Sun Identity Manager Deployment Reference

Review Determination Rule

During an access review, every User view is passed to the Review Determination rule to determine whether the corresponding user entitlement record can be automatically approved or rejected, automatically placed into remediation state, or if the record must be manually attested. A user entitlement is a complete User view (in which some resources might be omitted) and some tracking data.

You can use the Review Determination rule to significantly increase the efficiency of an access review by

   <s><reason the attestation was auto-approved/rejected></s>
   <s><hint to attestor></s>

<set name=’viewCompare’>
<!-- compare the entire view (3rd argument can specify sub-path) -->
   <invoke name=’compareUserViews’ class=’com.sun.idm.auditor.ui.FormUtil’>

This argument compares User views and allows the caller to specify a subpath of the complete User view using GenericObject path expressions. If you just want to compare particular account data, the subpath can specify that data. If you compare just the accounts subpath of the User view, you are less likely to encounter differences that are not reflected on a real resource.

Differences found in the User view comparison are returned in the reason element of the output map. The audit log captures this difference data if the rule returns 0 (reject attestation) or 2 (approve attestation), just as the predefined Reject Changed Users rule does.

You can use the Reject Changed Users rule to verify exactly what Identity Manager thinks is different and you can look at the auditable attributes in the resulting audit log records.


Accepts the following arguments:

You must specify the following for a custom Review Determination rule:






During access scan, after evaluating all audit policies and before dispatching the user entitlement 


An integer or a map 

  • If the rule returns an integer, its value is interpreted as follows:

    • -1: No attestation required

    • 0: Automatically reject attestation

    • 1: Manual attestation

    • 2: Automatically approve attestation

    • 3: Automatically remediate attestation

      When the attestation is set to auto-remediating mode, Identity Manager creates an AccessReviewRemediation work item and routes the work item through the Remediator rule associated with the access scan.

  • If the rule returns a map, the output must be similar to one of the following examples:

    Example 1: Manually attests the user entitlement, and the rule provides a hint to the manual attestor.

       <s><reason that the attestation was auto-approved/rejected></s>
       <s><hint to attestor></s>

    Note –

    The attestorHint value in the output map must be a string or a list of strings.

    Example 2: Automatically rejects the user entitlement. The rejection comment indicates that group membership is disallowed.

      <s>User belongs to group Domain Administrators</s>

    Note –

    The value of attestorHint is shown to the attestor through the user interface. The value of reason is recorded in the attestation history.

Predefined Rules 

  • Reject Changed Users: Automatically rejects user entitlements that have changed since the last approval state, and automatically approves user entitlements that are unchanged. The rule only compares the accounts section of the User view.

    Each unknown User view is forwarded for manual attestation.

  • Review Changed Users: Automatically approves any users whose account data has not changed since their last approved entitlement. The rule only compares the accounts section of the User view.

    Users with changed account data or no approved data must be manually attested.

  • Review Everyone: Forwards all user entitlement records for manual attestation.


Compliance > Manage Access Scans > Access Scan > Review Determination Rule