Sun Identity Manager 8.1 Business Administrator's Guide

Correlation and Confirmation Rules

Use correlation and confirmation rules when you do not have the Identity Manager user name available to put in the user field of your actions. If you do not specify a value for the user field, then you must specify a correlation rule when launching the bulk action. If you do specify a value for the user field, then the correlation and confirmation rules will not be evaluated for that action.

A correlation rule looks for Identity Manager users that match the action fields. A confirmation rule tests an Identity Manager user against the action fields to determine whether the user is a match. This two-stage approach allows Identity Manager to optimize correlation by quickly finding possible users (based on name or attributes), and by performing expensive checks only on the possible users.

Create a correlation or confirmation rule by creating a rule object with a subtype of SUBTYPE_ACCOUNT_CORRELATION_RULE or SUBTYPE_ACCOUNT_CONFIRMATION_RULE, respectively.

For more information about correlation and confirmation rules, see Chapter 4, Data Loading and Synchronization, in Sun Identity Manager Deployment Guide.

Correlation Rules

Input for any correlation rule is a map of the action fields. Output must be one of the following:

A typical correlation rule generates a list of user names based on values of the fields in the action. A correlation rule may also generate a list of attribute conditions (referring to queryable attributes of Type.USER) that will be used to select users.

A correlation rule should be relatively inexpensive but as selective as possible. If possible, defer expensive processing to a confirmation rule.

Attribute conditions must refer to queryable attributes of Type.USER. These are configured in the Identity Manager configuration object named IDM Schema Configuration.

Correlating on an extended attribute requires special configuration:

The extended attribute must be specified as queryable.

ProcedureTo Set an Extended Attribute as Queryable

  1. Open IDM Schema Configuration. You must have the IDM Schema Configuration capability to view or edit IDM Schema Configuration.

  2. Locate the <IDMObjectClassConfiguration name=’User’> element.

  3. Locate the <IDMObjectClassAttributeConfiguration name=’ xyz ’> element, where xyz is the name of the attribute that you want to set as queryable.

  4. Set queryable=’true’

    In Correlation Rules the email extended attribute is defined as queryable.

Example 3–1 XML Excerpt That Defines the Email Extended Attribute as Queryable

    <IDMAttributeConfiguration name=’email’ syntax=’STRING’/>
    <IDMObjectClassConfiguration name=’User’ extends=’Principal’ description=’User description’>
      <IDMObjectClassAttributeConfiguration name=’email’ queryable=’true’/>

You must restart the Identity Manager application (or the application server) for the IDM Schema Configuration change to take effect.

Confirmation Rules

Inputs to any confirmation rule are as follows:

A confirmation rule returns a string-form Boolean value of true if the user matches the action fields; otherwise, it returns a value of false.

A typical confirmation rule compares internal values from the user view to the values of the action fields. As an optional second stage in correlation processing, the confirmation rule performs checks that cannot be expressed in a correlation rule (or that are too expensive to evaluate in a correlation rule).

In general, you need a confirmation rule only for the following situations:

A confirmation rule is run once for each matching user returned by the correlation rule.