Page 1
Novell®
www.novell.com
Policies in iManager
Policies in iManager
novdocx (en) 13 May 2009
AUTHORIZED DOCUMENTATION
3.6.1
June 05, 2009
Policies in iManager for Identity Manager 3.6.1
Page 2
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
novdocx (en) 13 May 2009
Copyright © 2008-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this
document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S.
patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or
more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Page 3
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/
trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
novdocx (en) 13 May 2009
Page 4
novdocx (en) 13 May 2009
4 Policies in iManager for Identity Manager 3.6.1
Page 5
Contents
About This Guide 11
1Overview 13
2 Managing Policies with Policy Builder 15
2.1 Accessing the Policy Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.1 Creating a Policy in a Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.2 Creating a Policy in a Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.3 Defining Individual Rules within a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.4 Creating Arguments within a Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.5 Modifying a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.6 Removing a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.7 Renaming a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.8 Deleting a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.9 Exporting a Policy to an XML File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.10 Importing a Policy from an XML File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.11 Creating a Policy Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
novdocx (en) 22 June 2009
3 Using Additional Builders 25
3.1 Argument Actions Builder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2 Argument Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2.1 Argument Builder Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.3 Match Attribute Builder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.3.1 Match Attribute Builder Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.4 Action Argument Component Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.5 Argument Value List Builder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.5.1 Argument Value List Builder Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.6 String Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.7 Condition Argument Component Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4 Defining Schema Mapping Policies 35
4.1 Accessing Schema Mapping Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.2 Editing the Schema Mapping Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.2.1 Placement of the Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.2.2 Schema Map Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5 Controlling the Flow of Objects with the Filter 41
5.1 Accessing the Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.2 Editing the Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.2.1 Removing a Class or an Attribute from the Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.2.2 Adding a Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.2.3 Adding an Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.2.4 Copying a Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Contents 5
Page 6
5.2.5 Setting a Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.2.6 Changing the Filter Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
6 Using Predefined Rules 47
6.1 Command Transformation - Create Departmental Container - Part 1 and Part 2 . . . . . . . . . . 48
6.1.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.1.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.1.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
6.2 Command Transformation - Publisher Delete to Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
6.2.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
6.2.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
6.2.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.3 Creation - Require Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.3.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.3.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.3.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.4 Creation - Publisher - Use Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.4.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.4.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.4.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.5 Creation - Set Default Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.5.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.5.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.5.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.6 Creation - Set Default Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.6.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.6.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.6.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.7 Event Transformation - Scope Filtering - Include Subtrees . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.7.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.7.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.7.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.8 Event Transformation - Scope Filtering - Exclude Subtrees . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.8.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.8.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.8.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.9 Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-
nnnn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6.9.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6.9.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6.9.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.10 Input or Output Transformation - Reformat Telephone Number from nnn-nnn-nnnn to (nnn) nnn-
nnnn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.10.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.10.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.10.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.11 Matching - Publisher Mirrored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.11.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.11.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.11.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.12 Matching - Subscriber Mirrored - LDAP Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.12.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.12.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.12.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.13 Matching - By Attribute Value. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
novdocx (en) 22 June 2009
6 Policies in iManager for Identity Manager 3.6.1
Page 7
6.13.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.13.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.13.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.14 Placement - Publisher Mirrored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.14.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.14.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.14.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.15 Placement - Subscriber Mirrored - LDAP Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.15.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.15.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.15.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.16 Placement - Publisher Flat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.16.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.16.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.16.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.17 Placement - Subscriber Flat - LDAP Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.17.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.17.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.17.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.18 Placement - Publisher By Dept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.18.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.18.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.18.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.19 Placement - Subscriber By Dept - LDAP Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.19.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
6.19.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
6.19.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
novdocx (en) 22 June 2009
7 Storing Information in Resource Objects 73
7.1 Library Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
7.1.1 Managing Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
7.1.2 Adding Objects to the Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
7.1.3 Using a Policy Stored in the Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
7.2 Mapping Table Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
7.2.1 Creating a Mapping Table Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
7.2.2 Adding a Mapping Table Object to a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
7.3 ECMAScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
7.4 Application Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
7.5 Repository Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
7.6 Resource Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
8 Using ECMAScript in Policies 83
8.1 Creating an ECMAScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
8.1.1 Creating an ECMAScript in a Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
8.1.2 Creating an ECMAScript in a Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
