This section describes the default rules and rule libraries supplied with Identity Manager. The information is organized as follows:
You can use the Identity Manager IDE to customize these rules and rule libraries.
You can use the following rules and rule libraries to customize Identity Manager.
The AccessEnforcerLibrary is a default library of rules that enable you to manage certain types of objects because the Access Enforcer resource adapter does not provide a way for you to fetch these objects.
Inputs: See Table 4–2.
You must specify the following for a custom AccessEnforcerLibrary rule:
| Argument | Description |
|---|---|
| AuthType | Library |
| SubType | listRules |
| Returns | See Table 4–2 |
| Predefined Rules | Not specified |
The following table describes the example AccessEnforcerLibrary rules.
Table 4–2 Example AccessEnforcerLibrary Rules
When the Flat File Active Sync adapter detects a change to an account on a resource, it either maps the incoming attributes to an Identity Manager user, or it creates an Identity Manager user account. The adapter uses process, correlation, and delete rules to determine what to do with the user.
Active Sync rules must use context, not display.session. Correlation and Delete rules do not get a session, but Confirmation rules do. For more information, see Correlation Rule and Confirmation Rule.
Inputs: These rules accept resource account attributes in the activeSync namespace, for example activeSync.firstname.
You must specify the following for a custom ActiveSync rule:
The default library of ADRules enables you to create a list of the servers
Inputs: None
You must specify the following for a custom ADRules rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Called | |
| Returns | A list of zero or more string values. |
| Predefined Rules | None |
Table 4–3 Example ADRules Rules
| Rule Name | Description |
|---|---|
| Exchange Servers | Returns a list of the Exchange servers in your environment. You can update this list to include the Exchange servers in your environment. |
| Home Directory Servers | Returns a list of the Home Directory Servers in your environment. You can update this list to include the systems that serve home directory drives in your environment. |
| AD Login Scripts | Returns a list of the user login scripts being used in your environment. You can update this list to include the login batch scripts in your environment. |
| Home Directory Drive Letter | Returns a list of the home directory mapped drive letters in your environment. You can update this list to include the common home directory map drive letters in your environment. |
| Home Directory Volumes | Returns a list of the home directory volume names in your environment. You can update this list to include the common home directory volume names in your environment. Identity Manager uses this value with the Home Directory Server to create a user’s home directory. This volume must exist and be shared on the selected home directory server. |
The AlphaNumeric Rules Library is a default library of rules that enable you to control how numbers and letters are ordered and displayed in Identity Manager forms and workflows.
This library is displayed as the Alpha Numeric Rules library object in the Identity Manager IDE.
Inputs: See Table 4–4
You must specify the following for a custom rule:
| Argument | Description |
|---|---|
| AuthType | EndUserRule |
| SubType | Not specified |
| Returns | A list of zero or more strings. |
The following table describes rules in the AlphaNumeric Rules library.
Table 4–4 Example Alphanumeric Rules
| Rule Name | Input Variable | Description |
|---|---|---|
| AlphaCapital | None | Returns a list of English capital alpha characters |
| AlphaLower | None | Returns a list of English lowercase alpha characters |
| Numeric | None | Returns a list of numeric characters |
| WhiteSpace | None | Returns a list of white space characters |
| SpecialCharacters | None | Returns a list of common special characters |
| legalEmailCharacters | None | Returns a list of legal special characters for email |
| stringToChars | testStr | Converts the given string to a list composed of the string’s individual characters |
| isNumeric | testStr | Tests to see if testStr contains all numeric characters |
| isAlpha | testStr | Tests to see if testStr contains only alpha characters |
| hasSpecialChar | testStr | Tests to see if testStr contains any special characters |
| hasWhiteSpace | testStr | Tests to see if testStr contains any white space characters |
| isLegalEmail | testStr | Tests to see if testStr consists of only legal email address characters |
| StripNonAlphaNumeric | testStr | Removes any non-alpha or non-numeric characters from testStr |
The Approval Transaction Message rule is a default rule used to format approval transaction text. You can customize this rule to provide more information for a user to sign.
Inputs: Accepts the following arguments:
workItemList: A set of workitems that are being approved.
variablesList: A set of variables corresponding to each workitem in workitemList.
approverName: User being asked to approve the workitems.
You must specify the following for a custom Approval Transaction Message rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Returns | Formatted transaction text for the list of workitems in workItemList |
| Predefined Rules | None |
The Approval Transaction Message Helper rule returns the formatted transaction text for the approval of a single workitem.
Inputs: Accepts the following arguments:
workItem: The workitem that is being approved.
variables: The workitem variables.
You must specify the following for a custom Approval Transaction Message Helper rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Returns | Formatted transaction text for the approval of a single workitem |
| Predefined Rules | None |
The Attestation Remediation Transaction Message rule is a default rule used to format attestation remediation transaction text. You can customize this rule to provide more information for the user to sign.
Inputs: Accepts the following arguments:
workItemList: A set of workitems that are being approved.
variablesList: A set of variables corresponding to each workitem in workitemList.
approverName: User being asked to approve the workitems.
action: Expected to be remediate.
actionComments: Comments that are entered as part of the remediation.
You must specify the following for a custom Attestation Remediation Transaction Message rule:
| Argument | Description |
|---|---|
| AuthType | EndUserAuditorRule |
| SubType | Not specified |
| Returns | Formatted attestation remediation transaction text |
| Predefined Rules | None |
The Attestation Remediation Transaction Message Helper rule returns the formatted transaction text for the attestation remediation of a single workitem.
Inputs: Accepts the following arguments:
workItem: The workitem that is being approved.
variables: The workitem variables.
You must specify the following for a custom Attestation Remediation Transaction Message Helper rule:
| Argument | Description |
|---|---|
| AuthType | EndUserAuditorRule |
| SubType | Not specified |
| Returns | Formatted transaction text for the attestation remediation of a single workitem. |
| Predefined Rules | None |
The Attestation Transaction Message rule is a default rule used to format attestation transaction text. You can customize this rule to provide more information for the user to sign.
Inputs: Accepts the following arguments:
workItemList: A set of workitems that are being approved.
variablesList: A set of variables corresponding to each workitem in workitemList.
approverName: User being asked to approve the workitems.
action: Expected to be approved or approve.
actionComments: Comments that are entered as part of the attestation.
You must specify the following for a custom Attestation Transaction Message rule:
| Argument | Description |
|---|---|
| AuthType | EndUserAuditorRule |
| SubType | Not specified |
| Returns | Formatted attestation transaction text. |
| Predefined Rules | None |
The Attestation Transaction Message Helper rule returns the formatted transaction text for a single attestation.
Inputs: Accepts the following arguments:
workItem: The workitem that is being approved.
variables: The workitem variables.
You must specify the following for a custom Attestation Transaction Message Helper rule:
| Argument | Description |
|---|---|
| AuthType | EndUserAuditorRule |
| SubType | Not specified |
| Returns | Formatted transaction text for a single attestation |
| Predefined Rules | None |
Use the CheckDictionaryWord rule to run a JDBC query against a dictionary to check if a password exists in the dictionary.
Inputs: Accepts the following arguments:
type
driverClass
driverPrefix
url
host
port
database
context
user
password
sql
arg1
You must specify the following for a custom CheckDictionaryWord rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Returns | A list of zero or more strings |
| Predefined Rules | None |
The DateLibrary is a default library of rules that control how dates and times are displayed in a deployment.
This library is displayed as the Date Library library object in the Identity Manager IDE.
Inputs: See Table 4–5.
You must specify the following for a custom DateLibrary rule:
| Argument | Description |
|---|---|
| AuthType | Rule |
| SubType | Not specified |
| Returns | Boolean values of true or false. See Table 4–5. |
The following table describes the example DateLibrary rules.
Table 4–5 Example DateLibrary Rules
The End User Controlled Organizations rule determines the set of organizations that are controlled by a user logging into the End User interface. These organizations, together with the End User organization, define the scope of control over which a user is granted the permissions specified in the EndUser capability (AdminGroup). Because this is a rule, it allows the scope of control to vary depending on which user is logging into the End User interface.
Inputs: User view of the authenticating end user
You must specify the following for a custom End User Controlled Organizations rule:
| Argument | Description |
|---|---|
| AuthType | EndUserControlledOrganizationsRule |
| SubType | Not specified |
| Returns | A single controlled organization (string) or a list of controlled organizations. Each value can be an organization name or ID. If an organization name is returned, it must be fully qualified up to Top (for example, Top:Marketing:South). |
| Predefined Rules | Defaults to returning the organization of which the user is a member (for example, waveset.organization) |
The EndUserRuleLibrary is a default library of rules that Identity Manager uses to determine or to verify end-user account information.
By default, Identity Manager’s End User Anonymous Enrollment processing generates values for accountId and emailAddress by using user-supplied first names (firstName), last names (lastName) and employee IDs (employeeID). Anonymous enrollment can cause non-ASCII characters to display in email addresses and account IDs.
To ensure that Identity Manager maintains ASCII accountIds and email addresses during anonymous enrollment processing, international users must perform these steps:
Modify the following EndUserRuleLibrary rules:
Edit the End User Anon Enrollment Completion form to remove the firstName and lastName arguments from calls to the getAccountId and getEmailAddress rules.
This library is displayed as the EndUserRuleLibrary library object in the Identity Manager IDE.
Inputs: See EndUserRuleLibrary and EndUserRuleLibrary.
You must specify the following for a custom EndUserLibrary rule:
| Argument | Description |
|---|---|
| AuthType | EndUserLibrary |
| SubType | Not specified |
The following table describes the example EndUserRuleLibrary rules.
The next table describes the example EndUserRuleLibrary rules used for anonymous enrollment.
The ExcludedAccountsRule supports the exclusion of resource accounts from resource operations.
Inputs: Accepts the following arguments:
accountId: String account ID being tested.
You can compare the accountId argument to one or more resource accounts that should be excluded from Identity Manager.
operation: Resource operation to be performed.
The rule can use the operation argument to have finer control over which resource accounts are exempt from the actions specified by the operation parameter. If an operation parameter is not used within the rule, every account identified by the rule is excluded from all of the listed operations.
The operation parameter can contain the following values:
create
update
delete
rename (used when the only detected change is a new account ID)
rename_with_update
list
iapi_create (only used within Active Sync)
iapi_update (only used within Active Sync)
iapi_delete (only used within Active Sync)
You must specify the following for a custom ExcludedAccountsRule rule:
The following example illustrates subType use and excludes the specified resource accounts for UNIX adapters.

```xml
<Rule name='ExcludedResourceAccounts' authType='ExcludedAccountsRule'>
  <RuleArgument name='accountID'/>
  <block>
    <!-- built-in UNIX accounts that Identity Manager must never manage -->
    <defvar name='excludedList'>
      <List>
        <String>root</String>
        <String>daemon</String>
        <String>bin</String>
        <String>sys</String>
        <String>adm</String>
        <String>uucp</String>
        <String>nuucp</String>
        <String>listen</String>
        <String>lp</String>
      </List>
    </defvar>
    <!-- true (excluded) when accountID appears in excludedList -->
    <cond>
      <eq>
        <contains>
          <ref>excludedList</ref>
          <ref>accountID</ref>
        </contains>
        <i>1</i>
      </eq>
      <Boolean>true</Boolean>
      <Boolean>false</Boolean>
    </cond>
  </block>
</Rule>
```

The next example shows how to use the operation parameter. This parameter allows you to manipulate the “Test User” resource account without impacting Identity Manager, even if Active Sync is running against the resource.
This example shows an ExcludedAccountsRule for RACF.

```xml
<Rule name="RACF EAR" authType="ExcludedAccountsRule">
  <RuleArgument name="accountID"/>
  <block>
    <!-- RACF system and certificate-anchor user IDs that must stay unmanaged -->
    <defvar name="excludedList">
      <List>
        <String>irrcerta</String>
        <String>irrmulti</String>
        <String>irrsitec</String>
        <String>IBMUSER</String>
      </List>
    </defvar>
    <!-- compare both the upper-cased and the original accountID against the list -->
    <cond>
      <eq>
        <containsAny>
          <ref>excludedList</ref>
          <list>
            <upcase>
              <ref>accountID</ref>
            </upcase>
            <ref>accountID</ref>
          </list>
        </containsAny>
        <i>1</i>
      </eq>
      <Boolean>true</Boolean>
      <Boolean>false</Boolean>
    </cond>
  </block>
</Rule>
```

This final example shows an ExcludedAccountsRule for RACF LDAP.

```xml
<Rule name="Test RACF_LDAP Case Insensitive Excluded Resource Accounts" authType="ExcludedAccountsRule">
  <RuleArgument name="accountID"/>
  <block>
    <defvar name="excludedList">
      <List>
        <String>irrcerta</String>
        <String>irrmulti</String>
        <String>irrsitec</String>
        <String>IBMUSER</String>
      </List>
    </defvar>
    <!-- accountID is an LDAP DN whose leftmost RDN carries the RACF user ID:
         take the text before the first comma, then the value after the '=' -->
    <defvar name="convertedId">
      <get>
        <split>
          <get>
            <split>
              <ref>accountID</ref>
              <s>,</s>
            </split>
            <i>0</i>
          </get>
          <s>=</s>
        </split>
        <i>1</i>
      </get>
    </defvar>
    <!-- compare both the upper-cased and the original extracted ID against the list -->
    <cond>
      <eq>
        <containsAny>
          <ref>excludedList</ref>
          <list>
            <upcase>
              <ref>convertedId</ref>
            </upcase>
            <ref>convertedId</ref>
          </list>
        </containsAny>
        <i>1</i>
      </eq>
      <!-- the page's copy of this example stopped above; the closing elements follow the RACF example -->
      <Boolean>true</Boolean>
      <Boolean>false</Boolean>
    </cond>
  </block>
</Rule>
```
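An added example, not part of the original documentation, that actually uses the operation argument described above: built-in accounts are excluded from every listed operation, while a constructed test account is excluded only from the Active Sync operations (iapi_create, iapi_update, iapi_delete), so an administrator can change that account on the resource without Identity Manager reacting to the change. The argument name accountID follows the page's examples; the operation argument name and the or/and XPRESS logic elements are assumed to be available as in standard XPRESS.

```xml
<Rule name='Excluded Accounts By Operation' authType='ExcludedAccountsRule'>
  <RuleArgument name='accountID'/>
  <!-- assumption: the operation argument is passed under the name 'operation' -->
  <RuleArgument name='operation'/>
  <block>
    <!-- privileged built-in accounts: excluded from every operation -->
    <defvar name='alwaysExcluded'>
      <List>
        <String>root</String>
        <String>daemon</String>
        <String>bin</String>
        <String>sys</String>
      </List>
    </defvar>
    <!-- constructed test account: excluded from Active Sync events only -->
    <defvar name='activeSyncExcluded'>
      <List>
        <String>Test User</String>
      </List>
    </defvar>
    <!-- the operation values that Active Sync uses (from the list above) -->
    <defvar name='activeSyncOperations'>
      <List>
        <String>iapi_create</String>
        <String>iapi_update</String>
        <String>iapi_delete</String>
      </List>
    </defvar>
    <cond>
      <or>
        <!-- branch 1: account is in the always-excluded list, whatever the operation -->
        <eq>
          <contains>
            <ref>alwaysExcluded</ref>
            <ref>accountID</ref>
          </contains>
          <i>1</i>
        </eq>
        <!-- branch 2: operation is an Active Sync event AND account is a test account -->
        <and>
          <eq>
            <contains>
              <ref>activeSyncOperations</ref>
              <ref>operation</ref>
            </contains>
            <i>1</i>
          </eq>
          <eq>
            <contains>
              <ref>activeSyncExcluded</ref>
              <ref>accountID</ref>
            </contains>
            <i>1</i>
          </eq>
        </and>
      </or>
      <Boolean>true</Boolean>
      <Boolean>false</Boolean>
    </cond>
  </block>
</Rule>
```

With this rule, a create, update, or delete of Test User issued through Identity Manager itself still proceeds, because only the iapi_* operations match the second branch.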
The getAvailableServerOptions rule determines the list of available server configuration options for the specified synchronization mechanism. Using the settings in Waveset.properties applies only for ActiveSync, and is a backwards-compatibility option.
Inputs: Accepts the targetObjectType argument. If it is IDMXUser, then viaWavesetProperties is not returned in the list.
You must specify the following for a custom getAvailableServerOptions rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Predefined Rules | None |
Use the InsertDictionaryWord rule to run a JDBC command against the Identity Manager dictionary to load new words into the database.
Inputs: Accepts the following arguments:
type
driverClass
driverPrefix
url
host
port
database
context
user
password
sql
arg1
argList
You must specify the following for a custom InsertDictionaryWord rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Returns | A list of zero or more strings |
| Predefined Rules | None |
The IS_DELETE rule is a sample rule, written for the PeopleSoft Active Sync adapter, that determines whether the Active Sync event should delete a user.
Inputs: None
You must specify the following for a custom IS_DELETE rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Predefined Rules | None |
The Is Manager rule tests specified accountIds to see whether they are managers for any other users in the system.
Inputs: Accepts the managerId argument (<RuleArgument name='managerId'/>)
You must specify the following for a custom Is Manager rule:
| Argument | Description |
|---|---|
| AuthType | RoleConditionRule |
| SubType | Not specified |
| Returns | True if managerId is declared as the idmManager for any user in the system; otherwise returns false. This rule issues a query in the repository using the caller’s display.session session, meaning this rule can only be called from a Form. The check only matches users that are within organizations controlled by the caller, so the rule might return false if the managerId is the manager of users outside of the caller’s scope of control. |
| Predefined Rules | None |
The LoginCorrelationRules map user login information to an Identity Manager user. You specify logic in LoginCorrelationRules that enables the rule to search for an Identity Manager user and return a list of one or more AttributeConditions.
Inputs: None
You must specify the following for a custom LoginCorrelationRules rule:
The My Direct Reports rule returns the names of all Identity Manager users that are direct reports of the caller. Management is typically a hierarchical structure, however this rule only returns the names of users that have the caller specified as their manager. The management hierarchy is not traversed by this rule.
Inputs: None
You must specify the following for a custom My Direct Reports rule:
| Argument | Description |
|---|---|
| AuthType | AccessScanRule |
| SubType | USER_SCOPE_RULE |
| Returns | A list of Identity Manager user names that have the caller specified as their manager. |
| Predefined Rules | None |
The NamingRules Library is a default library of rules that enable you to control how names are displayed after rule processing.
This library is displayed as the NamingRules library object in the Identity Manager IDE.
Inputs: None
You must specify the following for a custom NamingRulesLibrary rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Predefined Rules | None |
The following table lists the example NamingRules.
Table 4–6 Example NamingRules
| Rule Name | Description/Output |
|---|---|
| AccountName— First dot Last | Marcus.Aurelius |
| AccountName— First initial Last | MAurelius |
| AccountName— First underscore Last | Marcus_Aurelius |
| | marcus.aurelius@example.com. Note: You must append an AccountName rule to the mail domain. |
| Fullname— First space Last | Marcus Aurelius |
| Fullname— First space MI space Last | Marcus A Aurelius |
| Fullname— Last comma First | Aurelius, Marcus |
The NewUsernameRule is a standard repository initialization file that you can use to extract the value of a user distinguished name’s (DN) left most relative distinguished name (RDN).
Inputs: None
You must specify the following for a custom NewUsernameRules rule:
| Argument | Description |
|---|---|
| AuthType | NewUserNameRule |
| SubType | Not specified |
| Returns | A proposed user name for new users upon registration. For example, Use SubjectDN Common Name extracts jsmith from cn=jsmith,ou=engineering,dc=acme,dc=com. |
| Predefined Rules | Use SubjectDN Common Name |
The Object Approvers As Attestors rule returns the provided objectapprovers parameter value if it is not null. If the objectapprovers list is not provided, this rule creates a new list and includes the Configurator user.
Inputs: Accepts the following arguments:
userEntitlement: View of a UserEntitlement object
lhcontext: LighthouseContext of the caller
objectowners: List of Identity Manager user names that are considered owners
objectapprovers: List of Identity Manager user names that are considered approvers
You must specify the following for a custom Object Approvers As Attestors rule:
| Argument | Description |
|---|---|
| AuthType | AccessScanRule |
| SubType | ATTESTORS_RULE |
| Called | By running Access Review |
| Returns | |
| Predefined Rules | None |
The Object Approvers As Attestors rule returns the objectowners parameter if it is not null. If the objectowners list is not provided, the rule creates a new list and includes the Configurator user.
Inputs: Accepts the following arguments:
userEntitlement: View of a UserEntitlement object
lhcontext: LighthouseContext of the caller
objectowners: List of Identity Manager user names that are considered owners
objectapprovers: List of Identity Manager user names that are considered approvers
You must specify the following for a custom Object Approvers As Attestors rule:
| Argument | Description |
|---|---|
| AuthType | AccessScanRule |
| SubType | ATTESTORS_RULE |
| Called | By running Access Review |
| Returns | A list of Identity Manager user names |
| Predefined Rules | None |
The Organization Names rule returns a List of Display Names for all organizations within the current context.
Inputs: None
You must specify the following for a custom Organization Names rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Returns | |
| Predefined Rules | None |
Use the OS400UserFormRules to manage the default User Form values for an OS400 resource.
Inputs: None
You must specify the following for a custom OS400UserFormRules rule:
| Argument | Description |
|---|---|
| AuthType | EndUserLibrary |
| SubType | Not specified |
| Called | |
| Returns | See Table 4–7 |
| Predefined Rules | OS400 User Form Default Values |
The following table lists the example OS400UserFormRules.
Table 4–7 Example OS400UserFormRules
| Rule Name | Description |
|---|---|
| Default Password Expiration Interval | Returns the default value for the password expiration interval. The returned value is 90. |
| Default Initial Program Call | Returns the default initial program called for a user. The returned value is *LIB/CCTC00CLP. |
| Max Storage List Choices | Returns a list of Max Storage Defaults. The values are in Kilobytes and equate to: No maximum, 10MB, 50MB, 100MB. |
| Initial Menu Default | Returns the initial menu default value. The returned value is *SIGNOFF. |
| Language ID Default | Returns the default language ID value. The returned value is *SYSVAL. |
| Country ID Default | Returns the default country ID value. The returned value is *SYSVAL. |
| Character Set Default | Returns a list of the default character set values. The returned value is *SYSVAL. |
| UID Default | Returns the UID default value. The returned value is *GEN. |
| Home Directory Prepend | Path to prepend to the user ID to form the home directory. |
Use the RACFUserFormRules to specify default settings for your RACF resource account.
Inputs: None
You must specify the following for a custom RACFUserFormRules rule:
| Argument | Description |
|---|---|
| AuthType | EndUserLibrary |
| SubType | Not specified |
| Called | From RACF User Form |
| Returns | A list of zero or more string values |
| Predefined Rules | RACF User Form Default Values |
The following table lists the example RACFUserFormRules.
Table 4–8 Example RACFUserFormRules
| Rule Name | Description |
|---|---|
| Prepend RACF Home Dir Path | Path prepended to accountId to form the home directory. |
| RACF OMVS Program | Specify a default OMVS program value. |
| RACF TSO Command | Specify a default OMVS TSO value. |
| RACF Master Catalog | Specify a default OMVS program value. |
| RACF User Catalog | Specify a default OMVS program value. |
| RACF Delete TSO Segment | Specify a default Delete TSO Segment value. |
The following table provides information about the common Identity Manager processes or tasks related to the reconciliation rules category:
Identity Manager invokes the Correlation rule during reconciliation to associate a resource account with one or more Identity Manager users.
Inputs: Accepts a WSUser representing a resource account as returned by ResourceAdapter#getUser(WSUser)
You must specify the following for a custom Correlation rule:
Identity Manager invokes the Confirmation rule during reconciliation to compare a resource account with one or more Identity Manager users.
Inputs: Accepts the following arguments:
A WSUser representing an existing IDM user
A WSUser representing a resource account as returned by ResourceAdapter#getUser(WSUser)
You must specify the following for a custom Confirmation rule:
The RegionalConstants Library is a default library of rules that enable you to control how states, days, months, countries, and provinces are displayed.
This library is displayed as the RegionalConstants Rules library object in the Identity Manager IDE.
Inputs: See Table 4–9.
You must specify the following for a custom RegionalConstants Library rule:
| Argument | Description |
|---|---|
| AuthType | EndUserRule |
| SubType | Not specified |
| Returns | A list of strings |
| Predefined Rules | Regional Constants |
The following table lists the example RegionalConstants rules.
Table 4–9 Example Regional Constants Rules
The Remediation Transaction Message rule is a default rule that is used to format the remediation or mitigation transaction text. You can customize this rule to provide more information for the user to sign.
Inputs: Accepts the following arguments:
workItemList: A set of workitems that are being approved.
variablesList: A set of variables corresponding to each workitem in workitemList.
approverName: User being asked to approve the workitems.
action: Expected to be remediate or mitigate.
Comments: Comments that are entered as part of the remediation.
expiration: ISO date string for the remediation end date, which is needed only if the action is mitigate.
You must specify the following for a custom Remediation Transaction Message rule:
| Argument | Description |
|---|---|
| AuthType | EndUserAuditorRule |
| SubType | Not specified |
| Returns | Formatted remediation or mitigation transaction text |
| Predefined Rules | None |
The Remediation Transaction Message Helper rule returns the formatted transaction text for the remediation or mitigation of a single workitem.
Inputs: Accepts the following arguments:
workItem: The workitem that is being approved.
variables: The workitem variables.
You must specify the following for a custom Remediation Transaction Message Helper rule:
| Argument | Description |
|---|---|
| AuthType | EndUserAuditorRule |
| SubType | Not specified |
| Returns | Formatted remediation or mitigation transaction text |
| Predefined Rules | None |
The ResourceFormRules library is a default library of rules that enable you to customize values and choices used in several of the UserForms, which in turn are frequently used to select user attributes for resources.
Inputs: See Table 4–10.
You must specify the following for a custom ResourceFormRules rule:
The following table describes the example ResourceFormRules.
Table 4–10 Example ResourceFormRules
The Resource Name rule returns a list of Resources within the current context.
Inputs: None
You must specify the following for a custom Resource Names rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Returns | A list of resources |
| Predefined Rules | None |
The Role Approvers rule provides a list of users who are approvers for a specified role.
Inputs: Accepts the roleName argument
You must specify the following for a custom Role Approvers rule:
| Argument | Description |
|---|---|
| AuthType | RoleUserRule |
| SubType | Not specified |
| Returns | A list of the statically defined approvers for a given role |
| Predefined Rules | None |
The Role Notifications rule provides a list of users who are designated to be notified when a role is assigned to a user.
Inputs: Accepts the roleName argument
You must specify the following for a custom Role Notifications rule:
| Argument | Description |
|---|---|
| AuthType | RoleUserRule |
| SubType | Not specified |
| Returns | A list of the statically defined approvers for a given role |
| Predefined Rules | None |
The Role Owners rule provides a list of users who are the owners of a specified role.
Inputs: Accepts the roleName argument
You must specify the following for a custom Role Owners rule:
| Argument | Description |
|---|---|
| AuthType | RoleUserRule |
| SubType | Not specified |
| Returns | A list of the statically defined approvers for a given role |
| Predefined Rules | None |
The Sample On Local Network rule is an example of a LoginConstraintRule evaluated during login to determine if the login module group will be applied to the user login.
Inputs: None
You must specify the following for a custom Sample On Local Network rule:
The SAP Portal User Form Default Values library is a default library of rules that provide default values for the SAP Portal User Form.
Inputs: None
You must specify the following for a custom SAP Portal User Form Default Values rule:
| Argument | Description |
|---|---|
| AuthType | Library |
| SubType | Not specified |
| Called | During login processing by the login module group |
| Returns | See Table 4–11. |
| Predefined Rules | None |
The following table describes the example SAP Portal User Form Default Values.
Table 4–11 Example SAP Portal User Form Default Values Rules
| Rule Name | Input Variable | Description |
|---|---|---|
| Countries-ISO3166 Map | None | Returns a map of ISO3166 country codes. |
| Currency Code Map | None | Returns a map of country codes. |
| Locale Map | None | Returns a map of locales. |
| TimeZones | None | Returns a list of timezone IDs. |
The ShellRules library consists of one rule, called getDefaultShell. Multiple forms use the getDefaultShell rule to return the default shell for a particular Unix resourceType.
Inputs: Accepts the resourceType argument. The only valid resourceTypes are Solaris, AIX, HP-UX, and Red Hat Linux. Each resourceType must have the same default shell as specified in the ResourceAdapter.
You must specify the following for a custom ShellRules rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Returns | A string that contains the default shell for the specified resourceType. |
| Predefined Rules | None |
The SIEBEL_NAV_RULE is a sample navigation rule that could be specified as the AdvancedNavRule, as discussed in the “Advanced Navigation” section of the Siebel CRM documentation.
Inputs: None
You must specify the following for a custom SiebelNavigationRule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Predefined Rules | None |
Use the TestDictionary rule to run a JDBC query against the Identity Manager dictionary to test the connection.
Inputs: Accepts the following arguments:
type
driverClass
driverPrefix
url
host
port
database
context
user
password
sql
arg1
You must specify the following for a custom TestDictionary rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | Not specified |
| Predefined Rules | None |
Use the TopSecretUserFormRules to specify default settings for your TopSecret resource account.
Inputs: None
You must specify the following for a custom TopSecretUserFormRules rule:
| Argument | Description |
|---|---|
| AuthType | EndUserLibrary |
| SubType | Not specified |
| Called | From TopSecret User Form |
| Returns | See Table 4–12. |
| Predefined Rules | None |
The following table describes the example TopSecretUserFormRules.
Table 4–12 Example TopSecretUserFormRules
| Rule Name | Description |
|---|---|
| TopSecret Default OMVS | Determines the default OMVS shell. |
| TopSecret Default TSO | Determines the default TSO Process. |
| TopSecret Home Prepend Path | Path to prepend to accountId to create the home directory. |
| TopSecret Attribute List | Returns a list of attributes that can be assigned to a user. |
The User Members Rule enables you to dynamically control a single organization’s user membership, based on who is logged in. For example, if you assign the User Members Rule to the My Employees organization, the rule dynamically controls the organization’s user membership as follows:
If Bob logs in and controls the My Employees organization, then Bob can only see and manage his employees in the My Employees organization.
If Mary logs in and also controls the My Employees organization, she can only see and manage her employees. She cannot see or manage Bob’s or anyone else’s employees.
Inputs: User view of the authenticated admin user; context or Identity Manager session of the authenticated administrator user
userMemberRuleOrganizationDisplayName: The display name of an organization. (Optional)
userMemberRuleOrganizationPathName: The full, colon-delimited organization path name. (Optional)
You must specify the following for a custom User Members Rule rule:
The USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CONF rule is a confirmation rule that compares an Identity Manager user to an account.
Inputs: None
You must specify the following for a custom USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CONF rule:
| Argument | Description |
|---|---|
| AuthType | Not specified |
| SubType | SUBTYPE_ACCOUNT_CONFIRMATION_RULE |
| Returns | True if the email attribute values match |
| Predefined Rules | None |
The USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CORR rule is a correlation rule that searches for an Identity Manager user with an email attribute value that matches the email attribute value in the specified account.
Inputs:
None
You must specify the following for a custom USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CORR rule:
AuthType |
Not specified |
SubType |
SUBTYPE_ACCOUNT_CORRELATION_RULE |
Returns |
A list of attribute conditions |
Predefined Rules |
None |
The USER_FIRST_AND_LAST_NAMES_MATCH_ACCOUNT rule is a confirmation rule that confirms a candidate Identity Manager user against an account by comparing the user's first and last names with the account's fullname attribute.
Inputs:
None
You must specify the following for a custom USER_FIRST_AND_LAST_NAMES_MATCH_ACCOUNT rule:
AuthType |
Not specified |
SubType |
SUBTYPE_ACCOUNT_CONFIRMATION_RULE |
Returns |
True if first name and last name values match, otherwise returns false |
Predefined Rules |
None |
The USER_NAME_MATCHES_ACCOUNT_ID rule is a correlation rule that searches for an Identity Manager user with the same name as the user in the specified account.
Inputs:
None
You must specify the following for a custom USER_NAME_MATCHES_ACCOUNT_ID rule:
AuthType |
Not specified |
SubType |
SUBTYPE_ACCOUNT_CORRELATION_RULE |
Returns |
A string value |
Predefined Rules |
None |
The USER_OWNS_MATCHING_ACCOUNT_ID rule is a correlation rule that searches for any Identity Manager user that owns an accountId matching the name of the specified account.
Inputs:
None
You must specify the following for a custom USER_OWNS_MATCHING_ACCOUNT_ID rule:
AuthType |
Not specified |
SubType |
SUBTYPE_ACCOUNT_CORRELATION_RULE |
Returns |
A list of attribute conditions |
Predefined Rules |
None |
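The correlation and confirmation rules above are XPRESS XML whose bodies this page does not show. The following Python, added here as an illustration and not Identity Manager code, models what those rules decide so that the two-stage behaviour can be exercised: a correlation rule narrows the user population to candidates (by returning attribute conditions or a single user name), and a confirmation rule then accepts or rejects each candidate. The user and account records, the linking policy (link only when exactly one candidate survives confirmation) and the sample data are assumptions made for the example.

```python
"""Correlation and confirmation rules modelled in Python.

Added example: this is not Identity Manager code (the real rules are XPRESS
XML) but a stand-alone model of what the USER_*_CORR and USER_*_CONF rules
on this page decide. Assumptions not stated on the page: a user record is a
dict with 'name', 'email', 'firstname', 'lastname' and 'accounts' (the
accountIds the user owns); an account is a dict of resource attributes; an
account is linked only when exactly one candidate survives confirmation.
"""

# --- correlation rules: narrow the user population to candidates ----------

def user_email_matches_account_email_corr(account):
    """USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CORR: attribute conditions selecting
    users whose email equals the account's email (case-insensitive)."""
    email = account.get("email")
    return [("email", "equals", email.lower())] if email else []

def user_owns_matching_account_id_corr(account):
    """USER_OWNS_MATCHING_ACCOUNT_ID: users that already own this accountId."""
    return [("accounts", "contains", account["accountId"])]

def user_name_matches_account_id_corr(account):
    """USER_NAME_MATCHES_ACCOUNT_ID: a single string, the user name to look up."""
    return account["accountId"]

# --- confirmation rules: accept or reject one candidate --------------------

def user_email_matches_account_email_conf(user, account):
    """USER_EMAIL_MATCHES_ACCOUNT_EMAIL_CONF: True if the email values match."""
    u, a = user.get("email"), account.get("email")
    return bool(u) and bool(a) and u.lower() == a.lower()

def user_first_and_last_names_match_account_conf(user, account):
    """USER_FIRST_AND_LAST_NAMES_MATCH_ACCOUNT: True if the account's fullname
    is the user's first and last name."""
    full = account.get("fullname", "")
    expected = f"{user.get('firstname', '')} {user.get('lastname', '')}".strip()
    return bool(full) and full.casefold() == expected.casefold()

# --- evaluation of what the rules return ----------------------------------

def _matches(user, condition):
    attr, op, value = condition
    if op == "equals":
        return str(user.get(attr, "")).lower() == value
    if op == "contains":
        return value in user.get(attr, [])
    raise ValueError(f"unsupported operator {op!r}")

def correlate(users, account, corr_rule):
    """Apply a correlation rule: a string names one user, a list of attribute
    conditions selects every user matching all of them, [] selects nobody."""
    result = corr_rule(account)
    if isinstance(result, str):
        return [u for u in users if u["name"] == result]
    return [u for u in users if result and all(_matches(u, c) for c in result)]

def link(users, account, corr_rule, conf_rule=None):
    """Name of the single confirmed user, or None when there is no candidate
    or more than one (ambiguity must not silently link the account)."""
    candidates = correlate(users, account, corr_rule)
    if conf_rule is not None:
        candidates = [u for u in candidates if conf_rule(u, account)]
    return candidates[0]["name"] if len(candidates) == 1 else None

# Constructed sample data, not from any real deployment.
USERS = [
    {"name": "jsmith", "email": "jsmith@example.com", "firstname": "John",
     "lastname": "Smith", "accounts": ["jsmith", "smithj-ad"]},
    {"name": "jsmith2", "email": "jsmith@example.com", "firstname": "Jane",
     "lastname": "Smith", "accounts": ["jsmith2"]},
    {"name": "adoe", "email": "adoe@example.com", "firstname": "Alice",
     "lastname": "Doe", "accounts": ["adoe"]},
]

if __name__ == "__main__":
    acct = {"accountId": "smithj-ad", "email": "JSmith@Example.com",
            "fullname": "John Smith"}
    # Two users share the email, so email correlation alone is ambiguous ...
    print(link(USERS, acct, user_email_matches_account_email_corr))          # None
    # ... but the name confirmation rule picks the right one.
    print(link(USERS, acct, user_email_matches_account_email_corr,
               user_first_and_last_names_match_account_conf))                 # jsmith
```

The point the model makes is that an email-only correlation can return more than one Identity Manager user; without a confirmation rule that narrows the candidates to exactly one, the adapter must not link the account, because linking to the wrong user hands that user's access to whoever controls the resource account.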
The Users Without a Manager rule determines which Identity Manager users have no manager defined.
Inputs:
None
This rule uses the lhcontext variable from the calling scope.
You must specify the following for a custom Users Without a Manager rule:
AuthType |
AccessScanRule |
SubType |
USER_SCOPE_RULE |
Returns |
A list of user names that do not have a manager defined. |
Predefined Rules |
None |
The Use SubjectDN Common Name rule returns a subject's common name from the subject's DN.
Inputs:
None
You must specify the following for a custom Use SubjectDN Common Name rule:
AuthType |
NewUserNameRule |
SubType |
Not specified |
Returns |
A common name |
Predefined Rules |
None |
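Deriving a new user name from a certificate subject DN is only safe if the DN is parsed as RFC 4514 defines it: a rule that splits on commas and equals signs is fooled by an escaped comma in the CN (CN=Smith\, John) and may hand back a truncated or wrong name. The following Python is an added example, not the page's Use SubjectDN Common Name rule (whose XPRESS body is not shown here); it assumes the DN arrives as an RFC 4514 string and shows the escapes, hex sequences, multi-valued RDNs and insignificant spaces a correct CN extraction has to handle, with a deliberately naive variant for contrast.

```python
"""RFC 4514 subject DN parsing for a NewUserNameRule, added as an example.

Not the page's Use SubjectDN Common Name rule (which is XPRESS XML whose
body the page does not show); this Python shows what a correct CN
extraction has to handle. Assumption: the DN arrives as a string in the
RFC 4514 form produced by certificate libraries.
"""

_HEX = b"0123456789abcdefABCDEF"

def parse_dn(dn):
    """Return a list of RDNs, each a list of (type, value) pairs.

    Handles backslash escapes (\\, and \\2C), hex pairs that form UTF-8
    sequences, multi-valued RDNs (a+b) and unescaped spaces around values,
    which RFC 4514 says are insignificant. Raises ValueError on malformed
    input rather than returning a partial name.
    """
    raw = dn.encode("utf-8")
    rdns, rdn = [], []
    buf, trailing, attr_type = bytearray(), 0, None
    i = 0

    def finish_value():
        # drop unescaped trailing spaces, keep escaped ones
        return bytes(buf[:len(buf) - trailing]).decode("utf-8")

    while i < len(raw):
        b = raw[i:i + 1]
        if b == b"\\":
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in _HEX for c in pair):
                buf += bytes.fromhex(pair.decode("ascii"))   # \XX hex escape
                i += 3
            elif i + 1 < len(raw):
                buf += raw[i + 1:i + 2]                      # \c escape
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            trailing = 0                       # escaped spaces are significant
            continue
        if b == b"=" and attr_type is None:
            attr_type = buf.decode("utf-8").strip().lower()
            buf, trailing = bytearray(), 0
        elif b in (b",", b"+"):
            if attr_type is None:
                raise ValueError("RDN without '=' in DN")
            rdn.append((attr_type, finish_value()))
            attr_type, buf, trailing = None, bytearray(), 0
            if b == b",":
                rdns.append(rdn)
                rdn = []
        elif b == b" " and not buf:
            pass                               # unescaped leading space
        else:
            buf += b
            trailing = trailing + 1 if b == b" " else 0
        i += 1
    if attr_type is None:
        raise ValueError("RDN without '=' in DN")
    rdn.append((attr_type, finish_value()))
    rdns.append(rdn)
    return rdns

def subject_dn_common_name(dn):
    """Use SubjectDN Common Name: the CN from the most specific RDN that has
    one. Refuses a DN without a CN so no empty user name is ever created."""
    for rdn in parse_dn(dn):
        for attr_type, value in rdn:
            if attr_type == "cn" and value:
                return value
    raise ValueError("subject DN carries no CN")

def naive_common_name(dn):
    """What a split-on-comma rule does; kept only to show why it is wrong."""
    return dn.split(",")[0].split("=", 1)[1]
```

A rule built this way never returns a value for a DN that has no CN; raising is preferable to creating a user with an empty name that a later account may correlate to.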
To achieve a high level of configurability with minimal complexity, Identity Auditor makes judicious use of rules in audit policy and access scan object configuration.
Table 4–13 provides an overview of the rules you can use to customize how audit policy remediation works and how access scans operate.
Table 4–13 Auditor Rule Types Quick Reference
Rule Type | Example Rules | subTypes and authTypes | Purpose |
---|---|---|---|
Attestor | Default Attestor | SubType: ATTESTORS_RULE; AuthType: AccessScanRule | Automates the attestation process by specifying a default attestor for manual entitlements. |
Attestor Escalation | Default EscalationAttestor | SubType: AttestorEscalationRule; AuthType: AccessScanRule | Automates the attestation process by specifying a default escalation user for manual attestation. |
Audit Policy | Compare Accounts to Roles | SubType: SUBTYPE_AUDIT_POLICY_RULE or SUBTYPE_AUDIT_POLICY_SOD_RULE; AuthType: AuditPolicyRule | Compares user accounts to accounts specified by current Roles. |
Audit Policy | Compare Roles to Actual Resource Values | SubType: SUBTYPE_AUDIT_POLICY_RULE or SUBTYPE_AUDIT_POLICY_SOD_RULE; AuthType: AuditPolicyRule | Compares current resource attributes with those specified by current Roles. |
Remediation User Form | None | SubType: USER_FORM_RULE; AuthType: Not specified | Automates the remediation process by allowing audit policy authors to constrain which part of a User view is visible when responding to a particular policy violation. |
Remediator | Default Remediator | SubType: REMEDIATORS_RULE; AuthType: AccessScanRule | Automates the remediation process by specifying a remediator for any entitlements created in the remediating state. |
Review Determination | Reject Changed Users | SubType: REVIEW_REQUIRED_RULE; AuthType: AccessScanRule | Automates the attestation process by automatically rejecting user entitlement records. |
Review Determination | Review Changed Users | SubType: REVIEW_REQUIRED_RULE; AuthType: AccessScanRule | Automates the attestation process by automatically approving user entitlement records. |
Review Determination | Review Everyone | SubType: REVIEW_REQUIRED_RULE; AuthType: AccessScanRule | Automates the attestation process by requiring manual attestation for every user entitlement record. |
User Scope | All Administrators | SubType: USER_SCOPE_RULE; AuthType: AccessScanRule | Provides flexibility in selecting the list of users to be scanned by an access scan. |
User Scope | All Non-Administrators | SubType: USER_SCOPE_RULE; AuthType: AccessScanRule | Provides flexibility in selecting the list of users to be scanned by an access scan. |
User Scope | Users Without a Manager | SubType: USER_SCOPE_RULE; AuthType: AccessScanRule | Provides flexibility in selecting the list of users to be scanned by an access scan. |
ViolationPriority | ViolationPriority | SubType: Not specified; AuthType: EndUserAuditorRule | Customization: allows the deployment to specify the valid violation priorities and the corresponding display strings. |
ViolationSeverity | ViolationSeverity | SubType: Not specified; AuthType: EndUserAuditorRule | Customization: allows the deployment to specify the valid violation severities and the corresponding display strings. |
The following sections provide information about these Identity Auditor rules, how you might customize them, and why:
Every user entitlement that is created in a pending state must be attested by someone. During an access review, Identity Auditor passes each User view to the Attestor rule to determine who gets the initial attestation requests.
The idmManager attribute on the WSUser object contains the Identity Manager account name and ID of the user’s manager.
If you define a value for idmManager, the Attestor rule returns idmManager as the attestor for the user represented by the entitlement record.
If the idmManager value is null, the Attestor rule returns Configurator as the attestor.
You can use alternate implementations to designate both idmManager and any resource owners as attestors (for resources included in the view). This rule takes the current User view and a LighthouseContext object as inputs, so you can use any data known to Identity Manager.
Inputs:
Accepts the following arguments:
userEntitlement: Current User view
lhcontext: LighthouseContext
objectowners:
objectapprovers:
You must specify the following for a custom Attestor rule:
AuthType |
AccessScanRule |
SubType |
ATTESTORS_RULE |
Called |
During access scan; after evaluating all audit policies, but before dispatching the user entitlement |
Returns |
A list of zero or more Identity Manager attestor names (users responsible for attesting a particular user entitlement) or NamedValue pairs. |
Predefined Rules |
Default Attestor |
Location |
Compliance > Manage Policies > Access Scan > Attestor Rule |
A workflow calls the Attestor Escalation rule when an attestation times out because the attestor did not take action within a specified period of time. This rule returns the next person in the escalation chain based on the cycle count.
Inputs:
Accepts the following arguments:
wfcontext: WorkflowContext
userEntitlement: Current view of user entitlement, including User view
cycle: Escalation level. For the first escalation, the cycle is 1.
attestor: Name of attestor who failed to attest before the attestation request timed out.
You must specify the following for a custom Attestor Escalation rule:
AuthType |
AccessScanRule |
SubType |
AttestorEscalationRule |
Called |
During an attestation workflow when a work item times out. (The default timeout is 0, which means the work item never times out.) |
Returns |
A single attestor name or a list of attestor names, which must be valid Identity Manager account names. |
Predefined Rules |
Default EscalationAttestor |
Location |
Compliance > Manage Policies > Access Scan > Attestor Escalation Rule |
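The two rules above decide who receives an attestation request and who receives it next when the first attestor lets it time out. The following Python is an added example, not the predefined Default Attestor or Default EscalationAttestor rules (their XPRESS bodies are not on this page); it models the idmManager-or-Configurator choice the page describes, an alternate Attestor variant that adds resource owners, and an escalation that walks the manager chain one step per cycle. The user population, the resource-owner mapping, the cap on escalations and the handling of broken or looping manager chains are assumptions; the last point matters because an escalation rule that only returns "the attestor's manager" can bounce a request between two users who report to each other indefinitely.

```python
"""Attestor and Attestor Escalation rules modelled in Python, added as an
example; not the predefined Default Attestor / Default EscalationAttestor
rules, whose XPRESS bodies the page does not show.

Assumptions not on the page: the user population is a dict keyed by Identity
Manager account name whose values carry 'idmManager' (None when unset);
escalation walks one step up the manager chain per cycle; after MAX_CYCLES
escalations, or when the chain is broken or loops, the request goes to
Configurator instead of timing out again forever.
"""

FALLBACK = "Configurator"
MAX_CYCLES = 3          # assumed cap on escalations before Configurator

def default_attestor(user_view):
    """Attestor rule: the user's idmManager, or Configurator when unset."""
    manager = user_view.get("idmManager")
    return [manager] if manager else [FALLBACK]

def attestors_with_resource_owners(user_view, resource_owners):
    """Alternate Attestor rule: the manager plus the owner of every resource
    that has an account in the view (owners are an assumed mapping)."""
    names = default_attestor(user_view)
    for account in user_view.get("accounts", []):
        owner = resource_owners.get(account.get("resource"))
        if owner and owner not in names:
            names.append(owner)
    return names

def escalation_attestor(users, attestor, cycle):
    """Attestor Escalation rule: who gets the request after `attestor` let it
    time out on escalation number `cycle` (1 for the first escalation).

    The returned name must be a valid Identity Manager account name, so a
    manager that does not exist, a self-reference, or a chain that has
    already been escalated MAX_CYCLES times all fall back to Configurator.
    """
    if cycle < 1:
        raise ValueError("cycle starts at 1")
    if cycle > MAX_CYCLES:
        return FALLBACK
    manager = users.get(attestor, {}).get("idmManager")
    if not manager or manager == attestor or manager not in users:
        return FALLBACK
    return manager

def escalation_chain(users, first_attestor):
    """Every attestor a request visits if nobody ever acts; shows that a
    manager loop (A reports to B, B to A) still terminates at Configurator."""
    chain, current = [first_attestor], first_attestor
    for cycle in range(1, MAX_CYCLES + 2):
        current = escalation_attestor(users, current, cycle)
        chain.append(current)
        if current == FALLBACK:
            break
    return chain

# Constructed sample population, not from any real deployment.
USERS = {
    "Configurator": {"idmManager": None},
    "ceo": {"idmManager": None},
    "vp": {"idmManager": "ceo"},
    "mgr": {"idmManager": "vp"},
    "bob": {"idmManager": "mgr"},
    "loopA": {"idmManager": "loopB"},
    "loopB": {"idmManager": "loopA"},
    "orphan": {"idmManager": "nobody"},      # manager is not a known account
}

if __name__ == "__main__":
    print(escalation_chain(USERS, "bob"))    # ['bob', 'mgr', 'vp', 'ceo', 'Configurator']
    print(escalation_chain(USERS, "loopA"))  # ['loopA', 'loopB', 'loopA', 'loopB', 'Configurator']
```

Because a custom Attestor Escalation rule receives the cycle count, the cap is the simplest way to guarantee that an unattended request always ends with a human (here Configurator) rather than cycling through the same inattentive attestors.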
An audit policy contains a set of rules that it applies to data representing an object being audited. Each rule can return a boolean value (plus some optional information).
To determine whether a policy has been violated, the audit policy evaluates a logical operation on the results of each rule. If the audit policy has been violated, a compliance violation object might result, with (typically) one compliance violation object per policy, rule, or whatever was being audited. For example, an audit policy with five rules might result in five violations.
Inputs:
None
You must specify the following for a custom Audit Policy rule:
AuthType |
AuditPolicyRule. Note – When you use the Audit Policy Wizard to create an Audit Policy rule, the wizard uses the AuditPolicyRule authType by default. If you use the Identity Manager IDE to create an Audit Policy rule, be sure to specify the AuditPolicyRule authType. |
SubType |
SUBTYPE_AUDIT_POLICY_RULE or SUBTYPE_AUDIT_POLICY_SOD_RULE (see Table 4–13) |
Called |
During an Audit Policy Evaluation |
Returns |
An integer value, returned either directly or as the result entry of a map; the map can also carry severity and priority entries (see the ComplianceViolation example later in this section). Note – The Audit Policy Wizard only creates rules that reference a single resource and return an integer value (not a map). To use the map form, you must write the rule yourself. Some very sophisticated audit policy rule examples are provided in sample/auditordemo.xml. |
Predefined Rules |
Compare Accounts to Roles, Compare Roles to Actual Resource Values (see Table 4–13) |
The RULE_EVAL_COUNT value equals the number of rules that were evaluated during a policy scan. Identity Manager calculates this value as follows:
RULE_EVAL_COUNT = # of users scanned x (# of rules in policy + 1)
The +1 is included in the calculation because Identity Manager also counts the policy rule, which is the rule that actually decides if a policy is violated. The policy rule inspects the audit rule results, and performs the boolean logic to come up with a policy result.
For example, if you have Policy A with three rules and Policy B with two rules, and you scan ten users, the RULE_EVAL_COUNT value is 70:
10 users x (3 + 1 + 2 + 1 rules) = 70
The Remediation User Form rule allows audit policy authors to constrain which part of a User view is visible when they are responding to a particular policy violation.
When a remediator edits a user during entitlement remediation processing, a JSP (approval/remModifyUser.jsp) calls the Remediation User Form rule. This rule allows the access scan to specify an appropriate form for editing a user. If the remediator has already specified a user form, then the access scan uses that form instead.
Inputs:
Accepts the item argument (Remediation WorkItem)
You must specify the following for a custom Remediation User Form rule:
AuthType |
Not specified |
SubType |
USER_FORM_RULE |
Called |
During JSP form processing after the remediator clicks Edit User on the remediation form. |
Returns |
The name of a User Form or a null. |
Predefined Rules |
None |
Location |
|
During an access review, every User view is passed to the Remediator rule to determine who should get the initial remediation requests. This rule is analogous to the Attestor rule, except the Remediator rule is called when a workitem is created in the remediating state.
Inputs:
Accepts the following arguments:
lhcontext: LighthouseContext
userEntitlement: Current User view
You must specify the following for a custom Remediator rule:
AuthType |
AccessScanRule |
SubType |
REMEDIATORS_RULE |
Called |
During access scan, after evaluating all audit policies and before dispatching the user entitlement |
Returns |
A list of zero or more Identity Manager remediator names or NamedValue pairs.
Note – If the rule returns NamedValue pair elements, they are passed on without validation. |
Predefined Rules |
Default Remediator |
Location |
Compliance > Manage Policies > Access Scan > Remediator Rule |
During an access review, every User view is passed to the Review Determination rule to determine whether the corresponding user entitlement record can be automatically approved or rejected, automatically placed into remediation state, or if the record must be manually attested. A user entitlement is a complete User view (in which some resources might be omitted) and some tracking data.
You can use the Review Determination rule to significantly increase the efficiency of an access review by
Encapsulating any institutional knowledge that would allow a user to be automatically approved or rejected. If you express that knowledge in this rule, you reduce the number of manual attestations needed and improve overall review performance.
Configuring this rule to return information that is visible to the attestors as a “hint.” For example, when the rule determines that a user has privileged access to a resource, the rule provides a hint to the attestor, as shown in the following example:
```xml
<map>
  <s>result</s>
  <i>1</i>
  <s>reason</s>
  <s><reason the attestation was auto-approved/rejected></s>
  <s>attestorHint</s>
  <s><hint to attestor></s>
</map>
```
Configuring the rule to access the User view (including any Compliance Violations) and compare the user’s previous user entitlements, which allows the rule to approve or reject all user entitlements that are the same as (or different from) a previously approved user entitlement.
You can add an argument that allows the rule to compare subsets of the User view. For example:
```xml
<set name='viewCompare'>
  <!-- compare the entire view (3rd argument can specify sub-path) -->
  <invoke name='compareUserViews' class='com.sun.idm.auditor.ui.FormUtil'>
    <ref>userView</ref>
    <ref>lastUserView</ref>
    <s>accounts</s>
  </invoke>
</set>
```
This call compares the two User views; its third argument lets the caller name a subpath of the complete User view, using a GenericObject path expression, so that only that part is compared. If you just want to compare particular account data, the subpath can specify that data. Comparing only the accounts subpath makes you less likely to encounter differences that are not reflected on a real resource.
Differences found in the User view comparison are returned in the reason element of the output map. The audit log captures this difference data if the rule returns 0 (reject attestation) or 2 (approve attestation), just as the predefined Reject Changed Users rule does.
You can use the Reject Changed Users rule to verify exactly what Identity Manager thinks is different and you can look at the auditable attributes in the resulting audit log records.
Inputs:
Accepts the following arguments:
context: LighthouseContext
review.scanId: Current access scan ID
review.username: Identity Manager account name of user being scanned
review.userId: Identity Manager ID of user being scanned
attestors: Attestors’ Identity Manager account names
userView: Current User view
You must specify the following for a custom Review Determination rule:
AuthType |
AccessScanRule |
SubType |
REVIEW_REQUIRED_RULE |
Called |
During access scan, after evaluating all audit policies and before dispatching the user entitlement |
Returns |
An integer, or a map whose result entry holds the integer. The predefined Reject Changed Users rule returns 0 (reject attestation) or 2 (approve attestation); a map can also carry reason and attestorHint entries, as shown in the example earlier in this section. |
Predefined Rules |
Reject Changed Users, Review Changed Users, Review Everyone (see Table 4–13) |
Location |
Compliance > Manage Access Scans > Access Scan > Review Determination Rule |
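To make the comparison described above concrete, the following Python is an added example, not the FormUtil.compareUserViews implementation or the predefined Reject Changed Users rule (neither body is on this page). It models a subpath comparison of two User views, returns the differences in the reason entry so the audit log records them, rejects a changed user with 0 and approves an unchanged one with 2 as the page states, and adds a privileged-access hint for the attestor. The view layout, the dotted subpath syntax, the privileged group names and the use of 1 to mean "attest manually" are assumptions of the example.

```python
"""Review Determination logic modelled in Python, added as an example.

Not the page's FormUtil.compareUserViews or the predefined Reject Changed
Users rule (their bodies are not on the page); this is a stand-alone model
of the comparison the page describes. Assumptions: User views are nested
dicts and lists; a subpath is a dotted GenericObject-style path such as
'accounts' or 'accounts.AD'; return codes follow the page (0 rejects,
2 approves) and 1 is taken to mean manual attestation, with the
attestorHint carried in the map as in the page's example.
"""

REJECT, MANUAL, APPROVE = 0, 1, 2
PRIVILEGED_GROUPS = {"Domain Admins", "root", "wheel"}   # assumed

def get_path(obj, path):
    """Walk a dotted path through dicts and lists; None if it does not exist."""
    current = obj
    for part in path.split(".") if path else []:
        if isinstance(current, dict):
            current = current.get(part)
        elif isinstance(current, list) and part.isdigit() and int(part) < len(current):
            current = current[int(part)]
        else:
            return None
    return current

def diff(old, new, prefix=""):
    """List every leaf that differs, as 'path: old -> new'."""
    out = []
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            out += diff(old.get(key), new.get(key), f"{prefix}.{key}" if prefix else key)
    elif isinstance(old, list) and isinstance(new, list):
        for idx in range(max(len(old), len(new))):
            o = old[idx] if idx < len(old) else None
            n = new[idx] if idx < len(new) else None
            out += diff(o, n, f"{prefix}[{idx}]")
    elif old != new:
        out.append(f"{prefix}: {old!r} -> {new!r}")
    return out

def compare_user_views(user_view, last_user_view, subpath=""):
    """Model of compareUserViews(userView, lastUserView, subpath)."""
    return diff(get_path(last_user_view, subpath), get_path(user_view, subpath), subpath)

def privileged_accounts(user_view):
    """Accounts in the view that hold one of the assumed privileged groups."""
    hits = []
    for name, account in user_view.get("accounts", {}).items():
        if set(account.get("groups", [])) & PRIVILEGED_GROUPS:
            hits.append(name)
    return hits

def review_determination(user_view, last_user_view, subpath="accounts"):
    """Reject Changed Users with a privilege hint: reject if anything under
    `subpath` changed since the last approved entitlement (the differences go
    into 'reason' so the audit log records them), ask for manual attestation
    of privileged access or of a first-time review, otherwise approve."""
    if last_user_view is None:
        return {"result": MANUAL, "reason": "no previously approved entitlement",
                "attestorHint": "first review of this user"}
    changes = compare_user_views(user_view, last_user_view, subpath)
    if changes:
        return {"result": REJECT, "reason": "; ".join(changes)}
    privileged = privileged_accounts(user_view)
    if privileged:
        return {"result": MANUAL, "reason": "unchanged but privileged",
                "attestorHint": "privileged access on " + ", ".join(privileged)}
    return {"result": APPROVE, "reason": "unchanged since last approved entitlement"}
```

Scoping the comparison to accounts is what keeps bookkeeping changes elsewhere in the view (a modification timestamp, for instance) from forcing a rejection, while a new group on a resource account is caught and named in the reason.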
If an access scan has users scoped by a rule, the User Scope rule is evaluated to determine a list of users to scan.
Inputs:
Accepts the lhcontext argument
You must specify the following for a custom User Scope rule:
AuthType |
AccessScanRule |
SubType |
USER_SCOPE_RULE |
Called |
At the beginning of an access scan |
Returns |
An Identity Manager user name or a list of Identity Manager user names. Each name must be a valid Identity Manager user name. |
Predefined Rules |
All Administrators, All Non-Administrators, Users Without a Manager (see Table 4–13) |
Location |
Compliance > Manage Access Scans > Access Scan > User Scope Rule |
Use the ViolationPriority rule to allow a deployment to specify what the valid violation priorities are, and what the corresponding display strings will be.
Inputs:
None
You must specify the following for a custom ViolationPriority rule:
AuthType |
EndUserAuditorRule |
SubType |
Not specified |
Called |
When displaying the violation list and when changing violation priority. |
Returns |
A list of key/value pairs, each an integer priority value followed by its display string. The integer values must be contiguous because the rule returns a list, not a map: the calling form expects an array rather than a map, so if the highest priority value is 100, the list must have 200 elements (alternating integer and string). The list both maps each integer to its display string and populates the selection in the form where you change the priority. Note – You can customize this rule to change the display value for any priority setting. After a ComplianceViolation is created, you can change priority values in the Remediation WorkItem list viewer: select one or more Remediation WorkItems, and then select Prioritize. To see these values in the Remediation WorkItem list view, you must edit the approval/remediate.jsp page and set the includeCV option to true (the default is false). Enabling this more detailed view affects performance, which may be unacceptable for deployments with many Remediations. |
Predefined Rules |
ViolationPriority |
Location |
Called from the Remediation List Form |
Use the ViolationSeverity rule to allow a deployment to specify what the valid violation severities are, and what the corresponding display strings will be.
Inputs:
None
You must specify the following for a custom ViolationSeverity rule:
AuthType |
EndUserAuditorRule |
SubType |
Not specified |
Called |
When displaying the violation list and when changing violation severity. |
Returns |
A list of key/value pairs, each an integer severity value followed by its display string. The integer values must be contiguous because the rule returns a list, not a map: the calling form expects an array rather than a map, so if the highest severity value is 100, the list must have 200 elements (alternating integer and string). The list both maps each integer to its display string and populates the selection in the form where you change the severity. Note – You can customize this rule to change the display value for any severity setting. After a ComplianceViolation is created, you can change severity values in the Remediation WorkItem list viewer: select one or more Remediation WorkItems, and then select Prioritize. To see these values in the Remediation WorkItem list view, you must edit the approval/remediate.jsp page and set the includeCV option to true (the default is false). Enabling this more detailed view affects performance, which may be unacceptable for deployments with many Remediations. |
Predefined Rules |
ViolationSeverity |
Location |
Called from the Remediation List Form |
The following example demonstrates how to use the Sample Auditor Rule Multiple Account Types rule, located at sample/rules/SampleAuditorRuleMultipleAccountTypes.xml.
Set up a resource with multiple account types. The following IdentityRule builds the identity of the admin account type by prefixing the accountId with adm:
```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
  <Rule subtype='IdentityRule' name='Administrator Identity'>
    <concat>
      <s>adm</s>
      <ref>attributes.accountId</ref>
    </concat>
  </Rule>
</Waveset>
```
Add a user with two accounts on the resource and set up a user form so that the new resource attributes are directly assigned separately:
```
account[Simulated Resource].department
account[Simulated Resource|admin].department
```
Assign different values for each account and test the policy rule.
ComplianceViolations support numeric severity and priority attributes that enable you to distinguish between violations by severity or priority. You can assign these attributes to the violation, based on Audit rule output.
For example, if the Audit rule provides the following output, the resulting ComplianceViolation will have a severity of 3 and a priority of 4.
```xml
<map>
  <s>result</s>
  <i>1</i>
  <s>severity</s>
  <i>3</i>
  <s>priority</s>
  <i>4</i>
</map>
```
The following rules map between a ComplianceViolation’s numeric value and its display string value:
ViolationSeverity: Indicates the seriousness of the violation.
ViolationPriority: Indicates the order in which a ComplianceViolation would be addressed.
Identity Auditor allows you to customize these rules by changing the display value for any severity or priority setting.
After creating a ComplianceViolation, you can view and change the severity and priority values in the Remediation WorkItem list viewer by selecting one or more Remediation WorkItems, and then clicking Prioritize.
To view severity and priority values in the Remediation WorkItem list viewer, you must change the approval/remediate.jsp page to set the includeCV option to true (default is false).
However, be aware that enabling a more-detailed view affects performance, which may be unacceptable for deployments with lots of Remediations.
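The two constraints worth checking before deploying customized ViolationPriority and ViolationSeverity rules are that the returned list alternates integer and display string and that the integers are contiguous, since the form indexes a list rather than a map. The following Python is an added example, not the predefined rules themselves: it builds such a list from a value-to-label mapping and refuses gaps, resolves an integer to its display string, and interprets an audit rule's output (a bare integer or the map with result, severity and priority shown above) into the fields a ComplianceViolation would carry. The scale values and the reading of result 1 as "violated" are assumptions of the example.

```python
"""ViolationPriority / ViolationSeverity lists and audit rule output, added
as an example; not the predefined rules. Assumptions: the rule's return value
is modelled as a flat Python list alternating integer and display string, as
the page describes, and an audit rule result of 1 (true) creates a violation.
"""

def violation_scale(labels):
    """Build the [int, str, int, str, ...] list from {value: label} and
    refuse gaps: the consumer indexes a list, not a map, so values must be
    contiguous (100 values means 200 elements)."""
    values = sorted(labels)
    if not values or values != list(range(values[0], values[0] + len(values))):
        raise ValueError(f"values must be contiguous, got {values}")
    scale = []
    for value in values:
        scale += [value, str(labels[value])]
    return scale

def display_string(scale, value):
    """Display string for an integer; an unknown value shows as its number."""
    for i in range(0, len(scale) - 1, 2):
        if scale[i] == value:
            return scale[i + 1]
    return str(value)

def compliance_violation(rule_output, priority_scale, severity_scale):
    """Turn an audit rule's output into the ComplianceViolation fields the
    Remediation WorkItem list displays, or None when the rule did not fire.
    The output is either a bare integer or a map with 'result' plus
    optional 'severity' and 'priority', as in the page's XML example."""
    if isinstance(rule_output, dict):
        result = rule_output["result"]
        severity = rule_output.get("severity")
        priority = rule_output.get("priority")
    else:
        result, severity, priority = int(rule_output), None, None
    if not result:
        return None
    return {
        "severity": severity,
        "priority": priority,
        "severityDisplay": None if severity is None else display_string(severity_scale, severity),
        "priorityDisplay": None if priority is None else display_string(priority_scale, priority),
    }

# Constructed scales; the real deployment values live in the two rules.
PRIORITY = violation_scale({1: "Low", 2: "Medium", 3: "High", 4: "Urgent"})
SEVERITY = violation_scale({1: "Info", 2: "Minor", 3: "Major"})

if __name__ == "__main__":
    print(compliance_violation({"result": 1, "severity": 3, "priority": 4}, PRIORITY, SEVERITY))
```

Validating the scale once, when the rule is authored, is cheaper than discovering a gap as a blank or mislabelled priority in the Remediation WorkItem list after includeCV has been enabled.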
This section describes the following example Service Provider rules: confirmation rules, correlation rules, and account locking rules.
The example Service Provider confirmation rules have access to the list of candidate accountIds under the candidates path and to the Service Provider User view under the view path.
Inputs:
None
You must specify the following for a custom Service Provider confirmation rule:
AuthType |
SPERule |
SubType |
SUBTYPE_SPE_LINK_CONFIRMATION_RULE |
Returns |
A null or a string representing the confirmed accountId |
Predefined Rules |
None |
The following table describes the example confirmation rules you can use to customize Service Provider.
Table 4–14 Example Service Provider Confirmation Rules
Rule Name | Description |
---|---|
Service Provider Example Confirmation Rule Rejecting All Candidates | Rejects all candidates from a link correlation rule. Returns a null. |
Service Provider Example Confirmation Rule Returning First Candidate | Returns the first accountId from the candidate list. |
Service Provider Example Confirmation Rule Selecting Candidates Using AccountId | Returns the candidate that matches the accountId in the view. If the rule cannot find the accountId from the view in the candidate list, then the rule returns a null. |
The example Service Provider correlation rules have access to the Service Provider User view.
Inputs:
None
You must specify the following for a custom Service Provider correlation rule:
AuthType |
SPERule |
SubType |
SUBTYPE_SPE_LINK_CORRELATION_RULE |
Returns |
A single accountId, a list of accountIds, or an option map |
Predefined Rules |
None |
The following table describes the example correlation rules you can use to customize Service Provider.
Table 4–15 Example Service Provider Correlation Rules
Rule Name | Description |
---|---|
Service Provider Example Correlation Rule for LDAP Returning Option Map | Returns an option map with a search filter to be used with an LDAP adapter. The LDAP Resource Adapter allows a filter to be passed to scope the search operation. The filter is expected to be an LDAP search filter. |
Service Provider Example Correlation Rule for Simulated Returning Option Map | Returns an option map with a search filter to be used with a Simulated Resource Adapter. The Simulated Resource Adapter allows a filter to be passed to scope the search operation. This adapter expects the search filter to be an AttributeExpression. |
Service Provider Example Correlation Rule Returning List of Identities | Returns a list of accountIds in LDAP DN format that are composed from the accountId in the view. |
Service Provider Example Correlation Rule Returning Single Identity | Returns a single accountId in LDAP DN format composed from the accountId in the view. |
The example Service Provider account locking rules have access to the Service Provider User view and they lock or unlock accounts in a Sun Directory Server.
Inputs:
See Table 4–16.
You must specify the following for a custom Service Provider account locking rule:
AuthType |
SPERule |
SubType |
Not specified |
Returns |
Nothing |
Predefined Rules |
None |
The following table describes the example account locking rules you can use to customize Service Provider.
Table 4–16 Example Service Provider Account Locking Rules
Rule Name | Input Variable | Description |
---|---|---|
Service Provider Example Lock Account Rule | lockExpirationDate: A possibly null java.util.Date at which the lock should expire. | Locks an account in a Sun Directory Server. This rule modifies top-level attributes in the Service Provider user view. |
Service Provider Example Unlock Account Rule | None | Unlocks an account in a Sun Directory Server. This rule modifies top-level attributes in the Service Provider user view. |