none
Dynamic RCDC (Dynamic TABs and Content based on Requestor (Viewer of Objects) Permissions RRS feed

  • General discussion

  • I’m sure everyone has seen the Disappearing TAB for the RCDC which is based on or rather controlled by a the actual object being viewed having a Boolean attribute set. This solution will work for some instances but has potential issues if the Boolean attribute is not defined and or is null.

    Below is a solution that Dynamically Changes the Visibility of a TAB and its contents or individual sections within a TAB depending on what SET a User is a part of.

    A custom attribute is still needed which is bound to the User Object Resource which has been given read permission to an MPR that is associated with a specific Set.

    Example 1 shows how to hide a section within a TAB but not the whole TAB

    Example 2 Shows how to hide an entire TAB and its contents.

    Note: in both examples the attribute isHero is what actually controls the visibility of this section in the RCDC. As long as the permission granting MPR gives permission to this specific attribute, anyone within the requestor set associated with this MPR will be able to view this section or TAB on the users in the associated target set in the MPR.

    Example1

    <my:Grouping my:Name="MemberOfDistributionGroup" my:Caption="Member Of" my:Enabled="true" my:Visible="true">
       <my:Control my:Name="GroupMemberOfDG" my:TypeName="UocListView" my:ExpandArea="true" my:Caption="Distribution Groups">
            <my:Properties>
              <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />
              <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />
              <my:Property my:Name="PageSize" my:Value="20" />
              <my:Property my:Name="ShowTitleBar" my:Value="true" />
              <my:Property my:Name="ShowActionBar" my:Value="false" />
              <my:Property my:Name="ShowPreview" my:Value="false" />
              <my:Property my:Name="ShowSearchControl" my:Value="false" />
              <my:Property my:Name="EnableSelection" my:Value="false" />
              <my:Property my:Name="SingleSelection" my:Value="false" />
              <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog " />
              <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Distribution') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />
            </my:Properties>
          </my:Control>
         <my:Control my:Name="GroupMemberOfSG" my:TypeName="UocListView" my:ExpandArea="true" my:Caption="Security Groups" my:RightsLevel="{Binding Source=rights, Path=isHero}">
            <my:Properties>
              <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />
              <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />
              <my:Property my:Name="PageSize" my:Value="20" />
              <my:Property my:Name="ShowTitleBar" my:Value="true" />
              <my:Property my:Name="ShowActionBar" my:Value="false" />
              <my:Property my:Name="ShowPreview" my:Value="false" />
              <my:Property my:Name="ShowSearchControl" my:Value="false" />
              <my:Property my:Name="EnableSelection" my:Value="false" />
              <my:Property my:Name="SingleSelection" my:Value="false" />
              <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog " />
              <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Security') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />
            </my:Properties>
          </my:Control>
        </my:Grouping>

    Example 2

        <my:Grouping my:Name="MemberOfDistributionGroup" my:Caption="Member Of" my:Enabled="true" my:Visible="true">
       <my:Control my:Name="GroupMemberOfDG" my:TypeName="UocListView" my:ExpandArea="true" my:Caption="Distribution Groups">
            <my:Properties>
              <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />
              <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />
              <my:Property my:Name="PageSize" my:Value="20" />
              <my:Property my:Name="ShowTitleBar" my:Value="true" />
              <my:Property my:Name="ShowActionBar" my:Value="false" />
              <my:Property my:Name="ShowPreview" my:Value="false" />
              <my:Property my:Name="ShowSearchControl" my:Value="false" />
              <my:Property my:Name="EnableSelection" my:Value="false" />
              <my:Property my:Name="SingleSelection" my:Value="false" />
              <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog " />
              <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Distribution') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />
            </my:Properties>
          </my:Control>
       <my:Grouping my:Name="MemberOfSecurityGroup" my:Caption="SG" my:Visible="{Binding Source=rights, Path=isHero}">
       <my:Control my:Name="GroupMemberOfSG" my:TypeName="UocListView" my:Caption="Security Groups" my:RightsLevel="{Binding Source=rights, Path=isHero}">
            <my:Properties>
              <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />
              <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />
              <my:Property my:Name="PageSize" my:Value="20" />
              <my:Property my:Name="ShowTitleBar" my:Value="true" />
              <my:Property my:Name="ShowActionBar" my:Value="false" />
              <my:Property my:Name="ShowPreview" my:Value="false" />
              <my:Property my:Name="ShowSearchControl" my:Value="false" />
              <my:Property my:Name="EnableSelection" my:Value="false" />
              <my:Property my:Name="SingleSelection" my:Value="false" />
              <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog " />
              <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Security') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />
            </my:Properties>
          </my:Control>
        </my:Grouping>

    Anthony Marsiglia

    Wednesday, July 11, 2012 11:33 AM

All replies

  • This is extremely useful.
    Wednesday, July 11, 2012 6:38 PM
  • The following can be used to allow different users to see different parts of the User Interface defined by the RCDC.

