The ExcludedAccountsRule supports the exclusion of resource accounts from resource operations.
Inputs:
Accepts the following arguments:
accountId: String account ID being tested.
You can compare the accountId argument to one or more resource accounts that should be excluded from Waveset.
operation: Resource operation to be performed.
The rule can use the operation argument to have finer control over which resource accounts are exempt from the actions specified by the operation parameter. If an operation parameter is not used within the rule, every account identified by the rule is excluded from all of the listed operations.
The operation parameter can contain the following values:
create
update
delete
rename (used when the only detected change is a new account ID)
rename_with_update
list
iapi_create (only used within Active Sync)
iapi_update (only used within Active Sync)
iapi_delete (only used within Active Sync)
You must specify the following for a custom ExcludedAccountsRule rule:
The following example illustrates subType use and excludes the specified resource accounts for UNIX adapters.
<Rule name='ExcludedResourceAccounts' authType='ExcludedAccountsRule'>
  <RuleArgument name='accountID'/>
  <!-- System accounts that are excluded on UNIX resources -->
  <defvar name='excludedList'>
    <List>
      <String>root</String>
      <String>daemon</String>
      <String>bin</String>
      <String>sys</String>
      <String>adm</String>
      <String>uucp</String>
      <String>nuucp</String>
      <String>listen</String>
      <String>lp</String>
    </List>
  </defvar>
  <!-- Return true (exclude) when accountID is in the list -->
  <cond>
    <eq>
      <contains>
        <ref>excludedList</ref>
        <ref>accountID</ref>
      </contains>
      <i>1</i>
    </eq>
    <Boolean>true</Boolean>
    <Boolean>false</Boolean>
  </cond>
</Rule>
The next example shows how to use the operation parameter. This parameter allows you to manipulate the “Test User” resource account without impacting Waveset if Active Sync is running against the resource.
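An added illustration of the operation argument described above, not taken from the original page: it excludes the "Test User" account only when the operation is one of the Active Sync values (iapi_create, iapi_update, iapi_delete), so every other operation on that account is still processed. The rule name and the activeSyncOps variable are assumptions made for this example; the argument is declared as accountID, as in the page's other rules.

```xml
<!-- Added example: rule name and activeSyncOps are hypothetical -->
<Rule name="Example Operation Scoped Exclusion" authType="ExcludedAccountsRule">
  <RuleArgument name="accountID"/>
  <RuleArgument name="operation"/>
  <block>
    <!-- Operation values that are only used within Active Sync -->
    <defvar name="activeSyncOps">
      <List>
        <String>iapi_create</String>
        <String>iapi_update</String>
        <String>iapi_delete</String>
      </List>
    </defvar>
    <cond>
      <and>
        <!-- The account named on this page -->
        <eq>
          <ref>accountID</ref>
          <s>Test User</s>
        </eq>
        <!-- Exclude only when the operation comes from Active Sync -->
        <eq>
          <contains>
            <ref>activeSyncOps</ref>
            <ref>operation</ref>
          </contains>
          <i>1</i>
        </eq>
      </and>
      <Boolean>true</Boolean>
      <Boolean>false</Boolean>
    </cond>
  </block>
</Rule>
```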
This example shows an ExcludedAccountsRule for RACF.
<Rule name="RACF EAR" authType="ExcludedAccountsRule">
  <RuleArgument name="accountID"/>
  <block>
    <defvar name="excludedList">
      <List>
        <String>irrcerta</String>
        <String>irrmulti</String>
        <String>irrsitec</String>
        <String>IBMUSER</String>
      </List>
    </defvar>
    <!-- Test both the upper-cased ID and the ID as given -->
    <cond>
      <eq>
        <containsAny>
          <ref>excludedList</ref>
          <list>
            <upcase>
              <ref>accountID</ref>
            </upcase>
            <ref>accountID</ref>
          </list>
        </containsAny>
        <i>1</i>
      </eq>
      <Boolean>true</Boolean>
      <Boolean>false</Boolean>
    </cond>
  </block>
</Rule>
This final example shows an ExcludedAccountsRule for RACF LDAP.
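<Rule name="Test RACF_LDAP Case Insensitive Excluded Resource Accounts" authType="ExcludedAccountsRule">
  <RuleArgument name="accountID"/>
  <block>
    <defvar name="excludedList">
      <List>
        <String>irrcerta</String>
        <String>irrmulti</String>
        <String>irrsitec</String>
        <String>IBMUSER</String>
      </List>
    </defvar>
    <!-- Take the text before the first comma, then the value after "=" -->
    <defvar name="convertedId">
      <get>
        <split>
          <get>
            <split>
              <ref>accountID</ref>
              <s>,</s>
            </split>
            <i>0</i>
          </get>
          <s>=</s>
        </split>
        <i>1</i>
      </get>
    </defvar>
    <cond>
      <eq>
        <containsAny>
          <ref>excludedList</ref>
          <list>
            <upcase>
              <ref>convertedId</ref>
            </upcase>
            <ref>convertedId</ref>
          </list>
        </containsAny>
        <!-- The source page is cut off after the list above; the remaining elements are assumed to mirror the RACF rule above. -->
        <i>1</i>
      </eq>
      <Boolean>true</Boolean>
      <Boolean>false</Boolean>
    </cond>
  </block>
</Rule>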