13 Managing the Home Organization Policy

Managing the home organization policy involves understanding the use cases for home organization policy and creating, editing, and deleting rules in the home organization policy.

This chapter contains the following sections:

  - About Home Organization Policy
  - Use Cases for the Home Organization Policy
  - Creating a Rule in Home Organization Policy
  - Modifying a Rule in Home Organization Policy
  - Deleting a Rule in Home Organization Policy

13.1 About Home Organization Policy

Home organization policy lets you determine the home organizations of self-registering users. The Home Organization Policy page in Oracle Identity System Administration allows you to view, create, delete, and modify rules in the home organization policy.

When a user submits a self-registration request, the home organization of the user is determined by the home organization policy. The organization name (as determined by the home organization policy) is filled in on the submitted request. The approver can override the home organization of the user while approving the request. If a pre-process custom handler is defined to determine the home organization during self-registration, then the home organization policy is not evaluated. If a workflow policy is defined, then it takes precedence over the home organization policy.

The home organization policy allows you to define rules based on user attributes. The return value of a rule is an organization name. Rules are evaluated in the order in which they appear on the Home Organization Policy page, from the first rule to the last, and they can be reordered from that page. Evaluation stops at the first rule that matches: its organization name is returned and the remaining rules are not evaluated.

During Oracle Identity Manager initialization (deployment), a default home organization policy called Home Organization Determination Policy and a default rule called Default All Users To Single Organization are seeded if not already present. New home organization policies cannot be defined by the customer; however, new rules can be created under the default home organization policy.

The Default All Users To Single Organization rule is satisfied by every user. If for any reason the default rule is deleted and a user does not satisfy any other rule, then the home organization of that user is left blank in the submitted request. The approver can fill in the home organization name before approving. In SOA OFF mode this is not supported, and a blank home organization field results in request failure. It is recommended to ensure that rules are defined in such a way that every user satisfies at least one rule and is assigned a home organization.

Rules in the home organization policy can be defined using Text, Number, Checkbox, and Date type UDFs. LookUp type UDFs cannot be added to the self-registration page. The list of operators available to build the IF condition differs for each type of UDF.

13.2 Use Cases for the Home Organization Policy

Supported use cases for the home organization policy include self-registration using default, simple, or complex rules, rule evaluation order, and self-registration when SOA is turned off.

The following use cases show how the home organization policy works:

13.2.1 Self-Registration Use Case Using Default Rule

The default rule is named Default All Users To Single Organization Rule. This rule can be modified but cannot be deleted.

The condition defined is:

IF user.User Login Equals $(user.User Login) THEN organization equals "Xellerate Users"

The default condition always evaluates to True. Thus, if no other rule defined in the home organization policy is satisfied, the default rule is always satisfied and provides the home organization name.

For example, when a user with the user login User1 submits a self-registration request, and no other rule is defined or satisfied, the default rule is evaluated and the home organization is set to Xellerate Users.

13.2.2 Self-Registration Use Case Using Simple Rule

A simple rule is a rule created with a single IF condition and without using any operator, such as AND or OR.

For example, if a rule called ExampleSimpleRule is defined with the following condition:

IF user.Nickname Starts with "Test" THEN organization equals "testOrg2"

Here, user.Nickname is a text-type UDF attribute.

Now, if a user with the nickname TestUser2 submits a self-registration request, then the rule condition is satisfied and the home organization is set to testOrg2.

13.2.3 Self-Registration Use Case Using Complex Rule

A complex rule is a rule created with more than one IF condition, combined using the AND or OR operators.

For example, if a rule called ExampleComplexRule is defined with the following condition:

IF user.Nickname Starts with "Test" AND user.Display Name Ends with "User" THEN organization equals "testOrg3"

Here, user.Nickname is a UDF attribute and user.Display Name is a default attribute.

Now, if a user with the nickname TestUser3 and the display name testUser submits a self-registration request, then the rule condition is satisfied and the home organization is set to testOrg3.

13.2.4 Use Case for Rule Evaluation Order

When a user self-registers, the first rule evaluated is the top rule in the list on the Home Organization Policy page, followed by each subsequent rule down to the last.

Evaluation stops as soon as a match is found. For example, suppose ExampleSimpleRule is created, followed by ExampleComplexRule, as shown in Figure 13-1.

Figure 13-1 List of Rules defined in Home Organization Policy Page

Then, when a user self-registers, the user attribute values are evaluated against ExampleComplexRule first. If it does not match, evaluation proceeds to ExampleSimpleRule. If this also does not match, the values are evaluated against Default All Users To Single Organization Rule, which is the default rule.

If evaluation against ExampleSimpleRule is satisfied, then the home organization of the user is set to the organization named in that rule.

13.2.5 Self-Registration Use Case When SOA is Off

When SOA is turned off and a self-registration request is submitted, the request is auto-approved and the status of the request is shown as completed.

For steps to disable the SOA server, refer to Disabling SOA Server.

When a user submits a self-registration request in this mode, the request is auto-approved and the status is shown as completed. Evaluation of the home organization rules is the same as explained in the preceding examples.
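The following Python model is added here as an illustration and is not part of Oracle Identity Manager. It shows the evaluation behaviour described in the use cases above: rules are tried in list order, the first match wins, a disabled rule is skipped, the seeded default rule (whose value expression $(user.User Login) refers back to the user's own login) catches every user, and with the default rule removed and SOA off a request with no matching rule fails. The rule names and organization names come from the use cases; the user records, the operator table, and the treatment of a missing attribute as an empty string are assumptions of the example.

```python
# Added example, not Oracle's code: a model of home organization policy evaluation.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Operators for text-type attributes, using the condition builder's labels.
TEXT_OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equal": lambda a, v: a == v,
    "Not Equal": lambda a, v: a != v,
    "Contains": lambda a, v: v in a,
    "Does Not Contain": lambda a, v: v not in a,
    "Begins With": lambda a, v: a.startswith(v),
    "Does Not Begins With": lambda a, v: not a.startswith(v),
    "Ends With": lambda a, v: a.endswith(v),
    "Does Not Ends With": lambda a, v: not a.endswith(v),
}


@dataclass
class Condition:
    attribute: str   # user attribute name, e.g. "Nickname" or "User Login"
    operator: str    # a key of TEXT_OPERATORS
    value: str       # a literal, or an expression such as "$(user.User Login)"


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    organization: str      # the THEN part: organization name returned on match
    join: str = "AND"      # how several conditions combine: "AND" or "OR"
    enabled: bool = True   # a rule with Status = Disable is skipped


class RequestFailure(Exception):
    """No home organization could be assigned and SOA is off."""


def resolve_value(value: str, user: Dict[str, str]) -> str:
    """Resolve a '$(user.<attribute>)' expression against the user; literals pass through."""
    if value.startswith("$(user.") and value.endswith(")"):
        return user.get(value[len("$(user."):-1], "")
    return value


def condition_holds(cond: Condition, user: Dict[str, str]) -> bool:
    # Assumption of this model: a missing attribute behaves like an empty string.
    actual = user.get(cond.attribute, "")
    expected = resolve_value(cond.value, user)
    return TEXT_OPERATORS[cond.operator](actual, expected)


def rule_matches(rule: Rule, user: Dict[str, str]) -> bool:
    results = [condition_holds(c, user) for c in rule.conditions]
    return all(results) if rule.join == "AND" else any(results)


def evaluate_policy(rules: List[Rule], user: Dict[str, str]) -> Optional[str]:
    """Evaluate rules top to bottom and stop at the first match; None means no rule matched."""
    for rule in rules:
        if rule.enabled and rule_matches(rule, user):
            return rule.organization
    return None


def home_organization_for_request(rules: List[Rule], user: Dict[str, str],
                                  soa_enabled: bool = True) -> Optional[str]:
    """Organization filled into the request. None leaves the field blank for the
    approver; with SOA off there is no approver, so the request fails instead."""
    org = evaluate_policy(rules, user)
    if org is None and not soa_enabled:
        raise RequestFailure("no home organization rule matched and SOA is off")
    return org


# Rules in the order described for Figure 13-1: complex, then simple, then the default.
DEFAULT_RULE = Rule("Default All Users To Single Organization Rule",
                    [Condition("User Login", "Equal", "$(user.User Login)")],
                    "Xellerate Users")
POLICY = [
    Rule("ExampleComplexRule",
         [Condition("Nickname", "Begins With", "Test"),
          Condition("Display Name", "Ends With", "User")],
         "testOrg3", join="AND"),
    Rule("ExampleSimpleRule", [Condition("Nickname", "Begins With", "Test")], "testOrg2"),
    DEFAULT_RULE,
]

# Constructed sample users for the demonstration.
USERS = {
    "User1": {"User Login": "User1"},
    "User2": {"User Login": "User2", "Nickname": "TestUser2", "Display Name": "Someone Else"},
    "User3": {"User Login": "User3", "Nickname": "TestUser3", "Display Name": "testUser"},
}

if __name__ == "__main__":
    for login, record in USERS.items():
        print(login, "->", evaluate_policy(POLICY, record))
```

Running the block prints User1 -> Xellerate Users, User2 -> testOrg2 and User3 -> testOrg3; dropping DEFAULT_RULE from POLICY makes User1 evaluate to None, which is the blank-field case the approver has to fill in.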

13.3 Creating a Rule in Home Organization Policy

Using the Home Organization Policy page, you can create and configure a rule with the condition builder, or you can use a script to set the rule.

To create a rule:

  1. Log in to Oracle Identity System Administration.

  2. In the left pane, under System Configuration, click Home Organization Policy to open the Home Organization Policy page.

  3. Click Create on the toolbar to open the Add Home Org Policy Rule page.

  4. Under the Create Rule section, enter Name, Description, Owner, and Status for the new rule. Set the Status of the rule to Enable or Disable. If the Status is set to Disable, then when a user self-registers, this rule is skipped during evaluation.

  5. Set the rule condition in the Condition Builder section. For example: If Display name contains Test and Last name contains User, then Organization is Vision North America. In this example, the Attribute is Display name, the Condition is Contains, and the Value is Test.

    You can set the rule using the Condition Builder (Step 6) or a Script (Step 7).

  6. To set the rule using the Condition Builder:

    1. Under the IF part of the rule, click the Condition Builder icon to open the Condition Builder window.

      As an example, Figure 13-2 shows the Create Rule page with the Condition Builder option used to set the rule.

      Figure 13-2 Creating rule with Condition Builder Option

    2. Select the user attribute from the attribute list. The UDFs and default attributes associated with the user are listed.

      Search for the particular attribute in the list, or type the name of the attribute in the field and click the Search icon. Select the attribute from the list and click OK.

    3. Select the condition from the conditions list. The available conditions are Equal, Not Equal, Contains, Does Not Contain, Begins With, Does Not Begins With, Ends With, and Does Not Ends With.

      Note:

      This list varies based on the type of attribute. The list above is for text-type attributes. Number-type attributes have conditions such as Greater than and Lesser than.

    4. To enter a value, type the value in the field and click OK, or click the Value icon to open the Condition Builder window.

      In the Condition Builder, you can enter a Value or an Expression.

      If you select Value, a list of values is displayed. Select the required value, or type the value in the field, and click OK.

      If you select Expression, a list of conditions is displayed. Select the required value and click OK.

    5. To enter the THEN part of the rule, click the organization icon. The Condition Builder window is displayed. Select organization and click OK.

    6. The condition is set to Equals by default and cannot be changed.

    7. To select the organization, click the organization name icon. The Condition Builder window is displayed. Select the organization name from the list and click OK.

    8. To set a complex rule, click Add Condition. Select the AND or OR operator and set the additional condition.

  7. To set the rule using a Script, perform the following:

    1. When Script is selected, this section shows the existing script. For example, the following script sets the organization value to the user's department number if one is configured. If the department number is Oracle, Oracle-HQ, or Oracle-IDC, then the organization value is set to that department number. Make sure that organizations named Oracle, Oracle-IDC, and Oracle-HQ exist in the system.

      // Script rule: read the user's Department Number from the value object.
      String deptNum = vo.getString("user.Department Number");
      // Groovy-style truth test: true only when the value is non-null and non-empty.
      if (deptNum)
      {
          ValueObject rvo = new ValueObject();
          // The "organization" entry of the returned value object is the rule's result.
          rvo.put("organization", deptNum);
          return rvo;
      }
      // Otherwise nothing is returned and this rule sets no organization.

      As an example, Figure 13-3 shows the Create Rule page with the Script option used to set the rule.

      Figure 13-3 Creating rule with Script Option

    2. Enter any word you want to find and click the Search icon. The Find and Replace panel is displayed.

    3. To jump to a particular line, enter the line number and click the Search icon.

  8. Click Create.

  9. The Home Organization Policies page lists all the rules defined. A rule can be moved up or down in the list to change its order. To do so, click the Up or Down arrow in the Order column of the rule.

13.4 Modifying a Rule in Home Organization Policy

You can edit the existing rules in the home organization policy by opening the policy, modifying the rule details, and saving the modified policy.

To modify a rule in the home organization policy:

  1. Log in to Oracle Identity System Administration.
  2. In the left pane, under System Configuration, click Home Organization Policy to open the Home Organization Policy window.
  3. Select the required home organization policy from the list and click Open.
  4. Modify the required details and click Update.

    If you do not wish to save the changes made to the rule, click Revert. The rule is restored to its original state.

13.5 Deleting a Rule in Home Organization Policy

Delete rules in the home organization policy that are not required or not in use.

To delete a rule in the home organization policy:

  1. Log in to Oracle Identity System Administration.
  2. In the left pane, under System Configuration, click Home Organization Policy to open the Home Organization Policy window.
  3. Select the home organization policy rule that needs to be deleted, and click Delete.