Sun Identity Manager Deployment Reference

Why Use Rules?

You can call a rule wherever XPRESS is allowed, most notably in forms, Java code, and workflows. Rules allow you to encapsulate data, such as a fragment of logic or a static value, that can then be reused in many locations.

The benefits of organizing XPRESS logic or static values for reuse include:

You can secure rules to protect sensitive data, such as user credentials or personal information, from being accessed by unauthorized administrators. For more information, see Securing Rules.

Using Rules in Forms

You typically call a rule in forms to calculate the value of a field or to control field visibility within a <Disable> expression. Within forms, rules could be the most efficient mechanism for storing and reusing:

When calling rules from forms, it is particularly important that you properly secure those rules. Imagine a rule used in a critical form, but the implementation of the rule could be modified by any Identity Manager user! For information about securing rules, see Securing Rules.

The following example rule returns a list of job titles.


Example 4–2 Returning a Job Titles List


<Rule name='Job Titles'>
   <List> 
      <String>Sales</String> 
      <String>Accounting Manager</String> 
      <String>Customer Service Representative</String> 
   </List> 
</Rule>

Rules such as this are often used in Identity Manager forms to calculate lists of names for selection. To add or change a job title, you only have to modify this rule instead of modifying each form that references the rule.

In the next example, the global.jobTitle field calls the Job Titles rule defined in Using Rules in Forms to use the job titles list in a select box:


Note –

This example uses a lowercase r in the rule element because you are calling a rule, not defining a rule.



Example 4–3 Using a Job Titles List in a Select Box


<Field name='global.jobTitle'>
   <Display class='Select'>
      <Property name='title' value='Job Title'/>
      <Property name='allowedValues'>
         <rule name='Job Titles'/>
      </Property> 
   </Display> 
</Field>

Identity Manager forms also support rules that dynamically calculate the name of another rule to call. The following example shows how a form field calls a rule that calculates a department code:


Example 4–4 Calling a Rule that Calculates a Department Code


<Field name='DepartmentCode'>
   <Display class='Text'>
      <Property name='title' value='DepartmentCode'/>
   </Display> 
   <Expansion> 
      <rule> 
         <cond> 
            <eq> 
               <ref>var1</ref> 
               <s>Admin</s> 
            </eq> 
            <s>AdminRule</s> <s>DefaultRule</s> 
         </cond> 
      </rule> 
   </Expansion> 
</Field>

Using Rules in Roles

In Identity Manager, a role is an object that allows you to efficiently group and assign resources to users. Roles have designated owners and approvers, where:

You can directly assign role owners and approvers to a role or use a role-assignment rule to dynamically assign them to a role.

You can use a rule to set the value of any resource attribute in a role definition. When Identity Manager evaluates the rule, it can reference any attribute of the user view.


Note –

For more information about roles, see the Business Administrator's Guide.


The following example shows how to use a rule to set an attribute value for a particular resource. When you create a user and associate this rule with that user’s role, the rule automatically sets the description value.


Example 4–5 Setting the Value for a User’s Resource Description


<Rule name='account description'>
   <concat> 
      <string>Account for </string> 
      <ref>global.firstname</ref> 
      <string>.</string> 
      <ref>global.lastname</ref> 
   </concat> 
</Rule>

Using Rules in Workflows

In general terms, an Identity Manager workflow is a logical, repeatable process during which documents, information, or tasks are passed from one participant to another for action, according to a defined set of procedural rules. A participant is a person, machine, or both.

In workflow, you can use a rule anywhere you can use an expression. You can use rules in a workflow to:

For example, you can use a manual action to send an approval request to an administrator and specify a timeout value for this action. If the administrator does not respond within the specified time, you can terminate the action and escalate the workflow approval to a different administrator.

Workflow activities can also contain subprocesses containing a rule that dynamically calculates a subprocess name. For example:


Example 4–6 Calculating a Rule Name Dynamically


<Activity id='0' name='activity1'>
   <Variable name='ValueSetByRule'>
      <rule> 
         <cond> 
            <eq>
               <ref>var2</ref>
               <s>specialCase</s>
            </eq> 
            <s>Rule2</s> 
            <s>Rule1</s> 
         </cond> 
         <argument name='arg1'> <ref>variable</ref> </argument>
      </rule> 
   </Variable> 
</Activity>
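
The following Python script is an added example, not part of the Identity Manager documentation. It inventories the rule calls in a form or workflow export so that every rule a form can reach, including the dynamically named calls in Examples 4-4 and 4-6, can be checked against Securing Rules. The `<Form>` wrapper, the sample name, and the function names are assumptions, as is treating the first non-`<argument>` child of a nameless `<rule>` as the expression that computes the rule name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule calls from Examples 4-3 and 4-4, wrapped in a
# hypothetical <Form> root so the fragments parse as one document.
SAMPLE_FORM = """
<Form name='Sample Form'>
  <Field name='global.jobTitle'>
    <Display class='Select'>
      <Property name='allowedValues'> <rule name='Job Titles'/> </Property>
    </Display>
  </Field>
  <Field name='DepartmentCode'>
    <Expansion>
      <rule>
        <cond>
          <eq> <ref>var1</ref> <s>Admin</s> </eq>
          <s>AdminRule</s> <s>DefaultRule</s>
        </cond>
      </rule>
    </Expansion>
  </Field>
</Form>
"""

def candidate_names(expr):
    """Rule names an expression can return, or None if not statically known."""
    if expr.tag == 's':
        return {expr.text or ''}
    if expr.tag == 'cond':
        names = set()
        for branch in list(expr)[1:]:   # first child is the test, rest are results
            sub = candidate_names(branch)
            if sub is None:
                return None
            names |= sub
        return names
    return None  # <ref>, nested rule calls, etc.: needs manual review

def inventory_rule_calls(xml_text):
    """Return (static_names, dynamic_calls) for every lowercase <rule> call."""
    static, dynamic = set(), []
    for call in ET.fromstring(xml_text).iter('rule'):
        if call.get('name') is not None:
            static.add(call.get('name'))
        else:
            # No name attribute: the first non-<argument> child computes the name.
            expr = next((c for c in call if c.tag != 'argument'), None)
            dynamic.append(candidate_names(expr) if expr is not None else None)
    return static, dynamic
```

A `None` entry in the dynamic list marks a call whose target depends on runtime data, so the set of rules it can reach has to be reviewed by hand.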