    User A is an Administrator and when they log on to the Portal they can see the MemberOf Tab with both Distribution Groups and Security Groups.

    User B is a Manager who when they log on to the Portal they can see the MemberOf Tab with Only Distribution Groups Info.

    User C is a Basic User who when they log on to the Portal they don't see the MemberOf Tab or any of its contents.

    <my:Grouping my:Name="MemberOfGroups" my:Caption="Member Of" my:Visible="{Binding Source=rights, Path=DistroGroups}">
        <my:Control my:Name="GroupMemberOfDG" my:TypeName="UocListView" my:ExpandArea="true" my:Caption="Distribution Groups" my:RightsLevel="{Binding Source=rights, Path=DistroGroups}">
             <my:Properties>
               <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />
               <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />
               <my:Property my:Name="PageSize" my:Value="20" />
               <my:Property my:Name="ShowTitleBar" my:Value="true" />
               <my:Property my:Name="ShowActionBar" my:Value="false" />
               <my:Property my:Name="ShowPreview" my:Value="false" />
               <my:Property my:Name="ShowSearchControl" my:Value="false" />
               <my:Property my:Name="EnableSelection" my:Value="false" />
               <my:Property my:Name="SingleSelection" my:Value="false" />
               <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog " />
               <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Distribution') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />
             </my:Properties>
           </my:Control>
          <my:Control my:Name="GroupMemberOfSG" my:TypeName="UocListView" my:ExpandArea="true" my:Caption="Security Groups" my:RightsLevel="{Binding Source=rights, Path=SecGroups}">
             <my:Properties>
               <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />
               <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />
               <my:Property my:Name="PageSize" my:Value="20" />
               <my:Property my:Name="ShowTitleBar" my:Value="true" />
               <my:Property my:Name="ShowActionBar" my:Value="false" />
               <my:Property my:Name="ShowPreview" my:Value="false" />
               <my:Property my:Name="ShowSearchControl" my:Value="false" />
               <my:Property my:Name="EnableSelection" my:Value="false" />
               <my:Property my:Name="SingleSelection" my:Value="false" />
               <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog " />
               <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Security') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />
             </my:Properties>
           </my:Control>
         </my:Grouping>


    Anthony Marsiglia

    Thursday, August 23, 2012 3:16 PM
  • Hi All

    We have a requirement to hide the tab based on rights. We need to provide access to list of users and hide the tab from others. To acheive this, we followed below steps.

    1. Created a custom attribute "VisibleTab" which is of boolean type.

    2. Binded to User obejct and added the same in administrative filter permission.

    3. Created a MPR and workflow to set the boolean value based on account status for all users.

    4. Created another MPR to provide read permission only set of users as specific requestor set  and All users as target request set and boolean attribute as selected specific attributes.This is created mainly for visibility of tab.

    5. In RCDC, we added the  property as {Binding Source=rights, Path=VisibleTab} in grouping section and IISRESET .

    After making the above changes, still the tab is visible to all users. For your information, this attributes is removed from User :User can read attributes of their own and User: user can read the attributes of others MPR's.

    Please suggest some idea to hide tab based on rights.

    Thanks in Advance

    bsivash.

    Monday, June 17, 2013 5:46 AM
  • for permissions; who is the permissions to be applied for? the one viewing the resource or the resource itself?

    For example User A logs in to the portal to view User B

    Depending on the permissions of User A would determine what tabs in the RCDC are viewable for User A to see while viewing User B

    or

    Depending on the permissions of User B this would determine what Tabs in the RCDC are viewable for User A to see while viewing User B, Lets say that you have an attribute called isAdminAccount which is checked for all Admin Accounts.

    User B is an Admin which means that this Boolean would be checked and there for could be used to allow User A to view an additional Tab for User B

    This can also be done without Boolean attributes based on weather a user has permissions to view a specific attribute and than a bind in the RCDC to that.

    What is the Tab you want to hide?

    on what attribute do you wish to hide this tab?

    to whom is this for the viewer or the viewed?


    Anthony Marsiglia

    Monday, June 17, 2013 2:43 PM
  • Anthony,

    User A is part of Admin SET
    User B is basic/normal user
    A custom TAB is created in user Edit RCDC, with few attributes grouped under it.
    Now my requirement is below,
    When User A logins to FIM Portal, he should be able to see the Custom TAB for all users (including his).
    When User B logins to FIM Portal, he should not be able see the Custom TAB for any user (including his).

    Is this possible to achieve? with or without boolean attribute. If it is possible could you please suggest the approach."

    Thanks in Advance

    bsivash.

    Tuesday, June 18, 2013 8:21 AM
  • does your RCDC info look something like the following?

