7 Building Membership and Eligibility Rules

You use XML to create membership rules and eligibility rules. Membership and eligibility rules are used while creating roles. This chapter describes the various elements used to build rules using XML.

The XML files located in the ORM_HOME/samples/role_expressions directory contain sample rules for your reference.

As mentioned earlier, the standard data model consists of objects, which are required for Oracle Role Manager to function as designed. Examples of objects available in the standard data model of Oracle Role Manager are organization, role, abstractOrg, abstractIdentity, and so on. See Table A-1 for a complete list of objects available in the standard data model of Oracle Role Manager.

See Also:

Oracle Role Manager Developer's Guide for detailed information about every object in the standard data model

The predicate element is the root element in XML used to define rules. The XML namespace is specified as an attribute of the predicate element as follows:

<predicate xmlns=http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0 input-type="person">

The predicate element can contain any one or a combination of the expressions discussed in this chapter.

This chapter includes the following sections:

• Section 7.1, "Attribute Expressions"

• Section 7.2, "Hierarchy Expressions"

• Section 7.3, "Relative Object Expressions"

• Section 7.4, "Role Membership Expressions"

• Section 7.5, "Logical Expressions"

7.1 Attribute Expressions

You can use the attribute-expression element whenever your rule requires some constraint on the person object in Oracle Role Manager.

Example 7-1 shows XML for a sample rule that uses an attribute expression. This rule is as follows:

All individuals whose job title is Manager.

Example 7-1 Sample XML That Uses the Attribute Expression

<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
   <attribute-expression>
      <attribute attribute-id="jobTitle"/>
      <equals>
         <string-constant>Manager</string-constant>
      </equals>
   </attribute-expression>
</predicate>

The attribute-expression element must contain the following:

• attribute Element

• Comparison Operator Element

• Constant Element

attribute Element

The attribute element is an empty element. An empty element is an element that has no content and has only attributes. In other words, an empty element does not contain child elements.

The attribute element has the attribute-id attribute. The attribute-id attribute is a mandatory attribute, which can take values with respect to the person object.

For example, the attribute-id attribute can take values givenName (as shown in Example 7-1), employeeNumber, departmentNumber, telephoneNumber (as shown in Example 7-2), and so on.

See Appendix A for details about available values that the attribute-id attribute can take when the object is person.

Comparison Operator Element

All attribute-expression elements must contain one of the comparison operator elements described in Table 7-1.

Table 7-1 Comparison Operator Used in the attribute-expression Element

Comparison Operator	Data Types with Which the Operator Can Be Used
equals	All data types
not-equals	All data types
greater-than	Integer, decimal, and datetime
greater-than-equals	Integer, decimal, and datetime
less-than	Integer, decimal, and datetime
less-than-equals	Integer, decimal, and datetime
starts-with	String
ends-with	String

Example 7-1 and Example 7-2 show attribute expressions containing the equals and not-equals comparison operator elements, respectively.

Constant Element

You can select various constant elements depending on the attribute used. You must specify the corresponding value that the attribute-id attribute can take using one of the following elements:

• integer-constant

• string-constant

• decimal-constant

• boolean-constant

• datetime-constant (in the YYYY-MM-DDThh:MM:ss.SSS format, for example, 2008-06-20T15:20:00.000)

• null-constant

Example 7-1 and Example 7-2 show attribute expressions containing the string-constant and null-constant elements, respectively.

Example 7-2 Sample XML for Attribute Expression That Uses the null-constant Element

<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
   <attribute-expression>
      <attribute attribute-id="telephoneNumber"/>
      <not-equals>
         <null-constant>null</null-constant>
      </not-equals>
   </attribute-expression>
</predicate>

7.2 Hierarchy Expressions

You can use the hierarchy expression when your rule contains an organizational hierarchy constraint. For example, you might want to create a dynamic business role that must be granted only to persons belonging to a specific organization. In this case, your rule requires a constraint on a specific organization. Therefore, you must use the hierarchy expression for creating the rule.

Begin a hierarchy expression with the hierarchy-expression element. Example 7-3 shows a sample XML for a rule that uses a hierarchy expression. This rule is as follows:

All individuals who are members of the Banking reporting organization and all it's child organizations.

