Partial user search on external network
When you search for a user from an external network and the Allow user search from external network check box is un-checked, the application would still display the self-service tasks for certain users based on the below mentioned criteria:
- Users can reach Dashboard page only when the search criteria exactly matches with the search results.
- If the user name to be searched is part (substring) of another username, Search Results get listed only for the single user, based on the exact match.
- If the user name to be searched is part (substring) of multiple usernames, Search Results show “No accounts matching your search criteria have been found. Check the information you entered and try again”.
Let us consider the below mentioned users in the user scope. Search behavior and result are as given in the table.
- ABCEFG_1
- ABCEFG_2
- ABCEFG_3
- ABCEFG_11
- XYZEFG
S.No |
Search String |
Dashboard Status |
Search Results |
Comments |
1 |
XYZ |
|
|
“No accounts matching your search criteria have been found. Check the information you entered and try again.” even though search string is part of XYZEFG. |
2 |
XYZEFG |
|
|
Takes user to dashboard of XYZEFG. |
3 |
ABCE |
|
|
“No accounts matching your search criteria have been found. Check the information you entered and try again” Since there are multiple users matching the search string. |
4 |
ABCEFG_1 |
|
|
Only ABCEFG_1 is listed even though search string is part of ABCEFG_11. |
5 |
ABCEFG_3 |
|
|
Takes us to dashboard of ABCEFG_3 |
Conventions:
Dashboard Status - It indicates whether the user is able to view the respective workflow tasks in the Self-service site.
Search Results - It indicates the possible search results obtained after the search criteria.
- It Indicates that the workflow page appears for the user.
- It indicates that the workflow page does not appear for the user.
Configuring Security Options
The One Identity Password Manager Administration Site offers several security options under General Settings > Search and Logon Options > Security Settings. Use these options to:
Hiding the domain user name on the Self-Service Site
By default, the toolbar and the logout pop-up of the Self-Service Site display both the display name and the domain user name of the logged-in user (in the <User Display Name> <domain>\<username> format). For example:
Sam Smith (domainname\SSmith)
If the security policies of your organization require hiding security-sensitive information (such as the user logon name), you can change this so that the Self-Service Site will show only the user display name (for example: Sam Smith), but not the domain user name.
To hide the domain user name of the logged-in user on the Self-Service Site
-
In the Password Manager Administration Site, navigate to General Settings > Search and Logon Options.
-
Scroll down to Security Settings.
-
Enable Show only user display name on the Self-Service site.
-
To apply the changes, click Save.
Once you are ready, logging in next time to the Self-Service Site with any user will display only the user display name of the logged in user.
Hiding personally identifiable information for logged-in users
By default, the toolbar and the logout pop-up of the Self-Service Site display both the display name and the domain user name of the logged-in user (in the <User Display Name> <domain>\<username> format). For example:
Sam Smith (domainname\SSmith)
If the security policies of your organization require hiding personally identifiable information (PII) on the user interface, you can configure Password Manager to truncate PII on the Self-Service Site, for example as:
S** S**** (domainname\S*****)
To hide PII on the Self-Service Site for the logged-in users
-
In the Password Manager Administration Site, navigate to General Settings > Search and Logon Options.
-
Scroll down to Security Settings.
-
Enable Do not show personally identifiable information (PII) for the logged in user.
-
To apply the changes, click Save.
Once you are ready, logging in next time to the Self-Service Site with any user will display truncated PII for the logged-in user.
|
NOTE: The amount of user information truncated by the Do not show personally identifiable information (PII) for the logged in user setting is affected by the following options (also configured on the General Settings > Search and Logon Options page):
-
Truncating PII with the Do not allow users to search for their accounts option also selected will truncate the entire expanded PII. For example, setting the Users must enter the following user account attribute... > Self-Service Site sub-setting to mail will result in both the user display name and their email address being truncated. For example, Sam Smith (sam.smith@example.com) will be truncated as: S** S**** (s********************)
-
Truncating PII with the Allow users to search for their accounts setting also selected will truncate both the user display name and the domain user name (with the exception of the domain name). For example, Sam Smith (domainname\samsmith) will be truncated as: S** S**** (domainname\s*******)
-
Truncating PII with the Show only user display name on the Self-Service site option also selected will show only the truncated user display name. For example, Sam Smith will be truncated as: S** S**** |