PhenixID

PSD1156 – Include/Exclude OUs in Main view. DN_Filter.

Summary

This PhenixID Solution Document (PSD) is written for PhenixID Identity Manager (IM) 5.5 or later.

With this filter you can include or exclude any OUs with a specific name when doing predefined searches or browsing an LDAP structure.
This filter is only available for views based on the Main view.
For more about configuring views, see PSD1103.

Overview

There is an old way and a new way of writing arguments for what to include or exclude. From IM 5.5 or later we recommend using the new way.
There are a couple of policies to configure, depending on how you want to use this. Configuration is done in DSEditor.properties. You can configure the policy for a specific role or for the entire web app.
Configuration is explained below using a number of use cases.
The three policies available for this are:

  • DN_FILTER_ADVANCED=true/false
    Set the value to true to use the new way and false to use the old way.
    Default is true.
  • DN_FILTER=
    The filter affects both predefined searches and objects in browse. If you use this policy it also affects the forms when editing objects. For example, when editing a user and adding it to a group, only groups that are allowed by DN_FILTER will be available.
  • DN_FILTER_BROWSE=
    The filter only affects browse, NOT predefined searches or editing objects.
    For example, you want to prevent users from seeing and clicking/browsing OUs called Limbo (they might contain many users), but you still want a predefined search that searches in the Limbo OU.

Configuration (DN_FILTER_ADVANCED=true)

This is the recommended way to configure the filter, and the one we will continue to develop if updates are needed.

The use cases below map to the following example OU structure:

The use cases have the following entry point in nodes.json:
"dn": "OU=DN_Filter,OU=Test,DC=demo,DC=phenixid,DC=net"
For more information about nodes.json, please read PSD1103.

Use case 1

Show all OUs under DN_Filter except OUs called Sweden.
DN_FILTER=((*OU=DN_Filter*)&&(!*OU=Sweden*))
For Browse/nodes you can see the result below: the Sweden OU is not available. If we had a predefined search, there would be no Swedish users in the result set.

Use case 2

Show only OUs called Users in Denmark or Users in Finland.
There are often different ways to write a filter. Below are two different ways to accomplish use case 2.

Example 1
DN_FILTER=((OU=DN_Filter*)||(OU=Denmark*)||(*OU=Users,OU=Denmark*)||(OU=Finland*)||(*OU=Users,OU=Finland*))

Example 2
DN_FILTER=((OU=DN_Filter)||(OU=Denmark)||(OU=Finland)||(OU=Users*))

Below is the result of use case 2:

Use case 3

Show all OUs under DN_Filter, but not if an OU is called Limbo.
DN_FILTER=((*OU=DN_Filter*)&&(!*Limbo*))
Below is the result of use case 3:

Use case 4

Show all OUs under DN_Filter, but not if an OU is called Limbo. Predefined searches, however, are still allowed to search the Limbo folders. Note: we are using DN_FILTER_BROWSE, which only affects Browse.
DN_FILTER_BROWSE=((*OU=DN_Filter*)&&(!*Limbo*))
Below is the result of use case 4:

Use case 5

Three nodes are added with different display names, and any OU called Limbo should not be allowed.
DN_FILTER=((*OU=DN_Filter*)&&(!*Limbo*))
Below is the result of use case 5:

Note: The nodes.json file was configured like this:

{
    "entryPoints": [
        {
            "dn": "OU=Denmark,OU=DN_Filter,OU=IM_Devlopment,DC=demo,DC=phenixid,DC=net",
            "displayName": "Dannish users"
        },
        {
            "dn": "OU=Finland,OU=DN_Filter,OU=IM_Devlopment,DC=demo,DC=phenixid,DC=net",
            "displayName": "Finnish users"
        },
        {
            "dn": "OU=Sweden,OU=DN_Filter,OU=IM_Devlopment,DC=demo,DC=phenixid,DC=net",
            "displayName": "Swedish users"
        }
    ]
}
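The following is an added example, not PhenixID's own code: a small evaluator for the DN_FILTER_ADVANCED=true syntax used in use cases 1 to 5, so a filter can be checked against sample DNs before it is deployed, and so the difference between DN_FILTER and DN_FILTER_BROWSE (use case 4: browse hides Limbo, predefined search still reaches it) can be seen per DN. The matching rule is an assumption, since this document does not define it: each term such as *OU=Sweden* is glob-matched case-insensitively against the object's full DN, && binds tighter than ||, and when both policies are set, browse requires both to allow the DN; the sample DNs are constructed under the entry point shown above.

```python
"""Evaluate PhenixID IM DN_FILTER values (DN_FILTER_ADVANCED=true syntax).
Assumed, not stated by the PSD: each term (e.g. *OU=Sweden*) is glob-matched
case-insensitively against the full DN; && binds tighter than ||."""
import fnmatch
import re

_TOKEN = re.compile(r"\(|\)|!|&&|\|\||[^()!&|]+")  # operators or a glob pattern


def _parse(toks):
    # Grammar: or = and ('||' and)*; and = term ('&&' term)*;
    # term = '(' or ')' | '!' term | glob. Each rule returns a dn -> bool.
    def term():
        tok = toks.pop(0)
        if tok == "(":
            inner = chain(and_expr, "||", any)
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return inner
        if tok == "!":
            inner = term()
            return lambda dn: not inner(dn)
        if tok in (")", "&&", "||"):
            raise ValueError(f"unexpected {tok!r}")
        return lambda dn: fnmatch.fnmatchcase(dn.lower(), tok.lower())
    def chain(sub, op, combine):
        parts = [sub()]
        while toks and toks[0] == op:
            toks.pop(0)
            parts.append(sub())
        return lambda dn: combine(p(dn) for p in parts)
    def and_expr():
        return chain(term, "&&", all)
    return chain(and_expr, "||", any)


def compile_filter(text):
    """Compile a DN_FILTER/DN_FILTER_BROWSE value into a callable dn -> bool."""
    toks = [t for t in (t.strip() for t in _TOKEN.findall(text)) if t]
    fn = _parse(toks)
    if toks:
        raise ValueError("unbalanced parentheses")
    return fn


def visibility(props, dn):
    """Where dn shows up for DSEditor.properties-style settings: DN_FILTER limits
    browse, predefined search and edit forms; DN_FILTER_BROWSE limits browse only."""
    def allowed(key):  # a policy that is not set allows everything (assumption)
        return compile_filter(props[key])(dn) if props.get(key) else True
    everywhere, in_browse = allowed("DN_FILTER"), allowed("DN_FILTER_BROWSE")
    return {"browse": everywhere and in_browse, "search": everywhere, "edit": everywhere}
```

Call compile_filter(value)(dn) to check one DN against one filter, or visibility({"DN_FILTER": ..., "DN_FILTER_BROWSE": ...}, dn) to see which contexts still expose the DN.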

Configuration (DN_FILTER_ADVANCED=false)

In earlier PIM versions there was another way to write arguments for DN_FILTER. That method is not as capable as the method described above, but support for it is kept for backward compatibility.

Use case 1

You want to exclude Limbo from any predefined search and from anywhere in browse. Limbo can be, for example, an OU or a user object.

DN_FILTER=!contains(Limbo)

!contains excludes the value.
(If you remove the !, contains includes only the value.)

Use case 2

You want to exclude two OUs, one called Limbo and one called Inactive, from any predefined search and from anywhere in browse. The two OUs can be located in several places in your OU structure.

DN_FILTER=!contains(Limbo)$$!contains(ou=Inactive)

$$ separates several values.

Use case 3

You want to make sure you only exclude OUs, and not, for example, a user called Limbo anywhere in the LDAP structure. You also want to exclude an OU called ou=Inactive,DC=test,DC=local.

DN_FILTER=!contains(ou=Limbo)$$!contains(ou=Inactive,DC=test,DC=local)

Use case 4

You want to exclude Limbo in browse but not when doing a predefined search. Limbo can be, for example, an OU or a user object.

DN_FILTER_BROWSE=!contains(Limbo)

Misc

DN_FILTER also supports the patterns startsWith(pattern) and endsWith(pattern).


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se