Correlation Rules (Sun Identity Manager 8.1 Business Administrator's Guide)

Sun Identity Manager 8.1 Business Administrator's Guide

Correlation Rules

Input for any correlation rule is a map of the action fields. Output must be one of the following:

String (containing user name or ID)
List of String elements (each a user name or ID)
List of WSAttribute elements
List of AttributeCondition elements

A typical correlation rule generates a list of user names based on values of the fields in the action. A correlation rule may also generate a list of attribute conditions (referring to queryable attributes of Type.USER) that will be used to select users.

A correlation rule should be relatively inexpensive but as selective as possible. If possible, defer expensive processing to a confirmation rule.

Attribute conditions must refer to queryable attributes of Type.USER. These are configured in the Identity Manager configuration object named IDM Schema Configuration.

Correlating on an extended attribute requires special configuration:

The extended attribute must be specified as queryable.

To Set an Extended Attribute as Queryable

Open IDM Schema Configuration. You must have the IDM Schema Configuration capability to view or edit IDM Schema Configuration.

Locate the <IDMObjectClassConfiguration name=’User’> element.

Locate the <IDMObjectClassAttributeConfiguration name=’ xyz ’> element, where xyz is the name of the attribute that you want to set as queryable.

Set queryable=’true’

In Correlation Rules the email extended attribute is defined as queryable.

Example 3–1 XML Excerpt That Defines the Email Extended Attribute as Queryable

<IDMSchemaConfiguration>
  <IDMAttributeConfigurations>
    <IDMAttributeConfiguration name=’email’ syntax=’STRING’/>
    </IDMAttributeConfiguration>
  </IDMAttributeConfigurations>
  <IDMObjectClassConfigurations>
    <IDMObjectClassConfiguration name=’User’ extends=’Principal’ description=’User description’>
      <IDMObjectClassAttributeConfiguration name=’email’ queryable=’true’/>
    </IDMObjectClassConfiguration>
  </IDMObjectClassConfigurations>
 </IDMSchemaConfiguration>

You must restart the Identity Manager application (or the application server) for the IDM Schema Configuration change to take effect.