Omada.OE.Solution.OIM.AppLogic.AccessModifiers Namespace

Class | Description
---|---
AccessModifierUtils | Contains utility logic to be used in the implementations of access modifier classes.
AccessModifierUtilsIdLookup | Contains lookup methods that return data object ids.
AccessModifierUtilsIdLookupManager | The class builds SQL statements for querying the objects (identities, resource assignments and contexts) accessible to users who are "Context owners" (previously referred to as "Managers").
AccessModifierUtilsIdLookupOrgUnit | 
AccessModifierUtilsIdLookupRoleOwner | 
AccessModifierUtilsIdLookupSystemOwner | 
CalculatedRolesAccessModifier | The access modifier controls access to resource data objects. It is only to be used in views as it has no access calculation logic (only load-option modification!). A resource is accessible for a user if the Role Engine has calculated a resource assignment for the resource to the active user's identity.
CommonPoliciesUsingViewAccessModifier | Used in "Policy" data object views, i.e. views which are only used for identity scoping of SoD constraints or Assignment Policies. The access modifier shows all the policies referring to the view via the SODIDENTITYSCOPE property (SoD constraint) or the AP_IDENTITYVIEW property (Assignment policy).
ContextAssignmentsAccessModifier | The access modifier controls access to ContextAssignment data objects. It can only be used in a view that filters on ContextAssignment data objects. It grants access to:<br>- All context assignments for contexts (valid or not) that the active user is owner of (unless ExcludeAssignmentsForOwnedContexts is true, see below). Note that if the active user is a system admin then he is considered owner of all contexts in this respect.<br>- All context assignments for the active user's identity (if IncludeActiveUserAssignments is true, see below).<br>The access modifier supports the parameter IncludeActiveUserAssignments (TRUE/FALSE) which controls whether context assignments for the active user's identity are included. It also supports the parameter ExcludeAssignmentsForOwnedContexts (TRUE/FALSE) which controls whether assignments for contexts that the active user is owner of are included. Note: setting it to true doesn't mean that those assignments are explicitly excluded; it means that they are not included.
ContextIdentitiesAccessModifier | The access modifier controls access to identity data objects that are assigned to a specific "context" data object. Context data objects are not data objects of a specific data object type; which data objects are contexts depends on the defined ContextType data objects. The access modifier can only be used in a view (not for a data object type) and is specifically intended for showing identities from the context forms. It must receive a ContextID in the _PAGECONTEXTS parameter, which specifies the context whose identities are to be loaded.
ContextObjectsAccessModifier | The access modifier controls access to "context" data objects. Context data objects are not data objects of a specific data object type; which data objects are contexts depends on the defined ContextType data objects. The access modifier can only be used in a view (not for a data object type). It supports the parameter OverrideSecurity (True/False) which controls whether the security model is overridden. It supports the parameter INCLUDEDELETED, whose value must be either true or false: if false, deleted (accepted) contexts are filtered out; if true, deleted (accepted) contexts are NOT filtered out; if INCLUDEDELETED is not specified it is treated as false. It supports the parameter ExcludePersonal, whose value must be either true or false: if true, the "personal" context objects are excluded; if ExcludePersonal is not specified it is treated as false.
ControlPolicySqlDataSetObjectsAccessModifier | Used in the "Control policy SQL data set objects" view that is used in the control policy details form.
DuplicateRoleAssignmentsAccessModifier | The access modifier shows duplicate role assignments (objects having the same references to the Identity and Role objects).<br>Parameter string: `InValidityPeriod=TRUE;StatusActive=TRUE`
IdentitiesAccessModifier | The access modifier controls access to identity data objects. An identity is accessible for a user if:<br>- It is his own identity (if ACCESSMODE contains SELF).<br>- He is the manager of the identity (if ACCESSMODE contains MANAGER). An identity is managed if: the identity belongs directly or indirectly (via a child org. unit) to an org. unit which the user is manager of AND the identity doesn't have a specific manager stated; or the user is specified as specific manager of the identity; or the user is owner of a context which the identity has a (valid) context assignment for (requires that the context feature is installed).<br>- He is the owner of a system which the identity has a resource for (if ACCESSMODE contains SYSTEMOWNER).<br>- He is the owner of a resource which is assigned to the identity (if ACCESSMODE contains ROLEOWNER). A resource is owned if: the resource is located (directly) in a resource folder which the user is a role owner of AND the resource doesn't have a specific resource owner specified; or the user is specified as specific owner of the resource.<br>- He is in the same OrgUnit as the identity (if ACCESSMODE contains ORGUNIT).<br>- He is specified as owner in the property IDENTITYOWNER and the identity is of type non-primary (if ACCESSMODE contains IDENTITYOWNER or ALL).<br>- He is a service desk agent for a business context the identity belongs to (if ACCESSMODE contains SERVICEDESKAGENT or ALL).<br>- He is a service desk agent for a business context the identity belongs to and the service desk agents are allowed to request access (Service desk auth. role) (if ACCESSMODE contains SERVICEDESKAGENT_ACCESSREQ or ALL).<br>The following only applies if ACCESSMODE=ALL: the SYSTEM user has READ+UPDATE access to all identities. Members of the built-in Administrators group by default have READ+UPDATE access to all identities as well; this can, however, be changed by using the ADMINGROUPS parameter. All others (non-admins) have only READ access (in case they have access at all).<br>The access modifier supports the parameter ACCESSMODE. The value of ACCESSMODE must be a comma delimited string with one or more of these values: MANAGER, ROLEOWNER, SYSTEMOWNER, ORGUNIT, SELF, IDENTITYOWNER, SERVICEDESKAGENT, SERVICEDESKAGENT_ACCESSREQ, ALL. If ACCESSMODE is not specified it is treated as ALL.<br>ADMINGROUPS is deprecated! Use the IdentitiesAccessModifier authorization element to control permissions. The following only applies if ACCESSMODE=ALL: the access modifier supports the parameter ADMINGROUPS which can be used to specify a number of user groups whose members should have READ+UPDATE access to all identities. The value of ADMINGROUPS must be a comma delimited string with user group uids. If ADMINGROUPS is not specified then the value defaults to the built-in Administrators group. If ADMINGROUPS is specified then the built-in Administrators group must be included in order to have READ+UPDATE access.<br>ADMINGROUPSKEY is deprecated! Use the IdentitiesAccessModifier authorization element to toggle Admin permissions. The access modifier also supports the parameter ADMINGROUPSKEY which works in the same way except that the value must be the key of a customer setting which holds a comma delimited string with user group uids.<br>READERGROUPS is deprecated! Use the IdentitiesAccessModifier authorization element to control permissions. The following only applies if ACCESSMODE=ALL: the access modifier supports the parameter READERGROUPS which can be used to specify a number of user groups whose members should have READ access to all identities. The value of READERGROUPS must be a comma delimited string with user group uids.<br>READERGROUPSKEY is deprecated! Use the IdentitiesAccessModifier authorization element to toggle Read permissions. The access modifier also supports the parameter READERGROUPSKEY which works in the same way except that the value must be the key of a customer setting which holds a comma delimited string with user group uids.<br>The access modifier supports the parameter EXCLUDEINDIRECTMANAGED (TRUE/FALSE) which controls whether both directly and indirectly managed identities (default) are allowed, or only directly managed ones. An indirectly managed identity is an identity which belongs to a context which is a child or grandchild of a managed context. Regardless of the setting, personal context assignments are still included if their parent is directly assigned; e.g. an employment (where type is personal) to a directly assigned org. unit is included. The parameter is only considered if ACCESSMODE contains MANAGER.<br>The access modifier supports the parameter UNFOLDHIERARCHYFORSERVICEDESK (TRUE/FALSE) which controls whether both directly (default) and indirectly managed identities are allowed for service desk agents, or only directly managed ones. An indirectly managed identity is an identity which belongs to a context which is a child or grandchild of a managed context. Regardless of the setting, personal context assignments are still included if their parent is directly assigned; e.g. an employment (where type is personal) to a directly assigned org. unit is included. The parameter is only considered if ACCESSMODE contains SERVICEDESKAGENT or SERVICEDESKAGENT_ACCESSREQ.<br>The access modifier supports the parameter SERVICEDESKAGENTSGROUPSUIDS which can be used to specify a number of user groups whose members should have service desk access to identities. The value of SERVICEDESKAGENTSGROUPSUIDS must be a comma delimited string with user group uids. If the parameter is not provided, the standard "Service desk agents" user group is assigned by default. The parameter is only considered if ACCESSMODE contains SERVICEDESKAGENT or SERVICEDESKAGENT_ACCESSREQ.<br>The access modifier has a configuration object xml (AccessModifierConfig_IdentitiesAccessModifier) which can be used to control field-level security for three scenarios: 1. When the active user updates his own identity (myOwnidentity). 2. When a supervisor updates his contractor (contractorSupervisor). 3. When a technical identity owner updates his technical identity (techIdentOwner).<br>The access modifier supports the parameter DELEGATEACCESS (TRUE/FALSE) which controls whether both directly and indirectly managed identities are allowed for delegator and delegates in delegate access, or only directly managed ones. It respects the "DelegOnBehalfAnyLvl" customer setting to show subordinate managed identities for a manager.
IdentitiesRequiringCalculation | The access modifier filters on identity data objects which have been queued for calculation. It doesn't grant any access; it only removes access (by filtering). It is only to be used in views as it has no access calculation logic (only load-option modification!).
IdentityContextsAccessModifier | The access modifier controls access to "context" data objects that a specific identity is assigned to. Context data objects are not data objects of a specific data object type; which data objects are contexts depends on the defined ContextType data objects. The access modifier can only be used in a view (not for a data object type) and is specifically intended for showing contexts from the identity form. It must receive an IdentityID in the _PAGECONTEXTS parameter, which specifies the identity whose context assignments are to be loaded.
IdentityRequestableRolesAccessModifier | The access modifier allows access to resources in the request processes. It prevents resources which are already assigned from being selected. The exception to this rule is if the resource has the boolean property defined in ALLOWMULTREQPROPSYSNAME set to true. The access modifier is only intended to be used in a view.
IrrelevantRoleAssignmentsAccessModifier | The access modifier filters on resource assignment data objects which are potentially irrelevant. It is intended to be used for migration purposes only. It aids in the removal of resource assignment data objects that are not needed because of other "desired state" reasons. It includes resource assignments where a CRA exists that is (also) assigned for another desired state reason than "direct". It is only to be used in views as it has no access calculation logic (only load-option modification!).
ManagedIdentitiesAccessModifier | The access modifier controls access to identity data objects for business managers. It is only to be used in views as it has no access calculation logic (only load-option modification!). An identity is accessible for a user if he is the manager of the identity. The access modifier doesn't allow anything for users who aren't business managers. It supports the parameter INCLUDEINDIRECTMANAGED (TRUE/FALSE) which controls whether only directly managed identities (default) are allowed, or also indirectly managed ones. An indirectly managed identity is an identity which belongs to a context which is a child or grandchild of a managed context. It supports the parameter INCLUDECHILDCONTEXTOWNERS (TRUE/FALSE). If true, owners (identities) of contexts that are direct children of the identity's directly owned/managed contexts are included. Note that those owners (identities) may not themselves belong to the identity's owned contexts.
ManagedOrOwnedObjectsAccessModifier | The access modifier controls access to data objects of unspecified types. It is only to be used in views as it has no access calculation logic (only load-option modification!). The view should not apply any data object type filtering, or it should filter on one or more of these types: identities, org. units, role folders, roles, systems. An object is accessible for a user if:<br>- The object has the "Manager" property and the user is selected as manager or is member of a group selected as manager.<br>- The object has the "Owner" property and the user is selected as owner or is member of a group selected as owner.<br>The access modifier either shows managed/owned objects for the active user or for a specified user. A user can be specified by adding a USERID parameter to the url of the view where the access modifier is applied. Only members of the administrators group can specify a userid other than their own. The access modifier supports the parameter ADMINGROUPS which can be used to specify a number of user groups whose members should have access to managed/owned objects for users other than themselves. The value of ADMINGROUPS must be a comma delimited string with user group uids. If ADMINGROUPS is not specified then the value defaults to the built-in Administrators group. If ADMINGROUPS is specified then the built-in Administrators group must be included in order to have access. The access modifier also supports the parameter ADMINGROUPSKEY which works in the same way except that the value must be the key of a customer setting which holds a comma delimited string with user group uids. The access modifier supports the parameter OVERRIDEGROUPS which can be used to specify a number of user groups whose members should have access to all objects. The value of OVERRIDEGROUPS must be a comma delimited string with user group uids.
MyContextsAccessModifier | The access modifier controls access to "context" data objects. Context data objects are not data objects of a specific data object type; which data objects are contexts depends on the defined ContextType data objects. The access modifier is only to be used in views as it has no access calculation logic (only load-option modification!). A context data object is accessible for a user if:<br>- he is in the context<br>- if INCLUDEOWNED=true: he is the owner of the context and the context is valid<br>- if INCLUDEALL=true: any context is allowed (security is overridden)
MyDelegationsAccessModifier | The access modifier controls access to "delegation" data objects. It shows the delegations where the active user has either created the object or is referenced in the "DELEGATOR / On behalf of" field. If the parameter INCLUDEALL is set to FALSE then it only shows the delegations where the active user is delegating his own access to others.
MySurveysAccessModifier | The MySurveysAccessModifier gives read access to the Survey process if the active user is included in the Survey admins property on the survey target object (either directly or via membership of a user group selected in the Survey admins property).
ObjectsWithIdentityPropertyMatch | The access modifier controls access to data objects of an unspecified type (for example 'Roles'). It is only to be used in views as it has no access calculation logic (only load-option modification!). An object is accessible to a user if:<br>- he has an identity (if not, an error is thrown!)<br>- the identity has the same value for a specified property as the object itself (that is, the object must have the very same property with the very same value(s) as the identity)<br>- if the property is a multi-value set- or reference-property, just one value needs to be in common before it is considered a match<br>The access modifier requires the parameter MATCHPROPERTY which holds the system name of a property. MATCHPROPERTY is the one being matched. MATCHPROPERTY must be present on both the Identity DOT and the DOT for the objects controlled by the access modifier. There is, however, an exception to this; see IDENTITYPROPERTY for details. If MATCHPROPERTY is a reference property then the optional parameter IDENTITYPROPERTY can be applied. IDENTITYPROPERTY holds the system name of a reference property present on the Identity DOT. If IDENTITYPROPERTY is specified then the identity's value(s) for IDENTITYPROPERTY will be matched with the objects' value(s) for MATCHPROPERTY. If MATCHPROPERTY is a reference property then the optional parameter INCLUDEIDENTITYVALUEPARENTS can be applied. INCLUDEIDENTITYVALUEPARENTS is a boolean indicating whether the parents of the identity values should be included in the match. As an example: if MATCHPROPERTY states an org. unit and INCLUDEIDENTITYVALUEPARENTS is true then the match will be performed on the identity's org. unit as well as all parent data objects of the org. unit (on all levels up to the root). The OVERRIDEGROUPS parameter can be specified with a list of user group UIds; if the active user is a member of any of these groups then the access modifier is overridden. The match property must be either:<br>- a set property<br>- a reference property<br>- a value property with datatype 'text' or 'integer'
OrgUnitsAccessModifier | The access modifier controls access to org. units. It is only to be used in views as it has no access calculation logic (only load-option modification!). An org. unit is accessible for a user if:<br>- he belongs to the org. unit<br>- or he is the manager of it (if his user (or a group he is member of) is stated in the "Manager" property on the org. unit)<br>The access modifier supports the parameter INCLUDEINDIRECTMANAGED (TRUE/FALSE) which controls whether only directly managed org. units (default) are allowed, or also indirectly managed ones.
OwnedContextsAccessModifier | The access modifier controls access to "context" data objects. Context data objects are not data objects of a specific data object type; which data objects are contexts depends on the defined ContextType data objects. The access modifier can only be used in a view (not for a data object type). It supports the parameter INCLUDEDESCENDANTS (TRUE/FALSE) which controls whether only directly owned contexts (default) are allowed, or also descendant contexts of those.
OwnedRolesAccessModifier | The access modifier controls access to resource data objects for resource owners. It is only to be used in views as it has no access calculation logic (only load-option modification!). A resource is accessible for a user if he is the owner of the resource. The access modifier doesn't allow anything for users who aren't resource owners. A resource is owned if:<br>- The resource is located (directly) in a resource folder which the user is a resource owner of AND the resource doesn't have a specific role owner specified.<br>- The user is specified as specific owner of the resource.<br>The access modifier supports the parameter INCLUDESYSOWNERRESOURCES (TRUE/FALSE) which controls whether all resources belonging to an owned system should be included. Default false.
OwnedSystemsAccessModifier | The access modifier controls access to system data objects for system owners. It is only to be used in views as it has no access calculation logic (only load-option modification!). A system is accessible for a user if he is the owner of the system. The access modifier doesn't allow anything for users who aren't system owners. A system is owned if:<br>- The user is referred to in its 'Owner' property<br>- The user is member of a group which is referred to in its 'Owner' property
ParticipatingSystemsLookupAccessModifier | Used in the application onboarding for filtering the "Participating systems" property selection dialog to only show non-logical systems, except the system being onboarded. The "ApplicationID" is loaded from the page context (populated in OIM.APPONB.View.js).
PasswordResetAccessModifier | The access modifier is used in the managed password reset process for selecting identities. It is also used to count and visualize password reset enrollment status for identities. It controls access to identity data objects for operation managers. It is only to be used in views as it has no access calculation logic (only load-option modification!). The access modifier supports the parameters:<br>- MANAGEDPWR (TRUE/FALSE): if true it shows the identities allowed for managed password reset, being org. unit managers and help desk<br>- NOTENROLLED (TRUE/FALSE): if true it shows identities NOT enrolled (used by KPI)<br>- ENROLLED (TRUE/FALSE): if true it shows identities already enrolled (used by KPI)<br>- PENDING (TRUE/FALSE): if true it shows identities with an open enrollment process; those identities may or may not already be enrolled (used by KPI)
ResourceFoldersAccessModifier | The access modifier controls access to resource folder data objects. It has a configuration object xml (AccessModifierConfig_ResourceFoldersAccessModifier) which can be used to control field-level security for the following scenarios: 1. When the resource folder owner updates his resource (resourceFolderOwner).
ResourcesAccessModifier | The access modifier controls access to resource data objects. It has a configuration object xml (AccessModifierConfig_ResourcesAccessModifier) which can be used to control field-level security for the following scenarios: 1. When the resource owner updates his resource (resourceOwner).
RoleAssignmentsAccessModifier | The access modifier controls access to resource assignment data objects. A resource assignment is accessible for a user if:<br>- It belongs to his own identity (if ACCESSMODE=SELF)<br>- He is manager of the identity which the resource assignment is for (if ACCESSMODE contains MANAGER)<br>- He owns a context which the resource assignment is granted for (if ACCESSMODE contains OWNEDCONTEXTS)<br>- He is owner of the role which the resource assignment is for (if ACCESSMODE contains ROLEOWNER)<br>- He is owner of the system which the assigned resource belongs to (if ACCESSMODE contains SYSTEMOWNER)<br>- ACCESSMODE is set to ALL<br>The following only applies if ACCESSMODE=ALL: the SYSTEM user has READ+UPDATE access to all role assignments. Members of the built-in Administrators group by default have READ+UPDATE access to all role assignments as well; this can, however, be changed by using the ADMINGROUPS parameter. All others (non-admins) have only READ access (in case they have access at all).<br>The access modifier supports the parameter STATUS. The value of STATUS must be a comma delimited string with one or more of these values: PENDING, INACTIVE, ACTIVE, REJECTED, OBSOLETE, DISABLED, LOCKED, ALL. If STATUS is not specified it is treated as ALL.<br>The access modifier supports the parameter ACCESSMODE. The value of ACCESSMODE must be a comma delimited string with one or more of these values: SELF, MANAGER, OWNEDCONTEXTS, ROLEOWNER, SYSTEMOWNER, ALL. If ACCESSMODE is not specified it is treated as ALL.<br>ADMINGROUPS is deprecated! Use the RoleAssignmentsAccessModifier authorization element to control permissions. The following only applies if ACCESSMODE=ALL: the access modifier supports the parameter ADMINGROUPS which can be used to specify a number of user groups whose members should have READ+UPDATE access to all role assignments. The value of ADMINGROUPS must be a comma delimited string with user group uids. If ADMINGROUPS is not specified then the value defaults to the built-in Administrators group. If ADMINGROUPS is specified then the built-in Administrators group must be included in order to have READ+UPDATE access.<br>ADMINGROUPSKEY is deprecated! Use the RoleAssignmentsAccessModifier authorization element to toggle Admin permissions. The access modifier also supports the parameter ADMINGROUPSKEY which works in the same way except that the value must be the key of a customer setting which holds a comma delimited string with user group uids.<br>READERGROUPS is deprecated! Use the RoleAssignmentsAccessModifier authorization element to control permissions. The following only applies if ACCESSMODE=ALL: the access modifier supports the parameter READERGROUPS which can be used to specify a number of user groups whose members should have READ access to all identities. The value of READERGROUPS must be a comma delimited string with user group uids.<br>READERGROUPSKEY is deprecated! Use the RoleAssignmentsAccessModifier authorization element to toggle Read permissions. The access modifier also supports the parameter READERGROUPSKEY which works in the same way except that the value must be the key of a customer setting which holds a comma delimited string with user group uids.
SecondaryIdentitiesAccessModifier | The access modifier controls access to "Secondary" identity data objects. Secondary identities are identities not of type "Primary", but the filtering is not done in the access modifier; it should be done in the view using filter expressions. An identity is accessible for a user if:<br>- He is the manager of the secondary identity (if ACCESSMODE contains MANAGER). A user is manager for a secondary identity if: he is manager of its primary identity; or the secondary identity is placed in the OU or one of the child OUs of the manager.<br>- He is the owner of the identity (if ACCESSMODE contains OWNER).<br>- He is the owner of the secondary identity (if ACCESSMODE contains OWNER). A user owns a secondary identity if: he/she is the Identity Owner of the secondary identity; or the secondary identity has no Identity Owner and he/she is the manager of it.<br>The access modifier supports the parameter ACCESSMODE. The value of ACCESSMODE must be a comma delimited string with one or more of these values: MANAGER, OWNER, ADMINS, ALL. If ACCESSMODE is not specified then all access modes are applied.<br>The following only applies if ACCESSMODE contains ADMINS: the SYSTEM user has access to all identities. Members of the built-in Administrators group by default have access to all identities as well; this can, however, be changed by using the ADMINGROUPS parameter.<br>The following only applies if ACCESSMODE contains ADMINS: the access modifier supports the parameter ADMINGROUPS which can be used to specify a number of user groups whose members should have access to all identities. If ADMINGROUPS is not specified then the value defaults to the built-in Administrators group. If ADMINGROUPS is specified then the built-in Administrators group must be included in order to have access. The access modifier also supports the parameter ADMINGROUPSKEY which works in the same way except that the value must be the key of a customer setting which holds a comma delimited string with user group uids.<br>The following only applies if ACCESSMODE contains ADMINS: the access modifier supports the parameter READERGROUPS which can be used to specify a number of user groups whose members should have access to all identities (used in the standard Identity Access Modifier for read access only). It works the same way as ADMINGROUPS, with READERGROUPSKEY as the customer setting key.<br>Parameter string: `ACCESSMODE=OWNER`
SystemOnboardingTemplateAccessModifier | Used to filter template collector or template connector objects. The modifier ensures you can only select objects of the same type as the target, that the object is a template, and that you cannot select yourself.
SystemRolesAccessModifier | The access modifier controls access to role data objects for system owners. It is only to be used in views as it has no access calculation logic (only load-option modification!). A role is accessible for a user if he is the owner of the system which the role belongs to. The access modifier doesn't allow anything for users who aren't system owners.
SystemRoleSelectionAccessModifier | The access modifier allows access to selecting roles belonging to a specific system. In addition it allows access to selecting roles belonging to systems which the system trusts (directly or indirectly). The access modifier is only intended to be used in a view. Specifically, it is intended to be used in the request process for selecting a value for the ACCOUNT attribute for a selected role.
SystemsAccessModifier | 
UsersAndRealGroups | The access modifier controls access to users and groups. It is only to be used in views as it has no access calculation logic (only load-option modification!). The access modifier filters away users and groups that are not "normal". This includes personal groups and special groups (like dummy groups).
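The IdentitiesAccessModifier entry above describes a MANAGER rule with direct, indirect (child or grandchild context) and personal-context cases, and an admin override that exists only under ACCESSMODE=ALL. The Python model below is an added example, not Omada's code: the dataclasses, helper names and the sample org. unit tree are assumptions, and only the SELF, MANAGER and IDENTITYOWNER rules are modelled.

```python
"""Reference model of the IdentitiesAccessModifier rules described above. Added illustration,
not Omada's code: the dataclasses, helper names and sample objects are assumptions."""
from dataclasses import dataclass
from typing import Optional

ACCESSMODES = {"MANAGER", "ROLEOWNER", "SYSTEMOWNER", "ORGUNIT", "SELF", "IDENTITYOWNER",
               "SERVICEDESKAGENT", "SERVICEDESKAGENT_ACCESSREQ", "ALL"}

@dataclass
class Context:                                 # an org. unit or any other context object
    parent: Optional[str] = None
    personal: bool = False                     # e.g. an employment hanging under an org. unit
    owners: frozenset = frozenset()            # user ids that own (manage) the context

@dataclass
class Identity:
    user: Optional[str]                        # user id the identity belongs to, if any
    contexts: frozenset                        # ids of contexts the identity is assigned to
    specific_manager: Optional[str] = None     # explicit "Manager" reference, if set
    identity_owner: Optional[str] = None       # IDENTITYOWNER property (non-primary identities)
    primary: bool = True

@dataclass
class Env:
    contexts: dict                             # context id -> Context
    identities: dict                           # identity id -> Identity
    admin_users: frozenset = frozenset()       # members of the built-in Administrators group

def parse_accessmode(value: Optional[str]) -> set:
    """Comma delimited ACCESSMODE; missing means ALL; unknown tokens are rejected, not ignored."""
    if not value or not value.strip():
        return {"ALL"}
    modes = {tok.strip().upper() for tok in value.split(",") if tok.strip()}
    unknown = modes - ACCESSMODES
    if unknown:
        raise ValueError(f"unknown ACCESSMODE value(s): {sorted(unknown)}")
    return modes

def ancestors(env: Env, ctx_id: str) -> list:
    """Parent chain of a context, nearest parent first."""
    chain, cur = [], env.contexts[ctx_id].parent
    while cur is not None:
        chain.append(cur)
        cur = env.contexts[cur].parent
    return chain

def is_manager(env: Env, user: str, ident: Identity, exclude_indirect: bool) -> bool:
    """MANAGER rule. Modelling choice: an explicit manager on the identity replaces the
    context-based path ("AND the identity doesn't have a specific manager stated")."""
    if ident.specific_manager is not None:
        return ident.specific_manager == user
    for cid in ident.contexts:
        ctx, chain = env.contexts[cid], ancestors(env, cid)
        if user in ctx.owners:
            return True                        # directly managed context
        if ctx.personal and chain and user in env.contexts[chain[0]].owners:
            return True                        # personal assignment under a directly managed parent
        if not exclude_indirect and any(user in env.contexts[a].owners for a in chain):
            return True                        # child / grandchild of a managed context
    return False

def identity_access(env: Env, user: str, ident_id: str, accessmode: Optional[str] = None,
                    exclude_indirect_managed: bool = False) -> Optional[str]:
    """'READ+UPDATE', 'READ' or None for one identity and one active user. Only SELF, MANAGER and
    IDENTITYOWNER are modelled; a non-admin match yields READ, as the description states for ALL."""
    modes = parse_accessmode(accessmode)
    ident = env.identities[ident_id]
    everything = "ALL" in modes
    if everything and (user == "SYSTEM" or user in env.admin_users):
        return "READ+UPDATE"                   # the admin override exists only under ACCESSMODE=ALL
    rules = {
        "SELF": lambda: ident.user == user,
        "MANAGER": lambda: is_manager(env, user, ident, exclude_indirect_managed),
        "IDENTITYOWNER": lambda: not ident.primary and ident.identity_owner == user,
    }
    for mode, test in rules.items():
        if (everything or mode in modes) and test():
            return "READ"
    return None

def sample_env() -> Env:
    """Constructed sample: bob owns the root org. unit, alice the Sales unit below it; carol has an
    employment (personal context) under Sales; dave has an explicit manager, erin."""
    contexts = {
        "OU-ROOT": Context(owners=frozenset({"bob"})),
        "OU-SALES": Context(parent="OU-ROOT", owners=frozenset({"alice"})),
        "EMP-CAROL": Context(parent="OU-SALES", personal=True),
    }
    identities = {
        "ID-CAROL": Identity("carol", frozenset({"OU-SALES", "EMP-CAROL"})),
        "ID-DAVE": Identity("dave", frozenset({"OU-SALES"}), specific_manager="erin"),
        "ID-SVC": Identity(None, frozenset({"OU-SALES"}), identity_owner="carol", primary=False),
    }
    return Env(contexts, identities, admin_users=frozenset({"admin"}))
```

With the sample tree, `identity_access(sample_env(), "bob", "ID-CAROL", "MANAGER")` is READ through the grandchild path, but turns to None once `exclude_indirect_managed=True`, while alice keeps READ via the personal employment under her directly owned unit.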
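The ObjectsWithIdentityPropertyMatch entry above defines a match between an identity's property values and an object's, refined by IDENTITYPROPERTY, INCLUDEIDENTITYVALUEPARENTS and OVERRIDEGROUPS. This Python model is an added example, not the product's own code: the property-type registry, the dict-based object representation and the sample roles are assumptions.

```python
"""Model of the ObjectsWithIdentityPropertyMatch filter described above. Added illustration, not
Omada's code: the property-type registry, the object representation and the sample data are assumptions."""
from typing import Iterable, Optional

MATCHABLE = {"set", "reference", "text", "integer"}    # property types the modifier may match on

def values_of(obj: dict, prop: str) -> set:
    """Property values as a set; single-valued properties become one-element sets."""
    v = obj.get(prop)
    if v is None:
        return set()
    return set(v) if isinstance(v, (set, frozenset, list, tuple)) else {v}

def with_parents(values: Iterable[str], parent_of: dict) -> set:
    """Expand reference values with all their ancestors (INCLUDEIDENTITYVALUEPARENTS=true)."""
    out = set()
    for v in values:
        cur = v
        while cur is not None and cur not in out:      # also stops on cyclic parent data
            out.add(cur)
            cur = parent_of.get(cur)
    return out

def accessible_objects(user: str, objects: list, identities: dict, groups: dict, prop_types: dict,
                       match_property: str, identity_property: Optional[str] = None,
                       include_identity_value_parents: bool = False,
                       override_groups: Iterable[str] = (), parent_of: Optional[dict] = None) -> list:
    """Ids of the objects the active user may see, in input order."""
    if any(user in groups.get(g, ()) for g in override_groups):
        return [o["id"] for o in objects]               # OVERRIDEGROUPS member: modifier is overridden
    if prop_types.get(match_property) not in MATCHABLE:
        raise ValueError(f"MATCHPROPERTY {match_property!r} must be a set, reference, text or integer property")
    if (identity_property or include_identity_value_parents) and prop_types[match_property] != "reference":
        raise ValueError("IDENTITYPROPERTY and INCLUDEIDENTITYVALUEPARENTS need a reference MATCHPROPERTY")
    ident = identities.get(user)
    if ident is None:
        raise LookupError(f"active user {user!r} has no identity")  # the modifier throws an error here too
    ident_vals = values_of(ident, identity_property or match_property)
    if include_identity_value_parents:
        ident_vals = with_parents(ident_vals, parent_of or {})
    # for multi-value set/reference properties one value in common is enough
    return [o["id"] for o in objects if values_of(o, match_property) & ident_vals]

# Constructed sample data: roles scoped by an org. unit reference or a cost center; bob has no identity.
PROP_TYPES = {"ORGUNIT": "reference", "ALTORGUNITS": "reference", "COSTCENTER": "integer", "HIREDATE": "date"}
PARENT_OF = {"OU-SALES-EU": "OU-SALES", "OU-SALES": "OU-ROOT"}
IDENTITIES = {"alice": {"ORGUNIT": "OU-SALES-EU", "ALTORGUNITS": {"OU-HR"}, "COSTCENTER": 100}}
GROUPS = {"G-AUDITORS": {"bob"}}
ROLES = [
    {"id": "R1", "ORGUNIT": "OU-SALES-EU", "COSTCENTER": 100},
    {"id": "R2", "ORGUNIT": "OU-SALES", "COSTCENTER": 200},
    {"id": "R3", "ORGUNIT": "OU-ROOT"},
    {"id": "R4", "ORGUNIT": {"OU-HR", "OU-IT"}},
]
```

With the sample data, matching on ORGUNIT yields only R1 for alice, grows to R1, R2 and R3 with INCLUDEIDENTITYVALUEPARENTS, and switches to R4 when IDENTITYPROPERTY=ALTORGUNITS is used.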