PhenixID

PSD1152 – Manage objects based on attributes from other objects

Summary

This PhenixID Solution Document (PSD) is written for PhenixID Identity Manager (IM) 5.4.1 or later.
This filter performs a linked search within a predefined search: a pre-search collects attribute values from other objects, and those values are then used in the main search.
The filter can be used in several use cases. This PSD uses one use case to describe it.

System Requirements

  • PhenixID Identity Manager 5.4.1
  • PhenixID Identity Manager 6.0.4 (for extended Search base support)

Use Case

You want some users to manage other users based on which department they belong to. The managing responsibility can also cover more than one department.
For example:
You want some users to manage users with department=Dep1 and department=Dep2, and other users to manage users with department=Dep3 and department=Dep4. For this example two groups are created, Manage_Dep1and2 and Manage_Dep3and4.
The idea is for a user to log in, click search, and see the users he/she is admin for.

Screenshots of use case

  • First picture. This is the view of the user with managing rights. The user can manage all users with Dep1 or Dep2.
  • Second picture. These are two example groups for the use case.
  • Third picture. These are the users with different department values.

Download

Download and extract PSD1152.zip for the filter.
Download an example predefined search for the use case used in this PSD, click LINK to download.

Add filter to IM Web

Place the file LinkedLDAPQueryPDSearchFilter.class in
[IM root folder]/customer/extension/class/psd
If the /psd folder does not exist, then create one.

Add filter to IM Configurator

To be able to add the filter to a search using IM Configurator, you should also place a copy of the file in
[IM Configurator root folder]/ext/class/psd
If the /psd folder does not exist, then create one.

Add the filter to the predefined search

  1. Open IM Configurator
  2. Open or create a Predefined search. You can also use the example predefined search available for this PSD.
  3. Click ToolsTab External Filters
  4. Add filter name psd.LinkedLDAPQueryPDSearchFilter
  5. Click OK

Configure the search and filter

The filter is configured by adding text fields to the search form and giving them a default value. The text fields should be made Hidden and Display Only so that they are not part of the main search.

Mandatory controls and configuration

preSearchFilter
1. Add a text field control to the search
2. Type preSearchFilter in Attribute name: and Title:
3. In Default Value: add (for this use case) the value member=MyDN.
This will create a list of all groups that the user logging in is a member of.

preSearchAttributes
1. Add a text field control to the search
2. Type preSearchAttributes in Attribute name: and Title:
3. In Default Value: add (for this use case) the value extensionName.
extensionName is used (in this use case) to hold the different department values of the groups.

Optional controls and configuration

preSearchBase
Enter the search base for the pre-search. If this field is left out, the search base from the main search will be used.

preSearchScope
Enter the search scope for the pre-search. If this field is left out, the search scope from the main search will be used.

Configure the search filter

  1. Open IM Configurator and your predefined search
  2. Click ToolsTab Properties
  3. Add in Optional SearchFilter the filter for this use case:
    1. (&(objectclass=person)(department=[extensionName]))
      This is already added if you use the filter available in this PSD.
  4. Verify that Search base matches your environment.
    The use of [] in Search base is supported from PIM version 6.0.4, for example:
    OU=[extensionName],DC=company,DC=SE

Configure the example objects for this use case

User objects that will be managed

Make sure you have a number of users created for this use case. Set the department attribute of each user to the value Dep1, Dep2, Dep3 or Dep4, respectively.

Configuration on the admin groups

In this scenario I have two groups, Manage_Dep1and2 and Manage_Dep3and4. Create the example groups.

  • On Manage_Dep1and2 add the attribute extensionName twice, with the values Dep1 and Dep2, respectively. The attribute must be a multi-value attribute to hold more than one value. In this use case we have two values.
  • On Manage_Dep3and4 add the attribute extensionName twice, with the values Dep3 and Dep4, respectively.

Test of use case

  • Add a user account to Manage_Dep1and2.
  • Add the predefined search to an IM role and make sure your test user can log in using this role.
  • Click your configured predefined search and you should see all users belonging to department Dep1 or Dep2.
  • Add the test user to the other group (Manage_Dep3and4) and you should now also see the Dep3 and Dep4 users.
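
The following is an added example, not part of the PSD and not PhenixID code: an in-memory model of the linked search that reproduces the test above and shows the LDAP filter each user ends up with. It assumes the main filter is evaluated once per pre-search value and the results are OR-ed; the user DNs, the escaping step and the match-nothing fallback are choices of this example.

```python
# Added illustration, not PhenixID code: an in-memory model of the linked search.
# Assumption: the main filter is evaluated once per pre-search value and OR-ed.

MATCH_NOTHING = "(!(objectClass=*))"  # used when the pre-search returns no values

# Constructed sample groups mirroring the example groups in this PSD.
GROUPS = [
    {"cn": "Manage_Dep1and2", "extensionName": ["Dep1", "Dep2"],
     "member": ["CN=alice,OU=Users,DC=company,DC=SE"]},
    {"cn": "Manage_Dep3and4", "extensionName": ["Dep3", "Dep4"],
     "member": []},
]

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a value stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def pre_search(groups, my_dn, attribute="extensionName"):
    """Model of preSearchFilter member=MyDN returning preSearchAttributes values."""
    values = []
    for group in groups:
        # Simplified DN match: case-insensitive string comparison.
        if any(m.lower() == my_dn.lower() for m in group["member"]):
            for v in group.get(attribute, []):
                if v not in values:
                    values.append(v)
    return values

def linked_filter(template, attribute, values):
    """Substitute each value for [attribute] in the main filter and OR the results."""
    if not values:
        return MATCH_NOTHING  # fail closed: no group membership, no results
    token = "[%s]" % attribute
    parts = [template.replace(token, escape_filter_value(v)) for v in values]
    return parts[0] if len(parts) == 1 else "(|%s)" % "".join(parts)

def search_filter_for(user_dn, groups=GROUPS):
    """Run the pre-search for user_dn and return the resulting main search filter."""
    template = "(&(objectclass=person)(department=[extensionName]))"
    return linked_filter(template, "extensionName", pre_search(groups, user_dn))

if __name__ == "__main__":
    print(search_filter_for("CN=alice,OU=Users,DC=company,DC=SE"))
    print(search_filter_for("CN=bob,OU=Users,DC=company,DC=SE"))
```

Because the extensionName values end up inside the main search filter, write access to that attribute and to the membership of the Manage_ groups determines who can manage whom, so both are worth restricting and auditing.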

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se