The After User Search Filter rule is evaluated when searching for Service Provider users. It runs after the initial search is performed against the Service Provider user directory. It returns a list of objectIds the requesting user is allowed to list and view.
This type of rule can be used to determine whether a user should be in the requesting user’s scope of control. To accomplish this, the rule can reference non-LDAP user attributes, such as LDAP group membership. The rule can also be used when the filter decision needs to be made using a repository other than the Service Provider user directory, such as an Oracle database or RACF.
The authType of this rule must be SPEUsersAfterSearchFilterRule.
The rule is passed the following arguments:
context — Specifies the current user’s Identity context (session).
runAsUser — The User view of the user the rule runs as. This argument is null if runAsIDMXUser is specified.
runAsIDMXUser — The IDMXUser view of the user the rule runs as. This argument is null if runAsUser is specified.
objectType — Specifies the type of object, such as IDMXUser, that the rule filters.
objectIds — Specifies a list of objects the rule filters.
conditions — Specifies a list of AttributeConditions.
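As an added example (not part of the original documentation), the following XPRESS rule shows the shape of an After User Search Filter rule that returns the full objectIds list only when the requesting user belongs to a particular group and an empty list otherwise, which is the default-deny behaviour a filter rule should have. The rule name, the attribute path runAsIDMXUser.attributes.memberOf and the group value cn=sp-admins are assumptions for illustration, not values taken from the product.

```xml
<Rule name="SPE After User Search Filter Example" authType="SPEUsersAfterSearchFilterRule">
  <!-- Arguments exactly as documented for this rule type -->
  <RuleArgument name="context"/>
  <RuleArgument name="runAsUser"/>
  <RuleArgument name="runAsIDMXUser"/>
  <RuleArgument name="objectType"/>
  <RuleArgument name="objectIds"/>
  <RuleArgument name="conditions"/>
  <cond>
    <!-- Assumed: runAsIDMXUser is non-null (it is null when runAsUser is
         specified) and exposes a multi-valued memberOf attribute at this path -->
    <and>
      <notnull><ref>runAsIDMXUser</ref></notnull>
      <contains>
        <ref>runAsIDMXUser.attributes.memberOf</ref>
        <s>cn=sp-admins</s>
      </contains>
    </and>
    <!-- Allowed: return every objectId the initial search produced -->
    <ref>objectIds</ref>
    <!-- Default deny: the requesting user may list and view nothing -->
    <list/>
  </cond>
</Rule>
```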