Search Policy
The Search policy sets the search scope for the Directory Manager portal and Management Shell.
By default, any search performed by role members returns objects from all containers in the identity store. Use the Search policy to:
- Limit the search scope to one container for role members.
- Designate a criterion to limit the objects that role members can search.
NOTE: Microsoft Entra ID supports a single container only, so the search scope cannot be restricted container-wise in a Microsoft Entra ID identity store.
How does the Search Policy Work?
Let’s assume you specify a container, localOU, and set the LDAP filter to (Country=United States*) for an Active Directory identity store. Now consider these scenarios:
- When a role member performs a search, Directory Manager looks up the localOU container and displays objects with the Country attribute set to United States.
- If you specify a container only, a search performed by role members returns all matching objects residing in that container.
- If you specify an LDAP filter only, a search performed by role members displays objects with the Country attribute set to United States from all containers in the identity store.
Impact of the Search Policy on the Portal
The Search policy has the following impact on the Directory Manager portal:
- It determines the groups to display in all group listings, such as those on the All Groups and My Groups pages.
- It determines the users to display in user listings, namely My Direct Reports and Disabled Users.
- It sets the search scope for the Find dialog box.
- It sets the scope for quick search and advanced search.
What do you want to do?
- Set the Search Scope to a Specific Container
- Set the Search Scope to all Containers in the Identity Store
- Designate a Criterion for the Search Scope
Set the Search Scope to a Specific Container
- In Admin Center, click Identity Stores in the left pane.
- On the Identity Stores page, click the ellipsis button for an identity store and select Edit.
- Click Security Roles under Settings in the left pane.
- On the Security Roles page, click Edit for a security role.
- On the Edit Security Role page, click Specify policies for the members in the Policies area.
- On the Add Policies pane, click the Search tab.
- Click Add next to Add Container.
- On the Add Container dialog box, select a container and click Add.
Search performed by role members will display objects from this container and its sub-containers. - Click OK.
- On the Edit Security Role page, click Update Security Role.
- On the Security Roles page, click Save.
NOTE: An advanced setting for the Directory Manager portal, Search Default, controls the search scope of the portal. If its value is "Global Catalog", the container specified here is ignored and the portal shows objects from the entire directory. See the Manage Advanced Settings topic.
Set the Search Scope to all Containers in the Identity Store
When no container is specified as the search scope for an identity store, search performed by role members fetches objects from all OUs in the identity store.
To set the search scope to all containers:
- In Admin Center, click Identity Stores in the left pane.
- On the Identity Stores page, click the ellipsis button or an identity store and select Edit.
- Click Security Roles under Settings in the left pane.
- On the Security Roles page, click Edit for a security role.
- On the Edit Security Role page, click Specify policies for the members in the Policies area.
- On the Add Policies pane, click the Search tab.
- In the Container area, click Remove for a container to remove it.
- Click OK.
- On the Edit Security Role page, click Update Security Role.
- On the Security Roles page, click Save.
Designate a Criterion for the Search Scope
When you apply a filter criterion, search performed by role members shows objects that match the criteria.
To designate a criterion:
-
In Admin Center, click Identity Stores in the left pane.
-
On the Identity Stores page, click the ellipsis button for an identity store and select Edit.
-
Click Security Roles under Settings in the left pane.
-
On the Security Roles page, click Edit for a security role.
-
On the Edit Security Role page, click Specify policies for the members in the Policies area.
-
On the Add Policies pane, click the Search tab.
-
In the Filters area, click Add Filter.
-
A row is displayed for adding a criterion.
- Select a schema attribute in the first drop-down list (for example, mail).
- Select an operator in the second drop-down list (for example, Ends with).
- Enter a value for the schema attribute in the third box (for example, @Netwrix.com).
With this filter, search performed by role members will display objects with email addresses created on the netwrix.com domain.
Advanced Filter
You can also define a query by adding more rows and applying the AND or OR operator to group them.
-
After defining two or more filter expressions, select two or more rows and apply one of these operators:
(To select a row, click the down arrow next to it and click Select Row.)- AND: to display the objects having the specified values for all attributes.
- OR: to display objects having the specified value for any one of the attributes.
-
Click the ellipsis button for an applied operator to display the context menu, which has the following options:
- Select Group: to select all rows that make up the query.
- Ungroup: to remove the operator and ungroup the rows.
- Change to OR: to change the AND operator to OR and vice versa.
- Add Clause: to add a new row for specifying another clause for the query.
- Delete: to delete the operator along with all the rows that the operator joins.
You can also:
- Click Tree View to view a list of all queries defined.
- Click Preview to preview the search results that will be displayed with this Search policy, i.e., with the container and filter settings on the Search tab.
- Click Clear to clear the Filter area.
-
After defining a filter, click OK.
-
On the Edit Security Role page, click Update Security Role.
-
On the Security Roles page, click Save.
See Also