...
Visibility Filter Policies come in two types: the Column Visibility Filter policy and the Data Visibility Filter policy. Both are SQL-based filters that you write against the EmpowerID Identity Warehouse. They offer flexibility and power, allowing you to show and hide data at the column and attribute level.

Info: Visibility Filter policies are more difficult to implement and should only be used when Visibility Restriction policies cannot cover your use case.
...
For example, one of the Column Filter Policies included with EmpowerID is the "Sample View removal of name" policy. This policy hides the true value of each person’s FirstName and LastName attributes, replacing them with "***" so that assignees of the policy will see "***" as the name for any people they view.
The following code snippet shows how to write the substitution in the filter.

```sql
'***' AS Name
```
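The sketch below is an added example, not EmpowerID code. It models a column filter (masked select list) and a data filter (WHERE clause), then checks whether a hidden name still appears inside another visible column. The `Person` table, its columns, the sample rows and all function names are hypothetical, and SQLite stands in for the Identity Warehouse.

```python
import sqlite3

MASK = "***"  # literal the column filter substitutes for the real value

# Constructed sample data; table and column names are hypothetical,
# not the EmpowerID Identity Warehouse schema.
ROWS = [
    (1, "Ada", "Lovelace", "ada.lovelace", "London"),
    (2, "Alan", "Turing", "u1002", "London"),
    (3, "Grace", "Hopper", "ghopper", "Arlington"),
]

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Person (PersonID INTEGER, FirstName TEXT,"
               " LastName TEXT, Login TEXT, Location TEXT)")
    db.executemany("INSERT INTO Person VALUES (?, ?, ?, ?, ?)", ROWS)
    return db

def filtered_view(db, viewer_id, mask_names=True, only_self=False):
    """Model of both filter types: a masked select list (column filter)
    and an optional WHERE clause (data filter)."""
    names = (f"'{MASK}' AS FirstName, '{MASK}' AS LastName" if mask_names
             else "P.FirstName, P.LastName")
    sql = f"SELECT P.PersonID, {names}, P.Login, P.Location FROM Person AS P"
    params = ()
    if only_self:  # "see only self" style row restriction
        sql += " WHERE P.PersonID = ?"
        params = (viewer_id,)
    return db.execute(sql, params).fetchall()

def leaked_names(db, visible_rows):
    """Return (PersonID, value) pairs where a hidden name still shows up
    inside some other visible column of the same row."""
    real = {pid: (fn, ln) for pid, fn, ln in
            db.execute("SELECT PersonID, FirstName, LastName FROM Person")}
    leaks = set()
    for row in visible_rows:
        for cell in row[1:]:
            for name in real[row[0]]:
                if isinstance(cell, str) and name.lower() in cell.lower():
                    leaks.add((row[0], cell))
    return sorted(leaks)
```

Running `leaked_names` over the masked result flags the two constructed logins that are derived from the person's name, which the name mask alone does not hide.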
EmpowerID includes the following Column Filter Policy that you can use out of the box.
Column Filter Policy | EmpowerID Component | Purpose | Assignee Type |
---|---|---|---|
Sample View removal of name | PersonView | Substitutes the actual value of the Name attribute on an EmpowerID Person with "***" for anyone assigned the filter. | Empty |
...
EmpowerID includes the following Data Filter Policies that you can use out of the box.
Data Filter Policy | EmpowerID Component (Object Type) | Description | Assignee Type | Assignee |
---|---|---|---|---|
Anonymous user cannot see anyone | Person | Anonymous users cannot see anyone in EmpowerID | Person | |
Sample filter for Account (see only accounts in or below my locations) | Account | Filters the accounts that can be viewed in EmpowerID to include only those in the assignee's location or below | Empty | N/A |
Sample filter for Account (see only own accounts) | Account | Assignees cannot view any accounts in EmpowerID beyond their own | Empty | N/A |
Can see Account for requests that the current user is a participant | Account | Can see Account for requests that the current user is a participant on | Business Role and Location | AnyRoleAnywhere |
AuditLogOperation | AuditLogOperation | Default filter for AuditLogOperation, filters to only show operations for logs initiated by people that you can see | Business Role and Location | AnyRoleAnywhere |
Can see Business Requests from initiators or target people they can see | BusinessRequest | Default filter for Business Requests (can only see requests initiated by people they can see or for target people they can see) | Business Role and Location | AnyRoleAnywhere |
Can see request that the current user is a participant on | BusinessRequest | Can see request that the current user is a participant on | Business Role and Location | AnyRoleAnywhere |
Can see Business Requests Items from initiators or target people they can see | BusinessRequestItem | Default filter for Business Request Items (can only see requests initiated by people they can see or for target people they can see) | Business Role and Location | AnyRoleAnywhere |
Can see request items that the current user is a participant on | BusinessRequestItem | Can see request items that the current user is a participant on | Business Role and Location | AnyRoleAnywhere |
Sample filter for Business Roles (see only business roles in a list) | OrgRole | Filters the business roles that can be viewed in EmpowerID to include only those specified | Empty | |
Sample filter for Computer (see only computers in or below my locations) | Computer | Filters the computers that can be viewed in EmpowerID to include only those in the assignee's location or below | Empty | N/A |
Any role anywhere can see all computers they can use (login) | Computer | Filters the computers that can be viewed in EmpowerID to include all computers people can log in to | Business Role and Location | AnyRoleAnywhere |
CoreIdentity | CoreIdentity | Default filter for CoreIdentity; filters to show only the ones for people you can see | Business Role and Location | AnyRoleAnywhere |
Sample filter for Groups (see only groups in a list) | Group | Filters the groups that can be viewed in EmpowerID to include only those specified | Empty | |
Sample filter for Groups (see only groups in a specific OU) | Group | Filters the groups that can be viewed in EmpowerID to include only those in a specified OU | Empty | |
Sample filter for Groups (see only groups in or below my locations) | Group | Filters the groups that can be viewed in EmpowerID to include only those in the assignee's location or below | Empty | |
Sample filter for Groups (see only groups I belong to) | Group | Filters the groups that can be viewed in EmpowerID to include only those to which the assignee belongs | Empty | |
Sample filter for Locations (see only locations below my locations) | Location | Filters the locations that can be viewed in EmpowerID to include only those below the assignee's locations | Empty | |
Sample filter for Management Role (see only management roles in a list) | Management Role | Filters the management roles that can be viewed in EmpowerID to include only those specified | Empty | |
Sample filter for Management Role (see only management roles in a location) | Management Role | Filters the management roles that can be viewed in EmpowerID to include only those in the location specified | Empty | |
Sample filter for Management Role (see only management roles in or below my locations) | Management Role | Filters the management roles that can be viewed in EmpowerID to include only those in or below the assignee's locations | Empty | |
Sample filter for Management Role Definition (see only management role definitions in a list) | Management Role Definition | Filters the management role definitions that can be viewed in EmpowerID to include only those specified | Empty | |
Sample filter for Person (see only self) | Person | Assignees cannot view anyone in EmpowerID beyond their own person | Empty |
...