Hide the outstanding user accounts from Data Explorer on the angular web portal

Hi all,

Do you know if there is a way to hide the outstanding user accounts in the Data Explorer page of the new angular web portal? 

Thank you

  • That's an interesting question.
    Here are some options to hide outstanding objects in portal.

    Option 1: Set 'Show in wizards' option in Designer
    This uses a configurable option called 'Show in wizards'.
    Designer.exe > One Identity Manager Schema > Proxy > UNSAccount
    UNSAccount > Columns > XMarkedForDeletion
    Column properties: [v] Show in wizard

    All columns that have 'Show in wizards' enabled:

    select ColumnName from DialogColumn where IsFilterDesignerEnabled = 1 order by ColumnName

    Demo identity has these application roles assigned:
    Identity Management\Identities\Administrators
    Target systems\Custom target systems

    Log in to the portal: Check if the property 'XMarkedForDeletion' is included in the response.

    itshop.groot.net/.../columns
    If not, restart the IIS server.

    Data administration > Data Explorer > User accounts > Filter icon
    Filter Data > Custom Filter

    Custom filter
    Property: Marked for deletion
    Operator: not equal
    Value: 2
    Apply filter

    https://itshop.groot.net/apiserverdev/portal/targetsystem/uns/account?PageSize=20&filter=[{"Expression":{"Expressions":[{"PropertyId":"XMarkedForDeletion","Operator":"<>","LogOperator":0,"Value":2}],"LogOperator":0}}]&search=

    Now the issue with the case of 'XMarkedForDeletion' is that it's of type 'int' but used as a bitwise value to store multiple states and conditions of the account.
    So when, for instance, the UNSAccountB already had a 'Prohibit modification' on one of its properties before it was set as outstanding, then the 'XMarkedForDeletion' value would be 6.

    !!! There seems to be an issue with the filter option for 'User accounts' in the Sidesheet component. Data administration > Data Explorer > Identities > Select a user > Memberships > User accounts. The 'Search' and 'Filter' options don't work for me (v9.2). None of these options get appended to the request URL:

    itshop.groot.net/.../accounts
    I will make a GitHub issue for this.

    Option 2: Configure 'API method configuration' in the Administration Portal

    In the Administration Portal create a configuration key of type 'API method configuration'
    named 'admin_person' with a where clause for filtering

    Method: admin/person = itshop.groot.net/.../person = admin_person

    Administration Portal > Configuration: Web Portal (click on: three dots icon)
    Create configuration key
    Select where to add the configuration key: API method configuration
    Enter the API method name, replacing slashes with underscores, for example "itshop_cart".
    Name of the new configuration key: admin_person
    [Create]

    Search: admin_person

    Property configuration
    API method configuration / shop_serviceitems / Filter condition
    Specify a filter condition (WHERE clause). To refer to the identifier of the current user, use the %useruid% variable.
    Value: XMarkedForDeletion & 2 = 0
    PropertyConfig/MethodConfiguration/shop_serviceitems/WhereClause
    [Apply] (*) Apply globally [Apply]

     
    Option 3: Angular: modification in 'tsb\accounts'
    Another option is to make a change in the following file of the Angular project.
    imxweb/projects/tsb/src/lib/accounts/accounts.component.ts

    ...
    import { CollectionLoadParameters, ..., FilterType, CompareOperator} from 'imx-qbm-dbts';
    ...
    this.navigationState = {
      ...{ PageSize: settingsService.DefaultPageSize, StartIndex: 0 },
      ...{
        filter: [
          {
            ColumnName: 'XMarkedForDeletion',
            Type: FilterType.Compare,
            CompareOp: CompareOperator.BitsNotSet,
            Value1: 2,
          },
        ],
      },
    };
    ...

    Now outstanding accounts are hidden for everyone.

    itshop.groot.net/.../account?...":"XMarkedForDeletion","Type":0,"CompareOp":9,"Value1":2}]

    And when you use the 'Search' or 'Filter' options they will get appended.

    itshop.groot.net/.../account?...":"XMarkedForDeletion","Type":0,"CompareOp":9,"Value1":2}]&search=Test

    Same issue with 'User accounts' in the Sidesheet component.

    Option 4: Angular: modification in 'qer\identities', 'qer\admin' + Configure 'Program function' in Designer
    This option combines the previous option with a Program function object to make hiding Outstanding identities conditional.
    I modified the 'qer\identities' module in this example instead of 'tsb\accounts' because it requires less modification.
    Configure program function
    Designer.exe > Permissions > Program functions > [+] Create a new object

    Function group: Portal
    Program function: CCC_Portal_UI_HideOutstanding
    Description: Don't show outstanding objects in data explorer

    Designer.exe > Permissions > Permissions groups > Role based permissions group > [+] Create a new object

    Permissions group: CCC_4_HideOutstanding
    Description: Don't show outstanding objects in data explorer
    Program functions: CCC_Portal_UI_HideOutstanding

    Manager.exe > One Identity Manager Administration > Custom > [+] Create a new object

    Application role: Hide outstanding objects
    Description: Don't show outstanding objects in data explorer
    Permissions group: CCC_4_HideOutstanding

    Assign the application role 'Hide outstanding objects' to the Demo identity.

    Extracts from changes in the angular project:

    projects\qer\src\lib\admin\qer-permissions-helper.ts

    export function isPersonAdmin(features: string[]): boolean {
      return features.find((item) => item === 'Portal_UI_PersonAdmin') != null;
    }
    export function hideOutstanding(features: string[]): boolean {
      return features.find((item) => item === 'CCC_Portal_UI_HideOutstanding') != null;
    }

    imxweb/projects/qer/src/lib/admin/qer-permissions.service.ts

    import {
      isCancelPwO,
      isPasswordHelpdesk,
      isPersonAdmin,
      hideOutstanding,
      ...
    } from './qer-permissions-helper';
    ...
    export class QerPermissionsService {
      constructor(private readonly userService: UserModelService) {}

      public async isPersonAdmin(): Promise<boolean> {
        return isPersonAdmin((await this.userService.getFeatures()).Features);
      }
      public async hideOutstanding(): Promise<boolean> {
        return hideOutstanding((await this.userService.getFeatures()).Features);
      }
      ...

    projects\qer\src\lib\identities\identities.component.ts

    ...
    import { CollectionLoadParameters, ..., FilterType, CompareOperator } from 'imx-qbm-dbts';
    ...
    public isPersonAdmin: boolean;
    public hideOutstanding: boolean;
    ...
    this.isPersonAdmin = await qerPermissionService.isPersonAdmin();
    this.hideOutstanding = await qerPermissionService.hideOutstanding();
    //console.log('hideOutstanding = ' + this.hideOutstanding);
    ...
    if (this.hideOutstanding) {
      this.navigationState = {
        ...{ PageSize: settingsService.DefaultPageSize, StartIndex: 0 },
        ...{
          filter: [
            {
              ColumnName: 'XMarkedForDeletion',
              Type: FilterType.Compare,
              CompareOp: CompareOperator.BitsNotSet,
              Value1: 2,
            },
          ],
        },
      };
    }

    Log in to the portal with Demo identity and check if the modification works:

    https://itshop.groot.net/apiserverdev/portal/features
    Response now contains: ...,"CCC_Portal_UI_HideOutstanding",...

    Option 5: Configure custom permission group
    This last option is not really an option for this use case, but just to provide a complete overview of possible solutions.
    So you see Outstanding objects in the first place because you have database permissions.
    Via the base roles every user gets 'Everyone (Lookup)\VI_4_ALLUSER_LOOKUP'; this group gives you view permissions in the person table.
    There is a viewing condition defined for this group on the table person: IsInActive = 0. For your use case you would want the viewing condition on the person table to be:
    IsInActive = 0 AND XMarkedForDeletion & 2 = 0
    But since all the default permission groups have some kind of view permission on the person table, you will have to create a copy of the OOTB groups and create your custom permission group model based on the OOTB configuration plus your own customizations. But this would have major impact on OOTB configuration and is difficult to maintain (updates/hotfixes have to be closely tracked and tested). If you have issues and want support from Quest, you will probably have to roll back to the default permission group configuration.

    Regards,
    Niels
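
The difference between the integer comparison in Option 1 and the bit test in Options 2 to 4, as an added example that is not part of the original post or of the imxweb project. The account names and the value 4 are constructed assumptions; 2, 6, `Type: 0` and `CompareOp: 9` are the values shown in the post.

```typescript
// Added example: sample rows are constructed. 6 is the value the post gives
// for an outstanding account that also carries 'Prohibit modification'.
interface AccountRow {
  name: string;
  XMarkedForDeletion: number; // int column used as a bit field
}

const OUTSTANDING_BIT = 2; // the bit both filters in the post test for

const sampleAccounts: AccountRow[] = [
  { name: 'acct-clean', XMarkedForDeletion: 0 },
  { name: 'acct-outstanding', XMarkedForDeletion: 2 },
  { name: 'acct-other-flag', XMarkedForDeletion: 4 }, // assumed: 6 = 4 | 2
  { name: 'acct-outstanding-and-flag', XMarkedForDeletion: 6 },
];

// Option 1's custom filter: Operator "<>", Value 2 (plain integer compare).
function filterNotEqual(rows: AccountRow[], value: number): AccountRow[] {
  return rows.filter((r) => r.XMarkedForDeletion !== value);
}

// Options 2-4: "XMarkedForDeletion & 2 = 0" / CompareOperator.BitsNotSet.
function filterBitsNotSet(rows: AccountRow[], mask: number): AccountRow[] {
  return rows.filter((r) => (r.XMarkedForDeletion & mask) === 0);
}

// Rows the integer compare lets through although the outstanding bit is set.
function missedByNotEqual(rows: AccountRow[], mask: number): string[] {
  return filterNotEqual(rows, mask)
    .filter((r) => (r.XMarkedForDeletion & mask) !== 0)
    .map((r) => r.name);
}

// Filter in the shape the modified component sends; Type 0 and CompareOp 9
// are the numbers visible in the request URL quoted in the post.
function buildHideOutstandingFilter(): string {
  return JSON.stringify([
    { ColumnName: 'XMarkedForDeletion', Type: 0, CompareOp: 9, Value1: OUTSTANDING_BIT },
  ]);
}

console.log(missedByNotEqual(sampleAccounts, OUTSTANDING_BIT));
```

The filter that Options 3 and 4 add is a parameter of the client's request, so it controls what the portal displays rather than what the API will return. The where clause in Option 2 and the viewing condition in Option 5 are applied on the server side.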

  • Hi Niels,

     

    First of all, thank you very much for your response. I'd like to provide more information about my scenario: I am in a cloud environment (IMODSE), and the installed version is 9.1. 

    I don't see the option to create custom filters within the web portal. The customer we are working with has requested the ability to hide the outstanding user accounts from the "data administration" section but still wants to see them in the tools (manager and object browser).

    After several attempts via the administration portal, I tried creating a "Configuration Key" of type "Filters for object selection." Since I don't see any changes, I'm having trouble understanding if I'm configuring it incorrectly or if there is some other error.

     


    Regards,
    Francesco

  • Hello Francesco,

    This is used only for candidate filtering.
    So when you add identities to a business role, this configuration filters the list of possible candidates you can add.


    Filters for object selection = Filters for candidate selection
    Filters for object selection by table = Filters for candidate selection by table
