Sun Identity Manager Deployment Reference

Audit Policy Rule

An audit policy contains a set of rules that it applies to data representing an object being audited. Each rule can return a boolean value (plus some optional information).

To determine whether a policy has been violated, the audit policy evaluates a logical operation on the results of each rule. If the audit policy has been violated, a compliance violation object might result, with (typically) one compliance violation object per policy, rule, or whatever was being audited. For example, an audit policy with five rules might result in five violations.


You must specify the following for a custom Audit Policy rule: one of the following subtypes.

  • SUBTYPE_AUDIT_POLICY_RULE (for an audit policy rule)

  • SUBTYPE_AUDIT_POLICY_SOD_RULE (for an audit policy SOD rule)

    SOD (separation of duties or segregation of duties) rules differ from regular rules in that they are expected to produce a list element in the rule output. A list element is not required, but if one is not present, any corresponding violations are ignored in SOD reporting.

Note –

When you use the Audit Policy Wizard to create an Audit Policy rule, the wizard uses the AuditPolicyRule authType by default.

If you use the Identity Manager IDE to create an Audit Policy rule, be sure to specify the AuditPolicyRule authType.


During an Audit Policy Evaluation

An audit policy rule must return an integer value, but the value can be expressed as one of the following:

  • A pure integer:

  • An integer within a map of additional data:


    If the rule returns a map, other elements in the map can affect the resulting compliance violation. These elements include:

    • resources element: Causes the compliance violation to refer to two resources, resource one and resource two. These values must be real resource names because the compliance violation contains actual object references (the names are resolved to IDs). (Default is no resource.)

          <s>resource one</s>
          <s>resource two</s>

    • severity element: Causes the compliance violation to have the specified severity. (Default is 1.)

    • priority element: Causes the compliance violation to have the specified priority. (Default is 1.)

    • violation element: Prevents the audit scanner from creating a rule violation, even if the audit policy evaluates to true.

      By default, if the audit policy evaluates to true, it creates a compliance violation for each rule that returns a non-zero value. Setting this element to zero allows the rule to return true without creating a violation for the rule.


Note –

The Audit Policy Wizard only creates rules that reference a single resource and return an integer value (not a map).

To use any of the preceding map-related features, you must write the rule yourself. Some very sophisticated audit policy rule examples are provided in sample/auditordemo.xml.

Predefined Rules

  • Compare Accounts to Roles: Compares user accounts to accounts specified by roles. Any account not referenced by a role is considered an error.

  • Compare Roles to Actual Resource Values: Compares current resource attributes with those specified by current Roles. Any differences are considered errors, and any resources or resource attributes not specified by a role are ignored.

Note –

The RULE_EVAL_COUNT value equals the number of rules that were evaluated during a policy scan. Identity Manager calculates this value as follows:

RULE_EVAL_COUNT = # of users scanned x (# of rules in policy + 1)

The +1 is included in the calculation because Identity Manager also counts the policy rule, which is the rule that actually decides if a policy is violated. The policy rule inspects the audit rule results, and performs the boolean logic to come up with a policy result.

For example, if you have Policy A with three rules and Policy B with two rules, and you scanned ten users, the RULE_EVAL_COUNT value equals 70 because

10 users x (3 + 1 + 2 + 1 rules)
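The following Python model is added here for illustration and is not Identity Manager code or part of this reference. It simulates how the scanner behaviour described above turns rule results (plain integers, or maps carrying resources, severity, priority, violation and list elements) into compliance violations, and checks the RULE_EVAL_COUNT formula against the ten-user example. The map key holding the integer (value), the use of any() as the policy rule, and the sample rule and resource names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration, not Identity Manager code: a model of the scanner
# behaviour described in the reference. A rule result is a plain int or a
# dict (the "map" form) carrying optional resources/severity/priority/
# violation/list elements. Storing the integer under 'value' is an assumption.

@dataclass
class ComplianceViolation:
    rule: str
    severity: int = 1            # default per the reference
    priority: int = 1            # default per the reference
    resources: tuple = ()        # (resource one, resource two) or empty
    sod_reportable: bool = True  # False for an SOD rule with no list element
    sod_list: Optional[list] = None

def rule_value(result) -> int:
    """Extract the integer from a plain-int or map-style rule result."""
    if isinstance(result, dict):
        return int(result.get("value", 0))
    return int(result)

def evaluate_policy(results, policy_rule=any, sod_rules=()):
    """results maps rule name -> int | dict. policy_rule combines the per-rule
    booleans (any() here, an assumption). Returns (violated, violations)."""
    outcomes = {name: rule_value(r) != 0 for name, r in results.items()}
    if not policy_rule(outcomes.values()):
        return False, []
    violations = []
    for name, r in results.items():
        if not outcomes[name]:
            continue                      # only non-zero rules create violations
        extras = r if isinstance(r, dict) else {}
        if int(extras.get("violation", 1)) == 0:
            continue                      # violation=0: rule is true, no record
        is_sod = name in sod_rules
        violations.append(ComplianceViolation(
            rule=name,
            severity=int(extras.get("severity", 1)),
            priority=int(extras.get("priority", 1)),
            resources=tuple(extras.get("resources", ())),
            sod_reportable=(not is_sod) or ("list" in extras),
            sod_list=extras.get("list"),
        ))
    return True, violations

def rule_eval_count(users_scanned: int, rules_per_policy) -> int:
    """RULE_EVAL_COUNT = users x sum over policies of (rules in policy + 1)."""
    return users_scanned * sum(n + 1 for n in rules_per_policy)
```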