Model Filter Criteria

Overview

Model filter criteria defines how users (for example, Microsoft Active Directory or MS Entra MSOL user) are matched to corresponding data in VOSS Automate, to move users and related data to the correct system levels (Customer or Site) on import (in a sync or overbuild), based on one or attributes defined for the model type.

Note

Model filter criteria for LDAP sources is only compatible with Microsoft Active Directory (that is, Microsoft LDAP, not OpenLDAP).

Administrator users with access to the data/ModelFilterCriteria model can manage instances of this model so that these are available for selection in the Site Defaults Doc (SDD) of a site.

The SDD provides options to choose a predefined model filter criteria (depending on the user type). Options are:

• MS 365 User Model Filter Criteria

• Microsoft Active Directory (Microsoft LDAP) User Model Filter Criteria

• CUCM User Model Filter Criteria

Create Model Filter Criteria

Pre-requisites:

• To allow move to work using model filter criteria defined at the Site level, an admin user must enable the following global settings (on the Flow Through Provisioning tab), via (default menus) Customizations > Global Settings:

  • Enable Move & Flow Through Provisioning

  • Enable Move & Provisioning after Add Sync

Perform these steps:

1. Identify the source and target model and field that will be used in the filter.

2. Go to (default menu) Customizations > Model Filter Criteria.

   Note

   Alternative step: Go to (default menus) Flow Through Provisioning Configuration > Model Filter Criteria.

3. Click Add to add a new record, or clone an existing model filter criteria and update it to create a new model filter.

4. Provide a Name, Description, and Usage for the filter.

   Note

   The Model Filter Criteria with usage set to Move User is used to move the user. Model Filter Criteria with usage set to Flow Through Provisioning is used to provision the user.

   The flow through provisioning usage does not move a user, and will run only if the user is at a site.

5. From the Type (model type) drop-down, select the source model, for example device/msgraph/MsolUser (MS Entra MSOL users) or device/ldap/user (Microsoft Active Directory users).

   Note

   The model type defines the available attributes you can use in the model filter criteria.

6. Click the Plus sign (+) in the Criteria group to add one or more criteria.

   Each criteria is defined by the following:

Field	Description
Unary Operator	None, or NOT: to operate on the match Condition with the target value
Attribute	The field from the source model, for example City from device/msgraph/MsolUser.
Condition	Options are exact and non-exact types of contains and equals, as well as a regex search option.
Value	The target value that identifies the site in VOSS Automate. The value can also be a named macro, for example, {{ macro.OVERBUILD_SITE_CITY_NAME }}.
Conditional Operator	AND or OR: only needed and used to indicate the type of Boolean combination with the following criteria instance, if an additional instance is added.

7. Save the model filter criteria.

   You will be able to choose this new model filter criteria in the site’s SDD, and it will be, for example, applied in the Microsoft overbuild if Include Site for Overbuild and Microsoft Users is enabled.

   When running the overbuild, the system loops through the site defaults to identify sites with Include Site for Overbuild enabled, and moves related user data to the site based on the chosen model filter criteria rule.

   In this example, all device/msgraph/MsolUser instances synced in will be moved to the site matching {{ macro.OVERBUILD_SITE_CITY_NAME }} if their City value matches.

Microsoft Entra ID Groups in Model Filter Criteria

New model filter criteria functionality is available from release 21.4-PB3. For Model Filter Criteria of Type device/msgraph/MsolUser, the Attribute called Groups.displayName is available to create a filter that can be used to sync in and automatically onboard - move and provision users - based on their Microsoft Entra ID group membership.

Important

A number of caveats need to be considered when creating filters using Groups.displayName:

• The Value of the Groups.displayName attribute should be an exact case-sensitive match of the Microsoft Entra ID group name.

  For example, a Value of Northwood will match Northwood, but will not match northwood, Northwoodly, WestNorthwood or Westnorthwood.

• The Condition should be Equals Exactly.

• Multiple conditions using the Groups.displayName attribute are supported, but require the use of AND as the Conditional Operator. All conditions in the filter should therefore be true for the filter to apply; in other words, the user needs to belong to all the groups matching the Value field.

  Note that:

  • If a single matching filter condition is added whereas a user belongs to more than one Microsoft Entra ID group, the user is matched if the filter matches.

  • If an OR conditional operator is used, this will be interpreted as an AND operator.

• The Groups.displayName attribute cannot be combined with other attributes in a filter: other attributes will be ignored.

• Verify that these caveats are taken into consideration, since model filter criteria can be saved in the system without their considersation.

Related Topics

• Microsoft Overview
• Sync with Flow Through
• Flow Through Provisioning