Form Allowed Values filtered by current user

IIQ Version 8.23

What is the best way to allow current logged in users in a specific workgroup to view all options in a picklist while others can only see some of the options in a picklist on a form?

Example below, if I wanted a user that is in an HR Ops workgroup to see all options 1-4, but anyone not in the workgroup would only be able to see Options 2-4.

<Field columnSpan="3" displayName="Role" displayType="combobox" name="role" postBack="true" required="true" type="string">
  <AllowedValuesDefinition>
    <Value>
      <List>
        <String>Option1</String>
        <String>Option2</String>
        <String>Option3</String>
        <String>Option4</String>
      </List>
    </Value>
  </AllowedValuesDefinition>
</Field>

I’d suggest storing the options/configuration in a Custom object. This way, you can define what each workgroup sees in a centralized config.

  1. Custom Object: Create a Custom object (e.g., “PicklistOptionsConfig”) to map workgroups to their allowed options.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Custom PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Custom name="PicklistOptionsConfig">
  <Attributes>
    <Map>
      <entry key="HR Ops">
        <value>
          <List>
            <String>Option1</String>
            <String>Option2</String>
            <String>Option3</String>
            <String>Option4</String>
          </List>
        </value>
      </entry>
      <entry key="Default">
        <value>
          <List>
            <String>Option2</String>
            <String>Option3</String>
            <String>Option4</String>
          </List>
        </value>
      </entry>
    </Map>
  </Attributes>
</Custom>

  2. Modify the Form Field: Add a script to check the user’s workgroup and retrieve the matching options from the Custom object.

<Field columnSpan="3" displayName="Role" displayType="combobox" name="role" postBack="true" required="true" type="string">
  <AllowedValuesDefinition>
    <Script>
      <Source><![CDATA[
        import sailpoint.object.Custom;
        import sailpoint.object.Identity;
        import java.util.ArrayList;
        import java.util.List;
        import java.util.Map;

        Map configMap = null;

        // Get the current logged-in user
        Identity currentUser = context.getUserIdentity();
        String workgroupName = "Default"; // Default for non-HR Ops users

        // Check for "HR Ops" membership
        if (currentUser != null && currentUser.getWorkgroups() != null) {
          for (Identity wg : currentUser.getWorkgroups()) {
            if ("HR Ops".equals(wg.getName())) {
              workgroupName = "HR Ops";
              break;
            }
          }
        }

        // Load the config from the Custom object
        Custom config = context.getObjectByName(Custom.class, "PicklistOptionsConfig");
        if (config != null) {
          configMap = config.getAttributes();
          if (configMap != null) {
            List options = (List) configMap.get(workgroupName);
            if (options != null) {
              return options;
            }
          }
        }

        // Fallback: the config or the workgroup's entry was missing, so use the
        // "Default" list if there is one, otherwise an empty list (configMap may be null here)
        List fallbackOptions = null;
        if (configMap != null) {
          fallbackOptions = (List) configMap.get("Default");
        }
        return (fallbackOptions != null) ? fallbackOptions : new ArrayList();
      ]]></Source>
    </Script>
  </AllowedValuesDefinition>
</Field>

This approach offers centralized control and ease of maintenance: you can update workgroup options in the Custom object without touching the form, and admins can tweak the config via Debug or imports (keeping it out of code). You could skip the Custom object and hardcode the logic in the script (e.g., checking workgroups directly), but that’s less maintainable long-term. A Rule might also work instead of a script, but I think the Custom object keeps things straightforward.

Hope this works!

Thank you so much for this. It seems close, but I’m getting an error when using “Identity currentUser = context.getUserIdentity();” If I force a user to be selected, it doesn’t populate the drop down, but I do see if I create an error log that it is returning the values.

This is the error I’m seeing when using “Identity currentUser = context.getUserIdentity();”:

"Typed variable declaration : Error in method invocation: Method getUserIdentity() not found in class 'sailpoint.server.InternalContext' : at Line: 8 "

Here is what I have now that uses a static user and I’m seeing the values returned in the error log, but not to the drop down list.

<AllowedValuesDefinition>
  <Script>
    <Source><![CDATA[
      import sailpoint.object.Custom;
      import sailpoint.object.Identity;
      import java.util.ArrayList;
      import java.util.List;
      import java.util.Map;

      Map configMap = null;

      // Get the current logged-in user
      //Identity currentUser = context.getUserIdentity();
      Identity currentUser = context.getObjectByName(Identity.class, "EMP000313");
      log.error("currentuser: " + currentUser);

      String workgroupName = "Default"; // Default for non-HR Ops users
      log.error("workgroupname: " + workgroupName);

      // Check for "HR Ops" membership
      if (currentUser != null && currentUser.getWorkgroups() != null) {
        for (Identity wg : currentUser.getWorkgroups()) {
          if ("HR Operations".equals(wg.getName())) {
            workgroupName = "HR Ops";
            break;
          }
        }
      }

      // Load the config from the Custom object
      Custom config = context.getObjectByName(Custom.class, "PicklistOptionsConfig");
      if (config != null) {
        configMap = config.getAttributes();
        if (configMap != null) {
          log.error("workgroupname2: " + workgroupName);
          List options = (List) configMap.get(workgroupName);
          if (options != null) {
            log.error("Options: " + options);
            return options;
          }
        }
      }

      // Fallback: the config or the workgroup's entry was missing, so use the
      // "Default" list if there is one, otherwise an empty list (configMap may be null here)
      List fallbackOptions = null;
      if (configMap != null) {
        fallbackOptions = (List) configMap.get("Default");
      }
      return (fallbackOptions != null) ? fallbackOptions : new ArrayList();
    ]]></Source>
  </Script>
</AllowedValuesDefinition>

Change it to:

Identity currentUser = context.getObjectByName(Identity.class, context.getUserName());


Yes, that’s working, thank you so much for your added input


I am seeing that the options are returned correctly if I capture it in a log, but it’s not populating the drop-down list. On the form, it’s just a label with no drop-down. Is there something else needed so that it populates the allowed values after the return options?

Some efficiencies in the previous code can be applied. There is a direct method to check if they are in a workgroup. No need to iterate over all of their workgroups. No need to do a null check on your logged in user, but you could on your workgroup.

Losing track of your current code, but I tried this and it worked in my environment. In my case, my logged in user isn’t in that workgroup.

<Field columnSpan="3" displayName="Role" displayType="combobox" name="role" postBack="true" required="true" type="string">
  <AllowedValuesDefinition>
    <Script>
      <Source><![CDATA[
        import sailpoint.object.*;
        import java.util.ArrayList;
        import java.util.List;

        // Logged-in user and the workgroup (workgroups are Identity objects)
        Identity id = context.getObjectByName(Identity.class, context.getUserName());
        Identity wg = context.getObjectByName(Identity.class, "HR Ops");

        List rv = new ArrayList();

        // Option1 only for HR Ops members; guard against a missing workgroup object
        if (wg != null && id.isInWorkGroup(wg)) {
          rv.add("Option1");
        }

        rv.add("Option2");
        rv.add("Option3");
        rv.add("Option4");

        return rv;
      ]]></Source>
    </Script>
  </AllowedValuesDefinition>
</Field>
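Both approaches above compute the list only for display. As an added example that is not code from this thread or from SailPoint, here is a variant that combines them: the Custom object from the earlier reply drives the options, the lookup is moved into a Rule so the same code runs from the field's AllowedValuesDefinition and from a ValidationScript on submit, it takes the union over every workgroup the user belongs to (the thread's scripts recognise only one), and it falls back to an empty list rather than failing when the config is missing. The Rule name "PicklistOptionsForUser", the argument name `userName`, and the Form and Section names and type are assumptions chosen for this example; the Custom object "PicklistOptionsConfig" and its "Default" key are the ones defined in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>

  <!-- Shared lookup (example Rule, name is an assumption). Both scripts in the
       Field below call it, so the list shown and the list enforced cannot drift apart. -->
  <Rule name="PicklistOptionsForUser" language="beanshell">
    <Source><![CDATA[
      import java.util.ArrayList;
      import java.util.LinkedHashSet;
      import java.util.List;
      import java.util.Map;
      import sailpoint.object.Custom;
      import sailpoint.object.Identity;

      // Ordered set: Default entries first, then per-workgroup extras, no duplicates.
      LinkedHashSet rv = new LinkedHashSet();

      Custom config = context.getObjectByName(Custom.class, "PicklistOptionsConfig");
      Map configMap = (config != null) ? config.getAttributes() : null;
      if (configMap == null) {
        // Missing config: offer nothing rather than silently offering everything.
        return new ArrayList(rv);
      }

      List defaults = (List) configMap.get("Default");
      if (defaults != null) rv.addAll(defaults);

      // Union over every workgroup the user is in; "userName" is passed in by the caller.
      Identity user = context.getObjectByName(Identity.class, userName);
      if (user != null && user.getWorkgroups() != null) {
        for (Identity wg : user.getWorkgroups()) {
          List extra = (List) configMap.get(wg.getName());
          if (extra != null) rv.addAll(extra);
        }
      }
      return new ArrayList(rv);
    ]]></Source>
  </Rule>

  <!-- Example Form wrapper (name, type and section are assumptions). -->
  <Form name="Role Request Form" type="Workflow">
    <Section name="roleSection">
      <Field columnSpan="3" displayName="Role" displayType="combobox" name="role"
             postBack="true" required="true" type="string">

        <!-- What the combobox shows: the Rule result for the logged-in user. -->
        <AllowedValuesDefinition>
          <Script>
            <Source><![CDATA[
              import java.util.HashMap;
              import java.util.Map;
              import sailpoint.object.Rule;

              Map args = new HashMap();
              args.put("userName", context.getUserName());
              Rule rule = context.getObjectByName(Rule.class, "PicklistOptionsForUser");
              return context.runRule(rule, args);
            ]]></Source>
          </Script>
        </AllowedValuesDefinition>

        <!-- What the server accepts: the same list, re-derived at submit time, so a
             posted value the user's list never offered is rejected. Returns null when
             valid, otherwise a list of error messages. -->
        <ValidationScript>
          <Source><![CDATA[
            import java.util.ArrayList;
            import java.util.HashMap;
            import java.util.List;
            import java.util.Map;
            import sailpoint.object.Rule;

            if (value == null) return null; // required="true" already handles empties

            Map args = new HashMap();
            args.put("userName", context.getUserName());
            Rule rule = context.getObjectByName(Rule.class, "PicklistOptionsForUser");
            List allowed = (List) context.runRule(rule, args);

            if (allowed == null || !allowed.contains(value)) {
              List errors = new ArrayList();
              errors.add("Selected role is not available to your workgroup.");
              return errors;
            }
            return null;
          ]]></Source>
        </ValidationScript>
      </Field>
    </Section>
  </Form>
</sailpoint>
```

The point of the ValidationScript is that an allowed-values list only constrains what the browser renders; a value posted back to the server is what actually gets written into the form data, so the membership decision is re-made there from the same Rule. Keeping the computation in one Rule also means an admin who edits the Custom object changes both the display and the enforcement at once.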

Both solutions worked great in the end. I want to thank you both for your assistance and guidance. In the end, once Sunny provided the logged-in user syntax, “Identity currentUser = context.getObjectByName(Identity.class, context.getUserName());”, the original solution fits best with maintaining the choices separately.


This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.