Example 7-3 Sample XML That Uses the Hierarchy Expression

<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
   <hierarchy-expression hierarchy-id="reportingHierarchy" cascade="true">
      <hierarchy-member>
         <aliased-reference 
            object-type="organization"
            attribute-id="displayName" 
            attribute-value="Banking"/>
      </hierarchy-member>
   </hierarchy-expression>
</predicate>

The hierarchy-expression element contains the following attributes:

• hierarchy-id

  This is a mandatory attribute, which refers to the name of an existing hierarchy in Oracle Role Manager. It can take the values reportingHierarchy, costCenterHierarchy, and locationHierarchy.

• cascade

  This is a mandatory attribute, and it can take a value of either True or False.

  If the value of the cascade attribute is True, then the expression will include the specified hierarchy members and all its sub-hierarchy members.

  If the value of the cascade attribute is False, then the expression will include only the specified hierarchy members.

  Example 7-3 shows a hierarchy expression containing the cascade attribute with the value True.

The hierarchy-expression element contains the hierarchy-member element, which in turn contains the aliased-reference element.

The aliased-reference element must contain the following attributes:

• object-type

  This is a mandatory attribute, and it can take abstractOrg and all objects (such as organization,ou,country, and floor) that have been inherited from the abstractOrg object as its value.

  See Table A-1 for a complete list of objects that have been inherited from the abstractOrg object type.

• attribute-id

  This is a mandatory attribute, and it can take values based on the object specified.

  For example, if the value of the object-type attribute is organization, then the attribute-id attribute can take values such as displayName (as shown in Example 7-3) and orgHead_id.

  See Appendix A for details about available values for the attribute-id attribute.

• attribute-value

  This is also a mandatory attribute, and it can take values based on the attribute-id attribute specified.

  For example, if the attribute-id is displayName, then attribute-value can take values such as Banking, Marketing, and Financial Services.

Note:

The following are some points to note when using hierarchy expressions:

• Changes to the organizational hierarchies such as change of display name have no impact on the XML rule created.

• Change in rules in response to changes in organizational hierarchy details are not dynamic.

• Oracle Role Manager administrators who create rules must be aware of the changes that affect these rules to avoid invalidating the rule unintentionally.

7.3 Relative Object Expressions

You can use the relative object expression if you have to define a rule in terms of relationships. In other words, it is used to define relative roles. All relative object expressions contain a subject, an object, and a relationship between the two.

Example 7-4 shows a sample XML for a rule that uses a relative object expression. This rule is as follows:

All people who have a manager relationship to at least one other person.

Example 7-4 Sample XML That Uses the Relative Object Expression

<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
   <relative-object-expression
      subject-type="person"
      relationship-path-id="managedPeople"
      relative-object-type="person"/>
</predicate>

Relative object expressions begin with the relative-object-expression element. This element contains the following attributes:

• subject-type

  This is a mandatory attribute. It can take object values organization, person, and role.

• relative-object-type

  This is a mandatory attribute. It can take object values organization, person, and role.

• relationship-path-id

  This is also a mandatory attribute. It takes a value that can determine the relationship between the subject and the object. That is, it determines the relationship between the entities mentioned in the subject-type and the relative-object-type attributes.

  For example, you can use the relationship-path-id attribute that takes the manager value to determine the relationship between two person objects.

  Another example is to use the relationship-path-id attribute that takes the managedPeople value (as shown in Example 7-4) to determine people who are managers to at least one other person.

You can have relationships between a person and another person, person and roles, and organization and organization.

See Appendix A for details about the available relationships for various objects.

The relative-object-expression element can contain an attribute-expression element as its child element. The behavior of an attribute-expression element in the role-member-expression element and the attribute-expression element (described in "Attribute Expressions") is similar. However, the attribute-expression element when used independently, considers only person as the object type. The attribute-expression element when used with the role-membership-expression element considers the value that is specified in the relative-object-type attribute as the object type.

For example, you might want to create a role that must be granted to persons who have a manager named John. Therefore, there is a relationship that exists between John and the persons to whom you want to grant the role.

Example 7-5 shows a sample XML for a rule that uses a relative object expression with the attribute expression as the child element. This rule is as follows:

All people who have a manager by the name Jane Doe.

