How to Limit QuickLinks Accessibility to Defined User Sets in SailPoint IdentityIQ

QuickLinks are objects in IdentityIQ that enable you to place customized links on the IdentityIQ Home page and in the QuickLinks menu that is available on every page. QuickLinks are defined when IdentityIQ is deployed and are based on the needs of your enterprise. You can determine the behavior and availability of these links for different users. For example, IdentityIQ can be set up to limit access based on user capabilities, rights, or workgroup membership.

Three objects control links: QuickLink objects define the links, DynamicScope objects control who can see them, and QuickLinkOptions objects reference the first two to tie a link to a scope.

Occasionally, customers want custom menu entries that are available only to a defined set of users, based on their account privileges. This guide walks through how IdentityIQ can limit the visibility of custom menu entries (QuickLinks) to specific identities. To do that we will look at QuickLinks, DynamicScopes and IdentitySelectors.

There are a few out-of-the-box QuickLinks, or you can create custom ones. A QuickLink is available to a user only when the DynamicScope associated with it (through a QuickLinkOptions object) matches that user.

We control that match in the <Selector> element of the <DynamicScope>, which holds an <IdentitySelector> that filters identities. Only identities that pass the filter see the QuickLink and can use it.

Inside <IdentitySelector>, any of the following elements can be used to select identities; each is a different way of expressing the same kind of filter.

·  CompoundFilter
·  MatchExpression
·  PopulationRef
·  RuleRef
·  Script
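
Here is how the three objects fit together for one custom link, as an added example that is not from the original page. The QuickLink, DynamicScope and QuickLinkOptions names, the target URL /ui/custom/ldapReport.jsf and the messageKey are ours; the element and attribute layout follows an IdentityIQ object export as we know it, so compare it against an export from your own version before importing.

```xml
<!-- Added example: the three objects that together expose one custom link.
     Object names, the URL and the messageKey are constructed for this example. -->
<sailpoint>

  <!-- 1. The link itself. action="url" with a "url" attribute renders a plain link to a
          page inside IdentityIQ. The page must still enforce its own authorization:
          the scope below only decides whether the link is shown. -->
  <QuickLink action="url" category="Manage Access" messageKey="quicklink_ldap_report"
             name="LDAP Group Report" ordering="10">
    <Attributes>
      <Map>
        <entry key="url" value="/ui/custom/ldapReport.jsf"/>
      </Map>
    </Attributes>
  </QuickLink>

  <!-- 2. Who may see it. Keep allowAll="false": with allowAll="true" the Selector is
          ignored and the link is shown to every user. -->
  <DynamicScope allowAll="false" name="App Admin Links">
    <Selector>
      <IdentitySelector>
        <MatchExpression>
          <MatchTerm name="capabilities" value="ApplicationAdministrator"/>
        </MatchExpression>
      </IdentitySelector>
    </Selector>
  </DynamicScope>

  <!-- 3. The join. allowSelf/allowOther control whether the link may be used for the
          logged-in user only or also on behalf of other identities; leave allowOther
          at "false" unless the target page is meant to act on other people. -->
  <QuickLinkOptions allowOther="false" allowSelf="true">
    <DynamicScopeRef>
      <Reference class="sailpoint.object.DynamicScope" name="App Admin Links"/>
    </DynamicScopeRef>
    <QuickLinkRef>
      <Reference class="sailpoint.object.QuickLink" name="LDAP Group Report"/>
    </QuickLinkRef>
  </QuickLinkOptions>

</sailpoint>
```

Save the file and load it with the `import` command of the IdentityIQ console. The two Reference names must match the `name` attributes of the QuickLink and DynamicScope exactly; a mismatch silently produces a link nobody can see.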

QuickLinks Accessibility Scenarios

1) QuickLink is accessible to users who belong to a specific group on the application named "LDAP"

<DynamicScope name="LDAP Group Members">
  <Selector>
    <IdentitySelector>
      <CompoundFilter>
        <Filter operation="EQ" property="LDAP:memberOf" value="cn=myGroup, ou=groups, dc=example, dc=com"/>
      </CompoundFilter>
    </IdentitySelector>
  </Selector>
</DynamicScope>

2) QuickLink is accessible to users who hold the "ApplicationAdministrator" capability

<DynamicScope name="App Admin Capability">
  <Selector>
    <IdentitySelector>
      <MatchExpression>
        <MatchTerm name="capabilities" value="ApplicationAdministrator"/>
      </MatchExpression>
    </IdentitySelector>
  </Selector>
</DynamicScope>

3) QuickLink is accessible to any user in the "Austin" population

<DynamicScope name="Austin Population">
  <Selector>
    <IdentitySelector>
      <PopulationRef>
        <Reference class="sailpoint.object.GroupDefinition" name="Austin"/>
      </PopulationRef>
    </IdentitySelector>
  </Selector>
</DynamicScope>

4) A rule decides whether users can see this QuickLink. The referenced Rule must be of type IdentitySelector; it receives the logged-in user in the `identity` variable and returns true when that user meets the criteria, in which case the associated QuickLink is shown.

<DynamicScope name="Rule Selector">
  <Selector>
    <IdentitySelector>
      <RuleRef>
        <Reference class="sailpoint.object.Rule" name="Example Selector Rule"/>
      </RuleRef>
    </IdentitySelector>
  </Selector>
</DynamicScope>
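
Here is the Rule that scenario 4 refers to by name, as an added example rather than code from the original page. It only uses values already on this page (the application "LDAP" and the group DN from scenario 1); the checks it performs, the fail-closed handling of inactive identities and the Signature block are our choices.

```xml
<!-- Added example: an IdentitySelector rule for scenario 4. The application name and
     group DN come from scenario 1; everything else is constructed for this example. -->
<Rule language="beanshell" name="Example Selector Rule" type="IdentitySelector">
  <Description>
    Grants the QuickLink to active identities that hold an LDAP account in the
    given group. Returns false for anything it cannot verify (fail closed).
  </Description>
  <Signature>
    <Inputs>
      <Argument name="context" type="sailpoint.api.SailPointContext">
        <Description>Database context; not needed by this rule.</Description>
      </Argument>
      <Argument name="identity" type="sailpoint.object.Identity">
        <Description>The logged-in user being evaluated.</Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="result" type="boolean">
        <Description>true when the identity should see the QuickLink.</Description>
      </Argument>
    </Returns>
  </Signature>
  <Source><![CDATA[
    import java.util.Collections;
    import java.util.List;
    import sailpoint.object.Identity;
    import sailpoint.object.Link;

    String appName = "LDAP";
    String groupDn = "cn=myGroup, ou=groups, dc=example, dc=com";

    // Fail closed: a missing identity or a disabled one never gets the link.
    if (identity == null || identity.isInactive()) {
      return false;
    }

    List links = identity.getLinks();
    if (links == null) {
      return false;
    }

    for (Link link : links) {
      // Only accounts on the LDAP application count.
      if (!appName.equals(link.getApplicationName())) {
        continue;
      }
      // memberOf is a String for a single group and a List for several, so
      // normalise both shapes before comparing DNs case-insensitively.
      Object memberOf = link.getAttribute("memberOf");
      if (memberOf == null) {
        continue;
      }
      List groups = (memberOf instanceof List) ? (List) memberOf : Collections.singletonList(memberOf);
      for (Object dn : groups) {
        if (groupDn.equalsIgnoreCase(String.valueOf(dn).trim())) {
          return true;
        }
      }
    }
    return false;
  ]]></Source>
</Rule>
```

The rule's `name` must match the Reference in the DynamicScope exactly. It runs every time IdentityIQ works out which QuickLinks a logged-in user may see, so keep it cheap, avoid database queries where the identity's own links already answer the question, and make sure every path returns a boolean; an exception or a null return is not a grant, but it is noise in the logs for every page load.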

5) If the logged-in user meets the script's criteria, the Script IdentitySelector returns true and the user is granted access to the associated QuickLink. The script sees the same `identity` variable as a rule.

<DynamicScope name="Script Selector">
  <Selector>
    <IdentitySelector>
      <Script>
        <Source>
          // identity is the logged-in user being evaluated; return true to show the link
          return "Austin".equals(identity.getAttribute("location"));
        </Source>
      </Script>
    </IdentitySelector>
  </Selector>
</DynamicScope>

We hope this brief tutorial helps you see how simple it is to use QuickLinks, DynamicScopes and IdentitySelectors to deliver custom QuickLinks to a defined set of users. Keep in mind that a DynamicScope controls whether the link is presented; for a custom page reached by URL, the page itself must still check the caller's authorization, because hiding a link does not stop a user who knows the URL.