Identity Manager 允许您控制哪些用户在最终用户的控制范围之内。
使用“控制范围”选项卡(如图 6–4 中所示)可指定此组织的成员可管理的组织,也可以指定用于确定由管理员角色用户管理的组织的规则,以及选择管理员角色的用户表单。
受控组织。从“可用组织”列表中选择此管理员角色有权管理的组织。
受控组织规则。选择在用户登录时评估的规则,以确定由分配了此管理员角色的用户所控制的组织的个数(零个或多个)。选定的规则必须具有 ControlledOrganizationsRule authType。默认情况下,将选择 "No Controlled Organization Rule"。
可以根据组织需要,使用 EndUserControlledOrganizations 规则来定义所需的逻辑,以确保为委托提供正确的用户集。
如果希望管理员的用户范围列表始终相同(无论他们登录到管理员界面还是最终用户界面),则必须更改 EndUserControlledOrganizations 规则。
修改此规则,使其首先检查验证用户是否为管理员,然后再配置以下内容:
如果该用户不是管理员,则返回应由最终用户控制的组织集,如用户自己的组织(如 waveset.organization)。
如果该用户是管理员,则不返回任何组织,这样用户将只控制已分配的组织(因为用户是管理员)。
例如:
<Rule protectedFromDelete=’true’ authType=’EndUserControlledOrganizationsRule’ id=’#ID#End User Controlled Organizations’ name=’End User Controlled Organizations’> <Comments> If the user logging in is not an Idm administrator, then return the organization that they are a member of. Otherwise, return null. </Comments> <cond> <and> <isnull><ref>waveset.adminRoles</ref></isnull> <isnull><ref>waveset.capabilities</ref></isnull> <isnull><ref>waveset.controlledOrganizations</ref></isnull> </and> <ref>waveset.organization</ref> </cond> <MemberObjectGroups> <ObjectRef type=’ObjectGroup’ id=’#ID#Top’ name=’Top’/> </MemberObjectGroups> </Rule> |
如果用户或管理员属于动态组织,则不会在搜索结果中返回他们。
不过,您可以创建规则以返回动态组织中的用户。通过在 Idm 模式配置对象中定义的 Identity Manager 用户模式定义中添加新属性来更改以下示例规则,导入该对象,然后重新启动 Identity Manager 服务器。
<IDMAttributeConfigurations> ... <IDMAttributeConfiguration name='region' syntax='STRING' description='region of the country'/> </IDMAttributeConfigurations> <IDMObjectClassConfigurations> ... <IDMObjectClassConfiguration name='User' extends='Principal' description='User description'> ... <IDMObjectClassAttributeConfiguration name='region' queryable='true'/> </IDMObjectClassConfiguration> </IDMObjectClassConfigurations> Next, import the following Identity Manager objects: <!-- User member rule that will include all users whose region attribute matches the region organization display name --> <Rule name="Region User Member Rule" authType="UserMembersRule"> <Description>User Member Rule</Description> <list> <new class='com.waveset.object.AttributeCondition'> <s>region</s> <s>equals</s> <ref>userMemberRuleOrganizationDisplayName</ref> </new> </list> <MemberObjectGroups> <ObjectRef type="ObjectGroup" id="#ID#All" name="All"/> </MemberObjectGroups> </Rule> <!-- North & South Region organizations with user member rule assigned --> <ObjectGroup id='#ID#North Region' name='North Region' displayName='North Region'> <UserMembersRule cacheTimeout='3600000'> <ObjectRef type='Rule' name='Region User Member Rule'/> </UserMembersRule> <MemberObjectGroups> <ObjectRef type='ObjectGroup' name='Top' id='#ID#Top'/> </MemberObjectGroups> </ObjectGroup> <ObjectGroup id='#ID#South Region' name='South Region' displayName='South Region'> <UserMembersRule cacheTimeout='3600000'> <ObjectRef type='Rule' name='Region User Member Rule'/> </UserMembersRule> <MemberObjectGroups> <ObjectRef type='ObjectGroup' name='Top' id='#ID#Top'/> </MemberObjectGroups> </ObjectGroup> <!-- Organization containing all employees --> <ObjectGroup id='#ID#Employees' name='Employees' displayName='Employees'> <MemberObjectGroups> <ObjectRef type='ObjectGroup' name='Top' id='#ID#Top'/> </MemberObjectGroups> </ObjectGroup> <!-- End user controlled organization rule that give each user control of the regional organization they are a member of --> <Rule protectedFromDelete='true' authType='EndUserControlledOrganizationsRule' id='#ID#End User Controlled Organizations' name='End User Controlled Organizations' primaryObjectClass='Rule'> <switch> <ref>waveset.attributes.region</ref> <case> <s>North Region</s> <s>North Region</s> </case> <case> <s>South Region</s> <s>South Region</s> </case> <case> <s>East Region</s> <s>East Region</s> </case> <case> <s>West Region</s> <s>West Region</s> </case> </switch> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/> </MemberObjectGroups> </Rule> <!-- 4 employees (2 in North and 2 in South region) --> <User name='emp1' primaryObjectClass='User' asciipassword='1111'> <Attribute name='firstname' type='string' value='Employee'/> <Attribute name='fullname' type='string' value='Employee One'/> <Attribute name='lastname' type='string' value='One'/> <Attribute name='region' type='string' value='North Region'/> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Employees' name='Employees' displayName='Employees'/> </MemberObjectGroups> </User> <User name='emp2' primaryObjectClass='User' asciipassword='1111'> <Attribute name='firstname' type='string' value='Employee'/> <Attribute name='fullname' type='string' value='Employee Two'/> <Attribute name='lastname' type='string' value='Two'/> <Attribute name='region' type='string' value='North Region'/> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Employees' name='Employees' displayName='Employees'/> </MemberObjectGroups> </User> <User name='emp4' primaryObjectClass='User' asciipassword='1111'> <Attribute name='firstname' type='string' value='Employee'/> <Attribute name='fullname' type='string' value='Employee Four'/> <Attribute name='lastname' type='string' value='Four'/> <Attribute name='region' type='string' value='South Region'/> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Employees' name='Employees' displayName='Employees'/> </MemberObjectGroups> </User> <User name='emp5' primaryObjectClass='User' asciipassword='1111'> <Attribute name='firstname' type='string' value='Employee'/> <Attribute name='fullname' type='string' value='Employee Five'/> <Attribute name='lastname' type='string' value='Five'/> <Attribute name='region' type='string' value='South Region'/> <MemberObjectGroups> <ObjectRef type='ObjectGroup' id='#ID#Employees' name='Employees' displayName='Employees'/> </MemberObjectGroups> </User> |
接下来,通过 Identity Manager 最终用户界面以 emp1(位于北部地区)身份登录。选择“委托”->“新建”。将搜索->提供条件更改为开头为,将该值更改为 emp,然后选择“查找”。进行此选择将会在可用用户列表中返回 emp2。
受控组织用户表单。选择分配了此管理员角色的用户在创建或编辑属于此管理员角色受控组织的用户时使用的用户表单。默认情况下,不会选择任何“受控组织用户表单”。
通过管理员角色分配的用户表单将覆盖从该管理员所在组织继承的任何用户表单。不会覆盖直接分配给该管理员的用户表单。