" for this particular select list, do the following:
Once we have the select list "ID", we can override this select list filter inside the "IdentitySelectorConfiguration" object like so:
<entry key="certifierSuggestCmp">
  <value>
    <IdentityFilter name="certifierSuggestCmp" order="Ascending">
      <IncludedFilterReferences>
        <String>IncludeWorkGroups</String>
      </IncludedFilterReferences>
      <OrderBy>
        <String>firstname</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
Notice the key and name for this filter reference the actual ID of the select list: certifierSuggestCmp.
Since the original filter named "Owner" only included a reference to the "IncludeWorkGroups" filter, I simply use that filter here to allow my inactive Identity to appear.
Do not forget to click on the "Reset Configuration Caches" button via the debug pages to see these changes.
Simply repeat the above Firebug process to override any other desired select lists.
Note: When making a change to a default filter like "Owner", one must perform a complete examination of the IdentityIQ UI to ensure that all Identity select lists display the desired information for your corporate needs.
Thanks Gaurav for the response.
Now I have to find another way to show the department, I guess.
Regards,
Jeorly
This is what we did to overcome this issue. We used the OOB identity selector for search purposes, and in the same form we created one table to display the rest of the selected identity's information in a non-editable format. This information is displayed dynamically for the identity selected in the drop-down. I hope it will help you in designing your solution.
Thanks,
Gaurav
Gaurav,
We were thinking about something similar: showing the identity information outside the identity selector. But, as you said, if I can show it with the identity selected in the drop-down, that will be great. Can you please give more input on how we can do that, or share any sample code you have?
Appreciate your help.
Regards,
Jeorly
I defined a field with postBack="true" like this:
<Field displayName="Select a Contractor" name="name" postBack="true" required="true" type="Identity"/>
Then, defined a section of type datatable like this:
<Section columns="8" label="Contractor Details" name="Contractor Details" type="datatable">
  <Attributes>
    <Map>
      <!-- Hide the section until an identity has been selected -->
      <entry key="hidden">
        <value>
          <Script>
            <Source>
              if (null != name) {
                return false;
              } else {
                return true;
              }
            </Source>
          </Script>
        </value>
      </entry>
    </Map>
  </Attributes>
  <!-- Column headers -->
  <Field displayName="First Name"/>
  <Field displayName="Middle Name"/>
  <Field displayName="Last Name"/>
  <Field displayName="Company"/>
  <Field displayName="Birth MM/DD"/>
  <Field displayName="User ID"/>
  <Field displayName="Last 4 SSN"/>
  <Field displayName="Active/Inactive"/>
  <!-- Column values for the selected identity, in the same order as the headers -->
  <Field dynamic="true">
    <Script>
      <Source>
        import sailpoint.object.Identity;
        if (null != name) {
          return context.getObjectByName(Identity.class, name).getFirstname();
        }
      </Source>
    </Script>
  </Field>
  <Field dynamic="true">
    <Script>
      <Source>
        import sailpoint.object.Identity;
        if (null != name)
          return context.getObjectByName(Identity.class, name).getStringAttribute("middleName");
      </Source>
    </Script>
  </Field>
  <Field dynamic="true">
    <Script>
      <Source>
        import sailpoint.object.Identity;
        if (null != name)
          return context.getObjectByName(Identity.class, name).getLastname();
      </Source>
    </Script>
  </Field>
  <Field dynamic="true">
    <Script>
      <Source>
        import sailpoint.object.Identity;
        import sailpoint.object.Link;
        import sailpoint.object.Application;
        if (null != name) {
          Link link = context.getObjectByName(Identity.class, name).getLink(context.getObjectByName(Application.class, "appName"));
          if (link != null) {
            return (String) link.getAttribute("companyDesc");
          }
        }
      </Source>
    </Script>
  </Field>
  <Field dynamic="true">
    <Script>
      <Source>
        import sailpoint.object.Identity;
        if (null != name)
          return context.getObjectByName(Identity.class, name).getStringAttribute("birthDate");
      </Source>
    </Script>
  </Field>
  <Field dynamic="true">
    <Script>
      <Source>
        if (null != name)
          return name;
      </Source>
    </Script>
  </Field>
  <Field dynamic="true">
    <Script>
      <Source>
        import sailpoint.object.Identity;
        if (null != name)
          return context.getObjectByName(Identity.class, name).getStringAttribute("last4SSN");
      </Source>
    </Script>
  </Field>
  <Field dynamic="true">
    <Script>
      <Source>
        import sailpoint.object.Identity;
        if (null != name) {
          if (context.getObjectByName(Identity.class, name).isInactive()) {
            return "Inactive";
          } else {
            return "Active";
          }
        }
      </Source>
    </Script>
  </Field>
</Section>
Is there a separate option for the forwarding user select list? I would also like to exclude inactive identities from that list, but I'm not sure what the entry key section would be.
Thanks!
Hi Gaurav,
Did you find any way to do this? We need to show the display name and location of Identities in the Identity dropdown instead of display name and email addresses.
Unfortunately not.
Thanks,
Gaurav
Hello,
While forwarding a work item, the identity selector shows inactive users.
I added the Active filter as mentioned in the post and reset the configuration cache as well, but I still see deleted & inactive users in the identity selector while forwarding.
Please suggest.
Thanks,
Aakanksha
Hi Aakanksha,
Can you share the code?