User Scope Rules
If an access scan has users scoped by a rule, the User Scope rule is
evaluated to determine a list of users to scan.
Inputs:
Accepts the lhcontext argument
You must specify the following for a custom User Scope rule:
AuthType: AccessScanRule
SubType: USER_SCOPE_RULE
Called: At the beginning of an access scan
Returns: An Identity Manager user name or a list of Identity Manager user names. Each name must be a valid Identity Manager user name.
- If the results contain any names that cannot be resolved to valid Identity Manager user names, the rule returns an error.
- If the results contain any duplicate user names, the rule returns an error.

Note:
- An access scan that scans the same user multiple times might fail to create the attestation workflow for a subsequent instance of the same user. Therefore, a customized implementation of the User Scope rule should provide checks to avoid duplicate users in the output.
- This rule can return accounts that are not available to the administrator running the scan. In this case, the scan will attempt to get the account's User view and fail, resulting in an error in the scan task.

Predefined Rules:
- All Administrators: Returns all users with administrative capabilities assigned.
- All Non-Administrators: Returns all users with no administrative capabilities assigned.
- Users Without Manager: Returns all user accounts with no manager (idmManager) assigned.

Location: Compliance > Manage Access Scans > Access Scan > User Scope Rule
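The checks that the Returns and Note entries call for can be modelled offline before a custom rule is deployed. The following is an added example, not Identity Manager code: `check_scope`, `ScopeReport`, and the sample name sets are hypothetical, and names are assumed to be compared by exact match.

```python
from dataclasses import dataclass, field


@dataclass
class ScopeReport:
    users: list = field(default_factory=list)        # unique, resolvable, visible names
    duplicates: list = field(default_factory=list)   # names returned more than once
    unresolved: list = field(default_factory=list)   # not a known user name
    not_visible: list = field(default_factory=list)  # known, but outside the scanning admin's scope

    @property
    def ok(self):
        # True only if the raw rule output would not trigger any documented failure
        return not (self.duplicates or self.unresolved or self.not_visible)


def check_scope(result, known_users, visible_to_admin):
    """Classify a User Scope rule result (one name or a list of names).

    known_users and visible_to_admin are sets supplied by the caller
    (assumption: exported from the deployment by some other means).
    """
    names = [result] if isinstance(result, str) else list(result or [])
    report, seen = ScopeReport(), set()
    for name in names:
        if name in seen:
            # Same user twice: the scan may fail to create the attestation workflow
            if name not in report.duplicates:
                report.duplicates.append(name)
            continue
        seen.add(name)
        if name not in known_users:
            report.unresolved.append(name)
        elif name not in visible_to_admin:
            # The scan would fail when fetching this account's User view
            report.not_visible.append(name)
        else:
            report.users.append(name)
    return report


# Constructed sample data, not taken from any real deployment
KNOWN = {"jdoe", "asmith", "bwong", "root-admin"}
VISIBLE = {"jdoe", "asmith", "bwong"}

if __name__ == "__main__":
    print(check_scope(["jdoe", "asmith", "jdoe", "ghost", "root-admin"], KNOWN, VISIBLE))
```

A rule whose candidate list yields `ok == False` should be corrected before the access scan is scheduled; `users` holds the de-duplicated names that would scan cleanly.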