Sun Identity Manager Deployment Reference

User Scope Rules

If an access scan has users scoped by a rule, the User Scope rule is evaluated to determine a list of users to scan.


Accepts the lhcontext argument

You must specify the following for a custom User Scope rule:






At the beginning of an access scan 


An Identity Manager user name or a list of Identity Manager user names. Each name must be a valid Identity Manager user name.

  • If the results contain any names that cannot be resolved to valid Identity Manager user names, the rule returns an error.

  • If the results contain any duplicate user names, the rule returns an error.

Note –
  • An access scan that scans the same user multiple times might fail to create the attestation workflow for a subsequent instance of the same user. Therefore, a customized implementation of the User Scope rule should provide checks to avoid duplicate users in the output.

  • This rule can return accounts that are not available to the administrator running the scan. In this case, the scan will attempt to get the account’s User view and fail; resulting in an error in the scan task.

Predefined Rules 

  • All Administrators: Returns all users with administrative capabilities assigned.

  • All Non-Administrators: Returns all users with no administrative capabilities assigned.

  • Users Without Manager: Returns all user accounts with no manager (idmManager) assigned.


Compliance > Manage Access Scans > Access Scan > User Scope Rule