14 Managing Home Organization Policy

When a user submits a request for self-registration, the home organization of the user is determined by the home organization policy. The organization name, as determined by the home organization policy, is filled in on the submitted request. The approver can override the home organization of the user while approving the request. If a pre-process custom handler is defined to determine the home organization during self-registration, then the home organization policy is not evaluated. If a workflow policy is defined, then it takes precedence over the home organization policy.

In the home organization policy, you can define rules based on user attributes. The return value of a rule is the organization name. Rules are evaluated in the order in which they appear on the Home Organization Policy page in Oracle Identity System Administration, from the first rule to the last. Rules can be re-ordered from the Home Organization Policy page. Rule evaluation stops when a rule matches and the organization name is returned; the remaining rules are not evaluated.

This chapter includes the following sections:

  • Features of Home Organization Policy

  • Creating a Rule in Home Organization Policy

  • Modifying a Rule in Home Organization Policy

  • Deleting a Rule in Home Organization Policy

14.1 Features of Home Organization Policy

During Oracle Identity Manager deployment, a default home organization policy called Home Organization Determination Policy and a default rule called Default All Users To Single Organization is seeded, if not already present. Oracle Identity Manager does not allow you to define new home organization policies. However, new rules can be created under the default home organization policy.

The Default All Users To Single Organization rule is satisfied by every user. If for any reason the default rule is deleted, and a user does not satisfy any other rule, then the home organization of that user is left blank in the submitted request. The approver can fill in the home organization name before approving. When the SOA server is disabled, the approver cannot fill in the home organization name, so a blank home organization field results in request failure. Ensure that rules are defined in such a way that every user satisfies at least one rule and is assigned a home organization.

Rules in the home organization policy can be defined using Text, Number, Checkbox, and Date type UDFs. However, Lookup type UDFs cannot be added to the self-registration page. The list of operators available to build the IF condition differs for each type of UDF.

The following use cases show how Home Organization Policy works:

14.1.1 Self Registration Use Case Using Default Rule

The default rule is named Default All Users To Single Organization Rule. This rule can be modified but cannot be deleted.

The condition defined is:

IF user.User Login  Equals  $(user.User Login) THEN organization equals "Xellerate Users"

The default condition always evaluates to True. Thus, if no other rule defined in the Home Organization Policy is satisfied, the default rule is always satisfied and provides the home organization name.

For example, when a user with the user login User1 submits a self-registration request, and no other rule is defined or satisfied, the default rule is evaluated and the home organization is set to Xellerate Users.

14.1.2 Self Registration Use Case Using Simple Rule

A simple rule is a rule created with a single IF condition, without using an operator such as AND or OR.

For example, if a rule called ExampleSimpleRule is defined with the following condition:

IF user.Nickname Starts with "Test" THEN organization equals "testOrg2"

Here, user.Nickname is a text UDF attribute.

Now, if a user with the nickname TestUser2 submits a self-registration request, the rule condition is satisfied and the home organization is set to testOrg2.

14.1.3 Self Registration Use Case Using Complex Rule

A complex rule is a rule created with more than one IF condition and uses AND/OR operators to form the rule.

For example, if a rule called ExampleComplexRule is defined with the following condition:

IF user.Nickname Starts with "Test" AND user.Display Name Ends with "User" THEN organization equals "testOrg3"

Here, user.Nickname is a UDF attribute and user.Display Name is a default attribute.

Now, if a user with the nickname TestUser3 and the display name testUser submits a self-registration request, the rule condition is satisfied and the home organization is set to testOrg3.

14.1.4 Rule Evaluation Order

When a user self-registers, the first rule evaluated is the top rule in the list on the Home Organization Policy page, followed by the next rule, and so on to the last rule. Evaluation stops as soon as a match is found. For example, suppose ExampleSimpleRule is created first, followed by ExampleComplexRule, as shown in Figure 14-1.

Figure 14-1 List of Rules Defined in Home Organization Policy Page


Then, when a user self-registers, the user's attribute values are evaluated against ExampleComplexRule first. If it does not match, evaluation proceeds to ExampleSimpleRule. If this also does not match, the values are evaluated against Default All Users To Single Organization Rule, which is the default rule.

If ExampleSimpleRule is satisfied, the home organization of the user is set according to the condition in that rule, and the default rule is not evaluated.
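To make the evaluation order concrete, here is an added Groovy model of the first-match evaluation (example code, not part of the Oracle documentation or product). The rule names, attributes and organizations are this page's examples; the HomeOrgRule class, determineHomeOrg() and the sample users are assumptions made for the model.

```groovy
// Added example (not from the Oracle documentation): a minimal model of the
// first-match evaluation described in 14.1.1 to 14.1.4, so the order effect can
// be traced. Rule, attribute and organization names are the page's examples;
// the HomeOrgRule class and determineHomeOrg() are constructed for this model.
class HomeOrgRule {
    String name
    boolean enabled = true        // disabled rules are skipped (see 14.2, step 4)
    Closure condition             // receives the user's attribute map
    String organization           // returned when the condition holds
}

// Walk the list top to bottom; stop at the first enabled rule that matches.
// Returns null when no rule matches, which is the blank-home-organization
// case that arises if the default rule has been deleted.
String determineHomeOrg(List<HomeOrgRule> rules, Map user) {
    for (rule in rules) {
        if (!rule.enabled) continue
        if (rule.condition.call(user)) return rule.organization
    }
    return null
}

List<HomeOrgRule> rules = [
    new HomeOrgRule(name: 'DisabledRule', enabled: false,
        condition: { u -> true }, organization: 'neverUsed'),
    // ExampleComplexRule: two conditions joined with AND.
    new HomeOrgRule(name: 'ExampleComplexRule',
        condition: { u -> u['user.Nickname']?.startsWith('Test') &&
                          u['user.Display Name']?.endsWith('User') },
        organization: 'testOrg3'),
    // ExampleSimpleRule: a single condition, no AND/OR.
    new HomeOrgRule(name: 'ExampleSimpleRule',
        condition: { u -> u['user.Nickname']?.startsWith('Test') },
        organization: 'testOrg2'),
    // Default All Users To Single Organization Rule: always true.
    new HomeOrgRule(name: 'Default All Users To Single Organization Rule',
        condition: { u -> u['user.User Login'] == u['user.User Login'] },
        organization: 'Xellerate Users'),
]

// Constructed sample users (attribute keys as they appear in the rule builder).
def user3 = ['user.User Login': 'User3', 'user.Nickname': 'TestUser3', 'user.Display Name': 'testUser']
def user2 = ['user.User Login': 'User2', 'user.Nickname': 'TestUser2', 'user.Display Name': 'Someone']
def user1 = ['user.User Login': 'User1', 'user.Nickname': 'Plain']
assert determineHomeOrg(rules, user3) == 'testOrg3'        // complex rule wins; simple rule never reached
assert determineHomeOrg(rules, user2) == 'testOrg2'        // complex rule fails on Display Name
assert determineHomeOrg(rules, user1) == 'Xellerate Users' // only the default rule matches
assert determineHomeOrg(rules[0..-2], user1) == null       // default rule removed: home org left blank
```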

14.1.5 Self Registration Use Case When SOA is OFF

When SOA is off and a self-registration request is submitted, the request is auto-approved and the status of the request is shown as Completed.

For the steps to disable the SOA server, see "Disabling SOA Server".

When a user submits a self-registration request in this state, the status is shown as Completed because the request is auto-approved. Evaluation of the home organization rules is the same as explained in the examples above.

14.2 Creating a Rule in Home Organization Policy

To create a rule in home organization policy:

  1. Login to Oracle Identity System Administration.

  2. In the left pane, under System Configuration, click Home Organization Policy. The Home Organization Policy window is displayed.

  3. Click Create on the toolbar. The Add Home Org Policy Rule page is displayed.

  4. Under the Create Rule section, enter the Name, Description, Owner, and Status for the new rule. The Status of a rule can be set to Enable or Disable. If the Status is set to Disable, then the rule is skipped during evaluation when a user self-registers.

  5. Set the rule condition in the Condition Builder section. For example: If Display name contains Test and Last name contains User, then Organization is Vision North America. In the first condition of this example, the attribute is Display name, the condition is Contains, and the value is Test.

    You can set the rule using Condition Builder or Script.

    • To set the rule using Condition Builder, do the following:

      1. Under the IF part of the rule, click the Condition Builder icon to enter the attribute. The Condition Builder pop-up screen is displayed.

        As an example, Figure 14-2 shows the Create Rule page with Condition Builder option to set rule.

        Figure 14-2 Creating Rule With Condition Builder Option


      2. Select User from the attribute list. The UDFs and default attributes associated with User are listed.

        Search for the required attribute in the list, or type the name of the attribute in the text box and click the Search icon. Select the attribute from the list and click OK.

      3. Select the condition from the conditions drop-down. The available conditions are Equal, Not Equal, Contains, Does Not Contain, Begins With, Does Not Begins With, Ends With, and Does Not Ends With.

        Note:

        This list varies based on the type of attribute. The list above is for the Text type. Number type attributes have conditions such as Greater than and Lesser than.

      4. To enter the value, type it in the text box and click OK, or click the Value icon to open the Condition Builder pop-up screen.

        In the Condition Builder, you can choose to enter a Value or an Expression.

        If you select Value, a list of values is displayed. Select the required value, or type the value in the text box, and click OK.

        If you select Expression, a list of conditions is displayed. Select the required one and click OK.

      5. To enter the THEN part of the rule, click the Organization icon. The Condition Builder pop-up screen is displayed. Select Organization and click OK.

      6. The condition is set to Equals by default and cannot be changed.

      7. To select the organization, click the Organization Name icon. The Condition Builder pop-up screen is displayed. Select the organization name from the list and click OK.

    • Groovy expressions are supported by default, so a rule can also be set using a script.

      To set the rule using a script, perform the following:

      1. When Script is selected, this section shows the existing script. In the following example, if the user has a department number configured, the organization value is set to the department number. If the department number is Oracle, Oracle-HQ, or Oracle-IDC, the organization value is set to that department number, so make sure that organizations named Oracle, Oracle-IDC, and Oracle-HQ exist in the system.

        // Read the user's department number from the request value object (vo).
        String deptNum = vo.getString("user.Department Number");
        // Groovy truth: a null or empty string is false, so the organization is
        // only returned when a department number was supplied.
        if (deptNum)
        {
                ValueObject rvo = new ValueObject();
                rvo.put("organization", deptNum);
                return rvo;
        }

        As an example, Figure 14-3 shows the Create Rule page with Script option to set rule.

        Figure 14-3 Creating Rule With Script Option


      2. To find a word in the script, enter it and click the Search icon. The Find and Replace panel is displayed.

      3. To jump to a particular line, enter the line number and click the Search icon.

  6. To set a complex rule, click Add Condition. Select AND or OR, and set the additional condition by following the instructions in Step 5.

  7. Click Create.

  8. The Home Organization Policies page lists all the defined rules. A rule can be moved up or down in the list to change its order: click the Up or Down arrow in the Order column of the rule.
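A variant of the Step 5 script with an allow-list, added here as an example (it is not the script shipped with the product). It only copies the department number into the organization field when the value is one of the organizations the step says must exist, so a self-registered attribute cannot name an arbitrary organization; like the original script, it assumes that returning nothing lets evaluation continue with the next rule.

```groovy
// Added example, not the product's own script: allow-listed variant of the
// Step 5 script. vo and ValueObject are the names used by the script on this page.
// Only the three organizations the step says must exist are accepted.
Set<String> allowedOrgs = ['Oracle', 'Oracle-HQ', 'Oracle-IDC'] as Set

String deptNum = vo.getString("user.Department Number")
if (deptNum) {
    deptNum = deptNum.trim()             // tolerate surrounding whitespace only
    if (allowedOrgs.contains(deptNum)) { // exact, case-sensitive match
        ValueObject rvo = new ValueObject()
        rvo.put("organization", deptNum)
        return rvo
    }
}
// Missing or unknown department number: no organization is returned here, so
// evaluation continues with the next rule (assumed to behave as in the
// original script, which also returns nothing when no department number is set).
```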

14.3 Modifying a Rule in Home Organization Policy

To modify a rule in the home organization policy:

  1. Login to Oracle Identity System Administration.

  2. In the left pane, under System Configuration, click Home Organization Policy. The Home Organization Policy window is displayed.

  3. Select the required home organization policy from the list and click Open.

  4. Modify the required details and click Update.

    If you do not want to keep the changes made to the rule, click Revert. The rule is restored to its original definition.

14.4 Deleting a Rule in Home Organization Policy

To delete a rule in the home organization policy:

  1. Login to Oracle Identity System Administration.

  2. In the left pane, under System Configuration, click Home Organization Policy. The Home Organization Policy window is displayed.

  3. Select the home organization policy rule to be deleted from the list and click Delete.