1 of 21

Advanced controls

Advanced controls are more like mini-applications with specific goals. For example, they could display a list of Entra-ID users or groups as the first step in a Flow.

Selector

Use to find objects in data store, e.g. Active Directory. It performs searches using pipes and stores a selected value for next steps to consume.

Properties

Use to find objects in data store, e.g. Active Directory. It performs searches using pipes and stores a selected value for next steps to consume.

Name

Desciption

Default value

Mandatory

type

Must be Selector

N/A

config.pipe_id

Id of pipe searching for objects

Same as control id

config.columns

What columns to be displayed in UI.

N/A

config.submit_on_change

Should selection of an item move to next step. true/false

true

config.search

Should user be able to enter custom search data.

false

config.readonly

Should control be readonly?

false

{
    "id": "<enter_unique_id_for_this_control>",
    "type": "Selector",
    "config": {
        "search": true,
        "columns": ["displayName","mail","givenName"],
        "pipe_id": "find_my_groups"
    }
}

Searching for object to show

To populate list of items in UI a pipe must be executed. List of items returned should at least contain properties defined in columns.

Data sent to pipe is:

search - containing user input if config -> search is set to true
columns - comma separated string of defined columns

Return data must be in a form of a list of items.

Data exposed to flow

When pressing Select, data exposed to flow is found using key if control id. Value is item id returned from pipe

ActiveDirectoryUserEditGroupMember

Update group membership for a selected user.

Use this control to manage groups for a selected user. Note. To select the user, which often is done in a previous step, use the control Selector.

Properties

Update group membership for a selected user.

Requirements

An LdapClient module deployed with matching name as defined in "namespace".

Configuration

Name

Desciption

Default value

Mandatory

type

Must be ActiveDirectoryUserEditGroupMember

N/A

config.namespace

Identifier of LdapClient module to use

"default"

config.columns

List array with columns to display

["cn","description"]

config.change_is_required

Force admin to update user, true/false

false

config.base_dn

Search base DN.

"DC=company,DC=local"

config.scope

Search scope.

"SUB"

config.current_filter

Search filter. Used to fetch all groups the the user is a member of.

N/A

config.available_filter

Search filter. Used to fetch available groups.

N/A

{
    "id": "<enter_unique_id_for_this_control>",
    "type": "ActiveDirectoryUserEditGroupMember",
    "config": {
        "namespace": "ldap_client_1",
        "base_dn": "DC=company,DC=local",
        "current_filter": "(&(objectClass=group)(member={{{flow.findMyActiveDirectoryUsers}}}))",
        "available_filter": "(&(objectClass=group)(!(member={{{flow.findMyActiveDirectoryUsers}}})))",
        "columns": [
            "cn",
            "sAMAccountName"
        ]
    }
}

This control works in conjunction with LdapClient module. It must be installed.

Exposed data to flow

Object array, "ad_pending_remove" - contains data on what groups to remove from user.

Object array, "ad_pending_add" - contains data on what groups to add to user.

Array data will have the syntax:

"ad_pending_add": [
    {
        "id": "CN=AWS administrator,OU=access_review,OU=Governance,OU=IdM_demo,OU=Product_Testing,DC=company,DC=local",
        "description": "Test",
        "cn": "AWS administrator",
        "sAMAccountName": "AWS administrator"
    },
    {
        "id": "CN=Cert Publishers,CN=Users,DC=company,DC=local",
        "description": "Members of this group are permitted to publish certificates to the directory",
        "cn": "Cert Publishers",
        "sAMAccountName": "Cert Publishers"
    }
],
"ad_pending_remove": [
    {
        "id": "CN=Access Control Assistance Operators,CN=Builtin,DC=company,DC=local",
        "cn": "Access Control Assistance Operators",
        "sAMAccountName": "Access Control Assistance Operators",
        "description": "Members of this group can remotely query authorization attributes and permissions for resources on this computer."
    }
]

Valves used in finalize pipe

ActiveDirectoryAddMemberToGroups

Used to add a single group member to groups

ActiveDirectoryRemoveMemberFromGroups

Used to remove a single group member from groups

ActiveDirectoryGroupEditGroupMember

Manage group members for a selected Active Directory group.

Use this control to manage group members for a selected groups. Note. To select the group, which often is done in a previous step, use the control Selector.

Properties

Manage group members for a selected Active Directory group.