Example 7-5 Sample XML That Uses the Relative Object Expression and the Attribute Expression Element

<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
   <relative-object-expression
      subject-type="person"
      relationship-path-id="manager"
      relative-object-type="person">
      <attribute-expression>
         <attribute attribute-id="displayName"/>
         <equals>
            <string-constant>Jane Doe</string-constant>
         </equals>
      </attribute-expression>
   </relative-object-expression>
</predicate>

For example, you might want to create a rule that will grant a person membership to a dynamic business role, based on the person's location.

Example 7-6 shows a sample XML for a rule that uses a relative object expression. In addition, this rule depicts a relationship between a person and a location. This rule is as follows:

All people who reside in the Americas location.

Example 7-6 Sample XML That Uses the Relative Object Expression to Depict the Person-Organization Combination

<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
   <relative-object-expression
      subject-type="person"
      relationship-path-id="parent_location_organization"
      relative-object-type="abstractOrg">
      <attribute-expression>
         <attribute attribute-id="displayName"/>
         <equals>
            <string-constant>Americas</string-constant>
         </equals>
      </attribute-expression>
   </relative-object-expression>
</predicate>

Example 7-7 shows a sample XML for a rule that uses a relative object expression. In addition, this rule depicts a relationship between a role and an organization. This rule is as follows:

All roles who reside in the Americas location.

Example 7-7 Sample XML That Uses the Relative Object Expression to Depict the Role-Organization Combination

<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0"
input-type="person">
   <relative-object-expression subject-type="person"
      relationship-path-id="headedOrgs" relative-object-type="abstractOrg">
     <attribute-expression>
       <attribute attribute-id="displayName" />
         <equals>
            <string-constant>My Organization</string-constant>
         </equals>
      </attribute-expression>
   </relative-object-expression>
 </predicate>

7.4 Role Membership Expressions

Role membership expressions are used when you have to define a rule that considers members of another role, which is a static business role.

Note:

Role membership expressions must be used for static role references only.

Role membership expressions are also used when you are referencing a role attribute and verifying whether a person is a member of the resulting set of roles. This is illustrated by the following example:

Suppose you are creating an XML rule for a dynamic business role. This XML rule grants the dynamic business role to all individuals whose job title is Manager and have membership to the Risk Manager static business role.

A sample XML for the example in the preceding section is shown in Example 7-8. This rule uses the role-member-expression element.

Example 7-8 Sample XML That Uses the Role Membership Expression

<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
   <and-expression>
      <expressions>
         <attribute-expression>
            <attribute attribute-id="jobTitle"/>
            <equals>
               <string-constant>Manager</string-constant>
            </equals>
         </attribute-expression>
         <role-member-expression>
            <aliased-reference 
               object-type="abstractRole"
               attribute-id="displayName"
               attribute-value="Risk Manager"/>
         </role-member-expression>
      </expressions>
   </and-expression>
</predicate>

Role membership expressions begin with the role-member-expression element. This element contains the aliased-reference element. The behavior of the aliased-reference element in the role-member-expression element and the hierarchy-expression element is the same. See Section 7.2, "Hierarchy Expressions" for information about aliased-reference element.

7.5 Logical Expressions

Logical expressions can be formed by using the logical operators and, or, and not. Logical expressions enclose all the primary expressions such as attribute expressions, hierarchy expressions, role membership expressions, and relative object expressions.

You can use a logical expression when you have to use a combination of two or more primary expressions.

The logical expression elements that are available are as follows:

• and-expression

• or-expression

• not-expression

Each of these logical expression elements, except for the not-expression element, must contain the expressions element because the and, and or logical operators require two operands.

Example 7-9 is a sample XML for a rule that automatically grants a dynamic business role to all individuals in the Accounting subtree of the reporting organization and who are managed by a person named John:

Example 7-9 Sample XML That Uses the Logical Expression

<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person">
   <and-expression>
      <expressions>
         <hierarchy-expression hierarchy-id="reportingHierarchy" cascade="true">
            <hierarchy-member>
               <aliased-reference 
                  object-type="organization"
                  attribute-id="displayName"
                  attribute-value="Accounting"/>
            </hierarchy-member>
         </hierarchy-expression>
         <relative-object-expression
            subject-type="person"
            relationship-path-id="manager"
            relative-object-type="person">
            <attribute-expression>
               <attribute attribute-id="givenName"/>
               <starts-with>
                  <string-constant>John</string-constant>
               </starts-with>
            </attribute-expression>
         </relative-object-expression>
      </expressions>
   </and-expression>
</predicate>