Sun Identity Manager 8.1 Business Administrator's Guide

Procedure: To Create a Rule Expression

  1. Select a user attribute from the list of available attributes. This attribute will directly correspond to a rule variable.

  2. Select a logical condition from the list. Valid conditions include = (equal to), != (not equal to), < (less than), <= (less than or equal to), > (greater than), >= (greater than or equal to), is true, is null, is not null, is empty, and contains. For the purpose of this example, you could select contains from the list of possible attribute conditions.

  3. Enter a value for the expression. For example, if you enter Payable user, you are specifying an Oracle ERP user with the value of Payable user in the responsibilityKeys attribute.

  4. (Optional) Click the AND or OR operators to add another line and create another expression.

    Figure 14–4 Audit Policy Wizard: Select Rule Expression Screen (screen image not reproduced)

    This rule returns a Boolean value. If both statements are true, then the policy rule returns a value of TRUE, which causes a policy violation.


    Note –

    Identity Manager does not let you control rule nesting. In addition, using the Audit Policy Wizard to create policies with different Boolean operators between the rules can produce unpredictable results, because the order of evaluation is unspecified.

    For complex Rule expressions, create the rules using an XML editor instead of using the Audit Policy Wizard. Using an XML editor allows you to negate where necessary to only use a single Boolean operator between rules.


    The following code example shows the XML for the rule you have created in this screen:


    <!-- Placeholder rule name: the actual name is not shown on this page. -->
    <Rule name='RULE_NAME_PLACEHOLDER'>
      <Description>Payable User/Receivable User</Description>
      <RuleArgument name='resource' value='Oracle ERP'>
        <Comments>Resource specified when audit policy was created.</Comments>
        <String>Oracle ERP</String>
      </RuleArgument>
      <and>
        <contains>
          <ref>accounts[Oracle ERP].responsibilityKeys</ref>
          <s>Receivable User</s>
        </contains>
        <contains>
          <ref>accounts[Oracle ERP].responsibilityKeys</ref>
          <s>Payables User</s>
        </contains>
      </and>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
      </MemberObjectGroups>
    </Rule>
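    The following Python script is an added example, not code from Identity Manager or from this guide. It is a minimal evaluator for rule XML of the form shown above: it resolves the <ref> path against a constructed dictionary of a user's account attributes and reports whether the rule returns TRUE (a policy violation) for several sample users. It also evaluates a second, hand-written rule that follows the advice in the note, keeping a single Boolean operator (<and>) and expressing the negated condition with <not>. The element names beyond those on this page (<or>, <not>, <eq>, <neq>, <isnull>, <notnull>), the flat-key lookup of <ref> paths, the placeholder rule names and the sample users are all assumptions of this example.

```python
"""Evaluate an Identity Manager-style audit policy rule expression.

This is an added example, not Identity Manager's rule engine: a small
evaluator for the <and>, <contains>, <ref> and <s> elements that appear in
the rule on this page, plus <or>, <not>, <eq>, <neq>, <isnull> and
<notnull>, whose names are assumed here. The rules and the sample users
below are constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the wizard-generated rule (placeholder rule name).
BOTH_RESPONSIBILITIES_RULE = """<Rule name='EXAMPLE_RULE_NAME'>
  <and>
    <contains>
      <ref>accounts[Oracle ERP].responsibilityKeys</ref>
      <s>Receivable User</s>
    </contains>
    <contains>
      <ref>accounts[Oracle ERP].responsibilityKeys</ref>
      <s>Payables User</s>
    </contains>
  </and>
</Rule>"""

# Constructed hand-written variant, as the note suggests: a single Boolean
# operator (<and>) with the exclusion expressed through <not>.
PAYABLES_WITHOUT_RECEIVABLE_RULE = """<Rule name='EXAMPLE_RULE_NAME_2'>
  <and>
    <contains>
      <ref>accounts[Oracle ERP].responsibilityKeys</ref>
      <s>Payables User</s>
    </contains>
    <not>
      <contains>
        <ref>accounts[Oracle ERP].responsibilityKeys</ref>
        <s>Receivable User</s>
      </contains>
    </not>
  </and>
</Rule>"""

# Child elements of <Rule> that carry metadata rather than the expression.
METADATA_TAGS = {"Description", "RuleArgument", "MemberObjectGroups"}


def _value(node, context):
    """Return the value of a leaf element, or evaluate a nested expression.

    Assumption for this example: a <ref> path such as
    accounts[Oracle ERP].responsibilityKeys is looked up as a flat key in the
    context dict, and an unknown path (no such account) resolves to None.
    """
    if node.tag == "ref":
        return context.get(node.text.strip())
    if node.tag == "s":
        return node.text or ""
    if node.tag == "i":
        return int(node.text)
    return evaluate(node, context)


def evaluate(node, context):
    """Recursively evaluate an expression element to a Boolean."""
    tag = node.tag
    if tag == "Rule":
        # Skip the metadata children and evaluate the rule body.
        body = [child for child in node if child.tag not in METADATA_TAGS]
        return evaluate(body[0], context)
    if tag == "and":
        return all(evaluate(child, context) for child in node)
    if tag == "or":
        return any(evaluate(child, context) for child in node)
    if tag == "not":
        return not evaluate(node[0], context)
    if tag == "contains":
        container, item = (_value(child, context) for child in node)
        # A missing attribute (None) contains nothing; a list is tested for
        # membership, a string for a substring.
        return container is not None and item in container
    if tag in ("eq", "neq"):
        left, right = (_value(child, context) for child in node)
        return (left == right) if tag == "eq" else (left != right)
    if tag == "isnull":
        return _value(node[0], context) is None
    if tag == "notnull":
        return _value(node[0], context) is not None
    raise ValueError(f"unsupported element <{tag}>")


def violates(rule_xml, context):
    """TRUE means the rule fired, i.e. the user violates the audit policy."""
    return bool(evaluate(ET.fromstring(rule_xml), context))


# Constructed sample users, keyed by the <ref> path used in the rules.
KEY = "accounts[Oracle ERP].responsibilityKeys"
BOTH = {KEY: ["Payables User", "Receivable User", "General Ledger"]}
PAYABLES_ONLY = {KEY: ["Payables User"]}
NO_ERP_ACCOUNT = {}  # no Oracle ERP account: the <ref> resolves to None

if __name__ == "__main__":
    for label, user in (("both", BOTH), ("payables only", PAYABLES_ONLY),
                        ("no ERP account", NO_ERP_ACCOUNT)):
        print(label, "wizard rule:", violates(BOTH_RESPONSIBILITIES_RULE, user),
              "hand-written rule:", violates(PAYABLES_WITHOUT_RECEIVABLE_RULE, user))
```

    Running the script shows that only the user holding both responsibilities violates the wizard-generated rule, while only the user holding Payables User alone violates the hand-written variant; a user with no Oracle ERP account violates neither, because a <ref> that resolves to nothing cannot satisfy <contains>.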

    To remove an expression from the rule, select the attribute condition and then click Remove.

    Click Next to continue in the Audit Policy Wizard. You will have the opportunity to add more rules, either by adding existing rules or by using the wizard again.