     <my:Control my:Name="GroupMemberOfSG" my:TypeName="UocListView" my:ExpandArea="true" my:Caption="Security Groups" my:RightsLevel="{Binding Source=rights, Path=isAdminAccount}">

       <my:Properties>

        <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />

        <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />

        <my:Property my:Name="PageSize" my:Value="20" />

        <my:Property my:Name="ShowTitleBar" my:Value="true" />

        <my:Property my:Name="ShowActionBar" my:Value="false" />

        <my:Property my:Name="ShowPreview" my:Value="false" />

        <my:Property my:Name="ShowSearchControl" my:Value="false" />

        <my:Property my:Name="EnableSelection" my:Value="false" />

        <my:Property my:Name="SingleSelection" my:Value="false" />

        <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog " />

        <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Security') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />

        </my:Properties>

      </my:Control>

    </my:Grouping>


    Anthony Marsiglia

    Wednesday, June 19, 2013 2:55 AM
  • here is a screen shot of your Dynamic Tab in Action, The Image on the Left shows the user logged in as himself which he is not a member of the set associated with the MPR that gives permissions to view the Tab and its contents. The image on the right show a user that is a member of the set that is used to give permissions to view the tab and its contents below is the code that makes this happen.

    <my:Grouping my:Name="AdminAccountPermissions" my:Caption="Permissions" my:Visible="{Binding Source=rights, Path=isAdminAccount}">
     <my:Control my:Name="GroupMemberOfSG" my:TypeName="UocListView" my:ExpandArea="true" my:Caption="Distribution Groups" my:RightsLevel="{Binding Source=rights, Path=isAdminAccount}">
            <my:Properties>
              <my:Property my:Name="ColumnsToDisplay" my:Value="DisplayName,Email,Domain,DisplayedOwner" />
              <my:Property my:Name="EmptyResultText" my:Value="There are no groups according to the filter definition." />
              <my:Property my:Name="PageSize" my:Value="20" />
              <my:Property my:Name="ShowTitleBar" my:Value="true" />
              <my:Property my:Name="ShowActionBar" my:Value="false" />
              <my:Property my:Name="ShowPreview" my:Value="false" />
              <my:Property my:Name="ShowSearchControl" my:Value="false" />
              <my:Property my:Name="EnableSelection" my:Value="false" />
              <my:Property my:Name="SingleSelection" my:Value="false" />
              <my:Property my:Name="ItemClickBehavior" my:Value=" ModelessDialog " />
              <my:Property my:Name="ListFilter" my:Value="/Group[(Type='Distribution') and ((ComputedMember='%ObjectID%') or (ExplicitMember='%ObjectID%'))]" />
            </my:Properties>
          </my:Control>


    Anthony Marsiglia

    Wednesday, June 19, 2013 3:26 AM
  • Just wanted to verify you were able to get this working?


    Anthony Marsiglia

    Monday, June 24, 2013 4:09 PM
  • It worked !!!!! when we added the right level to each control in the grouping section, the tab is hidden for restricted users.

    Thanks a lot Anthony.

    Thanks

    bsivash

    Tuesday, June 25, 2013 12:24 PM
  • Great to hear,

    Anthony Marsiglia

    Tuesday, June 25, 2013 10:05 PM
  • Hi Anthony,

    Have you had any success with extending this to other resource types?

    We are trying to control access to a 'Members' tab on custom resource we have created.  It has the look of a group object but i'm trying to restrict access to the members tab to the owner of the group.  So we have an level 1 admin who creates the group but shouldn't see the members tab (security constraints!) but assigns the owner of the group during the create stage.  The Group owner should then access the group that he/she manages, the members tab is visible now and he/she can add/remove members.

    Any thoughts?

    Rob

    Tuesday, November 25, 2014 6:27 PM
  • The issue you may have with the Group Resource is the Group RCDC is connected to both Distribution and Security Groups. By default there is already a bit of dynamic functionality with in Group RCDC ie when you select Mail Enabled. When working with the group RCDC its easy to break the UI for 1 or the other Group Types. I would have to play with this but I don't see any reason it shouldn't work.

    Anthony Marsiglia

    Wednesday, November 26, 2014 7:53 PM
  • Hi colleagues,

    Has anyone tried this with Microsoft Identity Manager SP1?

    We configured exactly this and removed read permissions to the CostCenter attribute from our permission granting MPR.

    <my:Grouping my:Name="ITInfo" my:Caption="ITInfo" my:Visible="{Binding Source=rights, Path=CostCenter}">

    I uploaded the RCDC, did a IIS reset but the TAB ist still visible.

    Any idea?

    Thanks

    Chris

    Thursday, March 22, 2018 9:59 AM
  • This forum was written before an updated post was posted @ https://blogs.msdn.microsoft.com/connector_space

    Click on Portal Customization

    you will find the RCDC post

    


    Anthony Marsiglia

    Thursday, March 22, 2018 12:29 PM