Requirements

An LdapClient module deployed with matching name as defined in "namespace".

Configuration

Name

Desciption

Default value

Mandatory

This control works in conjunction with LdapClient module. It must be installed.

Exposed data to flow

Object array, "ad_pending_remove" - contains data on what members to remove from group.

Object array, "ad_pending_add" - contains data on what members to add to group.

Example data in finalize pipe:

Valves used in finalize pipe

ActiveDirectoryAddGroupToMembers

Used to add group members to a specified group

ActiveDirectoryRemoveGroupFromMembers

Used to remove group members from a specified group

ActiveDirectorySingleSelect

Use to select one option from a list that is populated from the result of an LDAP query.

Below is a screenshot of the control. This is from a create step where an admin like to choose a manager for a user to be created.

Properties

Use to select one option from a list that is populated from the result of an LDAP query.

Configuration

Name

Desciption

Default value

Mandatory

Search filter

The search filter is a template that has access to all data that is available in the flow. Additionally, the template can use the parameter search_query, that contains the user input.

The attributes defined by display_key and value_key are always queried.

Attestor

Allows for users to accept or reject work-orders.

User mapping

For an order to be displayed in the list selection is made base on user login subject. Most likely the SAML NameID attribute from SP login.

Properties

Allows for users to accept or reject work-orders.

Configuration

Name

Desciption

Default value

Mandatory

This control works in conjunction with WorkOrder module. It must be installed.

EntraGroupSelect

Find an Entra ID group based on search data

Use this control to find and selected a Microsoft Entra ID group. Note. When group is selected you might like to mange members for the group. Use the control EntraGroupEditGroupMember.

Requirements

An Entra ID module deployed with matching name as defined in "namespace".

Properties

Find an Entra ID group based on search data

The configuration is divided in two blocks, config & ui where config parameters are marked as config.<parameter name> and ui parameters are marked as ui.<parameter name>.

See the Example tab for a full example.

Name

Desciption

Default value

Mandatory

In this scenario the grid will contain two columns. The query will also be executed before grid is displayed. This is what "ui:search": false will do, if you add true the grid will let you add Bob* before search is executed.

In addition to example 1 this grid will also contain the owners of the groups returned.

This control works in conjunction with EntraID module. It must be installed.

Only showing groups by end user

Set owned_groups_only_attribute will cause control match the data from owned_groups_only_attribute. Matching is done using data from owned_groups_only_attribute and entra_identifier.

entra_identifier is read from session or flow. Session read first then flow.

Settings "owned_groups_only_attribute":"owner", will match value from entra_identifier with id in "owner". Only showing groups where user is set to owner.

Exposed data to flow

"selected_entra_id" - id of selected group

"selected_entra_displayName" - display name of selected group.

EntraGroupEditGroupMember

Edit Entra ID group, update group members

Use this control to manage users for a selected group. Note. To select the user, which often is done in a previous step, use the control EntraGroupSelect.

Requirements

An Entra ID module deployed with matching name as defined in "namespace".

An Entra ID identifier, "selected_entra_id", located in either session or flow. Data is taken from session first and flow second. selected_entra_id must reference a Entra ID group.

Properties

Edit Entra ID group, update group members

Name

Desciption

Default value

Mandatory

In this example the grid will have five columns.

This control works in conjunction with Entra ID module. It must be installed.

Exposed data to flow

Object array, "entra_pending_remove" - contains data on what groups to remove from user.

Object array, "entra_pending_add" - contains data on what groups add to user.

Array data will ha the syntax:

[{"id":"1234567","displayName":"Group 1"}]

EntraUserSelect

Find an Entra ID user based on search data

Use this control to find and selected a Microsoft Entra ID user. Note. When user is selected you might like to manage groups for the user. Use the control EntraUserEditUserMember.

Requirements

An Entra ID module deployed with matching name as defined in "namespace".

Properties

Find an Entra ID user based on search data

The configuration is divided in two blocks, config & ui where config parameters are marked as config.<parameter name> and ui parameters are marked as ui.<parameter name>.

See the Example tab for a full example.

Name

Desciption

Default value

Mandatory

type

Must be EntraGroupSelect

N/A

config.namespace

Identifier of EntraID module to use

"default"

config.columns

List array with columns to display

["displayName", "mail", "mobilePhone", "companyName", "department"]

config.search_attributes

List array with columns used for searching. Search is done using "starts with".

