Optionally name and describe the new rule. Use this page to enter a description that appears next to the rule name wherever Identity Manager displays the rule, including the Review Policy Violations page. Keep the description concise and specific about what the rule detects, because reviewers see it beside every violation the rule reports.
For example, if you are creating a rule that identifies users whose Oracle ERP responsibilityKeys attribute contains both Payable User and Receivable User, you could enter the following text in the Description field: Identifies users with both Payable User and Receivable User responsibilities.
Use the Comments field to provide any additional information about the rule.
Use this page to select the resource that the rule references. Each rule variable must correspond to an attribute on this resource. All resources to which you have view access appear in this list. In this example, Oracle ERP is selected.
Most, but not all, attributes of each available resource adapter are supported. For information on the specific attributes that are available, see Sun Identity Manager 8.1 Resources Reference.
Click Next to move to the next page.
Use this screen to enter the rule expression for the new rule. This example creates a rule that flags a user whose Oracle ERP responsibilityKeys attribute contains Payable User and also contains Receivable User, a combination of responsibilities that a separation-of-duties policy typically prohibits.
Select a user attribute from the list of available attributes. This attribute will directly correspond to a rule variable.
Select a logical condition from the list. Valid conditions include = (equal to), != (not equal to), < (less than), <= (less than or equal to), > (greater than), >= (greater than or equal to), is true, is null, is not null, is empty, and contains. For this example, select contains: a user can hold more than one responsibility, so the expression tests whether the responsibilityKeys attribute contains the value rather than whether it equals the value.
Enter a value for the expression. For example, if you enter Payable User, the expression matches an Oracle ERP user whose responsibilityKeys attribute contains the value Payable User. Enter the value exactly as the resource reports it, including capitalization; a value that differs in spelling or case does not match.
(Optional) Click the AND or OR operators to add another line and create another expression.
The rule returns a Boolean value. With AND between the two expressions, the rule returns TRUE only when both expressions are true, and a TRUE result is reported as a policy violation. With OR, the rule returns TRUE when either expression is true.
Identity Manager does not let you control the nesting (grouping) of expressions. As a result, using the Audit Policy Wizard to create policies with a mix of AND and OR operators between the rules can produce unpredictable results: the order of evaluation is unspecified, so an expression such as A OR B AND C may be evaluated as (A OR B) AND C or as A OR (B AND C), and the two can return different values for the same user.
For complex rule expressions, create the rules with an XML editor instead of the Audit Policy Wizard. In XML you can negate terms where necessary so that only a single Boolean operator separates the rules, which removes the ambiguity.
The following code example shows the XML for the rule that you have created in this screen. The ref element names the resource attribute in the form accounts[resource name].attribute, and each contains element tests that attribute for one value. The two contains elements are the two expressions you entered, and the and element is the AND operator between them.
<Rule>
    <Description>Payable User/Receivable User</Description>
    <RuleArgument name='resource' value='Oracle ERP'>
        <Comments>Resource specified when audit policy was created.</Comments>
        <String>Oracle ERP</String>
    </RuleArgument>
    <and>
        <contains>
            <ref>accounts[Oracle ERP].responsibilityKeys</ref>
            <s>Receivable User</s>
        </contains>
        <contains>
            <ref>accounts[Oracle ERP].responsibilityKeys</ref>
            <s>Payable User</s>
        </contains>
    </and>
    <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
    </MemberObjectGroups>
</Rule>
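The following Python program is an added illustration, not part of the Sun Identity Manager documentation and not Identity Manager's own XPRESS engine. It parses the rule XML above and evaluates it against a small set of constructed Oracle ERP accounts, so you can see which users trip the separation-of-duties rule, why an exact-case value matters, and what a missing account does to the result. It also goes beyond the page's single rule to show the nesting caveat concretely: the same three conditions combined as (A OR B) AND C and as A OR (B AND C) produce different violator lists. Assumptions: the sample users, the third condition C and the evaluator's semantics are mine; the element names or, not, eq, neq, isnull and notnull follow XPRESS as the author understands it but do not appear on this page.

```python
"""Evaluate the Identity Manager rule XML from this page against sample accounts.

Added illustration only: a toy evaluator for the elements used on this page plus
<or>, <not>, <eq>, <neq>, <isnull> and <notnull>. It is NOT Identity Manager's
XPRESS engine; the semantics implemented here are an assumption.
"""
import xml.etree.ElementTree as ET

ATTR = "accounts[Oracle ERP].responsibilityKeys"

# Constructed sample data: what each user's responsibilityKeys attribute resolves to.
SAMPLE_USERS = {
    "alice": {ATTR: ["Payable User", "Receivable User"]},   # holds both: SoD violation
    "bob":   {ATTR: ["Payable User"]},                       # holds only one
    "carol": {ATTR: ["Payable user", "Receivable User"]},   # lower-case 'user': no match
    "dave":  {},                                            # no Oracle ERP account at all
}

# Expression part of the rule shown on this page (quotes straightened).
SOD_RULE = f"""
<Rule>
  <Description>Payable User/Receivable User</Description>
  <and>
    <contains><ref>{ATTR}</ref><s>Receivable User</s></contains>
    <contains><ref>{ATTR}</ref><s>Payable User</s></contains>
  </and>
</Rule>
"""

BOOL_TAGS = {"and", "or", "not", "contains", "eq", "neq", "isnull", "notnull"}


def evaluate(node, attrs):
    """Recursively evaluate one XML element against a user's attribute map."""
    tag = node.tag
    if tag == "Rule":
        # Description, RuleArgument and MemberObjectGroups carry no logic;
        # the first boolean child is the rule expression.
        expr = next(c for c in node if c.tag in BOOL_TAGS)
        return evaluate(expr, attrs)
    if tag == "s":
        return node.text or ""
    if tag == "ref":
        return attrs.get(node.text.strip())          # None when the account is missing
    if tag == "and":
        return all(evaluate(c, attrs) for c in node)
    if tag == "or":
        return any(evaluate(c, attrs) for c in node)
    if tag == "not":
        return not evaluate(node[0], attrs)
    if tag == "isnull":
        return evaluate(node[0], attrs) is None
    if tag == "notnull":
        return evaluate(node[0], attrs) is not None
    if tag in ("eq", "neq"):
        same = evaluate(node[0], attrs) == evaluate(node[1], attrs)
        return same if tag == "eq" else not same
    if tag == "contains":
        haystack, needle = evaluate(node[0], attrs), evaluate(node[1], attrs)
        if haystack is None:
            return False                              # a null attribute contains nothing
        if isinstance(haystack, list):
            return needle in haystack                 # exact, case-sensitive membership
        return needle in str(haystack)                # substring test on a scalar (assumed)
    raise ValueError(f"unsupported element <{tag}>")


def violators(rule_xml, users):
    """Names of users for whom the rule returns TRUE, i.e. policy violations."""
    rule = ET.fromstring(rule_xml)
    return sorted(name for name, attrs in users.items() if evaluate(rule, attrs))


# Why a flat "A OR B AND C" from the wizard is ambiguous: the same three
# conditions nested two different ways give different answers for one user.
A = f"<contains><ref>{ATTR}</ref><s>Payable User</s></contains>"
B = f"<contains><ref>{ATTR}</ref><s>Receivable User</s></contains>"
C = f"<isnull><ref>{ATTR}</ref></isnull>"      # hypothetical third condition

LEFT_TO_RIGHT = f"<Rule><and><or>{A}{B}</or>{C}</and></Rule>"       # (A or B) and C
AND_BINDS_TIGHTER = f"<Rule><or>{A}<and>{B}{C}</and></or></Rule>"  # A or (B and C)


def ambiguity_demo(users):
    """Return both violator lists so the difference in grouping is visible."""
    return violators(LEFT_TO_RIGHT, users), violators(AND_BINDS_TIGHTER, users)


if __name__ == "__main__":
    print("SoD violators:", violators(SOD_RULE, SAMPLE_USERS))   # ['alice']
    left, right = ambiguity_demo(SAMPLE_USERS)
    print("(A or B) and C:", left)                               # []
    print("A or (B and C):", right)                              # ['alice', 'bob']
```

Only alice is reported: bob holds one responsibility, carol's "Payable user" differs in case from the value in the rule, and dave's attribute resolves to null because he has no Oracle ERP account, so contains is false. The two groupings of A, B and C disagree on bob, which is exactly the kind of silent divergence the nesting caveat warns about; writing the nesting explicitly in XML removes it.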
To remove an expression from the rule, select the attribute condition and then click Remove.
Click Next to continue in the Audit Policy Wizard. You will have the opportunity to add more rules, either by adding existing rules or by using the wizard again.