8.2 Using an Existing ECMAScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
8.2.1 Using an Existing ECMAScript in a Driver. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
8.2.2 Using an Existing ECMAScript in a Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
8.3 Examples of ECMAScripts with Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
8.3.1 DirXML Script Policy Calling an ECMAScript Function . . . . . . . . . . . . . . . . . . . . . . . 88
8.3.2 XSLT Policy Calling an ECMAScript Function at the Driver Level . . . . . . . . . . . . . . . 88
8.3.3 XSLT Policy Calling an ECMAScript Function in the Style Sheet . . . . . . . . . . . . . . . 90
Contents 7
Page 8
9 Conditions 91
If Association. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
If Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
If Class Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
If Destination Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
If Destination DN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
If Entitlement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
If Global Configuration Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
If Local Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
If Named Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
If Operation Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
If Operation Property. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
If Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
If Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
If Source Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
If Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
If XML Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
If XPath Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
novdocx (en) 22 June 2009
10 Actions 135
Add Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Add Destination Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Add Destination Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Add Source Attribute Value. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Add Source Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Append XML Element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Append XML Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Break. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Clear Destination Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Clear Operation Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Clear SSO Credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Clear Source Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Clone By XPath Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Clone Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Delete Destination Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Delete Source Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Find Matching Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
For Each . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Generate Event. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
If . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Implement Entitlement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Move Destination Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Move Source Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Reformat Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Remove Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Remove Destination Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Remove Source Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Rename Destination Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Rename Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Rename Source Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
8 Policies in iManager for Identity Manager 3.6.1
Page 9
Send Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Send Email from Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Set Default Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Set Destination Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Set Destination Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Set Local Variable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Set Operation Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Set Operation Class Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Set Operation Destination DN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Set Operation Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Set Operation Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Set Operation Template DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Set Source Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Set Source Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Set SSO Credential. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Set SSO Passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Set XML Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Start Workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Strip Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Strip XPath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Trace Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Veto. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Veto If Operation Attribute Not Available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
While . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
novdocx (en) 22 June 2009
11 Noun Tokens 207
Added Entitlement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Character . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Class Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Destination Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Destination DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Destination Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Entitlement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Generate Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Global Configuration Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Local Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Named Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Operation Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Removed Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Removed Entitlements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Resolve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Source Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Contents 9
Page 10
Source Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Unique Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Unmatched Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
XPath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
12 Verb Tokens 245
Base64 Decode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Base64 Encode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Convert Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Escape Destination DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Escape Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Join . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Lowercase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Parse DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Replace All . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Replace First. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Split . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Substring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Uppercase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
XML Parse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
XML Serialize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
novdocx (en) 22 June 2009
A iManager Navigation 265
A.1 Accessing the Identity Manager Driver Set Overview Page. . . . . . . . . . . . . . . . . . . . . . . . . . 265
A.2 Accessing the Identity Manager Driver Overview Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
10 Policies in iManager for Identity Manager 3.6.1
Page 11
About This Guide
Novell® Identity Manager is a data sharing and synchronization service that enables applications,
directories, and databases to share information. It links scattered information and enables you to
establish policies that govern automatic updates to designated systems when identity changes occur.
Identity Manager provides the foundation for account provisioning, security, single sign-on, user
self-service, authentication, authorization, automated workflows, and Web services. It allows you to
integrate, manage, and control your distributed identity information so you can securely deliver the
right resources to the right people.
This guide provides detailed information on creating and managing policies in iManager.
Chapter 1, “Overview,” on page 13
Chapter 2, “Managing Policies with Policy Builder,” on page 15
Chapter 3, “Using Additional Builders,” on page 25
novdocx (en) 22 June 2009
Chapter 4, “Defining Schema Mapping Policies,” on page 35
Chapter 5, “Controlling the Flow of Objects with the Filter,” on page 41
Chapter 6, “Using Predefined Rules,” on page 47
Chapter 7, “Storing Information in Resource Objects,” on page 73
Chapter 8, “Using ECMAScript in Policies,” on page 83
Chapter 9, “Conditions,” on page 91
Chapter 10, “Actions,” on page 135
Chapter 11, “Noun Tokens,” on page 207
Chapter 12, “Verb Tokens,” on page 245
Audience
This guide is intended for Identity Manager administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to www.novell.com/documentation/feedback.html and enter your
comments there.
Documentation Updates
For the most recent version of Policies in iManager, visit the Identity Manager Documentation Web
site (http://www.novell.com/documentation/idm36).
Additional Documentation
For documentation on Identity Manager drivers, see the Identity Manager Documentation Web site
(http://www.novell.com/documentation/idm36drivers).
