In reshaping my deployment of ARS 7 I've made extensive use of the dynamic objects ARS provides, ie. Managed Units and Dynamic groups. Both of these are defined by a set of membership rules. In doing so I came across one limitation ( or bug ) and one annoyance. I'd like these to be 'Feature Requests' for the next version of ARS.
- The bug - objects in a Managed Unit are not soted
- The annoyance - You cannot rename the membership rules in a dynamic object
The bug ( although I suspect Quest / Dell / Quest / One Identity, never thought about this ) is that if I use a Custom Include Query that displays the OUs below a target 'searchRoot' the OUs are not displaed in any order and there is no control over this, e.g. If I target a users OU and under this OU there is an OU for each country the MU displays the countries in a random order. If you want to try this out use this query as a membership rule '(&(objectCategory=organizationalUnit)(street=DisplayOUInMU))' where I tag the OUs street attribute with either 'DisplayOUInMU' or 'Don'tDisplayInMU' I also have a 3rd setting 'DisplayObjectsinMU' which allows me to also display the objects in the OU in the MU.
I think that the MU should by default always sort the objects it displays in alphabetical order. In case you were wondering why I don't just add the OUs inplicitly there are two reasons, one there are a lot of them and two, what if we add another country OU, I wanted to make the MU automatically pick it up. I have a fix for this by the way and will blog about it soon ( sorry shameles plug for my blog - https://clan8blog.wordpress.com/) .
The annoyance - You cannot rename the membership rules in a dynamic object. This should be an easy thing to allow in the same way as you can rename teh PVG rules in an ARS Policy. I have dynmaic objects with 3 of even 4 'custom searches' wouldn't it be nice to be able to give these a meaningful name so I don't have to open each one when I need to modify it?