Grant Group Override Ability to See Hidden Photos Within the User Application
By: stevewdj

February 4, 2010 4:21 pm


Situation:

Some users want to be able to hide their photograph so that other users will not see it when looking at them from the Organization Chart or from performing a Directory Search within the User Application. However, members of the Human Resources group need the ability to see every User’s photograph when looking at the Organization Chart or when performing a Directory Search.

Problem:

In the User Application, users have the ability to hide their photograph so that it cannot be seen by other users. However, once an attribute is added to the user's srvprvHideAttributes attribute, that attribute cannot be seen on the user in question by any other user within the User Application. There is no way to let certain users or groups still see these “hidden” attribute(s) on the user.

Solution:

Utilize ACLs within the IDVault and a Null Driver, and do not use the attribute srvprvHideAttributes. Attached is a Null Driver that will monitor a configured boolean attribute for a change of state and take the following actions:

  1. If the monitor attribute is set to true, then it will remove the configured rights (For Example: Read) from the configured container (For Example: ou=medical-idmsample,o=novell) and add them to the configured group (For Example: cn=HR,ou=groups,ou=medical-idmsample,o=novell) for the configured attribute (For Example: photo) of the user.
  2. If the monitor attribute is set to false, then it will add the configured rights (For Example: Read) for the configured container (For Example: ou=medical-idmsample,o=novell) and remove them from the configured group (For Example: cn=HR,ou=groups,ou=medical-idmsample,o=novell) for the configured attribute (For Example: photo) of the user.

This null driver has been written to utilize GCVs as much as possible so that the code in the rules will not need to be re-written. The driver has the following GCVs:

  1. group – The Group that will have permission when the user hides the attribute
  2. container – The Container that will not have permission when the user hides the attribute
  3. watchAttribute – Attribute to watch. This attribute must be added to the Filter in this driver, added to the Entity in use in the Directory Abstraction Layer (DAL), and Edit must be enabled. All users need the ability to read and modify this attribute on themselves. Finally, the attribute must be exposed in the Edit view of the Detail portlet within the User Application.
  4. ModAttribute – The attribute whose permissions will be modified for the user
  5. permissionLevel – An integer that is used to determine what the ACL will be set to. For example, a 2 on an attribute right grants READ access.
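The two rules in the Solution section and the GCVs listed above amount to a small ACL swap on the user's own ACL attribute. The following is an added example, not the attached driver's DirXML Script; it models that swap in Python so the two states can be checked outside the IDVault. eDirectory ACL values have the form privileges#scope#trustee#attribute, and the DNs come from the article's examples. The watch attribute name hidePhoto, the "entry" scope and the starting ACL list are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed GCV values for this example. The DNs are the ones the article
# uses as examples; the watch attribute name "hidePhoto" is an assumption.
GCV = {
    "group": "cn=HR,ou=groups,ou=medical-idmsample,o=novell",
    "container": "ou=medical-idmsample,o=novell",
    "watchAttribute": "hidePhoto",
    "ModAttribute": "photo",
    "permissionLevel": 2,   # eDirectory attribute right: 2 = Read
}


@dataclass(frozen=True)
class Acl:
    """One value of the eDirectory ACL attribute: privileges#scope#trustee#attribute."""
    privileges: int
    scope: str       # "entry" or "subtree"
    trustee: str     # trustee DN (a group, a container, a user, ...)
    attribute: str   # protected attribute name

    @classmethod
    def parse(cls, value: str) -> "Acl":
        parts = value.split("#")
        if len(parts) != 4 or parts[1] not in ("entry", "subtree"):
            raise ValueError(f"malformed ACL value: {value!r}")
        return cls(int(parts[0]), parts[1], parts[2], parts[3])

    def __str__(self) -> str:
        return f"{self.privileges}#{self.scope}#{self.trustee}#{self.attribute}"


def plan_acl_changes(current_acls, hide, gcv=GCV):
    """Mirror the driver's two rules.

    hide=True : drop the container's right on ModAttribute, grant it to the group.
    hide=False: drop the group's right, restore it to the container.
    Returns (values_to_remove, values_to_add) as ACL strings; both are empty when
    the object is already in the desired state, so re-running is harmless.
    """
    container_acl = Acl(gcv["permissionLevel"], "entry", gcv["container"], gcv["ModAttribute"])
    group_acl = Acl(gcv["permissionLevel"], "entry", gcv["group"], gcv["ModAttribute"])
    have = {Acl.parse(v) for v in current_acls}
    gone, present = (container_acl, group_acl) if hide else (group_acl, container_acl)
    remove = [str(gone)] if gone in have else []
    add = [str(present)] if present not in have else []
    return remove, add


def apply_changes(current_acls, remove, add):
    """Apply a (remove, add) plan to a copy of the user's ACL value list."""
    result = [v for v in current_acls if v not in remove]
    result.extend(v for v in add if v not in result)
    return result


def trustees_with_read(acls, attribute):
    """Trustees whose ACL value on this object grants at least Read (bit 2) on attribute."""
    return sorted(a.trustee for a in map(Acl.parse, acls)
                  if a.attribute == attribute and a.privileges & 2)


if __name__ == "__main__":
    # Constructed starting state: everyone in the container may read the photo.
    user_acls = ["2#entry#ou=medical-idmsample,o=novell#photo"]
    remove, add = plan_acl_changes(user_acls, hide=True)
    user_acls = apply_changes(user_acls, remove, add)
    print("hidden  ->", trustees_with_read(user_acls, "photo"))
    remove, add = plan_acl_changes(user_acls, hide=False)
    user_acls = apply_changes(user_acls, remove, add)
    print("visible ->", trustees_with_read(user_acls, "photo"))
```

The plan is computed from the values already present, so a repeated event for the same state produces no change. Note that trustees_with_read only looks at the user object's own ACL values; effective rights in eDirectory also include ACLs inherited from parent containers, so after deploying the driver, confirm with an effective-rights check on a test user that the container trustee really loses Read on the attribute and that only the HR group retains it.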

All configuration notes for this driver are located in three (3) locations:

  1. Properties -> General Tab -> Notes
  2. Policy: HidePhotoChanges -> Policy Description
  3. All of the GCVs have comments

Categories: Identity Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
