Symantec IGA

  • 1.  Search Filter for Managed Objects

    Posted Oct 04, 2016 09:13 AM

    Hi,

    Is it possible to search / filter / scope managed objects (e.g.: users, groups etc.) based on their containing unit in the admin tasks by default? (without having to specify an organization first before searching)

     

    For example, I only want to show groups that are stored in the "o=root,ou=internal,ou=groups" container

    and of course by definition not in places like

    "o=root,ou=internal,ou=roles"

    "o=root,ou=external,ou=groups" 

    "o=root,ou=administrators,ou=groups"

    or any other place that could possibly store group objects. (The referred ou/container is also known within IM as an organization, so it could be used for filtering, I guess.)

     

    I have played around with the search filter of the admin tasks and tried the "Show only objects meeting the following rules" setting, but when I use this, most times I am not getting any objects.

    (Search Filters - CA Identity Manager - 12.6.5 - CA Technologies Documentation )

     

    How could I accomplish this? (It sounds simple enough.)

     

    As an alternative:

    Currently I have specified a "Search in organization" which only shows one ou, based on a name and description (but I'm not very fond of doing things like this). Also, with this I still have to apply the organization filter before it only shows the objects I want to see; before that I'm seeing all objects.

     

    I would say I could use something like the "Group search screen" or "User search screen"

    Types of Search Screens - CA Identity Manager - 12.6.5 - CA Technologies Documentation 

    but I'm not seeing those or similar options when I'm defining a new search screen in an admin task.



  • 2.  Re: Search Filter for Managed Objects

    Broadcom Employee
    Posted Oct 04, 2016 11:34 AM

    Hi Wietse,

     

    I think the way to achieve that is by scoping a specific Admin Role to this. So, you can create an Admin Role and scope it as follows:

     

    Groups = All.

    Organization - the specific organization unit you need.

     

    This should result in only retrieving groups out of that OU only.

     

    Let us know if that helped.

     

    Sagi



  • 3.  Re: Search Filter for Managed Objects

    Posted Oct 05, 2016 07:54 AM

    Hi Sagi,

     

    Thank you for your reaction.

    How could I couple the admin role which filters the wanted groups to the admin task search result,

    so the user could pick one of them to modify it?

     

    The thing I expect to do is use the "Group Organization" value, which shows the ou/container DN in the search result. But if I use this it will always result in 0 results (even with a wildcard).

    I could mention the container dn of the group as an attribute and use that filter... but this could not be the way.

     

    kr, Wietse



  • 4.  Re: Search Filter for Managed Objects

    Posted Oct 11, 2016 05:15 AM

    I will rephrase the question.

    I'm not familiar with how an Admin Role determines the result of the Admin Task search result. "All groups in the administrator's scope" is not an option because the administrator has permissions to all the other OUs as well.

    Could you please refer to the documentation about how Admin Roles determine the result of an Admin Task search result? Or was the administrator's scope what you were pointing to?

     

    (Selecting a reaction as the correct answer doesn't by definition solve the question.

    For me it is still not answered.)

     

    Could you/someone please help me out, 

    kind regards, 



  • 5.  Re: Search Filter for Managed Objects

    Broadcom Employee
    Posted Oct 25, 2016 09:21 AM

    Hi.

    I would think it would make most sense if you open a support case on this to proceed. Will you be able to open a support case?

     

    Regards,

    Sagi



  • 6.  Re: Search Filter for Managed Objects
    Best Answer

    Posted Nov 01, 2016 06:54 AM

    Hi Sagi, 

     

    You were pointing in the right direction.

     

    I had to create an Admin Role for the specific functionality(ies) (like create & modify internal group)

    - enter admin role profile information (like: Manage Internal Groups)

    - connect the task(s)  (create and modify internal Group tasks)

    - assign the member(s) to it and apply scope rules (Group in Organization Internal).

    - define the owner

    - (more... but optional)

     

    And do the same for the other Admin Task(s) which need to be bound to a specific OU/organization, like external groups.

     

    Once the user is assigned, the Admin Task will use that Admin Role to filter the objects.

     

    Note...

    If the user is assigned to more Admin Roles which are connected to the same Admin Task and allow the user (for instance) to search everywhere (broader scope), the search for the Admin Task will show everything (which makes sense but good to keep in mind).

     

    kr

    Wietse
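
Added example, not part of the original thread and not code from CA Identity Manager: a small audit check for the caveat in the last post, where a second Admin Role connected to the same Admin Task silently widens a user's scope. The role records are a constructed, simplified model (not a product export format); every name except "Manage Internal Groups" is hypothetical, and "*" stands for "groups in any organization".

```python
from collections import defaultdict

# Constructed sample data, assumed shape: one dict per Admin Role.
ROLES = [
    {"name": "Manage Internal Groups", "members": {"alice", "bob"}, "scope": {"internal"},
     "tasks": {"Create Internal Group", "Modify Internal Group"}},
    {"name": "Manage External Groups", "members": {"bob"}, "scope": {"external"},
     "tasks": {"Modify External Group"}},
    {"name": "Group Manager", "members": {"bob"}, "scope": {"*"},
     "tasks": {"Modify Internal Group"}},
]

# Organizations each task is meant to be limited to (constructed policy).
INTENDED = {
    "Create Internal Group": {"internal"},
    "Modify Internal Group": {"internal"},
    "Modify External Group": {"external"},
}

def effective_scopes(roles):
    """Union of scopes per (user, task), mirroring the behaviour the post describes."""
    eff = defaultdict(set)
    for role in roles:
        for user in role["members"]:
            for task in role["tasks"]:
                eff[(user, task)] |= role["scope"]
    return dict(eff)

def scope_leaks(roles, intended):
    """Return (user, task, extra_orgs, widening_roles) where scope exceeds the intent."""
    findings = []
    for (user, task), orgs in sorted(effective_scopes(roles).items()):
        allowed = intended.get(task)
        if allowed is None:
            continue  # no policy recorded for this task, nothing to compare
        extra = orgs - allowed
        if extra:
            widening = sorted(r["name"] for r in roles
                              if user in r["members"] and task in r["tasks"]
                              and r["scope"] - allowed)
            findings.append((user, task, sorted(extra), widening))
    return findings

if __name__ == "__main__":
    for finding in scope_leaks(ROLES, INTENDED):
        print(finding)
```
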