Walkthrough: Search Policy - define scope and filter results

Applies To:

GroupID 8.x - Automate & Self-Service

Business Requirement:

Set GroupID search in such a way that AD objects (e.g., Groups, Users, Contacts) can only be searched within a specific OU and filtered based on Active Directory attributes.

Solution:

This business requirement can be achieved by configuring the Search Policy on specific security role(s) in an identity store.

More Information:

Use the Search policy to:

• Limit the search scope to a particular container for role members.
• Designate an LDAP criterion to restrict the search scope for role members.

Suppose you specify a container and set the LDAP filter to (Country=United States*). When a role member performs a search, GroupID looks up the container and displays objects that have ‘United States’ as value for the Country attribute.

Now consider these scenarios: if you only specify a container, a search performed by role members returns all matching objects residing in that container. However, if you only specify an LDAP filter, a search performed by role members displays only those objects with the Country attribute set to 'United States' from all containers in the identity store.

By default or in the absence of this policy, any search performed by role members returns objects from all containers in the identity store.

Apply the Search Policy:

1. In GroupID Management Console, click the Identity Stores node.
2. On the Identity Stores tab, double-click the required identity store to open its properties.
3. On the Security Roles tab, select a role to define a search policy for it and click Edit.
4. On the Role Properties page, click the Policies tab and then click Search in the left pane.
5. Click Browse and select a container. Search performed by role members would only show objects that reside in this container.

   

Choose a Search Filter:

When you apply an LDAP filter, search performed by role members only shows objects that match the specified criterion.

1. In the Filter area on the Search page, select a schema attribute from the drop-down list (for example, Company).
2. Select an operator from the second drop-down list (for example, Is Exactly).
3. Enter a value with respect to the selected schema attribute in the third box.

   

   You can define multiple queries, where the AND or OR operator is used to group all rows that make up a query.

   A down arrow appears in the applied operator's icon. Click it to display the context menu, which has the following options:

   • Select Group, to select all rows that make up the query.
   • Ungroup, to remove the operator and ungroup the rows.
   • Change, to change the AND operator to OR and vice versa.
   • Add Clause, to add a new row for specifying an additional clause for the query.
   • Delete, to delete all rows grouped by the operator. In other words, the query is deleted.

Some Useful Examples:

• To limit searches to mail-enabled distribution groups and all users:

  

• Limit searches to all global security groups and all users:

  

• Limit searches to mail-enabled groups and mail-enabled users:

  

Reference:

GroupID Online Help topic: Search policy