.png)
Scope
Definition
A Scope describes a population of objects (Managed Objects such as Identities, Role Assignments,…). They are used throughout IM configuration to specify on which Data a Configuration Entity operates. For instance, which Objects are accessible through a Feature, or to which Identities a Password Policy applies to.
Scopes leverage Search Expressions:
<scope type="EXPRESSION" objectKind="IDENTITY">
<objectTypes>
<objectType>employee</objectType>
<objectType>superUser</objectType>
</objectTypes>
<searchExpression>
<search:Prop op="NOT_EQUALS" name="status">
<value>DELETED</value>
</search:Prop>
</searchExpression>
</scope>Simple vs Object Scopes
Scopes may be used to describe populations of “simple” objects, such as the Role Assignments to display in a specific Role Dashboard Widget, or populations of Managed Objects, such as the Identities accessible through a Feature.
In the first scenario, a Simple Scope is used, which is just a constraint:
<scope type="EXPRESSION">
<searchExpression>
<search:Prop op="EQUALS" name="role.application">
<value>o365</value>
</search:Prop>
</searchExpression>
</scope>In the second scenario, an Object Scope is used: This is a specialization of a Simple Scope where the Object Kind and Object Type(s) constraints are expressed separately of the main constraint.
<scope type="EXPRESSION" objectKind="IDENTITY">
<objectTypes>
<objectType>employee</objectType>
<objectType>superUser</objectType>
</objectTypes>
<searchExpression>
<search:Prop op="NOT_EQUALS" name="status">
<value>DELETED</value>
</search:Prop>
</searchExpression>
</scope>Static vs Dynamic Scopes
A Scope is basically a constraint on objects, and this constraint may depend on the context. For instance, one may configure a Feature used by managers to assign certain Roles to the people they manage. In such a scenario, whatever the meaning of “the people they manage”, the Feature Scope will depend on the connected user.
When the constraint may depend on the context, a Dynamic Scope is used, as opposed to a Static Scope where the constraint is fixed.
Static Scopes
In a Static Scope, the constraint is always a fixed Search Expression, i.e. without variable parts.
<scope type="EXPRESSION" objectKind="IDENTITY">
<objectTypes>
<objectType>employee</objectType>
<objectType>superUser</objectType>
</objectTypes>
<searchExpression>
<search:Prop op="NOT_EQUALS" name="status">
<value>DELETED</value>
</search:Prop>
</searchExpression>
</scope>Dynamic Scopes
In a Dynamic Scope, the constraint is either a Search Expression where some values are Groovy Rules, or a single Groovy Rule returning the final Search Expression:
Search Expression containing Groovy Rules
<scope type="EXPRESSION" objectKind="IDENTITY">
<objectTypes>
<objectType>employee</objectType>
</objectTypes>
<!-- All Identities have their manager expressed using a Reference attribute -->
<!-- A user can manage all Identities whose manager is himself -->
<searchExpression>
<search:Prop op="EQUALS" name="manager">
<value script="true">OBJECT.id</value>
</search:Prop>
</searchExpression>
</scope>
value elements having the script="true" attribute are interpreted as Groovy Rules of Type COMPUTE and Category SCOPE.
Groovy Rule returning a Search Expression
<scope type="RULE" objectKind="IDENTITY">
<objectTypes>
<objectType>employee</objectType>
</objectTypes>
<rule type="COMPUTE" category="SCOPE" engineType="GROOVY">
<spec><![CDATA[
// User has the 'user.manager' Right on several Organizations
// and is allowed to manage all Identities inside those organizations
OBJECT.rights
.findAll { it.name == "user.manager" }
.collect { it.target }
.inject(
~expr {} as SearchExpression,
{ acc, organization -> acc | expr { securityOrganization.belowOrEquals(organization) } }
)
]]></spec>
</rule>
<searchExpression/>
</scope>
For Dynamic Object Scopes, the Object Kind and Object Type(s) is always static, as at least partial knowledge on available attributes is required for any meaningful configuration.
Configuration
Properties
Property name | Type | Mandatory | Description | Values | Applies to |
|---|---|---|---|---|---|
type |
| YES | The Constraint type of the scope Always |
| All Scope Types |
searchExpression | Search Expression container | YES , if | The Scope constraint, expressed as a Search Expression | All Scope Types | |
rule |
| YES , if | The Scope constraint, expressed as a Groovy Rule | Dynamic Scopes | |
objectKind |
| YES | The Object Kind constraint | an Object Kind, e.g. | Object Scopes |
objectTypes |
| YES | The Object Type constraint. An empty list is interpreted as an absence of constraint. | Object Type ids. | Object Scopes |
In some Feature Widgets capable of operating on both Manage Objects and Simple Objects (typically search form configuration of “list” widgets), scopes may be either Simple or Object Scopes. In such cases, the scope type must be explicitly specified according to the intended use, for instance:
<scope type="EXPRESSION" objectKind="IDENTITY" xsi:type="ctdcore:DynamicObjectScopeType"><!-- ... --></scope>
Examples
There are 4 Scope Types:
Simple | Object | |
|---|---|---|
Static |
XML
|
XML
|
Dynamic |
XML
|
XML
|
XML
|
XML
|
Read Next
- Search Expressions
Search Expressions are domain-specific language used to search objects (Managed Objects, Reporting collections,…) or express constraints on them. They are composed of Property Expressions (e.g. firstName LIKE 'John*') and Functions combined with Logical Operators (AND, OR, NOT)