Quicklink Populations
Quicklinks are tasked-based links to frequently-used areas of IdentityIQ. Quicklinks are displayed as cards on the IdentityIQ Home page and as links in the Quicklink Menu, which is available throughout the product.
Use the Quicklinks Populations page to associate quicklinks, that are created and imported into IdentityIQ by your administrators, with quicklink populations, sometimes referred to as dynamic scopes.
Quicklink populations grant access to specific areas of IdentityIQ to predetermined populations of users. These populations can be defined based on capabilities, identity attributes, work groups, or by selecting individual identities.
One predefined population, Everyone, is in the list by default. If you have purchased IdentityIQ Lifecycle Manager you also see Help Desk, Manager, and Self Service in the Populations list.
Select a population from the list or click New to open the Configuration and Quicklinks tabs.
The Configuration tab contains the following:
Details
Name
Name of the population.
Description
Description of the population.
Membership
Membership Rule
Select a membership rule to define the population.
None – only the identities specified in the Included Identities list are in the population.
All – include all identities in the population.
Match List – only identities whose criteria match that specified in the list. Add identity attributes, application attributes and application permissions. Customize further by creating attribute groups to which this assignment rule applies.
If Is Null is selected, the associated value text box is disabled. When the is null match is processed, the term matches users on the chosen application who have a null value for that attribute / permission.
Filter – a custom database query.
Script – a custom script.
Rule – select an existing rule from the dropdown list.
Click Edit Rule to launch the Rule Editor. See Using the Rule Editor.
Population – select an existing population.
Included Identities
Manually select identities to include in the population.
Excluded Identities
Manually select identities that should not be included in the population. For example, Administrator.
Who can members request for?
Identities for whom the members of this population can make access requests.
Everyone
Can create access request for anyone.
Specific Users
Can only create access requests for identities based on the selected criteria.
Use the dropdown list to specify if they must match all of the criteria or just any of the criteria.
Share attributes with the requester
Can make requests for identities that share the attributes specified.
Report to the requester
Enable managers to make requests for their subordinates.
Specify if this applies to direct reports or all subordinates. If all subordinates, specify a Maximum Hierarchical Depth.
Match custom criteria
The filter is the context of the identity object and is parsed as a Velocity template with a parameter called requester.spa
For example for an identity whose manager's name is the same as the manager's name for the requester: manger.name == "$requester.manager.name"
Match filter rule
Select the IdentityFilterGenerator rule that generates the filter that specifies for whom users can make requests.
Note: You must have the ManageRules SPRight to create or edit an Identity Filter Generator rule from this page.
When this rule is executed, the resulting filter value is added to the list of filters used to query the list of accessible identities.
For example, the following Beanshell in a rule could be used to return only identities that have the same manager as the requester.
import sailpoint.object.Filter;
import sailpoint.object.Identity;
log.warn("Executing on behalf of " + requester.getFullName());
if (requester.getManager() != null)
{
return Filter.eq("manager.id", requester.getManager().getId());
}
return null;
Ignore scoping
Disregard IdentityIQ scopes when determining for whom request can be made.
What can members request?
Click Edit Rule to launch the Rule Editor for any of the following. See Using the Rule Editor.
Roles
Select a rule that defines the set of roles that this population can request.
Applications
Select a rule that defines the set of applications from which this population can request entitlements.
Entitlements
Select a rule that defines the set of entitlements that this population can request.
What can members remove?
Click Edit Rule to launch the Rule Editor for any of the following. See Using the Rule Editor.
Roles
Select a rule that defines the set of roles that this population can remove.
Applications
Select a rule that defines the set of applications from which this population can remove entitlements.
Entitlements
Select a rule that defines the set of entitlements that this population can remove.
Sync with Request
The selections from What members can request is copied to What members can remove.
Once you have selected a population, you can click Quicklinks Tab to define Quicklinks for this population.