["displayName","mail"]

config.owned_users_only_attribute

If set, users will be filtered based on the attribute.

N/A

ui.ui:search

Should search input be visible for end user, true/false

true

ui.ui:submit_on_change

Should selection of an item move to next step. true/false

false

{
    "id": "<enter_unique_id_for_this_control>",
    "type": "EntraUserSelect",
    "config": {
        "namespace": "tenant1",
        "columns": [
            "displayName",
            "description"
        ]
    },
    "ui": {
        "ui:search": false
    }
}

In addition to example 1 this grid will also contain the manager of the users returned.

{
    "id": "<enter_unique_id_for_this_control>",
    "type": "EntraUserSelect",
    "config": {
        "namespace": "tenant1",
        "owned_users_only_attribute": "manager",
        "columns": [
            "displayName",
            "jobTitle",
            "manager"
        ]
    },
    "ui": {
        "ui:size": {
            "md": 12
        },
        "ui:submit_on_change": true,
        "ui:search": false
    }
}

This control works in conjunction with EntraID module. It must be installed.

Only showing used by end user

Set owned_users_only_attribute will cause control match the data from owned_users_only_attribute. Matching is done using data from owned_users_only_attribute and entra_identifier.

entra_identifier is read from session or flow. Session read first then flow.

Settings "owned_users_only_attribute":"manager", will match value from entra_identifier with id in "manager". Only showing users where user is set to owner.

Exposed data to flow

"selected_entra_id" - id of selected group

"selected_entra_displayName" - display name of selected group.

EntraUserEditGroupMember

Edit Entra ID user, update group membership.

Use this control to manage groups for a selected user. Note. To select the user, which often is done in a previous step, use the control EntraUserSelect.

Requirements

An Entra ID module deployed with matching name as defined in "namespace".

An Entra ID identifier, "selected_entra_id", located in either session or flow. Data is taken from session first and flow second. selected_entra_id must reference a Entra ID user.

Properties

Edit Entra ID user, update group membership.

The configuration is divided in two blocks, config & ui where config parameters are marked as config.<parameter name> and ui parameters are marked as ui.<parameter name>.

See the Example tab for a full example.

Name

Desciption

Default value

Mandatory

In this example grid will have two columns.

In this example the grid will have three columns where the owner columns contain the user managing the group.

This control works in conjunction with EntraID module. It must be installed.

Exposed data to flow

Object array, "entra_pending_remove" - contains data on what groups to remove from user.

Object array, "entra_pending_add" - contains data on what groups add to user.

Array data will ha the syntax:

[{"id":"1234567","displayName":"Group 1"}]

TextArea

Use to display text from a text file. Markdown is supported as well as templating: {{flow.xxxx}} etc. Currently translation is not supported

Properties

Use to display text from a text file. Markdown is supported as well as templating: {{flow.xxxx}} etc. Currently translation is not supported

Name

Desciption

Default value

Mandatory

Properties

Update group membership for a selected user.

Requirements

An LdapClient module deployed with matching name as defined in "namespace".

Configuration

Name

Desciption

Default value

Mandatory

type

Must be ActiveDirectoryUserEditGroupMember

N/A

config.namespace

Identifier of LdapClient module to use

"default"

config.columns

List array with columns to display

["cn","description"]

config.change_is_required

Force admin to update user, true/false

false

config.base_dn

Search base DN.

"DC=company,DC=local"

config.scope

Search scope.

"SUB"

config.current_filter

Search filter. Used to fetch all groups the the user is a member of.

N/A

config.available_filter

Search filter. Used to fetch available groups.

N/A

{
    "id": "<enter_unique_id_for_this_control>",
    "type": "ActiveDirectoryUserEditGroupMember",
    "config": {
        "namespace": "ldap_client_1",
        "base_dn": "DC=company,DC=local",
        "current_filter": "(&(objectClass=group)(member={{{flow.findMyActiveDirectoryUsers}}}))",
        "available_filter": "(&(objectClass=group)(!(member={{{flow.findMyActiveDirectoryUsers}}})))",
        "columns": [
            "cn",
            "sAMAccountName"
        ]
    }
}

This control works in conjunction with LdapClient module. It must be installed.

Exposed data to flow

Object array, "ad_pending_remove" - contains data on what groups to remove from user.

