Sun Identity Manager Deployment Reference

Identity Manager Rules

You can use the following rules and rule libraries to customize Identity Manager.

AccessEnforcerLibrary

The AccessEnforcerLibrary is a default library of rules that enable you to manage certain types of objects because the Access Enforcer resource adapter does not provide a way for you to fetch these objects.

Inputs: See Table 4–2.

You must specify the following for a custom AccessEnforcerLibrary rule:

Argument 

Description 

AuthType 

Library 

SubType 

listRules

Returns 

See Table 4–2

Predefined Rules 

Not specified 

The following table describes the example AccessEnforcerLibrary rules.

Table 4–2 Example AccessEnforcerLibrary Rules

Rule Name 

Input Variables 

Description 

getApplications 

  • resName (Resource name)

  • Specify Access Enforcer object names by manually entering the names as strings.

Returns a list of applications that are available in SAP GRC Access Enforcer. If resName was specified, fetches the applications from Access Enforcer. Otherwise, returns the list specified statically.

getRoles 

resName (Resource name)

Returns a list of roles that are available in SAP GRC Access Enforcer that are the same as the roles available in the back-end system. 

These values are manually created and must be in sync with the corresponding values in SAP GRC Access Enforcer. 

getRequestTypes 

None 

Returns a list of Request types that are available in SAP GRC Access Enforcer. 

These values are manually created and must be in sync with the corresponding values in SAP GRC Access Enforcer. 

getPriorities 

None 

Returns a list of Priority values that are available in SAP GRC Access Enforcer 

These values are manually created and must be in sync with the corresponding values in SAP GRC Access Enforcer. 

getEmployeeTypes 

None 

Returns a list of Employee types that are available in SAP GRC Access Enforcer. 

These values are manually created and must be in sync with the corresponding values in SAP GRC Access Enforcer. 

getSLAs 

None 

Returns a list of Service Levels that are available in SAP GRC Access Enforcer. 

These values are manually created and must be in sync with the corresponding values in SAP GRC Access Enforcer. 

getSupporttedVersions 

resName (Resource name)

Returns a list of SAP GRC Access Enforcer versions that are supported by Identity Manager. These values must be the same as values that the adapter facet understands. 

ActiveSync Rules

When the Flat File Active Sync adapter detects a change to an account on a resource, it either maps the incoming attributes to an Identity Manager user, or it creates an Identity Manager user account. The adapter uses process, correlation, and delete rules to determine what to do with the user.


Note –

Active Sync rules must use context, not display.session. Correlation and Delete rules do not get a session, but Confirmation rules do. For more information, see Correlation Rule and Confirmation Rule.


Inputs: These rules accept resource account attributes in the activeSync namespace, for example, activeSync.firstname.

You must specify the following for a custom ActiveSync rule:

Argument 

Description 

AuthType 

Not specified 

SubType 

Not specified 

Namespace 

Provide resource account attributes in the activeSync namespace. For example,

activeSync.firstname

Predefined Rules 

ActiveSyncRules’ predefined rules include: 

  • ActiveSync has isDeleted set: Used by migration from resources when you set the Process deletes as updates parameter to false.


    Note –

    Do not change this rule name. If you want to use a different rule name, duplicate the rule content and rename the new rule.


  • No Correlation Rule: Use this default rule if you do not want correlation.

  • No Confirmation Rule: Use this default rule if you do not want confirmation.

ADRules Library

The default library of ADRules enables you to create a list of the servers

Inputs: None

You must specify the following for a custom ADRules rule:

AuthType 

Not specified 

SubType 

Not specified 

Called 

 

Returns 

A list of zero or more string values. 

Predefined Rules 

None 

Table 4–3 Example ADRules Rules

Rule Name  

Description 

Exchange Servers 

Returns a list of the Exchange servers in your environment. 

You can update this list to include the Exchange servers in your environment. 

Home Directory Servers 

Returns a list of the Home Directory Servers in your environment. 

You can update this list to include the systems that serve home directory drives in your environment. 

AD Login Scripts 

Returns a list of the user login scripts being used in your environment. 

You can update this list to include the login batch scripts in your environment. 

Home Directory Drive Letter 

Returns a list of the home directory mapped drive letters in your environment. 

You can update this list to include the common home directory map drive letters in your environment. 

Home Directory Volumes 

Returns a list of the home directory volume names in your environment. 

You can update this list to include the common home directory volume names in your environment. Identity Manager uses this value with the Home Directory Server to create a user’s home directory. This volume must exist and be shared on the selected home directory server. 

AlphaNumeric Rules Library

The AlphaNumeric Rules Library is a default library of rules that enable you to control how numbers and letters are ordered and displayed in Identity Manager forms and workflows.


Note –

This library is displayed as the Alpha Numeric Rules library object in the Identity Manager IDE.


Inputs: See Table 4–4

You must specify the following for a custom rule:

AuthType 

EndUserRule

SubType 

Not specified 

Returns 

A list of zero or more strings. 

The following table describes rules in the AlphaNumeric Rules library.

Table 4–4 Example Alphanumeric Rules

Rule Name  

Input Variable  

Description  

AlphaCapital 

None 

Returns a list of English capital alpha characters 

AlphaLower 

None 

Returns a list of English lowercase alpha characters 

Numeric 

None 

Returns a list of numeric characters 

WhiteSpace 

None 

Returns a list of white space characters 

SpecialCharacters 

None 

Returns a list of common special characters 

legalEmailCharacters 

None 

Returns a list of legal special characters for email 

stringToChars 

testStr

Converts the given string to a list composed of the string’s individual characters 

isNumeric 

testStr

Tests to see if testStr contains all numeric characters

isAlpha 

testStr

Tests to see if testStr contains only alpha characters

hasSpecialChar 

testStr

Tests to see if testStr contains any special characters

hasWhiteSpace 

testStr

Tests to see if testStr contains any white space characters

isLegalEmail 

testStr

Tests to see if testStr consists of only legal email address characters

StripNonAlphaNumeric 

testStr

Removes any non-alpha or non-numeric characters from testStr

Approval Transaction Message

The Approval Transaction Message rule is a default rule used to format approval transaction text. You can customize this rule to provide more information for a user to sign.

Inputs: Accepts the following arguments:

You must specify the following for a custom Approval Transaction Message rule:

AuthType 

Not specified 

SubType 

Not specified 

Returns 

Formatted transaction text for the list of workitems in workItemList

Predefined Rules 

None 

Approval Transaction Message Helper

The Approval Transaction Message Helper rule returns the formatted transaction text for the approval of a single workitem.

Inputs: Accepts the following arguments:

You must specify the following for a custom Approval Transaction Message Helper rule:

AuthType 

Not specified 

SubType 

Not specified 

Returns 

Formatted transaction text for the approval of a single workitem

Predefined Rules 

None 

Attestation Remediation Transaction Message

The Attestation Remediation Transaction Message rule is a default rule used to format attestation remediation transaction text. You can customize this rule to provide more information for the user to sign.

Inputs: Accepts the following arguments:

You must specify the following for a custom Attestation Remediation Transaction Message rule:

AuthType 

EndUserAuditorRule

SubType 

Not specified 

Returns 

Formatted attestation remediation transaction text 

Predefined Rules 

None 

Attestation Remediation Transaction Message Helper

The Attestation Remediation Transaction Message Helper rule returns the formatted transaction text for the attestation remediation of a single workitem.

Inputs: Accepts the following arguments:

You must specify the following for a custom Attestation Remediation Transaction Message Helper rule:

AuthType 

EndUserAuditorRule

SubType 

Not specified 

Returns 

Formatted transaction text for the attestation remediation of a single workitem.

Predefined Rules 

None 

Attestation Transaction Message

The Attestation Transaction Message rule is a default rule used to format attestation transaction text. You can customize this rule to provide more information for the user to sign.

Inputs: Accepts the following arguments:

You must specify the following for a custom Attestation Transaction Message rule:

AuthType 

EndUserAuditorRule

SubType 

Not specified 

Returns 

Formatted attestation transaction text. 

Predefined Rules 

None 

Attestation Transaction Message Helper

The Attestation Transaction Message Helper rule returns the formatted transaction text for a single attestation.

Inputs:

Accepts the following arguments:

You must specify the following for a custom Attestation Transaction Message Helper rule:

AuthType 

EndUserAuditorRule

SubType 

Not specified 

Returns 

Formatted transaction text for a single attestation 

Predefined Rules 

None 

CheckDictionaryWord

Use the CheckDictionaryWord rule to run a JDBC query against a dictionary to check if a password exists in the dictionary.

Inputs:

Accepts the following arguments:

You must specify the following for a custom CheckDictionaryWord rule:

AuthType 

Not specified 

SubType 

Not specified 

Returns 

A list of zero or more strings 

Predefined Rules 

None 

DateLibrary

The DateLibrary is a default library of rules that control how dates and times are displayed in a deployment.


Note –

This library is displayed as the Date Library library object in the Identity Manager IDE.


Inputs:

See Table 4–5.

You must specify the following for a custom DateLibrary rule:

AuthType 

Rule

SubType 

Not specified 

Returns 

Boolean values of true or false. See Table 4–5.

The following table describes the example DateLibrary rules.

Table 4–5 Example DateLibrary Rules

Rule 

Input Variables 

Description 

Date Validation

mm/dd/yyyy

Determines whether a date string is valid. If the month or day values are provided with single digits, the rule accounts for them appropriately.

  • true if the string provided contains valid date components.

  • false if the string provided contains invalid date components.

Validate Day Month Year

  • month

  • day

  • year

Determines whether the day, month, and year strings form a valid date. If the month or day values are provided with single digits, the rule accounts for them appropriately.

  • true if the values provided form a valid date.

  • false if the values provided form an invalid date.

Validate Time

HH:mm:ss

Determines whether a time string is valid. If the time string is not in this format, or a component is out of bounds (for example, if the hour is less than zero or greater than 23), the rule returns false.

  • true if the string provided is a valid time.

  • false if the string provided is an invalid time.

End User Controlled Organizations

The End User Controlled Organizations rule determines the set of organizations that are controlled by a user logging into the End User interface. These organizations, together with the End User organization, define the scope of control over which a user is granted the permissions specified in the EndUser capability (AdminGroup). Because this is a rule, it allows the scope of control to vary depending on which user is logging into the End User interface.

Inputs:

User view of the authenticating end user

You must specify the following for a custom End User Controlled Organizations rule:

AuthType 

EndUserControlledOrganizationsRule

SubType 

Not specified 

Returns 

A single controlled organization (string) or a list of controlled organizations. Each value can be an organization name or ID. If an organization name is returned, it must be fully qualified up to Top (for example, Top:Marketing:South)

Predefined Rules 

Defaults to returning the organization of which the user is a member (for example, waveset.organization)

EndUserRuleLibrary

The EndUserRuleLibrary is a default library of rules that Identity Manager uses to determine or to verify end-user account information.


Note –

By default, Identity Manager’s End User Anonymous Enrollment processing generates values for accountId and emailAddress by using user-supplied first names (firstName), last names (lastName) and employee IDs (employeeID). Anonymous enrollment can cause non-ASCII characters to display in email addresses and account IDs.

To ensure that Identity Manager maintains ASCII accountIds and email addresses during anonymous enrollment processing, international users must perform these steps:


Procedure: To Use EndUserRuleLibrary in Localized Environments

  1. Modify the following EndUserRuleLibrary rules:

     • getAccountId: Remove firstName, lastName, and the letter substr. Use employeeId only.

     • getEmailAddress: Remove firstName, lastName, and the "." separator. Use employeeId only.

     • verifyFirstname: Change the length check from 2 to 1 to allow single-character Asian first names.

  2. Edit the End User Anon Enrollment Completion form to remove the firstName and lastName arguments from calls to the getAccountId and getEmailAddress rules.
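As an added example (not the product's own rules or code from this reference), the following Python models the default getAccountId, getEmailAddress and verifyFirstname behaviour described on this page next to the employeeId-only variants the procedure asks for, so the non-ASCII problem and its fix can be checked on sample input. The sample names are constructed, and lowercasing the email local part is an assumption read from the page's firstname.lastname@emailDomain pattern.

```python
# Added example; this is not code from the Sun Identity Manager product or from
# this reference. It models what the page says the EndUserRuleLibrary
# anonymous-enrollment rules compute (getAccountId, getEmailAddress,
# verifyFirstname) and the employeeId-only variants the localization procedure
# asks for, so the non-ASCII problem can be reproduced on sample input.


def get_account_id(first_name, last_name, employee_id):
    """Default getAccountId: first initial + last initial + employee ID."""
    return first_name[:1] + last_name[:1] + employee_id


def get_email_address(first_name, last_name, email_domain):
    """Default getEmailAddress: firstname.lastname@emailDomain.

    The page writes the pattern in lowercase, so the names are lowercased
    here (assumption).
    """
    return first_name.lower() + "." + last_name.lower() + "@" + email_domain


def get_account_id_localized(employee_id):
    """getAccountId after step 1 of the procedure: employeeId only."""
    return employee_id


def get_email_address_localized(employee_id, email_domain):
    """getEmailAddress after step 1 of the procedure: employeeId only, no '.'."""
    return employee_id + "@" + email_domain


def verify_firstname(first_name, min_length=2):
    """verifyFirstname: not null and at least min_length characters.

    The sample rule checks for a length of 2; the procedure lowers it to 1 so
    that single-character Asian first names are accepted.
    """
    return first_name is not None and len(first_name) >= min_length


def enrollment_values(first_name, last_name, employee_id, email_domain, localized=False):
    """Return the (accountId, emailAddress) pair the default or localized rules produce."""
    if localized:
        return (get_account_id_localized(employee_id),
                get_email_address_localized(employee_id, email_domain))
    return (get_account_id(first_name, last_name, employee_id),
            get_email_address(first_name, last_name, email_domain))


def non_ascii_fields(account_id, email_address):
    """Names of the generated fields that contain non-ASCII characters."""
    fields = (("accountId", account_id), ("emailAddress", email_address))
    return [name for name, value in fields if not value.isascii()]


if __name__ == "__main__":
    # Constructed sample enrollment data (not from the page).
    first, last, emp_id, domain = "Élodie", "Øster", "E1042", "example.com"
    for localized in (False, True):
        acct, mail = enrollment_values(first, last, emp_id, domain, localized)
        print(f"localized={localized}: accountId={acct} emailAddress={mail} "
              f"non-ASCII fields={non_ascii_fields(acct, mail)}")
    # A single-character first name is rejected by the default length check
    # and accepted once the check is lowered to 1.
    print("verifyFirstname('陽') default:", verify_firstname("陽"),
          "after change:", verify_firstname("陽", min_length=1))
```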


Note –

This library is displayed as the EndUserRuleLibrary library object in the Identity Manager IDE.


Inputs:

See the two EndUserRuleLibrary tables below.

You must specify the following for a custom EndUserLibrary rule:

AuthType

EndUserLibrary

SubType

Not specified

The following table describes the example EndUserRuleLibrary rules.

Rule

Input Variable

Description

getCallerSession

None

Returns the internal session context (Lighthouse context) for the user executing a form.

getUserView

  • resourceTargets list

  • accountId string

  • includeAvailableRoleInfos boolean

Returns the User view of the specified accountId, including a list of resource targets, and whether or not to include Role information.

getView

  • nameOrId string

  • type string

  • options map

Returns a view of an object specified by the name or GUID, type of object, and a map of options.

getUnassignedResources

  • roles list

  • currentResources list

  • groups list

Determines which resources are currently unassigned.

getDirectReports

  • manager string

  • options map

Returns a list of direct reports for a specified manager, that is, a list of users whose idmManager attribute equals the manager input variable.

getIndirectReports

  • manager string

  • options map

Returns a list of indirect reports for a specified manager, that is, a list of users who are in the reporting structure of the user specified by the manager input variable, excluding direct reports.

getResourceObjectParentId

  • resourceName string

  • resObjectName string

  • objType string

  • objAttr string

Returns a GenericObject of the parent of a resource specified by the name, object type, and object attribute.

getObjectsByType

  • type string

  • attributeVal string

  • attributeName string

Returns a list of GenericObjects of the specified type that match the attributeName=attributeVal condition.

getRealName

  • accountId string

  • addAccountId boolean

Determines a user’s “real name,” such as FirstName <space> LastName, when an accountId has been provided.

  • If the addAccountId argument is true, Identity Manager returns the FirstName LastName (accountId) string.

  • If the FirstName or LastName attributes cannot be determined, the rule returns just the accountId.

NOTES:

  • You can easily modify this rule if you want the real name to display as LastName, FirstName.

  • The user must have the appropriate permissions to be able to search for other users.

The next table describes the example EndUserRuleLibrary rules used for anonymous enrollment.

getAccountId

  • firstName string

  • lastName string

  • employeeId string

Generates an account ID from the first name, last name, and employee ID (first initial + last initial + employee ID).

Note: International users must modify this rule to ensure that Identity Manager maintains ASCII accountIds and email addresses during anonymous enrollment processing.

getEmailAddress

  • firstName string

  • lastName string

  • emailDomain string

Generates an email address from the first name, last name, and email domain provided (firstname.lastname@emailDomain).

Note: International users must modify this rule to ensure that Identity Manager maintains ASCII accountIds and email addresses during anonymous enrollment processing.

getIdmManager

employeeId string

Returns the account ID of the Identity Manager manager associated with an employee ID for a user being created. You must customize this rule for your deployment environment. (Default is configurator.)

getOrganization

None

Returns the name of the organization to which a user will be assigned. You must customize this rule for your deployment environment. (Default is Top.)

runValidation

None

Invokes the verifyFirstname, verifyLastname, verifyEmployeeId, and verifyEligibility rules.

verifyFirstname

firstName string

Validates the first name provided by a user for the End User Anonymous Enrollment process. This sample rule verifies that a first name is not null. You must customize this rule for your deployment environment.

Note: International users must modify this rule to ensure that Identity Manager maintains ASCII accountIds and email addresses during anonymous enrollment processing.

verifyLastname

lastName string

Validates the last name provided by a user for the End User Anonymous Enrollment process. This sample rule verifies that a last name is not null. You must customize this rule for your deployment environment.

verifyEmployeeId

employeeId string

Validates the employee ID provided by a user for the End User Anonymous Enrollment process. This sample rule verifies that an employee ID is valid. You must customize this rule for your deployment environment.

verifyEligibility

  • firstName string

  • lastName string

  • employeeId string

Can be used to validate the employee ID provided by a user for the End User Anonymous Enrollment process. This rule must be customized for deployment.

ExcludedAccountsRule

The ExcludedAccountsRule supports the exclusion of resource accounts from resource operations.

Inputs:

Accepts the following arguments:

You must specify the following for a custom ExcludedAccountsRule rule:

AuthType 

ExcludedAccountsRule

SubType 

Not specified 

Returns 

A list of zero or more strings 

Predefined Rules 

  • Microsoft SQL Server Excluded Resource Accounts

  • Sun Access Manager Excluded Resource Accounts

  • Unix Excluded Resource Accounts

  • Windows Excluded Resource Accounts

The following example illustrates authType use and excludes the specified resource accounts for UNIX adapters.


Example 4–27 Exemplifying authType Use

<Rule name='ExcludedResourceAccounts' authType='ExcludedAccountsRule'>
   <RuleArgument name='accountID'/>
   <!-- System accounts that Identity Manager must never manage on this resource -->
   <defvar name='excludedList'>
      <List>
         <String>root</String>
         <String>daemon</String>
         <String>bin</String>
         <String>sys</String>
         <String>adm</String>
         <String>uucp</String>
         <String>nuucp</String>
         <String>listen</String>
         <String>lp</String>
      </List>
   </defvar>
   <!-- Return true when accountID is in the list, false otherwise -->
   <cond>
      <eq>
         <contains>
            <ref>excludedList</ref>
            <ref>accountID</ref>
         </contains>
         <i>1</i>
      </eq>
      <Boolean>true</Boolean>
      <Boolean>false</Boolean>
   </cond>
</Rule>

The next example shows how to use the operation parameter. This parameter allows you to manipulate the "Test User" resource account without impacting Identity Manager when Active Sync is running against the resource.


Example 4–28 Example Using operation Parameter


<Rule name='Example Excluded Resource Accounts' authType='ExcludedAccountsRule'>
   <!-- Exclude all operations on the 'Administrator' account.
        Exclude only Active Sync (IAPI) events on the 'Test User' account. -->
   <RuleArgument name='accountID'/>
   <RuleArgument name='operation'/>
   <!-- List of IAPI operations -->
   <defvar name='iapiOperations'>
      <List>
         <String>iapi_create</String>
         <String>iapi_update</String>
         <String>iapi_delete</String>
      </List>
   </defvar>
   <or>
      <!-- Always ignore the administrator account. -->
      <cond>
         <eq>
            <s>Administrator</s>
            <ref>accountID</ref>
         </eq>
         <Boolean>true</Boolean>
         <Boolean>false</Boolean>
      </cond>
      <!-- Ignore IAPI events for the 'Test User' account -->
      <and>
         <cond>
            <eq>
               <contains>
                  <ref>iapiOperations</ref>
                  <ref>operation</ref>
               </contains>
               <i>1</i>
            </eq>
            <Boolean>true</Boolean>
            <Boolean>false</Boolean>
         </cond>
         <cond>
            <eq>
               <ref>accountID</ref>
               <s>Test User</s>
            </eq>
            <Boolean>true</Boolean>
            <Boolean>false</Boolean>
         </cond>
      </and>
   </or>
</Rule>

This example shows an ExcludedAccountsRule for RACF.


Example 4–29 ExcludedAccountsRule for RACF


<Rule name="RACF EAR" authType="ExcludedAccountsRule">
   <RuleArgument name="accountID"/>
   <block>
      <defvar name="excludedList">
         <List>
            <String>irrcerta</String>
            <String>irrmulti</String>
            <String>irrsitec</String>
            <String>IBMUSER</String>
         </List>
      </defvar>
      <!-- Match either the upcased accountID or the accountID as given -->
      <cond>
         <eq>
            <containsAny>
               <ref>excludedList</ref>
               <list>
                  <upcase>
                     <ref>accountID</ref>
                  </upcase>
                  <ref>accountID</ref>
               </list>
            </containsAny>
            <i>1</i>
         </eq>
         <Boolean>true</Boolean>
         <Boolean>false</Boolean>
      </cond>
   </block>
</Rule>

This final example shows an ExcludedAccountsRule for RACF LDAP.


Example 4–30 Excluded Accounts Rule for RACF LDAP


<Rule name="Test RACF_LDAP Case Insensitive Excluded Resource Accounts"
      authType="ExcludedAccountsRule">
   <RuleArgument name="accountID"/>
   <block>
      <defvar name="excludedList">
         <List>
            <String>irrcerta</String>
            <String>irrmulti</String>
            <String>irrsitec</String>
            <String>IBMUSER</String>
         </List>
      </defvar>
      <!-- accountID is a DN; take the value of its leftmost RDN
           (the text after '=' in the part before the first ',') -->
      <defvar name="convertedId">
         <get>
            <split>
               <get>
                  <split>
                     <ref>accountID</ref>
                     <s>,</s>
                  </split>
                  <i>0</i>
               </get>
               <s>=</s>
            </split>
            <i>1</i>
         </get>
      </defvar>
      <cond>
         <eq>
            <containsAny>
               <ref>excludedList</ref>
               <list>
                  <upcase>
                     <ref>convertedId</ref>
                  </upcase>
                  <ref>convertedId</ref>
               </list>
            </containsAny>
            <i>1</i>
         </eq>
         <Boolean>true</Boolean>
         <Boolean>false</Boolean>
      </cond>
   </block>
</Rule>
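As an added example (not code from the product or from this reference), the following Python models the decisions of the four ExcludedAccountsRule examples above so they can be checked offline; the sample account IDs and the racfid=... DN are constructed, and the final "both sides" function is a hardening the page does not show.

```python
# Added example; this is not code from the Sun Identity Manager product or from
# this reference. It models Examples 4-27 to 4-30 in Python so the exclusion
# decisions can be checked on sample account IDs, and adds one hardened variant
# (not on the page) that normalizes case on both sides of the comparison.

# Excluded lists copied from the examples above.
UNIX_EXCLUDED = ["root", "daemon", "bin", "sys", "adm", "uucp", "nuucp", "listen", "lp"]
RACF_EXCLUDED = ["irrcerta", "irrmulti", "irrsitec", "IBMUSER"]
# IAPI operations from Example 4-28 (events raised by Active Sync).
IAPI_OPERATIONS = ["iapi_create", "iapi_update", "iapi_delete"]


def excluded_exact(account_id, excluded=UNIX_EXCLUDED):
    """Example 4-27: <contains> on excludedList is an exact, case-sensitive match."""
    return account_id in excluded


def excluded_with_operation(account_id, operation):
    """Example 4-28: 'Administrator' is excluded from every operation; 'Test User'
    only from IAPI (Active Sync) events, so other operations still manage it."""
    if account_id == "Administrator":
        return True
    return operation in IAPI_OPERATIONS and account_id == "Test User"


def excluded_case_insensitive(account_id, excluded=RACF_EXCLUDED):
    """Example 4-29: <containsAny> over [upcase(accountID), accountID].

    Only the accountID is upcased, so a list entry stored in lowercase
    ('irrcerta') is matched exactly, not case-insensitively.
    """
    if account_id is None:
        return False
    return any(candidate in excluded for candidate in (account_id.upper(), account_id))


def rdn_value(dn):
    """Example 4-30 convertedId: split on ',' and take [0], split on '=' and take [1].
    Returns None when there is no '=' (an XPRESS <get> past the end yields null)."""
    parts = dn.split(",")[0].split("=")
    return parts[1] if len(parts) > 1 else None


def excluded_racf_ldap(account_dn, excluded=RACF_EXCLUDED):
    """Example 4-30: apply the Example 4-29 test to the leftmost RDN value of the DN."""
    return excluded_case_insensitive(rdn_value(account_dn), excluded)


def excluded_case_insensitive_both_sides(account_id, excluded=RACF_EXCLUDED):
    """Hardened variant (not on the page): upcase the list as well, so the
    decision does not depend on how each entry happened to be typed."""
    if account_id is None:
        return False
    return account_id.upper() in {entry.upper() for entry in excluded}


if __name__ == "__main__":
    # Constructed sample account IDs and a constructed RACF LDAP DN (not from the page).
    for acct in ("root", "Root"):
        print(f"4-27 {acct!r}: excluded={excluded_exact(acct)}")
    for acct, op in (("Administrator", "reconcile"), ("Test User", "iapi_update"),
                     ("Test User", "reconcile")):
        print(f"4-28 {acct!r}/{op}: excluded={excluded_with_operation(acct, op)}")
    for acct in ("ibmuser", "irrcerta", "Irrcerta"):
        print(f"4-29 {acct!r}: excluded={excluded_case_insensitive(acct)} "
              f"hardened={excluded_case_insensitive_both_sides(acct)}")
    dn = "racfid=ibmuser,profiletype=user,cn=racf"
    print(f"4-30 {dn!r}: convertedId={rdn_value(dn)!r} excluded={excluded_racf_ldap(dn)}")
```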

getAvailableServerOptions

The getAvailableServerOptions rule determines the list of available server configuration options for the specified synchronization mechanism. Using the settings in Waveset.properties applies only for ActiveSync, and is a backwards-compatibility option.

Inputs:

Accepts the targetObjectType argument


Note –

If targetObjectType is IDMXUser, viaWavesetProperties is not returned in the list.


You must specify the following for a custom getAvailableServerOptions rule:

AuthType 

Not specified 

SubType 

Not specified 

Predefined Rules 

None 

InsertDictionaryWord

Use the InsertDictionaryWord rule to run a JDBC command against the Identity Manager dictionary to load new words into the database.

Inputs:

Accepts the following arguments:

You must specify the following for a custom InsertDictionaryWord rule:

AuthType 

Not specified 

SubType 

Not specified 

Returns 

A list of zero or more strings 

Predefined Rules 

None 

IS_DELETE

The IS_DELETE rule is a sample rule, written for the PeopleSoft Active Sync adapter, that determines whether the Active Sync event should delete a user.

Inputs:

None

You must specify the following for a custom IS_DELETE rule:

AuthType 

Not specified 

SubType 

Not specified 

Predefined Rules 

None 

Is Manager

The Is Manager rule tests specified accountIds to see whether they are managers for any other users in the system.

Inputs:

Accepts the managerId argument (<RuleArgument name=’managerId’/>)

You must specify the following for a custom Is Manager rule:

AuthType 

RoleConditionRule

SubType 

Not specified 

Returns 

True if managerId is declared as the idmManager for any user in the system, otherwise returns false.

This rule issues a query in the repository using the caller's display.session session, meaning this rule can only be called from a Form. The check only matches users that are within organizations controlled by the caller, so the rule might return false if the managerId is the manager of users outside of the caller's scope of control.

Predefined Rules 

None 

LoginCorrelationRules

The LoginCorrelationRules map user login information to an Identity Manager user. You specify logic in LoginCorrelationRules that enables the rule to search for an Identity Manager user and return a list of one or more AttributeConditions.

Inputs:

None

You must specify the following for a custom LoginCorrelationRules rule:

AuthType 

LoginCorrelationRule

SubType 

Not specified 

Called 

By a LoginModule to map login information to the Identity Manager user 

Returns 

A list of zero or more AttributeConditions

Predefined Rules 

  • Correlate via X509 Certificate SubjectDN

  • Correlate via LDAP Uid

My Direct Reports

The My Direct Reports rule returns the names of all Identity Manager users that are direct reports of the caller. Management is typically hierarchical; however, this rule returns only the names of users that have the caller specified as their manager. The management hierarchy is not traversed by this rule.

Inputs:

None

You must specify the following for a custom My Direct Reports rule:

AuthType 

AccessScanRule

SubType 

USER_SCOPE_RULE

Returns 

A list of Identity Manager user names that have the caller specified as their manager. 

Predefined Rules 

None 

NamingRules Library

The NamingRules Library is a default library of rules that enable you to control how names are displayed after rule processing.


Note –

This library is displayed as the NamingRules library object in the Identity Manager IDE.


Inputs:

None

You must specify the following for a custom NamingRulesLibrary rule:

AuthType 

Not specified 

SubType 

Not specified 

Predefined Rules 

None 

The following table lists the example NamingRules.

Table 4–6 Example NamingRules

Rule Name  

Description/Output  

AccountName— First dot Last 

Marcus.Aurelius 

AccountName— First initial Last 

MAurelius 

AccountName— First underscore Last 

Marcus_Aurelius 

Email 

marcus.aurelius@example.com  


Note –

You must append an AccountName rule to the mail domain.


Fullname— First space Last 

Marcus Aurelius 

Fullname— First space MI space Last 

Marcus A Aurelius 

Fullname— Last comma First 

Aurelius, Marcus 

NewUsernameRules

The NewUsernameRule is a standard repository initialization file that you can use to extract the value of the leftmost relative distinguished name (RDN) of a user's distinguished name (DN).

Inputs:

None

You must specify the following for a custom NewUsernameRules rule:

AuthType 

NewUserNameRule

SubType 

Not specified 

Returns 

A proposed user name for new users upon registration. For example, Use SubjectDN Common Name extracts jsmith from cn=jsmith,ou=engineering,dc=acme,dc=com.

Predefined Rules 

Use SubjectDN Common Name 

Object Approvers As Attestors

The Object Approvers As Attestors rule returns the provided objectapprovers parameter value if it is not null. If the objectapprovers list is not provided, this rule creates a new list and includes the Configurator user.

Inputs:

Accepts the following arguments:

You must specify the following for a custom Object Approvers As Attestors rule:

AuthType 

AccessScanRule

SubType 

ATTESTORS_RULE

Called 

By running Access Review 

Returns 

 

Predefined Rules 

None 

Object Owners As Attestors

The Object Owners As Attestors rule returns the objectowners parameter if it is not null. If the objectowners list is not provided, the rule creates a new list and includes the Configurator user.

Inputs:

Accepts the following arguments:

You must specify the following for a custom Object Owners As Attestors rule:

AuthType 

AccessScanRule

SubType 

ATTESTORS_RULE

Called 

By running Access Review 

Returns 

A list of Identity Manager user names 

Predefined Rules 

None 

Organization Names

The Organization Names rule returns a List of Display Names for all organizations within the current context.

Inputs:

None

You must specify the following for a custom Organization Names rule:

AuthType 

Not specified 

SubType 

Not specified 

Returns 

 

Predefined Rules 

None 

OS400UserFormRules

Use the OS400UserFormRules to manage the default User Form values for an OS400 resource.

Inputs:

None

You must specify the following for a custom OS400UserFormRules rule:

AuthType 

EndUserLibrary

SubType 

Not specified 

Called 

 

Returns 

See Table 4–7

Predefined Rules 

OS400 User Form Default Values 

The following table lists the example OS400UserFormRules.

Table 4–7 Example OS400UserFormRules

Rule Name 

Description 

Default Password Expiration Interval 

Returns the default value for the password expiration interval. The returned value is 90. 

Default Initial Program Call 

Returns the default initial program called for a user. The returned value is *LIB/CCTC00CLP.

Max Storage List Choices 

Returns a list of Max Storage Defaults. The values are in Kilobytes and equate to: No maximum, 10MB, 50MB, 100MB. 

Initial Menu Default 

Returns the initial menu default value. The returned value is *SIGNOFF.

Language ID Default 

Returns the default language ID value. The returned value is *SYSVAL.

Country ID Default 

Returns the default country ID value. The returned value is *SYSVAL.

Character Set Default 

Returns a list of the default character set values. The returned value is *SYSVAL.

UID Default 

Returns the UID default value. The returned value is *GEN.

Home Directory Prepend 

Path to prepend to user ID to form home directory. 

RACFUserFormRules

Use the RACFUserFormRules to specify default settings for your RACF resource account.

Inputs:

None

You must specify the following for a custom RACFUserFormRules rule:

AuthType 

EndUserLibrary

SubType 

Not specified 

Called 

From RACF User Form 

Returns 

A list of zero or more string values 

Predefined Rules 

RACF User Form Default Values 

The following table lists the example RACFUserFormRules.

Table 4–8 Example RACFUserFormRules

Rule Name 

Description 

Prepend RACF Home Dir Path 

Path prepended to accountId to form home directory.

RACF OMVS Program 

Specify a default OMVS program value. 

RACF TSO Command 

Specify a default TSO command value. 

RACF Master Catalog 

Specify a default master catalog value. 

RACF User Catalog 

Specify a default user catalog value. 

RACF Delete TSO Segment 

Specify a default Delete TSO Segment value. 

Reconciliation Rules

The rules in this category are invoked by Identity Manager during reconciliation. They decide which Identity Manager user, if any, a resource account is linked to, so an overly broad rule here can attach one person's account to another person's identity.

Correlation Rule

Identity Manager invokes the Correlation rule during reconciliation to associate a resource account with one or more Identity Manager users.

Inputs:

Accepts a WSUser representing a resource account, as returned by ResourceAdapter#getUser(WSUser).

You must specify the following for a custom Correlation rule:

AuthType 

Not specified 

SubType 

SUBTYPE_ACCOUNT_CORRELATION_RULE

Namespace 

All attribute values for the resource account defined in the schema are provided in the following format: 

account.LHS Attr Name

Called 

During reconciliation 

Returns 

Criteria you can use to select existing users that might own the specified account. A correlation rule can return criteria in any of the following forms:

  • A string that is interpreted as a WSUser NAME

  • A list of string elements that are each interpreted as a WSUser NAME

  • A list of com.waveset.object.WSAttribute elements

  • A list of com.waveset.object.AttributeCondition elements

Identity Manager uses whichever criteria the correlation rule returns to query the repository for matching users.

Predefined Rules 

Default Correlation 

Confirmation Rule

Identity Manager invokes the Confirmation rule during reconciliation to compare a resource account with one or more Identity Manager users.

Inputs:

Accepts the resource account attributes and the User view attributes listed under Namespace below.

You must specify the following for a custom Confirmation rule:

AuthType 

None 

SubType 

SUBTYPE_ACCOUNT_CONFIRMATION_RULE

Namespace 

All attribute values for the resource account and all attributes in the User view are provided in the following format:

  • account.LHS Attr Name

  • user.accounts[*].*

  • user.waveset.*

  • user.accountInfo.*

Called 

During reconciliation 

Returns 

Logical true or false (1 or 0) depending on whether there is a match.

Predefined Rules 

Default Confirmation 
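
The correlation and confirmation rules work as a pair: correlation proposes candidate owners for an account, and confirmation vets each candidate before the link is made. The import file below is an added example written for this page, not a rule shipped with Identity Manager. It assumes a resource whose schema map defines an LHS attribute named email (so reconciliation supplies account.email) and compares it with the User view attribute user.waveset.email; the rule names are made up. Both rules refuse to act on a null value: a correlation rule that returned "email equals null" would nominate every user without an email for an email-less account, and a confirmation rule that treated two nulls as equal would then confirm that link.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- Added example for this page; not a rule shipped with Identity Manager.
     Assumptions: the resource schema map defines an LHS attribute 'email'
     (so reconciliation supplies account.email), and the matching User view
     attribute is user.waveset.email. The rule names are made up. -->
<Waveset>

  <!-- Correlation: propose candidate owners for the account. Returns a list
       of AttributeCondition objects that Identity Manager turns into a
       repository query. If the account carries no email the cond has no
       else branch and the rule yields null, i.e. no candidates: a condition
       "email equals null" would match every user that lacks an email. -->
  <Rule name='Example Email Correlation'
        subtype='SUBTYPE_ACCOUNT_CORRELATION_RULE'>
    <RuleArgument name='account.email'/>
    <cond>
      <notnull><ref>account.email</ref></notnull>
      <list>
        <new class='com.waveset.object.AttributeCondition'>
          <s>email</s>
          <s>equals</s>
          <ref>account.email</ref>
        </new>
      </list>
    </cond>
  </Rule>

  <!-- Confirmation: vet one candidate user against the account. Returns 1
       (match) or 0 (no match). Both values must be present before they are
       compared, so two missing emails never confirm each other. -->
  <Rule name='Example Email Confirmation'
        subtype='SUBTYPE_ACCOUNT_CONFIRMATION_RULE'>
    <RuleArgument name='account.email'/>
    <RuleArgument name='user.waveset.email'/>
    <cond>
      <and>
        <notnull><ref>account.email</ref></notnull>
        <notnull><ref>user.waveset.email</ref></notnull>
        <eq>
          <ref>account.email</ref>
          <ref>user.waveset.email</ref>
        </eq>
      </and>
      <i>1</i>
      <i>0</i>
    </cond>
  </Rule>

</Waveset>
```

Assign both rules in the resource's reconciliation policy. Keep the correlation criterion narrow and the confirmation test an exact comparison: correlation only nominates candidates, while confirmation is the last check before a resource account is bound to an identity, so it must never pass on partial or empty values.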

RegionalConstants Library

The RegionalConstants Library is a default library of rules that enable you to control how states, days, months, countries, and provinces are displayed.


Note –

This library is displayed as the RegionalConstants Rules library object in the Identity Manager IDE.


Inputs:

See Table 4–9.

You must specify the following for a custom RegionalConstants Library rule:

AuthType 

EndUserRule

SubType 

Not specified 

Returns 

A list of strings 

Predefined Rules 

Regional Constants 

The following table lists the example RegionalConstants rules.

Table 4–9 Example Regional Constants Rules

Rule Name 

Input Variable 

Description  

US States 

None 

Returns a list of the US state names. 

US State Abbreviations 

None 

Returns a list of the standard US state abbreviations. 

Days of the Week 

None 

Returns a list of the full names of the seven days of the week. 

Work Days 

None 

Returns a list of the five work days of the week (U.S.). 

Months of the Year 

None 

Returns a list of the full names of the months of the year. 

Month Abbreviations 

None 

Returns a list of the standard abbreviations of the months of the year. 

Numeric Months of the Year 

None 

Returns a list of the numeric months of the year (1 through 12). 

Days of the Month 

None 

Returns a list of the days of the month (1 through 31), regardless of month. 

Smart Days of the Month 

  • month: Month whose dates are to be calculated.

  • year: Year for the month whose dates are to be calculated.

Returns a list of the days in the specified month, using the numeric month and four-digit year to determine how many days that month has. 

Countries 

None 

Lists the names, in English, of the countries of the world. 

Canadian Provinces 

None 

Lists the names, in English, of the Canadian provinces. 

Remediation Transaction Message

The Remediation Transaction Message rule is a default rule that is used to format the remediation or mitigation transaction text. You can customize this rule to provide more information for the user to sign.

Inputs:

Accepts the following arguments:

You must specify the following for a custom Remediation Transaction Message rule:

AuthType 

EndUserAuditorRule

SubType 

Not specified 

Returns 

Formatted remediation or mitigation transaction text 

Predefined Rules 

None 

Remediation Transaction Message Helper

The Remediation Transaction Message Helper rule returns the formatted transaction text for the remediation or mitigation of a single workitem.

Inputs:

Accepts the following arguments:

You must specify the following for a custom Remediation Transaction Message Helper rule:

AuthType 

EndUserAuditorRule

SubType 

Not specified 

Returns 

Formatted remediation or mitigation transaction text 

Predefined Rules 

None 

ResourceFormRules

The ResourceFormRules library is a default library of rules that enable you to customize values and choices used in several of the UserForms, which in turn are frequently used to select user attributes for resources.

Inputs:

See Table 4–10.

You must specify the following for a custom ResourceFormRules rule:

AuthType 

EndUserLibrary

SubType 

Not specified 

Called 

By UserForms, specifically

  • sample\forms\AccessEnforcerUserForm.xml

  • sample\forms\ADUserForm.xml

  • sample\forms\AIXUserForm.xml

  • sample\forms\HP-UXUserForm.xml

  • sample\forms\NDSUserForm.xml

  • sample\forms\RedHatLinuxUserForm.xml

  • sample\forms\SolarisUserForm.xml

  • sample\forms\SUSELinuxUserForm.xml

Returns 

A list of strings 

Predefined Rules 

ResourceFormRuleLibrary 

The following table describes the example ResourceFormRules.

Table 4–10 Example ResourceFormRules

Rule Name 

Input Variable 

Description 

ListObjects 

  • resourceType

  • resourceName

  • resourceInstance

Returns a list of resource objects, such as groups, that can be used by multiple forms.

ListGroups 

  • resourceName

  • resourceInstance

Returns a list of groups that can be used by multiple forms. NOTE: This rule is provided for backward compatibility.

getDefaultShell 

resourceType

Returns the default shell for a particular resourceType; the value can be used by multiple forms. Ensure that each resourceType has the same default shell as specified in the ResourceAdapter. 

Exchange Servers 

None 

Returns a list of Exchange servers. 

You can update this list to include the Exchange servers in your environment. 

Home Directory Servers 

None 

Returns a list of systems serving user home directories. 

You can update this list to include the systems that serve home directory drives in your environment. 

AD Login Scripts 

None 

Returns a list of user login scripts. 

You can update this list to include the login batch scripts in your environment. 

Home Directory Drive Letters 

None 

Returns a list of home directory mapped drive letters. 

You can update this list to include the common home directory map drive letters in your environment. 

Home Directory Volumes 

None 

Returns a list of home directory volume names. 

You can update this list to include the common home directory volume names in your environment. Identity Manager uses this value with the Home Directory server to create a user’s home directory. The volume must exist and it must be shared on the selected home directory server. 

NDS Home Directory Servers 

None 

Returns a list of systems serving user home directories. 

You can update this list to include the systems that serve home directory drives in your environment. 

NDS Home Directory Types 

None 

Returns a list of home directory mapped drive letters. 

You can update this list to include the common home directory map drive letters in your environment. 

NDS Home Directory Volumes 

None 

Returns a list of home directory volume names. 

You can update this list to include the common home directory volume names in your environment. Identity Manager uses this value with the Home Directory server to create a user’s home directory. The volume must exist and it must be shared on the selected home directory server. 

NDS Template 

  • resourceName

  • ndsTemplate

  • attrList

Returns an NDS Template object. 

Is Mail User 

objectClasses 

Returns 1 if the objectClasses list contains all the following classes, otherwise returns 0:

  • inetuser

  • ipuser

  • inetmailuser

  • inetlocalmailrecipient

  • userpresenceprofile

getResourceAttribute 

  • resName

  • attrName

Returns the value of the requested resource attribute. 

Resource Names

The Resource Names rule returns a list of Resources within the current context.

Inputs:

None

You must specify the following for a custom Resource Names rule:

AuthType 

Not specified 

SubType 

Not specified 

Returns 

A list of resources 

Predefined Rules 

None 

Role Approvers

The Role Approvers rule provides a list of users who are approvers for a specified role.

Inputs:

Accepts the roleName argument

You must specify the following for a custom Role Approvers rule:

AuthType 

RoleUserRule

SubType 

Not specified 

Returns 

A list of the statically defined approvers for a given role 

Predefined Rules 

None 

Role Notifications

The Role Notifications rule provides a list of users who are designated to be notified when a role is assigned to a user.

Inputs:

Accepts the roleName argument

You must specify the following for a custom Role Notifications rule:

AuthType 

RoleUserRule

SubType 

Not specified 

Returns 

A list of the statically defined notification recipients for a given role 

Predefined Rules 

None 

Role Owners

The Role Owners rule provides a list of users who are the owners of a specified role.

Inputs:

Accepts the roleName argument

You must specify the following for a custom Role Owners rule:

AuthType 

RoleUserRule

SubType 

Not specified 

Returns 

A list of the statically defined owners for a given role 

Predefined Rules 

None 

Sample On Local Network

The Sample On Local Network rule is an example of a LoginConstraintRule that is evaluated during login to determine whether the login module group is applied to the user login. The decision rests only on the client IP address that Identity Manager observes; if clients reach the server through a proxy or load balancer, confirm that the address the rule tests is the client's rather than the proxy's, otherwise every login appears to come from the same subnet.

Inputs:

None

You must specify the following for a custom Sample On Local Network rule:

AuthType 

LoginConstraintRule

SubType 

Not specified 

Called 

During login processing by the login module group 

Returns 

  • Returns 1 (true) if the user IP address matches a specific subnet so the login module group should be applied.

  • Returns 0 (false) if the user IP address does not match a specific subnet.

Predefined Rules 

None 

SAP Portal User Form Default Values

The SAP Portal User Form Default Values library is a default library of rules that provide default values for the SAP Portal User Form.

Inputs:

None

You must specify the following for a custom SAP Portal User Form Default Values rule:

AuthType 

Library

SubType 

Not specified 

Called 

From SAP Portal User Form 

Returns 

See Table 4–11.

Predefined Rules 

None 

The following table describes the example SAP Portal User Form Default Values.

Table 4–11 Example SAP Portal User Form Default Values Rules

Rule Name 

Input Variable 

Description 

Countries-ISO3166 Map 

None 

Returns a map of ISO3166 country codes. 

Currency Code Map 

None 

Returns a map of currency codes. 

Locale Map 

None 

Returns a map of locales. 

TimeZones 

None 

Returns a list of timezone IDs. 

ShellRules

The ShellRules library consists of one rule, called getDefaultShell. Multiple forms use the getDefaultShell rule to return the default shell for a particular Unix resourceType.

Inputs:

Accepts the resourceType argument.

The only valid resourceTypes are Solaris, AIX, HP-UX, and Red Hat Linux.


Note –

Each resourceType must have the same default shell as specified in the ResourceAdapter.


You must specify the following for a custom ShellRules rule:

AuthType 

Not specified 

SubType 

Not specified 

Returns 

A string that contains the default shell for the specified resourceType.

Predefined Rules 

None 

SIEBEL_NAV_RULE

The SIEBEL_NAV_RULE is a sample navigation rule that could be specified as the AdvancedNavRule, as discussed in the “Advanced Navigation” section of the Siebel CRM documentation.

Inputs:

None

You must specify the following for a custom SiebelNavigationRule:

AuthType 

Not specified 

SubType 

Not specified 

Predefined Rules 

None 

TestDictionary

Use the TestDictionary rule to run a JDBC query against the Identity Manager dictionary to test the connection.

Inputs:

Accepts the following arguments:

You must specify the following for a custom TestDictionary rule:

AuthType 

Not specified 

SubType 

Not specified 

Predefined Rules 

None 

TopSecretUserFormRules

Use the TopSecretUserFormRules to specify default settings for your TopSecret resource account.

Inputs:

None

You must specify the following for a custom TopSecretUserFormRules rule:

AuthType 

EndUserLibrary

SubType 

Not specified 

Called 

From TopSecret User Form 

Returns 

See Table 4–12.

Predefined Rules 

None 

The following table describes the example TopSecretUserFormRules.

Table 4–12 Example TopSecretUserFormRules

Rule Name 

Description  

TopSecret Default OMVS 

Determines the default OMVS shell. 

TopSecret Default TSO 

Determines the default TSO Process. 

TopSecret Home Prepend Path 

Path to prepend to accountId to create home directory.

TopSecret Attribute List 

Returns a list of attributes that can be assigned to a user. 

User Members Rule

The User Members Rule enables you to dynamically control a single organization’s user membership, based on who is logged in. For example, if you assign the User Members Rule to the My Employees organization, the rule dynamically controls the organization’s user membership as follows:

Inputs:

You must specify the following for a custom User Members Rule rule:

AuthType 

UserMembersRule

SubType 

Not specified 

Called 

 

Returns 

  • A list of resource accountIds

    You can return resource accountIds by invoking the FormUtil.getResourceObjects call to, for example, return all user entries in a specified directory OU.

    Returned resource accountIds must be in one of the following formats:

    • resourceId:accountId

    • resourceId@accountId


    <list>
      <s>res1:stevel</s>
      <s>res1:joem</s>
      <s>res1:sallyp</s>
    </list>

  • A list of Identity Manager AttributeConditions used to query the Identity Manager repository for users matching the specified condition.

    <!-- selects the users whose idmManager attribute equals the accountId of the logged-in user -->
    <list>
      <new class='com.waveset.object.AttributeCondition'>
        <s>idmManager</s>
        <s>equals</s>
        <ref>waveset.accountId</ref>
      </new>
    </list>

Predefined Rules 

None 

USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CONF

The USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CONF rule is a confirmation rule that compares an Identity Manager user to an account.

Inputs:

None

You must specify the following for a custom USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CONF rule:

AuthType 

Not specified 

SubType 

SUBTYPE_ACCOUNT_CONFIRMATION_RULE

Returns 

True if the email attribute values match

Predefined Rules 

None 

USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CORR

The USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CORR rule is a correlation rule that searches for a Identity Manager user with an email attribute value that matches the email attribute value in the specified account.

Inputs:

None

You must specify the following for a custom USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CORR rule:

AuthType 

Not specified 

SubType 

SUBTYPE_ACCOUNT_CORRELATION_RULE

Returns 

A list of attribute conditions 

Predefined Rules 

None 

USER_FIRST_AND_LAST_NAMES_MATCH_ACCOUNT

The USER_FIRST_AND_LAST_NAMES_MATCH_ACCOUNT rule is a confirmation rule that compares an Identity Manager user to an account by looking for a fullname attribute.

Inputs:

None

You must specify the following for a custom USER_FIRST_AND_LAST_NAMES_MATCH_ACCOUNT rule:

AuthType 

Not specified 

SubType 

SUBTYPE_ACCOUNT_CONFIRMATION_RULE

Return 

True if first name and last name values match, otherwise returns false

Predefined Rules 

None 

USER_NAME_MATCHES_ACCOUNT_ID

The USER_NAME_MATCHES_ACCOUNT_ID rule is a correlation rule that searches for an Identity Manager user with the same name as the user in the specified account.

Inputs:

None

You must specify the following for a custom USER_NAME_MATCHES_ACCOUNT_ID rule:

AuthType 

Not specified 

SubType 

SUBTYPE_ACCOUNT_CORRELATION_RULE

Return 

Returns a string value 

Predefined Rules 

None 

USER_OWNS_MATCHING_ACCOUNT_ID

The USER_OWNS_MATCHING_ACCOUNT_ID rule is a correlation rule that searches for any Identity Manager user that owns an accountId matching the name of the specified account.

Inputs:

None

You must specify the following for a custom USER_OWNS_MATCHING_ACCOUNT_ID rule:

AuthType 

Not specified 

SubType 

SUBTYPE_ACCOUNT_CORRELATION_RULE

Return 

A list of attribute conditions 

Predefined Rules 

None 

Users Without a Manager

The Users Without a Manager rule determines which Identity Manager users have no manager defined, so that an access scan can be scoped to them.

Inputs:

None


Note –

This rule uses the lhcontext variable from the calling scope.


You must specify the following for a custom Users Without a Manager rule:

AuthType 

AccessScanRule

SubType 

USER_SCOPE_RULE

Returns 

A list of user names that do not have a manager defined. 

Predefined Rules 

None 

Use SubjectDN Common Name

The Use SubjectDN Common Name rule returns a subject's common name (CN) from the subject's DN, for use as the name of a new user. Because a CN is not guaranteed to be unique among the subjects a certificate authority issues, make sure the issuing PKI enforces unique CNs before deriving user names from them.

Inputs:

None

You must specify the following for a custom Use SubjectDN Common Name rule:

AuthType 

NewUserNameRule

SubType 

Not specified 

Returns 

A common name 

Predefined Rules 

None