Sun Identity Manager Deployment Reference

ExcludedAccountsRule

The ExcludedAccountsRule supports the exclusion of resource accounts from resource operations.

Inputs:

Accepts the following arguments:

You must specify the following for a custom ExcludedAccountsRule rule:

AuthType: ExcludedAccountsRule
SubType: Not specified
Returns: A list of zero or more strings

Predefined Rules 

  • Microsoft SQL Server Excluded Resource Accounts

  • Sun Access Manager Excluded Resource Accounts

  • Unix Excluded Resource Accounts

  • Windows Excluded Resource Accounts

The following example illustrates authType use and excludes the specified resource accounts for UNIX adapters.

Example 4–27 Exemplifying authType Use

<Rule name='ExcludedResourceAccounts' authType='ExcludedAccountsRule'>
   <RuleArgument name='accountID'/>
   <!-- System accounts that UNIX adapters must never operate on -->
   <defvar name='excludedList'>
      <List>
         <String>root</String>
         <String>daemon</String>
         <String>bin</String>
         <String>sys</String>
         <String>adm</String>
         <String>uucp</String>
         <String>nuucp</String>
         <String>listen</String>
         <String>lp</String>
      </List>
   </defvar>
   <!-- Return true (account excluded) when accountID is in the list -->
   <cond>
      <eq>
         <contains>
            <ref>excludedList</ref>
            <ref>accountID</ref>
         </contains>
         <i>1</i>
      </eq>
      <Boolean>true</Boolean>
      <Boolean>false</Boolean>
   </cond>
</Rule>

The next example shows how to use the operation parameter. With it you can manipulate the “Test User” resource account, without impacting Identity Manager, while Active Sync is running against the resource.

Example 4–28 Example Using operation Parameter
<Rule name='Example Excluded Resource Accounts' authType='ExcludedAccountsRule'>
   <!-- Exclude all operations on the 'Administrator' account.
        Exclude Active Sync events on the 'Test User' account. -->
   <RuleArgument name='accountID'/>
   <RuleArgument name='operation'/>
   <!-- List of IAPI operations -->
   <defvar name='iapiOperations'>
      <List>
         <String>iapi_create</String>
         <String>iapi_update</String>
         <String>iapi_delete</String>
      </List>
   </defvar>
   <or>
      <!-- Always ignore the administrator account. -->
      <cond>
         <eq>
            <s>Administrator</s>
            <ref>accountID</ref>
         </eq>
         <Boolean>true</Boolean>
         <Boolean>false</Boolean>
      </cond>
      <!-- Ignore IAPI events for the 'Test User' account -->
      <and>
         <cond>
            <eq>
               <contains>
                  <ref>iapiOperations</ref>
                  <ref>operation</ref>
               </contains>
               <i>1</i>
            </eq>
            <Boolean>true</Boolean>
            <Boolean>false</Boolean>
         </cond>
         <cond>
            <eq>
               <ref>accountID</ref>
               <s>Test User</s>
            </eq>
            <Boolean>true</Boolean>
            <Boolean>false</Boolean>
         </cond>
      </and>
   </or>
</Rule>

This example shows an ExcludedAccountsRule for RACF.

Example 4–29 ExcludedAccountsRule for RACF

<Rule name="RACF EAR" authType="ExcludedAccountsRule"> 
   <RuleArgument name="accountID"/> 
   <block> 
      <defvar name="excludedList"> 
         <List> 
            <String>irrcerta</String> 
            <String>irrmulti</String> 
            <String>irrsitec</String> 
            <String>IBMUSER</String> 
         </List> 
      </defvar> 
      <cond> 
         <eq> 
            <containsAny> 
               <ref>excludedList</ref> 
               <list> 
                  <upcase> 
                     <ref>accountID</ref> 
                  </upcase> 
                  <ref>accountID</ref> 
               </list> 
            </containsAny> 
            <i>1</i> 
         </eq> 
         <Boolean>true</Boolean>
         <Boolean>false</Boolean>
      </cond> 
   </block> 
</Rule>

This final example shows an ExcludedAccountsRule for RACF LDAP.

Example 4–30 Excluded Accounts Rule for RACF LDAP

<Rule name="Test RACF_LDAP Case Insensitive Excluded Resource Accounts" 
authType="ExcludedAccountsRule"> 
   <RuleArgument name="accountID"/> 
   <block> 
      <defvar name="excludedList"> 
         <List> 
            <String>irrcerta</String> 
            <String>irrmulti</String> 
            <String>irrsitec</String> 
            <String>IBMUSER</String> 
         </List> 
      </defvar> 
      <defvar name="convertedId"> 
         <get> 
            <split> 
               <get> 
                  <split> 
                     <ref>accountID</ref> 
                     <s>,</s> 
                  </split> 
                  <i>0</i> 
               </get> 
               <s>=</s> 
            </split> 
            <i>1</i> 
         </get> 
      </defvar> 
      <cond> 
         <eq> 
            <containsAny> 
               <ref>excludedList</ref> 
               <list> 
                  <upcase> 
                     <ref>convertedId</ref> 
                  </upcase> 
                   <ref>convertedId</ref>
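A Python model of the decisions these rules make, added here as an example and not taken from the Sun Identity Manager reference or the product: it mirrors the list check of Example 4–27, the operation gating of Example 4–28 and the case handling and DN conversion of Examples 4–29 and 4–30, so a deployer can check offline which (accountID, operation) pairs a rule excludes before loading it. It assumes that a rule result of true means the account is skipped, that XPRESS contains/containsAny are case-sensitive exact matches, and that the RACF LDAP accountID is a DN whose first RDN carries the user ID; the sample DN in the comments is constructed.

```python
# Added model of the exclusion logic in Examples 4-27 to 4-30 (not Sun IdM code).
# Assumptions: rule result true == account excluded; XPRESS <contains> and
# <containsAny> are case-sensitive exact matches; the RACF LDAP accountID is a DN
# such as the constructed "racfid=ibmuser,profiletype=user,cn=racf".
from typing import Optional

UNIX_EXCLUDED = ["root", "daemon", "bin", "sys", "adm", "uucp", "nuucp", "listen", "lp"]
IAPI_OPERATIONS = ["iapi_create", "iapi_update", "iapi_delete"]
RACF_EXCLUDED = ["irrcerta", "irrmulti", "irrsitec", "IBMUSER"]


def unix_excluded(account_id: str) -> bool:
    """Example 4-27: exact, case-sensitive membership test ("Root" is not excluded)."""
    return account_id in UNIX_EXCLUDED


def operation_excluded(account_id: str, operation: str) -> bool:
    """Example 4-28: Administrator is excluded from every operation; "Test User"
    only from IAPI (Active Sync) events, so Identity Manager's own provisioning
    operations on that account still go through."""
    if account_id == "Administrator":
        return True
    return operation in IAPI_OPERATIONS and account_id == "Test User"


def racf_ldap_id(account_id: str) -> Optional[str]:
    """Example 4-30's convertedId: first RDN of the DN, value after its '='.
    Returns None when there is no '=' (assumption: the model then treats the
    account as not excluded instead of raising)."""
    parts = account_id.split(",")[0].split("=")
    return parts[1] if len(parts) > 1 else None


def racf_excluded(account_id: str, from_dn: bool = False) -> bool:
    """Examples 4-29/4-30: <containsAny> over [upcase(id), id].  Note the
    asymmetry: "ibmuser" matches via upcase, but "IRRCERTA" matches neither
    candidate because that list entry is lower case."""
    rid = racf_ldap_id(account_id) if from_dn else account_id
    if rid is None:
        return False
    return any(c in RACF_EXCLUDED for c in (rid.upper(), rid))


def racf_excluded_any_case(account_id: str, from_dn: bool = False) -> bool:
    """Fully case-insensitive variant: upper-cased ID against upper-cased list."""
    rid = racf_ldap_id(account_id) if from_dn else account_id
    return rid is not None and rid.upper() in {e.upper() for e in RACF_EXCLUDED}
```

The containsAny check as written only tolerates case variants of entries listed in upper case, so an ID such as "IRRCERTA" is not excluded; review each resource's list against the account IDs the adapter actually returns so that no account you meant to protect is silently processed.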