UserQuery, GroupQuery and Create request on behalf
I have found several threads here related to the configuration of the Create request on behalf field of Request Offerings, however they do not seem to answer some of my questions and I cannot seem to find anything else that could be relevant.
My customer has experienced a case recently where a user with privileges to see the Create request on behalf field specified a distribution group instead of an individual user account. As the Affected User of the ticket, once the Service Request was submitted, all the members of the distribution group had received a personal e-mail confirmation one by one regarding a new ticket they have successfully registered, which of course they had not. Reactions were flooding in...
This got us thinking about what we may have missed for several years - and what gap users have not used before. Apparently, none of our AD connectors in Service Manager seems to have been set up to synchronize any distribution groups to the CMDB, except for two that only synchronize two particular objects, yet the undesired distribution groups are still synchronized into the CMDB. Our suspicion is that they may have slipped in through the ConfigMgr connector.
With that in mind I thought there must be another alternative. The goal now is to limit which users are available for selection in the Create request on behalf field of request offerings. With that said, my customer is currently running the 5.0.10 version of the portal.
There is an overview of Setting Items configuration options on Cireson's support portal which does not give enough information either on how the UserQuery and GroupQuery settings can be manipulated to influence the Create request on behalf field. But so far the most valuable I have found is this thread:
What I have found out is that my customer has always had their portal set up with the default out-of-the-box queries for both the UserQuery and the GroupQuery options:
If I am not mistaken this will retrieve everything: users, shared users, security groups, distribution groups... Which it does "nicely" when I try to search for different types of accounts/groups.
This customer of mine has different types of users, internal ones whose user name starts with - let's say - the letter I, and external users whose user name starts with the letter X. To our knowledge it may only be an exception that user accounts are created without an e-mail address, so the example above might work so that the on behalf of field would retrieve all users that have an e-mail address. However, I am not sure this is the right way to go for us.
I have received the following query from an SQL colleague, which is supposed to retrieve all users whose user names (SAM account name or User Name property) start with the letter "i" or the latter "x":
UserName LIKE 'i%' OR UserName LIKE 'x%'
We want exclusively users to be available in On Behalf, but when I use this query in the UserQuery setting (while GroupQuery is the default query), there will be no groups available any more in the on behalf field (which is good!), however I cannot get more than a handful of users, and no matter how I search (by first name, last name, username), I cannot seem to get more results than about the same 10 at the top of the list. I have restarted the Cache Builder and have not tested this query yet in GroupQuery.
And that, finally, leads me to my questions:
1. Can you confirm: when filtering the Create request on behalf field, is it the UserQuery or the GroupQuery setting that must be changed or both?
2. Can you give me a more detailed explanation as to what UserQuery and GroupQuery do, and what they normally impact?
3. Specifically, is there any other field throughout the portal, other than the Create request on behalf field, that will behave differently if either of these two (UserQuery, GroupQuery) settings is changed?
4. After submitting changes to either of these two settings, is a restart of the Cache Builder sufficient or should the portal application also be restarted in IIS?
5. What could be the reason for this query not having retrieved all users whose name starts with either "i" or "x"? Not really sure whether I should use GroupQuery for cutting out unwanted groups or if I should use UserQuery for specifying which users I do want...
UserName LIKE 'i%' OR UserName LIKE 'x%'
Thanks for any help in advance!