Resolution
Question:
We would like to exclude inactive Access Governance Suite identities from appearing in most of the UI select lists, for example:
- Certification owner
- Forwarding of a certification
Answer:
Filters for Identity Select Lists are maintained in the Configuration (type) object named "IdentitySelectorConfiguration".
The first thing we need to do is create a new filter inside the identityFilters map of this "IdentitySelectorConfiguration" object.
One needs to think of the filter in terms of what will be shown in the select lists.
We only want to show active users, so we'll name this filter "Active" and the filter logic below makes sure the inactive Identity attribute is not set:
<entry key="Active">
<value>
<IdentityFilter name="Active" order="Ascending">
<FilterSrc>
<FilterSource>
<BasicFilter>
<Filter operation="EQ" property="inactive">
<Value>
<Boolean></Boolean>
</Value>
</Filter>
</BasicFilter>
</FilterSource>
</FilterSrc>
<OrderBy>
<String>firstname</String>
</OrderBy>
</IdentityFilter>
</value>
</entry>
Once we have our "Active" identity filter properly configured, we need to decide how best to apply this filter to the various identityIQ select lists.
If you look at the entire "IdentitySelectorConfiguration" object, you will notice there are several filters already pre-configured. Since we are mostly concerned with certification based select lists, these tend to be assigned the "Owner" filter:
<entry key="Owner">
<value>
<IdentityFilter name="Owner" order="Ascending">
<IncludedFilterReferences>
<String>IncludeWorkGroups</String>
</IncludedFilterReferences>
<OrderBy>
<String>firstname</String>
</OrderBy>
</IdentityFilter>
</value>
</entry>
I can choose to modify the "Owner" filter and include a reference to my "Active" filter like so:
<entry key="Owner">
<value>
<IdentityFilter name="Owner" order="Ascending">
<IncludedFilterReferences>
<String>IncludeWorkGroups</String>
<String>Active</String>
</IncludedFilterReferences>
<OrderBy>
<String>firstname</String>
</OrderBy>
</IdentityFilter>
</value>
</entry>
Note: Any changes made to this Configuration object will not be visible in the UI until you either:
- Restart the application server
or - Click on the "Reset Configuration Caches" button via the debug pages
If any Identity object has the following attribute set to true, then they will no longer appear in any UI select list that utilizes the "Owner" filter:
<entry key="inactive" value="true"/>
There may be occasion where you wish to override or change a specific select list filter.
If I go to the Analyze->Advanced Analytics page, "Access Review Search" sub-tab, my inactive user no longer appears in the "Certifier" select list. Because of this, I am unable to search for any historical certifications that this inactive user might have certified while it was active.
The first thing I need to do here is determine the "ID" for this particular select list. The easiest way to do that is to use Firebug (Firefox add-on), in combination with the Firefox web browser. If you are not familiar with Firebug and Firefox, both can be freely downloaded from the web. If you don't have access to these tools, you will most likely need some type of expert services assistance.
To obtain the "ID" for this particular select list, do the following:
- Startup Firefox with Firebug enabled and opened.
- Navigate to the identityIQ page listed above and click on the "Certifier" select list.
- Click on the "plus" sign above to examine the "Post http:......." entry created when clicking on the Certifier select list.
- When expanded, click on the "Post" sub-tab that appears.
- There are several things to notice here:
- The "context" is Owner. This is the name of the filter currently in use for this select list.
- The "ID" for this particular select list is certifierSuggestCmp.
Once we have the select list "ID", we can override this select list filter inside the "IdentitySelectorConfiguration" object like so:
<entry key="certifierSuggestCmp">
<value>
<IdentityFilter name="certifierSuggestCmp" order="Ascending">
<IncludedFilterReferences>
<String>IncludeWorkGroups</String>
</IncludedFilterReferences>
<OrderBy>
<String>firstname</String>
</OrderBy>
</IdentityFilter>
</value>
</entry>
Notice the key and name for this filter reference the actual ID of the select list: certifierSuggestCmp.
Since the original filter named "Owner" only included a reference to the "IncludeWorkGroups" filter, I simply use that filter here to allow my inactive Identity to appear.
Do not forget to click on the "Reset Configuration Caches" button via the debug pages to see these changes.
Simply repeat the above Firebug process to override any other desired select lists.
Note: When making a change to a default filter like "Owner" one must perform a complete examination of the identityIQ UI, to ensure that all Identity select lists display the desired information for your corporate needs.