Resource group filter plugin

The resource group filter plugin works as a post-filter. It is responsible for filtering the list of groups returned by the target system’s network resource plugin. This method is more flexible than using filter rules because the filter plugin has access to additional information about the requester and recipient.

To use a resource group filter plugin:

  1. Click Modules > Options.

  2. Type the name of the plugin program or PSLang script in the FILTER RESOURCEGROUP PLUGIN field.

  3. Click Update.

There are no shipped plugins for use with this plugin point.

Execution points

The plugin is run by the View and update profile (IDR) module when users view resource details.

Filter plugins operate differently from most plugins, which are synchronous. All filter plugins support asynchronous calling, which has two forms: standard input/output (stdio) mode and callback mode.

In standard input/output (stdio) mode, filter plugins work in the following way:

  1. An event triggers a CGI program to call the plugin program or script and sends it standard user data.

  2. The calling program continues to stream input from stdin, one item at a time until there are no more items.

  3. For each item, the plugin returns the filter result to stdout.

  4. The calling program receives the final standard output and continues.

Input

Input is similar for all resource filter plugins. The plugin first receives standard data in the format:

"" "" = {
  "sessionid" = "<session ID>" # The session ID of the request.
  "module" = "<idr|ids|idp|idwfm>"
  "accountID" = "<account ID>" # The account ID of the recipient.
  "template" = "<template ID>" # The selected template ID.
  "targetid" = "<target ID>" # The target ID for the recipient.
  "navigation" "" = { ... } # User navigation data
  "recipient" "<user|empty>" = {
     # The "recipient" group contains standard information about the
     # subject of the request.
   }
  "viewer" "user" = {
     # The "viewer" group contains standard information about the
     # person using the CGI.
   }
  "request" "" = {
     # The "request" group contains standard information about
     # the request.
   }
 }

Some of the values above may be empty due to the stage and type of the request.

The plugin then receives a series of KVGroups; one for each item.

Input to the first KVGroup also includes the following key-value pairs:

  "netresourcetype" = "<F|P|M>"
     # The resource type related to a !\IDACCESS{}! request.
  "netresourceunc" = "<UNC path>"
     # The UNC path related to a !\IDACCESS{}! request.

Subsequent input is passed for each group that the plugin must evaluate. Each item is as follows:

"group" "<long ID of the group>" = {
  "desc" = "<group desc>" # Description of the group
  "hassubgroups" = "<true|false>" # Sub-group flag
  "member" = "<true|false>" # Indicates the recipient's current membership status.
  "owners" "" = { # Existing owners
      "owner" = "<profile ID>" # 0 or more
  }
  "perm" "" = {
      "read" = "<true|false>" # false if omitted
      "write" = "<true|false>" # false if omitted
  }
}

For example:

"group" "CN=arch_frv_owners,OU=groups,OU=staff,DC=norse,DC=bravurasecurity,DC=com" = {
  "desc" = "arch_frv_owners"
  "hassubgroups" = "false"
  "member" = "true"
  "owners" "" = {
    "owner" = "steven.benes"
  }
  "perm" "" = {
      "read" = "true"
      "write" = "true"
  }
} 

Output

For each item, one output KVGroup is expected on stdout, with an optional "filter" = "true" pair to indicate that the item should not be displayed:

"" "" = {
  "filter" = "<true|false>"
       # If false, the user is displayed
       # If true, the user is not displayed
  "retval" = "<#>"
       # Optional, if non-zero returned, abort the plugin
}

A plugin that encounters errors in its processing can add standard output pairs for individual items, which should cause the plugin execution to be aborted.
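The per-item exchange described above, as an added example that is not part of the product or its documentation: a Python filter that parses one item KVGroup in the syntax shown on this page and builds the reply for stdout. The policy (hide a group unless it has at least one owner and "read" is true, and return a non-zero retval on unparseable input) and the names parse_kvgroups, filter_result and SAMPLE are assumptions; how items are framed on a live stdin is not described here, so the function takes the text of one item.

```python
import re

# Quoted string | one of = { } | comment to end of line (comments are skipped).
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([={}])|#[^\n]*')

def parse_kvgroups(text):
    """Parse the KVGroup subset shown on this page into nested dicts."""
    toks = [(m.lastindex == 2, m.group(m.lastindex))
            for m in TOKEN.finditer(text) if m.lastindex]
    pos = 0
    def body():
        nonlocal pos
        pairs, groups = {}, []
        while pos < len(toks) and toks[pos] != (True, "}"):
            key = toks[pos][1]
            if toks[pos + 1] == (True, "="):        # "key" = "value"
                pairs.setdefault(key, []).append(toks[pos + 2][1])
                pos += 3
            else:                                   # "key" "id" = { ... }
                if toks[pos + 2:pos + 4] != [(True, "="), (True, "{")]:
                    raise ValueError("malformed KVGroup header")
                gid, pos = toks[pos + 1][1], pos + 4
                sub_pairs, sub_groups = body()
                if pos >= len(toks):
                    raise ValueError("unterminated KVGroup")
                pos += 1                            # consume closing brace
                groups.append({"name": key, "id": gid,
                               "pairs": sub_pairs, "groups": sub_groups})
        return pairs, groups
    return body()[1]

def filter_result(item_text):
    """Build the stdout KVGroup for one item; hide it unless clearly allowed."""
    try:
        (item,) = parse_kvgroups(item_text)         # exactly one item expected
        sub = {g["name"]: g["pairs"] for g in item["groups"]}
        readable = sub.get("perm", {}).get("read", ["false"])[-1] == "true"
        owned = bool(sub.get("owners", {}).get("owner"))
        hide = item["name"] != "group" or not (readable and owned)
        return '"" "" = {\n  "filter" = "%s"\n}\n' % str(hide).lower()
    except (ValueError, IndexError):                # bad input: hide and abort
        return '"" "" = {\n  "filter" = "true"\n  "retval" = "1"\n}\n'

# Abridged from the example item on this page (nested groups put on one line).
SAMPLE = '''"group" "CN=arch_frv_owners,OU=groups,OU=staff,DC=norse,DC=bravurasecurity,DC=com" = {
  "member" = "true"
  "owners" "" = { "owner" = "steven.benes" }
  "perm" "" = { "read" = "true" "write" = "true" }
}'''
```

Calling filter_result(SAMPLE) yields a reply with "filter" = "false"; removing the owner or the "read" pair from the item flips it to "true".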

This mode can be used to reduce processing time in environments with large numbers of users.

In callback mode the network resource filter plugin uses two functions:

OnFilterInit(const $inkvg, output $detail)

This function is called once to initialize the environment based on the CGI user.

  • $inkvg – the viewer

  • $detail – if 0, no detail provided on input kvg for each user

    – if 1, detail is provided on input kvg for each user

    – can also be expressed as a KVGroup

OnItemFilter(const $inkvg, output $msg, output $allow)

This function is called once per item to determine what network resources the user can view or manage.

  • $inkvg – the network resource to filter

  • $msg – error message

  • $allow – if 1, this user is displayed and available

    – if 0, this user is not displayed and is unavailable