Oracle Waveset Service Provider 8.1.1 Deployment

After Search Filter Rule

The After User Search Filter rule is evaluated when searching for Service Provider users. It runs after the initial search is performed against the Service Provider user directory. It returns a list of objectIds the requesting user is allowed to list and view.

This type of rule can be used to determine whether a user should be in the requesting user’s scope of control. To accomplish this, the rule can reference non-LDAP user attributes, such as LDAP group membership. The rule can also be used when the filter decision needs to be made using a repository other than the Service Provider user directory, such as an Oracle database or RACF.

The authType of this rule must be SPEUsersAfterSearchFilterRule.

The rule is passed the following arguments:

context — Specifies the current user’s identity context (session).

runAsUser — The User view of the user the rule will run as. This is a null argument if runAsIDMXUser is specified.

runAsIDMXUser — The IDMXUser view of the user the rule will run as. This is a null argument if runAsUser is specified.

objectType — Specifies the type of object, such as IDMXUser, that the rule filters.

objectIds — Specifies a list of objects the rule filters.

conditions — Specifies a list of AttributeConditions.
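The following Python model of the rule's contract is an added example, not Waveset or Oracle code and not the syntax rules are written in. It takes the six arguments listed above and returns the subset of objectIds that an outside membership source places in the requester's scope. The view layout (a dict with an `id` key), the group tables, the sample identifiers, and the choice to return an empty list when the requester cannot be identified are assumptions; `context` and `conditions` are accepted but unused.

```python
# Constructed sample data standing in for a repository outside the
# Service Provider user directory (for example group membership).
GROUP_MEMBERS = {
    "emea-customers": {"u1", "u2"},
    "apac-customers": {"u3"},
}
# Constructed mapping: which groups each administrator may manage.
ADMIN_SCOPE = {
    "adm-emea": {"emea-customers"},
    "adm-apac": {"apac-customers"},
}


def after_search_filter(context, runAsUser, runAsIDMXUser,
                        objectType, objectIds, conditions):
    """Return the objectIds the requesting user may list and view."""
    # Exactly one of the two views is expected to be non-null.
    # Assumption: anything else is treated as "no identity" and denied.
    if (runAsUser is None) == (runAsIDMXUser is None):
        return []
    # Assumption: this sample policy only covers IDMXUser objects.
    if objectType != "IDMXUser" or not objectIds:
        return []
    view = runAsUser if runAsUser is not None else runAsIDMXUser
    requester = view.get("id")  # hypothetical view layout

    # Collect every user the requester's groups place in scope.
    in_scope = set()
    for group in ADMIN_SCOPE.get(requester, ()):
        in_scope |= GROUP_MEMBERS.get(group, set())

    # Only narrow the search result: keep its order, never add an id
    # that the initial directory search did not return.
    return [oid for oid in objectIds if oid in in_scope]


if __name__ == "__main__":
    found = ["u1", "u3", "u2"]  # constructed result of the initial search
    print(after_search_filter(None, None, {"id": "adm-emea"},
                              "IDMXUser", found, []))
```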