Oracle® Role Manager User's Guide Release 10g (10.1.4.2) Part Number E14609-02 |
|
|
View PDF |
You use XML to create membership rules and eligibility rules. Membership and eligibility rules are used while creating roles. This chapter describes the various elements used to build rules using XML.
The XML files located in the ORM_HOME/samples/role_expressions directory contain sample rules for your reference.
As mentioned earlier, the standard data model consists of objects, which are required for Oracle Role Manager to function as designed. Examples of objects available in the standard data model of Oracle Role Manager are organization,
role, abstractOrg, abstractIdentity,
and so on. See Table A-1 for a complete list of objects available in the standard data model of Oracle Role Manager.
See Also:
Oracle Role Manager Developer's Guide for detailed information about every object in the standard data modelThe predicate
element is the root element in XML used to define rules. The XML namespace is specified as an attribute of the predicate
element as follows:
<predicate xmlns=http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0 input-type="person">
The predicate
element can contain any one or a combination of the expressions discussed in this chapter.
This chapter includes the following sections:
You can use the attribute-expression
element whenever your rule requires some constraint on the person
object in Oracle Role Manager.
Example 7-1 shows XML for a sample rule that uses an attribute expression. This rule is as follows:
All individuals whose job title is Manager.
Example 7-1 Sample XML That Uses the Attribute Expression
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <attribute-expression> <attribute attribute-id="jobTitle"/> <equals> <string-constant>Manager</string-constant> </equals> </attribute-expression> </predicate>
The attribute-expression
element must contain the following:
The attribute
element is an empty element. An empty element is an element that has no content and has only attributes. In other words, an empty element does not contain child elements.
The attribute
element has the attribute-id
attribute. The attribute-id
attribute is a mandatory attribute, which can take values with respect to the person
object.
For example, the attribute-id
attribute can take values givenName
(as shown in Example 7-1), employeeNumber, departmentNumber, telephoneNumber
(as shown in Example 7-2), and so on.
See Appendix A for details about available values that the attribute-id
attribute can take when the object is person
.
Comparison Operator Element
All attribute-expression
elements must contain one of the comparison operator elements described in Table 7-1.
Table 7-1 Comparison Operator Used in the attribute-expression Element
Comparison Operator | Data Types with Which the Operator Can Be Used |
---|---|
|
All data types |
|
All data types |
|
Integer, decimal, and datetime |
|
Integer, decimal, and datetime |
|
Integer, decimal, and datetime |
|
Integer, decimal, and datetime |
|
String |
|
String |
Example 7-1 and Example 7-2 show attribute expressions containing the equals
and not-equals
comparison operator elements, respectively.
You can select various constant elements depending on the attribute used. You must specify the corresponding value that the attribute-id
attribute can take using one of the following elements:
integer-constant
string-constant
decimal-constant
boolean-constant
datetime-constant
(in the YYYY-MM-DDThh:MM:ss.SSS
format, for example, 2008-06-20T15:20:00.000
)
null-constant
Example 7-1 and Example 7-2 show attribute expressions containing the string-constant
and null-constant
elements, respectively.
Example 7-2 Sample XML for Attribute Expression That Uses the null-constant Element
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <attribute-expression> <attribute attribute-id="telephoneNumber"/> <not-equals> <null-constant>null</null-constant> </not-equals> </attribute-expression> </predicate>
You can use the hierarchy expression when your rule contains an organizational hierarchy constraint. For example, you might want to create a dynamic business role that must be granted only to persons belonging to a specific organization. In this case, your rule requires a constraint on a specific organization. Therefore, you must use the hierarchy expression for creating the rule.
Begin a hierarchy expression with the hierarchy-expression
element. Example 7-3 shows a sample XML for a rule that uses a hierarchy expression. This rule is as follows:
All individuals who are members of the Banking reporting organization and all it's child organizations.
