PhenixID

PSD1123 – MyUsersFilter for Identity Manager

Summary

This PhenixID Solution Document (PSD) is written for PhenixID Identity Manager (IM) 5.2.1 and above.

This filter restricts the search result to users who are members of groups that are linked to the logged-in user’s admin group.

An example of usage is a school with multiple classes in the same grade. Each class has a group containing the students, and all the teachers for the classes in the same grade should be able to view the students in all the classes. A teacher group is therefore created, with the teachers as members, and the teacher group is linked to the student class groups.

System Requirements

  • PhenixID Identity Manager 5.2.1

Add the filter to the search

  1. Open or create a Predefined search
  2. Click ToolsTab External Filters
  3. Add filter name filter.MyUsersFilter
  4. Click OK

Configure policies

The filter is configured by a set of policies. A couple of policies configure the administrator group(s), i.e. the group(s) in which the logged-in user should be a member, and a couple of corresponding policies configure the user group(s), i.e. the group(s) whose member list is used for filtering the search result.

filter_MyUsersFilter_ADMIN_GROUP_MEMBER_ATTRIBUTE
This policy sets the attribute on the logged-in user that is used for group membership. Default: memberOf.

filter_MyUsersFilter_ADMIN_GROUP_SEARCH_ATTRIBUTE
This policy sets the attribute in the administrator group that is used for linking the admin group to the user group(s). Default: description.

filter_MyUsersFilter_ADMIN_GROUP_EXTRACT_ONE_LEVEL
This policy can be set to true or false. If set to true, a search will be made for each group the logged-in user is a member of, to see if that group is a member of another group, and the parent group’s search attribute value is then added to the list of linked user group values. Default: false.

filter_MyUsersFilter_USER_GROUP_MEMBER_ATTRIBUTE
This policy sets the attribute in the user group that is used for the member list. Default: member.

filter_MyUsersFilter_USER_GROUP_SEARCH_ATTRIBUTE
This policy sets which attribute in the user group holds the value that is used in the admin group’s search attribute. Default: cn.

filter_MyUsersFilter_USER_GROUP_EXTRACT_ONE_LEVEL
This policy can be set to true or false. If set to true, a search will be made for each member in the user group to see if the member is a group object. When a group object is found, all the members in that group will be added to the list of qualified users. Default: false.

filter_MyUsersFilter_GROUP_OBJECTCLASS
This policy sets the object class for group objects. The value is only used when extracting the user groups one level. Default: group.

filter_MyUsersFilter_SEARCH_BASE
The search base to use when searching for the user groups. No default, i.e. this policy must be configured when using the filter.
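
The following is an added example, not PhenixID code: a small Python model of how the policies above combine to decide which users a logged-in administrator can see, useful for reviewing what each extract-one-level setting exposes. The directory entries, the visible_users function and the rule that parent groups are read from the membership attribute are assumptions made for the illustration.

```python
# Added illustration, not PhenixID code. Directory entries are constructed.
BASE = "ou=school,dc=example,dc=test"
dn = lambda cn: f"cn={cn},{BASE}"
group = lambda cn, **attrs: {"objectClass": ["group"], "cn": [cn], **attrs}
DIRECTORY = {
    dn("teacher1"): {"memberOf": [dn("grade7-teachers")]},
    dn("grade7-teachers"): group("grade7-teachers", memberOf=[dn("all-teachers")],
                                 description=["class-7a", "class-7b"]),
    dn("all-teachers"): group("all-teachers", description=["class-8a"]),
    dn("class-7a"): group("class-7a", member=[dn("alice"), dn("7a-extra")]),
    dn("7a-extra"): group("7a-extra", member=[dn("carol")]),
    dn("class-7b"): group("class-7b", member=[dn("bob")]),
    dn("class-8a"): group("class-8a", member=[dn("dave")]),
}
DEFAULTS = {  # documented defaults (prefix filter_MyUsersFilter_ dropped)
    "ADMIN_GROUP_MEMBER_ATTRIBUTE": "memberOf",
    "ADMIN_GROUP_SEARCH_ATTRIBUTE": "description",
    "ADMIN_GROUP_EXTRACT_ONE_LEVEL": False,
    "USER_GROUP_MEMBER_ATTRIBUTE": "member",
    "USER_GROUP_SEARCH_ATTRIBUTE": "cn",
    "USER_GROUP_EXTRACT_ONE_LEVEL": False,
    "GROUP_OBJECTCLASS": "group",
    "SEARCH_BASE": None,  # no default: must be configured
}

def visible_users(directory, admin_dn, **overrides):
    """Return the DNs the filter would let admin_dn see, under this model."""
    p = {**DEFAULTS, **overrides}
    if not p["SEARCH_BASE"]:
        raise ValueError("filter_MyUsersFilter_SEARCH_BASE must be configured")
    get = lambda entry_dn, attr: directory.get(entry_dn, {}).get(attr, [])
    links = set()  # values that link admin groups to user groups
    for g in get(admin_dn, p["ADMIN_GROUP_MEMBER_ATTRIBUTE"]):
        links.update(get(g, p["ADMIN_GROUP_SEARCH_ATTRIBUTE"]))
        if p["ADMIN_GROUP_EXTRACT_ONE_LEVEL"]:
            # Assumption: parent groups are read from the same membership attribute.
            for parent in get(g, p["ADMIN_GROUP_MEMBER_ATTRIBUTE"]):
                links.update(get(parent, p["ADMIN_GROUP_SEARCH_ATTRIBUTE"]))
    qualified = set()
    for entry_dn, entry in directory.items():
        in_base = entry_dn.lower().endswith(p["SEARCH_BASE"].lower())
        if not in_base or not links & set(entry.get(p["USER_GROUP_SEARCH_ATTRIBUTE"], [])):
            continue
        for m in entry.get(p["USER_GROUP_MEMBER_ATTRIBUTE"], []):
            qualified.add(m)  # direct members always qualify
            if p["USER_GROUP_EXTRACT_ONE_LEVEL"] and p["GROUP_OBJECTCLASS"] in get(m, "objectClass"):
                qualified.update(get(m, p["USER_GROUP_MEMBER_ATTRIBUTE"]))
    return qualified
```

In this model, turning on either extract-one-level policy only ever widens the set of visible users, so both settings are worth checking against the intended delegation before they are enabled.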

 

 


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se