Hi all,
Do you know if there is a way to hide the outstanding user accounts in the Data Explorer page of the new angular web portal?
Thank you
Hi all,
Do you know if there is a way to hide the outstanding user accounts in the Data Explorer page of the new angular web portal?
Thank you
That's an interesting question.
Here are some options to hide outstanding objects in portal.
Option 1: Set 'Show in wizards' option in Designer
This uses an configurable option called 'Show in wizards'.
Designer.exe > One Identity Manager Schema > Proxy > UNSAccount
UNSAccount > Columns > XMarkedForDeletion
Column properties: [v] Show in wizard
All columns that have 'Show in wizards' enabled:
select ColumnName from DialogColumn where IsFilterDesignerEnabled = 1 order by ColumnName
Demo identity has these application roles assigned:
Identity Management\Identities\Administrators
Target systems\Custom target systems
Log in to the portal: Check if the property 'XMarkedForDeletion' is included in the response.
itshop.groot.net/.../columns
If not restart IIS server.
Data administration > Data Explorer > User accounts > Filter icon
Filter Data > Custom Filter
Custom filter
Property: Marked for deletion
Operator: not equal
Value: 2
Apply filter
https://itshop.groot.net/apiserverdev/portal/targetsystem/uns/account?PageSize=20&filter=[{"Expression":{"Expressions":[{"PropertyId":"XMarkedForDeletion","Operator":"<>","LogOperator":0,"Value":2}],"LogOperator":0}}]&search=
Now the issue with the case of 'XMarkedForDeletion' is that it's of type 'int' but used as a bitwise value to store multiple states and conditions of the account.
So when for instance the UNSAccountB all ready had a 'Prohibit modification' on one of it's properties before it was set as outstanding than the 'XMarkedForDeletion' value would be 6.
!!! There seems to be an issue with the filter option for 'User accounts' in the Sidesheet component. Data administration > Data Explorer > Identities > Select an user > Memberships > User accounts. The 'Search' and 'Filter' options don't work for me (v9.2). None of these options get appended to the request url:
itshop.groot.net/.../accounts
I will make an github issue for this.
Option 2: Configure 'API method configuration' in the Administration Portal
In the Administration Portal create a configuration key of type 'API method configuration'
named 'admin_person' with a where clause for filtering
Metho: admin/person = itshop.groot.net/.../person = admin_person
Administration Portal > Configuration: Web Portal (click on: three dots icon)
Create configuration key
Select where to add the configuration key: API method configuration
Enter the API method name, replacing slashes with underscores, for example "itshop_cart".
Name of the new configuration key: admin_person
[Create]
Search: admin_person
Property configuration
API method configuration / shop_serviceitems / Filter condition
Specify a filter condition (WHERE clause). To refer to the identifier of the current user, use the %useruid% variable.
Value: XMarkedForDeletion & 2 = 0
PropertyConfig/MethodConfiguration/shop_serviceitems/WhereClause
[Apply] (*) Apply globally [Apply]
Option 3: Angular: modification in 'tsb\accounts'
An other option is to make a change in the following file of the Angular project.
imxweb/projects/tsb/src/lib/accounts/accounts.component.ts
... import { CollectionLoadParameters, ..., FilterType, CompareOperator} from 'imx-qbm-dbts'; ... this.navigationState = { ...{ PageSize: settingsService.DefaultPageSize, StartIndex: 0 }, ...{ filter: [ { ColumnName: 'XMarkedForDeletion', Type: FilterType.Compare, CompareOp: CompareOperator.BitsNotSet, Value1: 2, }, ], }, }; ...
Now outstanding accounts are hidden for everyone.
":"XMarkedForDeletion","Type":0,"CompareOp":9,"Value1":2}]">itshop.groot.net/.../account
And when you use the 'Search' or 'Filter' options they will get appended.
":"XMarkedForDeletion","Type":0,"CompareOp":9,"Value1":2}]&search=Test">itshop.groot.net/.../account
Same issue with 'User accounts' in the Sidesheet component.
Option 4: Angular: modification in 'qer\identities', 'qer\admin' + Configure 'Program function' in Designer
This option combines the previous option with the a Program function object to make to make hiding Outstanding identities conditional.
I used modifying the 'qer\identities' module in this example instead of 'tsb\accounts' because it requires less modification.
