How to Remove Field Array Values based on Access Groups

Removing Field Values based on Access Groups

Studio Access Groups provide a quick and easy way to restrict the data rostered to a target application by RapidIdentity Studio however, they currently work at the record level and don’t surgically remove restricted values from multi-valued fields at the field level. 

As such, when setting an Access Group to restrict data based on specific schools, only the org records associated with the selected schools are included in the orgs output and, only the user records associated with the selected schools are included in the users output and each of those user records will reference the associated school in the orgs field. However, the records for those users who are also associated with schools not included in the Access Group scope will also contain those schools in the orgs field, even though they are excluded from the orgs output.

For example, teacher J. Smith teaches in both Smith Elementary and Smith Junior High. An Access Group is created on the Learning target application to send only teachers in Science Courses in Elementary schools including, Smith Elementary.

As such, the teacher J. Smith is included in the user output for the application and the school Smith Junior High is included in the org output for the application. Because J. Smith also teaches in Smith Junior High however, the orgs field on the user record for J. Smith includes both the org code for Smith Elementary and the org code for Smith Junior High.

This scenario often causes target applications to reject the Studio output because it fails to pass the validation check that ensures the presence of org records for orgs that are referenced in output records.

To avoid that scenario, the following mapping expression can be used on the user record, orgs field mapping, to surgically remove org codes from the orgs field on the user record when an org is excluded because of an Access Group restriction:

/* Remove any orgs from the array of orgs that are excluded by Access Groups */
function() {
  const orgs = SRC.org;
  var cleanOrgs = [];
  
  // Fetch Org Records Filtered by Access Groups 
  const allowedOrgs = SRC.applyAccessGroups(SRC.listRecords("org"));
  
  if (allowedOrgs && allowedOrgs.length>0)
  
    for (var i = 0; i < allowedOrgs.length; i++) {
    
        for (var y = 0; y < orgs.length; y++) {
          if (orgs[y] == allowedOrgs[i].recordKey[0]) {
            cleanOrgs.push(orgs[y]);
          }
        }
      
    }
  
  return cleanOrgs;
}

When used on the orgs field in user mappings, only orgs specified by an Access Group are included in the orgs field.

NOTE:

The SRC.applyAccessGroups method is time-consuming and will lengthen the duration of the mapping job.

For additional information on the SRC.applyAcccessGroups method and other Studio Expressions, click here