Symantec IGA

  • 1.  Custom filter on User Search screen

    Posted Mar 16, 2018 04:12 AM

    I am using CA IDM version 14.0 and I want to add a custom criterion for "Show only objects meeting the following rules" on the Search User screen.

    On the Search User screen, only users reporting to the admin (the logged-in user) should be displayed. For this I want to add a rule like manager = Admin's login id.

    But I am not able to find this kind of rule for the Search User screen.

    Can anyone help me with this?

    Thanks in advance



  • 2.  Re: Custom filter on User Search screen

    Broadcom Employee
    Posted Mar 16, 2018 11:13 AM

    Hi Rajesh, 

     

    This is configured in Admin Role's member scoping rules. Specifically, you create an Admin Role, add the tasks that you want the members of this role to be able to execute and then you also define which objects are in scope (including users). See a screenshot of what you are asking for:

    KR
    Russi



  • 3.  Re: Custom filter on User Search screen

    Posted Mar 18, 2018 10:04 PM

    Hi Russi,

    Thanks for your reply!!!

    I have tried this and it is working, but I am facing an issue with the scenario below.

    The scenario is to update a user's manager, and the requester is the user's current manager.

    1. I have created a manager Admin Role with the scope rule User's Manager = admin's UserID.

    2. I have created a task to update a user's manager and added it to the manager Admin Role.

    3. I applied a user search screen, which is giving only users reporting to the manager.

    4. To update the manager, I have given a User Selector field to search for the new manager, but as the scope of this task is set to User's Manager = admin's UserID, it is not returning all users.

    I would really appreciate it if you could help me with this scenario.

    Also, with the scope rule User's Manager = admin's UserID, I am getting an error while updating the manager; it says "User is not in admin scope" on manager update.

    Thanks in advance !!!

    Regards,

    Rajesh Patel



  • 4.  Re: Custom filter on User Search screen
    Best Answer

    Broadcom Employee
    Posted Mar 20, 2018 04:11 PM

    Hi Rajesh

    Sorry for the belated response. I am traveling and I did not have access to an IM console.

    For every task there is a possibility to disable the following behavior (from IM documentation):

    • Modified objects must remain in administrator’s scope
      When this check box is selected, CA Identity Manager displays an error if changes to the task cause the administrator to lose scope over the primary object. For example, an administrator may use Modify User to change a user's Employee Type attribute to Manager. This change may put the user outside the administrator’s scope.

    The following is the screenshot of the setting I am talking about:

    On the other hand, because the scope of the users is limited based on the Admin Role members rule you specified, using the default search options such as a user selector, you cannot view users outside of the Admin's scope. So if you want to provide a type of selector for your manager, you may need to write a Logical Attribute Handler or similar.

     

    KR
    Russi