Full Organizational View from Top-Down

I am getting a continual request from top-level managers to see all of the employees they are responsible for in the Web Portal. Right now, they can only see their direct reports, which is based on who they are a Manager of in AD. They cannot see the direct reports of their Managers. Has anyone run into this scenario and know how to resolve it? I believe delegation can resolve it, but I can't see how the delegation can automatically apply to new employees or a change in organizational structure.

Thanks for any hints or point in the right direction!

-CK

  • You could change the collection condition in WEB UI that shows only direct subordinates, to include all subordinates. 

  • As mekindad says. You've two choices of how to walk your hierarchy to find the employees you can edit. The first option is through the person manager (person.uid_personhead), however watch out for problems relating to breaks in the path. The other choice is through the organisational structure, e.g. department. This is more robust, but assumes that department managers are populated. For an example see the edit condition on the Person table for the VI_4_ALLMANAGER permission group.

  • I'm in the VI_Employee_Overview -> Collections -> Person, but I can't seem to figure out or see how to switch from "direct subordinates" to "all subordinates". Do I need to make a copy of this module? Would this be the query to modify?

    "uid_person in ( select uid_person from QERVEditEmployee where uid_personhead = '%useruid%')"

    Thanks for any help!

    -CK

  • Thanks for the reply. I will try to be aware of that pitfall. Departments would be an option, but we have quite an extensive organizational structure and we have a lot of sub-managers, which causes issues with managing that view logistically.

  • It looks like this post addresses the hierarchy question by creating a stored procedure and then adding it to the query, but that was 5 years ago and I wonder if that feature has been added since? I am currently on version 7.1.2:

    https://www.quest.com/community/one-identity/identity-manager/f/identity-manager-forum/6547/dynamic-roles-based-on-everyone-under-multiple-managers/17204#17204

    Thanks!

    -CK

  • I'm not aware of anything OotB that recurses over the person manager. It would be nice if there was.

  • I don't see a way to take advantage of this procedure in the VI_Employee_Overview, and the recursive CTE query doesn't work because you are in a "WHERE" statement already when adding the condition under the "Employees which can be edited by the current user" key. I think the best way to approach this is to give the top-level manager the "QERVEditEmployee" rights for all subordinate employees. The challenge is how to provision and de-provision those rights.

    -CK

  • I used the recursive query (renamed) and it worked fine by setting VI_Employee_Person_Filter to:

    "uid_person in ( select uid_person from CCC_FTPersonSubordinate('%useruid%') )"

    The view QERVEditEmployee finds who has responsibility for an employee using the following criteria: (1) they are the manager of a department at or above the employee's department, (2) they are the manager of the employee. The responsibility can be delegated for both (1) and (2), but that means creating, and maintaining a lot of delegations. I would recommend it, I'd use the recursive query.

  • Thank you CraigHunter so much! I was approaching it wrong by trying to embed the CTE into the filter, but once I injected the table function as you did, it is working perfectly. I was able to see and modify subordinates. You made my week!

    -CK
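
An added example, not part of the thread and not the function from the linked post: one way a table function like the CCC_FTPersonSubordinate used above could walk person.uid_personhead recursively on SQL Server. Because this filter decides which employees a manager may edit, it carries a cycle guard and a depth cap; the function name, the varchar(38) key type and the cap of 25 levels are assumptions.

```sql
-- Hypothetical function name; Person, UID_Person and UID_PersonHead are the
-- table and columns named in the thread. varchar(38) is an assumed key type.
CREATE FUNCTION dbo.CCC_FTPersonSubordinate_Example (@uid_manager varchar(38))
RETURNS TABLE
AS
RETURN
(
    WITH Subordinates (UID_Person, Depth, VisitPath) AS
    (
        -- Anchor: direct reports of the given manager.
        SELECT p.UID_Person,
               1,
               CAST('/' + @uid_manager + '/' + p.UID_Person + '/' AS varchar(4000))
        FROM   dbo.Person AS p
        WHERE  p.UID_PersonHead = @uid_manager
          AND  p.UID_Person <> @uid_manager      -- ignore a self-referencing manager

        UNION ALL

        -- Recursive step: reports of everyone found so far.
        SELECT p.UID_Person,
               s.Depth + 1,
               CAST(s.VisitPath + p.UID_Person + '/' AS varchar(4000))
        FROM   dbo.Person AS p
        JOIN   Subordinates AS s
               ON p.UID_PersonHead = s.UID_Person
        WHERE  s.Depth < 25                      -- assumed cap, below the default
                                                 -- recursion limit of 100 levels
          AND  s.VisitPath NOT LIKE '%/' + p.UID_Person + '/%'  -- cycle guard: skip
                                                 -- anyone already on this path
    )
    -- A person reachable over more than one path is returned once.
    SELECT DISTINCT UID_Person FROM Subordinates
);

-- Used in the filter the same way as in the thread:
--   uid_person in ( select uid_person from CCC_FTPersonSubordinate_Example('%useruid%') )
```

An employee whose UID_PersonHead is empty, or points outside the manager's chain, is not returned; that is the "break in the path" pitfall mentioned earlier in the thread.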