Configure program function
Designer.exe > Permissions > Program functions > [+] Create a new object
Function group: Portal
Program function: CCC_Portal_UI_HideOutstanding
Description: Don't show outstanding objects in data explorer
Designer.exe > Permissions > Permissions groups > Role based permissions group > [+] Create a new object
Permissions group: CCC_4_HideOutstanding
Description: Don't show outstanding objects in data explorer
Program functions: CCC_Portal_UI_HideOutstanding
Manager.exe > One Identity Manager Administration > Custom > [+] Create a new object
Application role: Hide outstanding objects
Description: Don't show outstanding objects in data explorer
Permissions group: CCC_4_HideOutstanding
Assign the application role 'Hide outstanding objects' to the Demo identity.
Extracts from changes in the angular project:
projects\qer\src\lib\admin\qer-permissions-helper.ts
export function isPersonAdmin(features: string[]): boolean { return features.find((item) => item === 'Portal_UI_PersonAdmin') != null; } export function hideOutstanding(features: string[]): boolean { return features.find((item) => item === 'CCC_Portal_UI_HideOutstanding') != null; } imxweb/projects/qer/src/lib/admin/qer-permissions.service.ts import { isCancelPwO, isPasswordHelpdesk, isPersonAdmin, hideOutstanding, ... } from './qer-permissions-helper'; ... export class QerPermissionsService { constructor(private readonly userService: UserModelService) {} public async isPersonAdmin(): Promise<boolean> { return isPersonAdmin((await this.userService.getFeatures()).Features); } public async hideOutstanding(): Promise<boolean> { return hideOutstanding((await this.userService.getFeatures()).Features); } ...
... import { CollectionLoadParameters, ..., FilterType, CompareOperator } from 'imx-qbm-dbts'; ... public isPersonAdmin: boolean; public hideOutstanding: boolean; ... this.isPersonAdmin = await qerPermissionService.isPersonAdmin(); this.hideOutstanding = await qerPermissionService.hideOutstanding(); //console.log('hideOutstanding = ' + this.hideOutstanding); ... if (this.hideOutstanding) { this.navigationState = { ...{ PageSize: settingsService.DefaultPageSize, StartIndex: 0 }, ...{ filter: [ { ColumnName: 'XMarkedForDeletion', Type: FilterType.Compare, CompareOp: CompareOperator.BitsNotSet, Value1: 2, }, ], }, }; }
https://itshop.groot.net/apiserverdev/portal/features
Response now contains: ...,"CCC_Portal_UI_HideOutstanding",...
Option 5: Configure custom permission group
This last option is not really an option for this use case, but just to provide a complete overview of possible solutions.
So you see Outstanding objects in the first place because you have database permissions.
Via The base roles every user gets 'Everyone (Lookup)\VI_4_ALLUSER_LOOKUP' this group gives you view permissions in the person table.
There is a viewing condition defined for this group on the table person : IsInActive = 0. For your use case you would want the viewing condition on the person table to be:
IsInActive = 0 AND XMarkedForDeletion & 2 = 0
But since all the default permission groups have some kind of view permission on the person table you will have to create a copy of the OOTB groups and create your custom permission group model based on the OOTB configuation plus your own customizations. But this would have major impact on OOTB configuration and is difficult to maintain (updates/hotfixes have to be closely tracked and tested). If you have issues and want support from Quest you will probably have to rollback to the default permission group configuration.
Regards,
Niels
Hi Niels,
First of all, thank you very much for your response. I'd like to provide more information about my scenario: I am in a cloud environment (IMODSE), and the installed version is 9.1.
I don't see the option to create custom filters within the web portal. The customer we are working with has requested the ability to hide the outstanding user accounts from the "data administration" section but still wants to see them in the tools (manager and object browser).
After several attempts via the administration portal, I tried creating a "Configuration Key" of type "Filters for object selection." Since I don't see any changes, I'm having trouble understanding if I'm configuring it incorrectly or if there is some other error.
Regards,
Francesco
Hello Francesco,
This is used only for candidate filtering.
So when you add an identities to a business role, this configuration filters the list of possible candidates you can add.
Filters for object selection = Filters for candidate selection
Filters for object selection by table = Filters for candidate selection by table