Identity Manager allows you to control which users are within an end user’s scope of control.
Use the Scope of Control tab (shown in Figure 6–4) to specify organizations that members of this organization can manage, or to specify the rule that determines the organizations to be managed by users of the admin role, and to select the user form for the admin role.
Controlled Organizations. Select from the Available Organizations list the organizations that this admin role has the rights to manage.
Controlled Organizations Rule. Select a rule that will be evaluated, at user login, to zero or more organizations to be controlled by a user assigned this admin role. The selected rule must have the ControlledOrganizationsRule authType. By default, no controlled organization rule is selected.
You can use the EndUserControlledOrganizations rule to define whatever logic is necessary to ensure the right set of users are available for delegating, based on your organizational needs.
If you want the scoped list of users to be the same for administrators, whether they are logged into the Administrator interface or the End User interface, you must change the EndUserControlledOrganizations rule.
Modify the rule to first check whether the authenticating user is an administrator, and then configure the following:
If the user is not an administrator, return the set of organizations that should be controlled by an end user, such as the user’s own organization (for example, waveset.organization).
If the user is an administrator, do not return any organizations so the user only controls organizations that are assigned because that user is an administrator.
For example:
<Rule protectedFromDelete=’true’ authType=’EndUserControlledOrganizationsRule’ id=’#ID#End User Controlled Organizations’ name=’End User Controlled Organizations’> <Comments> If the user logging in is not an Idm administrator, then return the organization that they are a member of. Otherwise, return null. </Comments> <cond> <and> <isnull><ref>waveset.adminRoles</ref></isnull> <isnull><ref>waveset.capabilities</ref></isnull> <isnull><ref>waveset.controlledOrganizations</ref></isnull> </and> <ref>waveset.organization</ref> </cond> <MemberObjectGroups> <ObjectRef type=’ObjectGroup’ id=’#ID#Top’ name=’Top’/> </MemberObjectGroups> </Rule> |
If the user or administrator belongs to a dynamic organization, they are not returned in search results.
However, you can create a rule to return users in dynamic organizations. Change the following sample rule by adding a new attribute to the Identity Manager user schema definition that is defined in the Idm Schema Configuration object, import that object, and then restart the Identity Manager server.
<IDMAttributeConfigurations> ... <IDMAttributeConfiguration name='region' syntax='STRING' description='region of the country'/> </IDMAttributeConfigurations> <IDMObjectClassConfigurations> ... <IDMObjectClassConfiguration name='User' extends='Principal' description='User description'> ... <IDMObjectClassAttributeConfiguration name='region' queryable='true'/> </IDMObjectClassConfiguration> </IDMObjectClassConfigurations> Next, import the following Identity Manager objects: <!-- User member rule that will include all users whose region attribute matches the region organization display name --> <Rule name="Region User Member Rule" authType="UserMembersRule"> <Description>User Member Rule</Description> <list> <new class='com.waveset.object.AttributeCondition'> <s>region</s> <s>equals</s> <ref>userMemberRuleOrganizationDisplayName</ref> </new> </list> <MemberObjectGroups> <ObjectRef type="ObjectGroup" id="#ID#All" name="All"/> </MemberObjectGroups> </Rule> <!-- North & South Region organizations with user member rule assigned --> <ObjectGroup id='#ID#North Region' name='North Region' displayName='North Region'> <UserMembersRule cacheTimeout='3600000'> <ObjectRef type='Rule' name='Region User Member Rule'/> </UserMembersRule> <MemberObjectGroups> <ObjectRef type='ObjectGroup' name='Top' id='#ID#Top'/> </MemberObjectGroups> </ObjectGroup> <ObjectGroup id='#ID#South Region' name='South Region' displayName='South Region'> <UserMembersRule cacheTimeout='3600000'> <ObjectRef type='Rule' name='Region User Member Rule'/> </UserMembersRule> <MemberObjectGroups> <ObjectRef type='ObjectGroup' name='Top' id='#ID#Top'/> </MemberObjectGroups> </ObjectGroup> <!-- Organization containing all employees --> <ObjectGroup id='#ID#Employees' name='Employees' displayName='Employees'> <MemberObjectGroups> <ObjectRef type='ObjectGroup' name='Top' id='#ID#Top'/> </MemberObjectGroups> </ObjectGroup> <!-- End user controlled organization rule that give each user control of the regional organization they are a member of --> <Rule protectedFromDelete='true' authType='EndUserControlledOrganizationsRule' id='#ID#End User Controlled Organizations' name='End User Controlled Organizations' primaryObjectClass='Rule'> <switch> <ref>waveset.attributes.region</ref> <case> <s>North Region</s> <s>North Region</s> </case> <case> <s>South Region</s> <s>South Region</s> </case> <case> <s>East Region</s> <s>East Region</s> </case> <case> <s>West Region</s> <s>West Region</s> </case> </switch> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/> </MemberObjectGroups> </Rule> <!-- 4 employees (2 in North and 2 in South region) --> <User name='emp1' primaryObjectClass='User' asciipassword='1111'> <Attribute name='firstname' type='string' value='Employee'/> <Attribute name='fullname' type='string' value='Employee One'/> <Attribute name='lastname' type='string' value='One'/> <Attribute name='region' type='string' value='North Region'/> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Employees' name='Employees' displayName='Employees'/> </MemberObjectGroups> </User> <User name='emp2' primaryObjectClass='User' asciipassword='1111'> <Attribute name='firstname' type='string' value='Employee'/> <Attribute name='fullname' type='string' value='Employee Two'/> <Attribute name='lastname' type='string' value='Two'/> <Attribute name='region' type='string' value='North Region'/> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Employees' name='Employees' displayName='Employees'/> </MemberObjectGroups> </User> <User name='emp4' primaryObjectClass='User' asciipassword='1111'> <Attribute name='firstname' type='string' value='Employee'/> <Attribute name='fullname' type='string' value='Employee Four'/> <Attribute name='lastname' type='string' value='Four'/> <Attribute name='region' type='string' value='South Region'/> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Employees' name='Employees' displayName='Employees'/> </MemberObjectGroups> </User> <User name='emp5' primaryObjectClass='User' asciipassword='1111'> <Attribute name='firstname' type='string' value='Employee'/> <Attribute name='fullname' type='string' value='Employee Five'/> <Attribute name='lastname' type='string' value='Five'/> <Attribute name='region' type='string' value='South Region'/> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Employees' name='Employees' displayName='Employees'/> </MemberObjectGroups> </User> |
Next, log in through the Identity Manager End User interface as emp1, who is in the North region. Select Delegations -> New. Change the search -> provide criteria to Starts with, change the value to emp, and choose Find. This selection should return emp2 in the list of available users.
Controlled Organizations User Form. Select a user form that a user who is assigned this admin role will use when he creates or edits users who are members of this admin role’s controlled organizations. By default, no Controlled Organizations User Form is selected.
A user form assigned through an admin role overrides any user form that is inherited from the organization of which the administrator is a member. It does not override a user form that is directly assigned to the admin.