Object array, "ad_pending_add" - contains data on what groups to add to user.

Array data will have the syntax:

"ad_pending_add": [
    {
        "id": "CN=AWS administrator,OU=access_review,OU=Governance,OU=IdM_demo,OU=Product_Testing,DC=company,DC=local",
        "description": "Test",
        "cn": "AWS administrator",
        "sAMAccountName": "AWS administrator"
    },
    {
        "id": "CN=Cert Publishers,CN=Users,DC=company,DC=local",
        "description": "Members of this group are permitted to publish certificates to the directory",
        "cn": "Cert Publishers",
        "sAMAccountName": "Cert Publishers"
    }
],
"ad_pending_remove": [
    {
        "id": "CN=Access Control Assistance Operators,CN=Builtin,DC=company,DC=local",
        "cn": "Access Control Assistance Operators",
        "sAMAccountName": "Access Control Assistance Operators",
        "description": "Members of this group can remotely query authorization attributes and permissions for resources on this computer."
    }
]

Valves used in finalize pipe

ActiveDirectoryAddMemberToGroups

Used to add a single group member to groups

ActiveDirectoryRemoveMemberFromGroups

Used to remove a single group member from groups

Properties

Use to find objects in data store, e.g. Active Directory. It performs searches using pipes and stores a selected value for next steps to consume.

Name

Desciption

Default value

Mandatory

type

Must be Selector

N/A

config.pipe_id

Id of pipe searching for objects

Same as control id

config.columns

What columns to be displayed in UI.

N/A

config.submit_on_change

Should selection of an item move to next step. true/false

true

config.search

Should user be able to enter custom search data.

false

config.readonly

Should control be readonly?

false

{
    "id": "<enter_unique_id_for_this_control>",
    "type": "Selector",
    "config": {
        "search": true,
        "columns": ["displayName","mail","givenName"],
        "pipe_id": "find_my_groups"
    }
}

Searching for object to show

To populate list of items in UI a pipe must be executed. List of items returned should at least contain properties defined in columns.

Data sent to pipe is:

search - containing user input if config -> search is set to true
columns - comma separated string of defined columns

Return data must be in a form of a list of items.

Data exposed to flow

When pressing Select, data exposed to flow is found using key if control id. Value is item id returned from pipe

Properties

Find an Entra ID user based on search data

The configuration is divided in two blocks, config & ui where config parameters are marked as config.<parameter name> and ui parameters are marked as ui.<parameter name>.

See the Example tab for a full example.

Name

Desciption

Default value

Mandatory

type

Must be EntraGroupSelect

N/A

config.namespace

Identifier of EntraID module to use

"default"

config.columns

List array with columns to display

["displayName", "mail", "mobilePhone", "companyName", "department"]

config.search_attributes

List array with columns used for searching. Search is done using "starts with".

["displayName","mail"]

config.owned_users_only_attribute

If set, users will be filtered based on the attribute.

N/A

ui.ui:search

Should search input be visible for end user, true/false

true

ui.ui:submit_on_change

Should selection of an item move to next step. true/false

false

{
    "id": "<enter_unique_id_for_this_control>",
    "type": "EntraUserSelect",
    "config": {
        "namespace": "tenant1",
        "columns": [
            "displayName",
            "description"
        ]
    },
    "ui": {
        "ui:search": false
    }
}

In addition to example 1 this grid will also contain the manager of the users returned.

{
    "id": "<enter_unique_id_for_this_control>",
    "type": "EntraUserSelect",
    "config": {
        "namespace": "tenant1",
        "owned_users_only_attribute": "manager",
        "columns": [
            "displayName",
            "jobTitle",
            "manager"
        ]
    },
    "ui": {
        "ui:size": {
            "md": 12
        },
        "ui:submit_on_change": true,
        "ui:search": false
    }
}

This control works in conjunction with EntraID module. It must be installed.

Only showing used by end user

Set owned_users_only_attribute will cause control match the data from owned_users_only_attribute. Matching is done using data from owned_users_only_attribute and entra_identifier.

entra_identifier is read from session or flow. Session read first then flow.

Settings "owned_users_only_attribute":"manager", will match value from entra_identifier with id in "manager". Only showing users where user is set to owner.

Exposed data to flow

"selected_entra_id" - id of selected group

"selected_entra_displayName" - display name of selected group.