Enter the name of the new policy and a brief description in the Audit Policy Wizard (shown in Figure 14–1).
Audit policy names cannot contain these characters: ' (apostrophe), . (period), | (pipe), [ (left bracket), ] (right bracket), , (comma), : (colon), $ (dollar sign), " (double quote), \ (backslash), or = (equals sign).
You should also avoid using the following characters: _ (underscore), % (percent-sign), ^ (caret), and * (asterisk).
If you want only selected resources to be accessed when executing the scan, select the Restrict target resources option.
If you want a remediation of a violation to result in an immediate rescan of the user, then select the Allow violation re-scans option.
If the audit policy does not restrict resources, then all resources for which a user has accounts will be accessed during the scan. If the rules only use a few resources, then it is more efficient to restrict the policy to those resources.
Click Next to proceed to the next page.
Use this page to start the process of defining or including rules in your policy. (The bulk of your work while creating a policy is defining and creating rules.)
As shown in the following figure, you can choose to create your own rule by using the Identity Manager Rule wizard, or you can incorporate an existing rule. The Rule Wizard only allows one resource to be used in a rule. Imported rules can reference as many resources as needed.
Decide whether you want to create a new rule or use an existing rule.
Choose one of the following options:
To create a new rule, choose the Rule Wizard option (default setting).
To incorporate an existing rule you created using the Identity Manager IDE, choose the Existing Rule option.
Based on your selection in step 1, continue to one of the following sections:
To include an existing rule in the new policy, select Existing Rule on the Select Rule Type Screen and click Next. Then, select an existing audit policy rule from the Select Existing Rule drop-down menu.
If you cannot see the name of a rule that you previously imported into Identity Manager, confirm that you have added the additional attributes described in Creating a Policy with Audit Policy Rules to the rule.
Skip to the section Adding Rules.
If you choose to create a rule by using the Rule Wizard selection in the Audit Policy Wizard, proceed by entering information on the pages discussed in the following sections.
Optionally name and describe the new rule. Use this page to enter descriptive text that appears next to the rule name whenever Identity Manager displays the rule. Enter a concise, clear description of what the rule detects. This description is displayed within Identity Manager in the Review Policy Violations page.
For example, if you are creating a rule that identifies users whose Oracle ERP responsibilityKeys attribute contains both the Payable User and the Receivable User values, you could enter the following text in the Description field: Identifies users with both Payable User and Receivable User responsibilities.
Use the Comments field to provide any additional information about the rule.
Use this page to select the resource that the rule will reference. Each rule variable must correspond to an attribute on this resource. All resources that you have view access to will appear in this options list. In this example, Oracle ERP is selected.
Most, but not all, attributes of each available resource adapter are supported. For information on the specific attributes that are available, see Sun Identity Manager 8.1 Resources Reference.
Click Next to move to the next page.
Use this screen to enter the rule expression for your new rule. This example creates a rule under which a user whose Oracle ERP responsibilityKeys attribute contains the value Payable User cannot also have the value Receivable User.
Select a user attribute from the list of available attributes. This attribute will directly correspond to a rule variable.
Select a logical condition from the list. Valid conditions include = (equal to), != (not equal to), < (less than), <= (less than or equal to), > (greater than), >= (greater than or equal to), is true, is null, is not null, is empty, and contains. For the purpose of this example, you could select contains from the list of possible attribute conditions.
Enter a value for the expression. For example, if you enter Payable user, you are specifying an Oracle ERP user with the value of Payable user in the responsibilityKeys attribute.
(Optional) Click the AND or OR operators to add another line and create another expression.
This rule returns a Boolean value. If both statements are true, then the policy rule returns a value of TRUE, which causes a policy violation.
Identity Manager provides no way to control rule nesting. In addition, using the Audit Policy Wizard to create policies with different Boolean operators between the rules can produce unpredictable results, because the order of evaluation is unspecified.
For complex rule expressions, create the rules with an XML editor instead of the Audit Policy Wizard. An XML editor lets you negate expressions where necessary, so that only a single Boolean operator is used between rules.
The following code example shows the XML for the rule you have created in this screen (the opening Rule element carries the name you entered on the naming page; a placeholder is shown here):
  <Rule name='[rule name entered in the wizard]'>
    <Description>Payable User/Receivable User</Description>
    <RuleArgument name='resource' value='Oracle ERP'>
      <Comments>Resource specified when audit policy was created.</Comments>
      <String>Oracle ERP</String>
    </RuleArgument>
    <and>
      <contains>
        <ref>accounts[Oracle ERP].responsibilityKeys</ref>
        <s>Receivable User</s>
      </contains>
      <contains>
        <ref>accounts[Oracle ERP].responsibilityKeys</ref>
        <s>Payables User</s>
      </contains>
    </and>
    <MemberObjectGroups>
      <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
    </MemberObjectGroups>
  </Rule>
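To make concrete how the wizard's rule XML is applied during a scan, the following added example (it is not Identity Manager's own code) parses the rule above and evaluates its expression against a few constructed user records. It shows the separation-of-duties check returning TRUE only for a user who holds both responsibilities, a user with no Oracle ERP account being skipped rather than flagged, and how an expression can be written with a single operator plus negation, as the note on complex rules recommends. Only and and contains appear on this page; or, not, eq, neq, isnull and notnull are assumed XPRESS operators, the rule name is a placeholder, contains is assumed to mean exact-match list membership, and the user records are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Optional

# Constructed sample: the wizard's XML for the Payable User / Receivable User
# rule from this page, wrapped in a <Rule> element with a placeholder name.
RULE_XML = """<Rule name='PayableReceivableSoD'>
  <Description>Payable User/Receivable User</Description>
  <RuleArgument name='resource' value='Oracle ERP'>
    <Comments>Resource specified when audit policy was created.</Comments>
    <String>Oracle ERP</String>
  </RuleArgument>
  <and>
    <contains>
      <ref>accounts[Oracle ERP].responsibilityKeys</ref>
      <s>Receivable User</s>
    </contains>
    <contains>
      <ref>accounts[Oracle ERP].responsibilityKeys</ref>
      <s>Payables User</s>
    </contains>
  </and>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
</Rule>"""

# Constructed sample users: only accounts a user actually holds are listed.
USERS: Dict[str, Dict[str, Any]] = {
    "alice": {"accounts": {"Oracle ERP": {"responsibilityKeys": ["Payables User", "Receivable User"]}}},
    "bob": {"accounts": {"Oracle ERP": {"responsibilityKeys": ["Payables User"]}}},
    "carol": {"accounts": {"LDAP": {"cn": "carol"}}},  # no Oracle ERP account at all
}

# <and> and <contains> appear on the page; the others are assumed XPRESS
# operators, included so a rule can be written with one operator plus negation.
LOGICAL = {"and", "or", "not"}
COMPARISON = {"contains", "eq", "neq", "isnull", "notnull"}
OPERATORS = LOGICAL | COMPARISON
REF_RE = re.compile(r"^accounts\[(.+?)\]\.(\w+)$")

def resolve_ref(path: str, user: Dict[str, Any]) -> Optional[Any]:
    """Resolve 'accounts[Resource].attribute'; None if the user lacks it."""
    m = REF_RE.match(path.strip())
    if not m:
        raise ValueError(f"unsupported ref: {path!r}")
    resource, attribute = m.groups()
    account = user.get("accounts", {}).get(resource)
    return None if account is None else account.get(attribute)

def _value(node: ET.Element, user: Dict[str, Any]) -> Any:
    # <ref> resolves against the user, <s> is a literal, anything else is a sub-expression
    if node.tag == "ref":
        return resolve_ref(node.text or "", user)
    if node.tag == "s":
        return node.text or ""
    return evaluate(node, user)

def evaluate(node: ET.Element, user: Dict[str, Any]) -> bool:
    """Recursively evaluate an expression element to a Boolean."""
    tag = node.tag
    if tag == "and":
        return all(evaluate(c, user) for c in node)
    if tag == "or":
        return any(evaluate(c, user) for c in node)
    if tag == "not":
        if len(node) != 1:
            raise ValueError("<not> takes exactly one operand")
        return not evaluate(node[0], user)
    if tag in ("isnull", "notnull"):
        present = _value(node[0], user) is not None
        return present if tag == "notnull" else not present
    if tag in ("contains", "eq", "neq"):
        if len(node) != 2:
            raise ValueError(f"<{tag}> takes exactly two operands")
        left, right = (_value(c, user) for c in node)
        if tag == "contains":
            if left is None:
                return False  # no account or attribute on this resource: nothing to match
            # Assumption: exact-match list membership; a scalar acts as a one-item list.
            return right in (left if isinstance(left, list) else [left])
        return (left == right) if tag == "eq" else (left != right)
    raise ValueError(f"unsupported element <{tag}>")

def rule_expression(rule_xml: str) -> ET.Element:
    """Pick the single top-level expression out of a <Rule> document."""
    root = ET.fromstring(rule_xml)
    exprs = [c for c in root if c.tag in OPERATORS]
    if len(exprs) != 1:
        raise ValueError("a rule must contain exactly one top-level expression")
    return exprs[0]

def violates(rule_xml: str, user: Dict[str, Any]) -> bool:
    """TRUE from the rule expression means a policy violation for this user."""
    return evaluate(rule_expression(rule_xml), user)

def scan(rule_xml: str, users: Dict[str, Dict[str, Any]]) -> List[str]:
    """Names of the users the rule flags, in input order."""
    expr = rule_expression(rule_xml)
    return [name for name, user in users.items() if evaluate(expr, user)]

def evaluate_xml(expr_xml: str, user: Dict[str, Any]) -> bool:
    """Evaluate a bare expression fragment that has no <Rule> wrapper."""
    return evaluate(ET.fromstring(expr_xml), user)

if __name__ == "__main__":
    print("violations:", scan(RULE_XML, USERS))  # → ['alice']
```

The evaluator refuses a rule with more than one top-level expression and treats a missing account as "nothing to match" rather than as a violation, which is the behaviour a scan restricted to the rule's resource relies on. Writing "Payables but not Receivable" as an and over a contains and a not-wrapped contains keeps a single Boolean operator at each level, so the evaluation order question raised above does not arise.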
To remove an expression from the rule, select the attribute condition and then click Remove.
Click Next to continue in the Audit Policy Wizard. You will have the opportunity to add more rules, either by adding existing rules, or by again using the wizard.