Example 7-3 Sample XML That Uses the Hierarchy Expression
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <hierarchy-expression hierarchy-id="reportingHierarchy" cascade="true"> <hierarchy-member> <aliased-reference object-type="organization" attribute-id="displayName" attribute-value="Banking"/> </hierarchy-member> </hierarchy-expression> </predicate>
The hierarchy-expression
element contains the following attributes:
This is a mandatory attribute, which refers to the name of an existing hierarchy in Oracle Role Manager. It can take the values reportingHierarchy
, costCenterHierarchy
, and locationHierarchy.
This is a mandatory attribute, and it can take a value of either True
or False
.
If the value of the cascade attribute is True
, then the expression will include the specified hierarchy members and all its sub-hierarchy members.
If the value of the cascade attribute is False
, then the expression will include only the specified hierarchy members.
Example 7-3 shows a hierarchy expression containing the cascade
attribute with the value True.
The hierarchy-expression
element contains the hierarchy-member
element, which in turn contains the aliased-reference
element.
The aliased-reference
element must contain the following attributes:
This is a mandatory attribute, and it can take abstractOrg
and all objects (such as organization,ou,country,
and floor
) that have been inherited from the abstractOrg
object as its value.
See Table A-1 for a complete list of objects that have been inherited from the abstractOrg
object type.
This is a mandatory attribute, and it can take values based on the object specified.
For example, if the value of the object-type
attribute is organization
, then the attribute-id
attribute can take values such as displayName
(as shown in Example 7-3) and orgHead_id.
See Appendix A for details about available values for the attribute-id
attribute.
This is also a mandatory attribute, and it can take values based on the attribute-id
attribute specified.
For example, if the attribute-id is displayName
, then attribute-value can take values such as Banking
, Marketing
, and Financial Services.
Note:
The following are some points to note when using hierarchy expressions:Changes to the organizational hierarchies such as change of display name have no impact on the XML rule created.
Change in rules in response to changes in organizational hierarchy details are not dynamic.
Oracle Role Manager administrators who create rules must be aware of the changes that affect these rules to avoid invalidating the rule unintentionally.
You can use the relative object expression if you have to define a rule in terms of relationships. In other words, it is used to define relative roles. All relative object expressions contain a subject, an object, and a relationship between the two.
Example 7-4 shows a sample XML for a rule that uses a relative object expression. This rule is as follows:
All people who have a manager relationship to at least one other person.
Example 7-4 Sample XML That Uses the Relative Object Expression
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <relative-object-expression subject-type="person" relationship-path-id="managedPeople" relative-object-type="person"/> </predicate>
Relative object expressions begin with the relative-object-expression
element. This element contains the following attributes:
This is a mandatory attribute. It can take object values organization
, person
, and role
.
This is a mandatory attribute. It can take object values organization
, person
, and role
.
This is also a mandatory attribute. It takes a value that can determine the relationship between the subject and the object. That is, it determines the relationship between the entities mentioned in the subject-type and the relative-object-type attributes.
For example, you can use the relationship-path-id
attribute that takes the manager
value to determine the relationship between two person
objects.
Another example is to use the relationship-path-id
attribute that takes the managedPeople
value (as shown in Example 7-4) to determine people who are managers to at least one other person.
You can have relationships between a person and another person, person and roles, and organization and organization.
See Appendix A for details about the available relationships for various objects.
The relative-object-expression
element can contain an attribute-expression
element as its child element. The behavior of an attribute-expression
element in the role-member-expression
element and the attribute-expression
element (described in "Attribute Expressions") is similar. However, the attribute-expression
element when used independently, considers only person
as the object type. The attribute-expression
element when used with the role-membership-expression
element considers the value that is specified in the relative-object-type
attribute as the object type.
For example, you might want to create a role that must be granted to persons who have a manager named John. Therefore, there is a relationship that exists between John and the persons to whom you want to grant the role.
Example 7-5 shows a sample XML for a rule that uses a relative object expression with the attribute expression as the child element. This rule is as follows:
All people who have a manager by the name Jane Doe.
