Sun Identity Manager Deployment Guide

Using Rules

When the Active Sync-enabled adapter detects a change to an account on a resource, it either maps the incoming attributes to an Identity Manager user, or creates an Identity Manager user account if none can be matched and if the Active Sync resource has been configured to do so.

The Active Sync wizard allows you to specify rules to control what happens when various conditions occur. The following table describes each type of rule.

Table 3–4 Rule Types (Parameter and Description)

Process Rule 

Either the name of a TaskDefinition, or a rule that returns the name of a TaskDefinition, to run for every record in the feed. The process rule gets the resource account attributes in the activeSync namespace, as well as the resource ID and name.

A process rule controls all functionality that occurs when the system detects any change on the resource. It is used when full control of the account processing is required. As a result, a process rule overrides all other rules. 

If a process rule is specified, the process will be run for every row regardless of any other settings on this adapter. 

At minimum, a process rule must perform the following functions: 

  • Query for a matching User view.

  • If the User exists, check out the view. If not, create the User.

  • Update or populate the view.

  • Check in the User view.

It is possible to synchronize objects other than User, such as LDAP Roles.

Correlation Rule 

If no Identity Manager user's resource information is found to own the resource account, Identity Manager invokes the Correlation Rule to determine a list of potentially matching users/accountIDs, or attribute conditions used to match the user, based on the resource account attributes (in the account namespace).

The rule returns one of the following pieces of information that can be used to correlate the entry with an existing Identity Manager account: 

  • Identity Manager user name

  • WSAttributes object (used for attribute-based search)

  • List of items of type AttributeCondition or WSAttribute (AND-ed attribute-based search)

  • List of items of type String (each item is the Identity Manager ID or the user name of an Identity Manager account)

If more than one Identity Manager account can be identified by the correlation rule, you need a confirmation rule or resolve process rule to handle the matches.

For the Database Table, Flat File, and PeopleSoft Component Active Sync adapters, the default correlation rule is inherited from the reconciliation policy on the resource.

The same correlation rule can be used for reconciliation and Active Sync. See Correlation and Confirmation Rules for more information.

Confirmation Rule 

Rule that is evaluated for every user returned by a correlation rule. For each user, the full User view of the correlated Identity Manager identity and the resource account information (placed under the “account.” namespace) are passed to the confirmation rule. The confirmation rule is then expected to return a value that can be interpreted as a Boolean: for example, “true”, “1”, or “yes” for true, and “false”, “0”, or null for false.

For the Database Table, Flat File, and PeopleSoft Component Active Sync adapters, the default confirmation rule is inherited from the reconciliation policy on the resource. 

The same confirmation rule can be used for reconciliation and Active Sync. See Correlation and Confirmation Rules for more information.
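The following pair of XPRESS rules is an added example, not taken from the guide, showing the correlation rule returning a list of AttributeCondition objects (the AND-ed attribute search described above) and a confirmation rule returning a Boolean for each candidate. It assumes the feed exposes attributes named employeeId and lastname and that the Identity Manager user view holds the same values at accounts[Lighthouse].employeeId and accounts[Lighthouse].lastname; both are assumptions.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- Added example; attribute names and view paths are assumptions. -->
<Waveset>

  <!-- Correlation rule. Receives the feed record in the account namespace.
       The outer cond returns null when the record carries no employeeId,
       so an empty value never produces a condition that matches many users. -->
  <Rule name='Correlate on employeeId'>
    <cond>
      <ref>account.employeeId</ref>
      <list>
        <!-- One AttributeCondition: employeeId equals the feed value.
             Several entries in the list would be AND-ed together. -->
        <new class='com.waveset.object.AttributeCondition'>
          <s>employeeId</s>
          <s>equals</s>
          <ref>account.employeeId</ref>
        </new>
      </list>
      <null/>
    </cond>
  </Rule>

  <!-- Confirmation rule. Runs once per candidate returned by the correlation
       rule, with the candidate's full User view as 'user' and the feed record
       under 'account.'. Requiring a second attribute to match as well rejects
       a candidate that a broad correlation would otherwise accept. -->
  <Rule name='Confirm on employeeId and lastname'>
    <and>
      <eq>
        <ref>account.employeeId</ref>
        <ref>user.accounts[Lighthouse].employeeId</ref>
      </eq>
      <eq>
        <ref>account.lastname</ref>
        <ref>user.accounts[Lighthouse].lastname</ref>
      </eq>
    </and>
  </Rule>

</Waveset>
```

Because the rules are shared between reconciliation and Active Sync, a null-guarded correlation rule and a confirmation rule that checks more than one attribute protect both paths from linking a feed record to the wrong identity.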

Delete Rule 

A rule that receives a map of all values, with keys prefixed by activeSync. or account. A LighthouseContext object (display.session) based on the proxy administrator's session is made available to the context of the rule. The rule is then expected to return a value that can be interpreted as a Boolean: for example, “true”, “1”, or “yes” for true, and “false”, “0”, or null for false.

If the rule returns true for an entry, the account deletion request will be processed through forms and workflow, depending on how the adapter is configured. 

Resolve Process Rule 

Either the name of the TaskDefinition or a rule that returns the name of a TaskDefinition to run in case of multiple matches to a record in the feed. The Resolve Process rule gets the resource account attributes as well as the resource ID and name.

This rule is also needed if there were no matches and Create Unmatched Accounts is not selected.

This workflow could be a process that prompts an administrator for manual action. 

Create Unmatched Accounts 

If set to true, creates an account on the resource when no matching Identity Manager user is found. If false, Identity Manager does not create the account unless the process rule is set and the workflow it identifies determines that a new account is warranted. The default is true. 

Populate Global 

If set to true, populates the global namespace in addition to the activeSync namespace. The default value is false.