I am trying to create a filter in IdentityIQ that includes both workgroups and individual users. The goal is to create an identity select list for forwarding purposes, where users should see both users who share the same Organisation-attribute value and members of specific workgroups marked as “approval groups.”
I have tried a script that collects both types of identities and adds them to a filter, but I am having trouble getting both types to display properly in the UI. I either get only users or only workgroups, and sometimes I encounter errors. Here is the current script I am using:
<entry key="forwardingIdentitySuggest">
  <value>
    <IdentityFilter name="forwardingIdentitySuggest" order="Ascending">
      <FilterScript>
        <Script>
          <Source>
            import sailpoint.object.Filter;
            import sailpoint.object.Identity;
            import sailpoint.object.QueryOptions;
            import java.util.List;
            import java.util.ArrayList;
            import java.util.Iterator;

            QueryOptions qo = new QueryOptions();

            // Step 1: Create a filter to find approval workgroups
            Filter workgroupUserFilter = null;
            List approvalGroups = new ArrayList();

            // Filter to get only workgroups
            Filter workgroupFilter = Filter.eq("workgroup", true);
            qo.addFilter(workgroupFilter);

            // Fetch matching workgroups and add approval groups
            List mapApproval = context.getObjects(Identity.class, qo);
            Iterator iterator = mapApproval.iterator();
            while (iterator.hasNext()) {
              Identity approvalGroup = (Identity) iterator.next();
              String approvalGroupAttribute = (String) approvalGroup.getAttribute("ApprovalGroup");
              if (approvalGroupAttribute != null && approvalGroupAttribute.equals("true")) {
                approvalGroups.add(approvalGroup);
              }
            }

            // Step 2: Add all approval groups to user filter
            for (Object group : approvalGroups) {
              if (group instanceof Identity) {
                Identity workgroup = (Identity) group;
                Filter currentFilter = Filter.eq("workgroups.name", workgroup.getName());
                if (workgroupUserFilter == null) {
                  workgroupUserFilter = currentFilter;
                } else {
                  workgroupUserFilter = Filter.or(workgroupUserFilter, currentFilter);
                }
              }
            }

            // Step 3: Add OrgAttribute filter for logged-in user
            Identity identity = context.getObjectById(Identity.class, loggedInUser);
            if (identity != null) {
              Object OrgAttributeValue = identity.getAttribute("OrgAttribute");
              if (OrgAttributeValue != null) {
                Filter OrgAttributeFilter = Filter.eq("OrgAttribute", OrgAttributeValue.toString());
                if (workgroupUserFilter == null) {
                  workgroupUserFilter = OrgAttributeFilter;
                } else {
                  workgroupUserFilter = Filter.or(workgroupUserFilter, OrgAttributeFilter);
                }
              }
            }

            // Step 4: Apply the final filter to QueryOptions
            if (workgroupUserFilter != null) {
              qo = new QueryOptions();
              qo.addFilter(workgroupUserFilter);
            }
            return qo;
          </Source>
        </Script>
      </FilterScript>
      <OrderBy>
        <String>name</String>
      </OrderBy>
    </IdentityFilter>
  </value>
</entry>
Issues Encountered:
I am only able to get either users or groups to appear in the select list, but not both.
I sometimes receive a generic error message: “The system has encountered a serious error while processing your request.”
Questions:
How can I ensure that both users and workgroups are included in the final result?
Are there specific limitations in IIQ that could prevent workgroups and users from being combined in this way?
Is there a different approach I should consider to achieve the desired filtering?
Thank you in advance for any help or suggestions you may have!
Can you make your question clearer if possible? Are your Identity attributes OrgAttribute and ApprovalGroup both searchable and named columns?
If I understand correctly, you want the QueryOptions to select the workgroups which have ApprovalGroup marked as true and identities who have the same OrgAttribute value as the user's OrgAttribute? Is this what you are expecting, or anything else?
Also, where are you trying to use this code, in any form or report task definition? Can you provide more insight?
Both OrgAttribute and ApprovalGroup are searchable and are available as named columns in IdentityIQ.
My goal is indeed to have QueryOptions select workgroups that have ApprovalGroup marked as true and to include users who have the same OrgAttribute value as the logged-in user.
I am using this code for an identity select list for forwarding purposes, within a form-based interaction.
I tested your code with combined filters using Filter.or(). While the log shows the correct values for both workgroups and users, nothing appears in the search box in the UI. It seems that despite the correct construction, the combined filter doesn’t return any visible results at runtime.
Any further ideas on why this might be happening?
Thanks again!
Please share your complete form.xml if possible. Is this a custom form from a quick link? If so, please use filterString instead of this and set the filterString accordingly, as per the above code.
I’m a bit lost about where exactly to place this code. Should I put it in the IdentitySelectorConfiguration object, or do I need to add it in a XML configuration that defines the UI form fields, such as <Field> tags?
@mihe1606 you have to place it under the Field tags. Please share your form XML, or at least the complete tag for this field, and I will share the updated code.
I typically make entries into IdentitySelectorConfiguration when I have a custom form object that has an identity field where I need to change the sort order of identities. By default it’s sorted by name, whereas I want it sorted by last name.
A typical entry I would use would look like this, replacing My Custom Form with the name of your form object and name with the name of that field:
I’ve already added my entry in the IdentitySelectorConfiguration.xml to set up the filtering logic, but I’m uncertain about where exactly to place the <Field> part of the code. Should it be in this file, IdentitySelectorConfiguration.xml, or somewhere else?
<Field displayName="Select Identity" dynamic="true" filterString="" multi="true" name="forwardingIdentity" type="Identity">
  <Attributes>
    <Map>
      <entry key="filterString">
        <value>
          <Script>
            <Source>
              // Create a final filter to set
              field.setFilterString(filter.toString());
            </Source>
          </Script>
        </value>
      </entry>
    </Map>
  </Attributes>
</Field>
I am quite new to IdentityIQ, so any guidance on where to put this code would be really helpful.