How to exclude groups from the self-service group selection (4349801)

It is possible to mark either specific groups, or all groups within a particular Active Directory container as being ineligible for access requests.

To exclude groups:

WARNING: One Identity does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Edition and how to back up and restore it, refer to Microsoft Article ID 256986 "Description of the Microsoft Windows registry" at https://support.microsoft.com/en-gb/kb/256986

1. On the Data Governance server, navigate to the following registry key using regedit.exe:

In DGE 6.x: HKEY_LOCAL_MACHINE\Software\Quest Software\Broadway\Server\DeploymentData\SelfServe\ExclusionByDN

In DGE 7.x: HKEY_LOCAL_MACHINE\Software\Dell\Broadway\Server\DeploymentData\SelfService\ExclusionByDN

NOTE: The "DeploymentData" and "SelfService" subkeys may not exist. If these keys are not present, they should be created.

2. Beneath the ExclusionByDN key, create string values whose names match the Distinguished Name of the groups that are to be excluded.

If you want to exclude an entire container of groups, specify the Distinguished Name of the container, with an asterisk ("*") prefix. For example, to exclude all groups in the Users container of example.com, use the following syntax: "*CN=Users,DC=example,DC=com".

NOTE: With Identity Manager it is possible to apply filters using the web designer for IT Shop, which is an alternate method of displaying the desired groups.