Example 7-5 Sample XML That Uses the Relative Object Expression and the Attribute Expression Element
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <relative-object-expression subject-type="person" relationship-path-id="manager" relative-object-type="person"> <attribute-expression> <attribute attribute-id="displayName"/> <equals> <string-constant>Jane Doe</string-constant> </equals> </attribute-expression> </relative-object-expression> </predicate>
For example, you might want to create a rule that will grant a person membership to a dynamic business role, based on the person's location.
Example 7-6 shows a sample XML for a rule that uses a relative object expression. In addition, this rule depicts a relationship between a person and a location. This rule is as follows:
All people who reside in the Americas location.
Example 7-6 Sample XML That Uses the Relative Object Expression to Depict the Person-Organization Combination
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <relative-object-expression subject-type="person" relationship-path-id="parent_location_organization" relative-object-type="abstractOrg"> <attribute-expression> <attribute attribute-id="displayName"/> <equals> <string-constant>Americas</string-constant> </equals> </attribute-expression> </relative-object-expression> </predicate>
Example 7-7 shows a sample XML for a rule that uses a relative object expression. In addition, this rule depicts a relationship between a role and an organization. This rule is as follows:
All roles who reside in the Americas location.
Example 7-7 Sample XML That Uses the Relative Object Expression to Depict the Role-Organization Combination
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <relative-object-expression subject-type="person" relationship-path-id="headedOrgs" relative-object-type="abstractOrg"> <attribute-expression> <attribute attribute-id="displayName" /> <equals> <string-constant>My Organization</string-constant> </equals> </attribute-expression> </relative-object-expression> </predicate>
Role membership expressions are used when you have to define a rule that considers members of another role, which is a static business role.
Note:
Role membership expressions must be used for static role references only.Role membership expressions are also used when you are referencing a role attribute and verifying whether a person is a member of the resulting set of roles. This is illustrated by the following example:
Suppose you are creating an XML rule for a dynamic business role. This XML rule grants the dynamic business role to all individuals whose job title is Manager and have membership to the Risk Manager static business role.
A sample XML for the example in the preceding section is shown in Example 7-8. This rule uses the role-member-expression
element.
Example 7-8 Sample XML That Uses the Role Membership Expression
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <and-expression> <expressions> <attribute-expression> <attribute attribute-id="jobTitle"/> <equals> <string-constant>Manager</string-constant> </equals> </attribute-expression> <role-member-expression> <aliased-reference object-type="abstractRole" attribute-id="displayName" attribute-value="Risk Manager"/> </role-member-expression> </expressions> </and-expression> </predicate>
Role membership expressions begin with the role-member-expression
element. This element contains the aliased-reference
element. The behavior of the aliased-reference
element in the role-member-expression
element and the hierarchy-expression
element is the same. See Section 7.2, "Hierarchy Expressions" for information about aliased-reference
element.
Logical expressions can be formed by using the logical operators and, or,
and not.
Logical expressions enclose all the primary expressions such as attribute expressions, hierarchy expressions, role membership expressions, and relative object expressions.
You can use a logical expression when you have to use a combination of two or more primary expressions.
The logical expression elements that are available are as follows:
Each of these logical expression elements, except for the not-expression
element, must contain the expressions
element because the and,
and or
logical operators require two operands.
Example 7-9 is a sample XML for a rule that automatically grants a dynamic business role to all individuals in the Accounting subtree of the reporting organization and who are managed by a person named John:
Example 7-9 Sample XML That Uses the Logical Expression
<predicate xmlns="http://xmlns.oracle.com/iam/rm/rule/predicate/config/1_0" input-type="person"> <and-expression> <expressions> <hierarchy-expression hierarchy-id="reportingHierarchy" cascade="true"> <hierarchy-member> <aliased-reference object-type="organization" attribute-id="displayName" attribute-value="Accounting"/> </hierarchy-member> </hierarchy-expression> <relative-object-expression subject-type="person" relationship-path-id="manager" relative-object-type="person"> <attribute-expression> <attribute attribute-id="givenName"/> <starts-with> <string-constant>John</string-constant> </starts-with> </attribute-expression> </relative-object-expression> </expressions> </and-expression> </predicate>