About This Guide 11
Page 12
For documentation on Novell iManager, see the Novell iManager Documentation Web site (http://
www.novell.com/documentation/imanager27).
For documentation on Designer see, the Designer 3.5 for Identity Manager 3.6 Administration
Guide (http://www.novell.com/documentation/designer35).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and
items in a cross-reference path.
®
A trademark symbol (
, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for
other platforms, the pathname is presented with a backslash. Users of platforms that require a
forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
novdocx (en) 22 June 2009
12 Policies in iManager for Identity Manager 3.6.1
Page 13
1
Overview
Policies manage the data that is synchronized between the Identity Vault and the remote data store.
The policies are stored in policy sets. Identity Manager installs iManager plug-ins that allow you to
create and manage policies.
In order to access the objects that are used in policies, see “iManager Navigation” on page 265.
As part of understanding how policies work, it is important to understand their components.
Policies are made up of rules.
A rule is a set of conditions (see Chapter 9, “Conditions,” on page 91) that must be met before
a defined action (see Chapter 10, “Actions,” on page 135) occurs.
Actions can have dynamic arguments that derive from tokens that are expanded at run time.
Tokens are divided into two classifications: nouns and verbs.
Noun tokens (see Chapter 11, “Noun Tokens,” on page 207) expand to values that are
derived from the current operation, the source or destination data stores, or some external
source.
Verb tokens (see Chapter 12, “Verb Tokens,” on page 245) modify the concatenated
results of other tokens that are subordinate to them.
Regular expressions (see “Regular Expressions” in Understanding Policies for Identity
Manager 3.6) and XPath 1.0 expressions (see “XPath 1.0 Expressions” in Understanding
Policies for Identity Manager 3.6) are commonly used in the rules to create the desired results
for the policies.
A policy operates on an XDS document and its primary purpose is to examine and modify that
document.
An operation is any element in the XDS document that is a child of the input element and the
output element. The elements are part of Novell’s
DTD” in the Identity Manager 3.6 DTD Reference.
An operation usually represents an event, a command, or a status.
The policy is applied separately to each operation. As the policy is applied to each operation in
turn, that operation becomes the current operation. Each rule is applied sequentially to the
current operation. All of the rules are applied to the current operation unless an action is
executed by a prior rule that causes subsequent rules to no longer be applied.
nds.dtd
; for more information, see “NDS
novdocx (en) 13 May 2009
1
A policy can also get additional context from outside of the document and cause side effects
that are not reflected in the result document.
For more information on policies and policy types, see Understanding Policies for Identity Manager
3.5.1 (http://www.novell.com/documentation/idm35/policy/data/policytypesoverview.html).
The following sections explain how to create and use policies.
Chapter 2, “Managing Policies with Policy Builder,” on page 15
Chapter 3, “Using Additional Builders,” on page 25
Chapter 4, “Defining Schema Mapping Policies,” on page 35
Chapter 5, “Controlling the Flow of Objects with the Filter,” on page 41
Overview
13
Page 14
Chapter 6, “Using Predefined Rules,” on page 47
Chapter 7, “Storing Information in Resource Objects,” on page 73
Chapter 8, “Using ECMAScript in Policies,” on page 83
This guide also contains a detailed reference section for all of the elements in DirXML® Script. For
more information on DirXML Script, see “DirXML Script DTD” in Identity Manager 3.6 DTD
Reference.
Chapter 9, “Conditions,” on page 91
Chapter 10, “Actions,” on page 135
Chapter 11, “Noun Tokens,” on page 207
Chapter 12, “Verb Tokens,” on page 245
novdocx (en) 13 May 2009
14 Policies in iManager for Identity Manager 3.6.1
Page 15
2
Managing Policies with Policy
novdocx (en) 13 May 2009
Builder
The Policy Builder is a complete graphical interface for creating and managing the policies that
define the exchange of data between connected systems.
Section 2.1, “Accessing the Policy Builder,” on page 15
Section 2.2, “Creating a Policy,” on page 15
Section 2.3, “Defining Individual Rules within a Policy,” on page 19
Section 2.4, “Creating Arguments within a Rule,” on page 21
Section 2.5, “Modifying a Policy,” on page 22
Section 2.6, “Removing a Policy,” on page 23
Section 2.7, “Renaming a Policy,” on page 23
Section 2.8, “Deleting a Policy,” on page 23
Section 2.9, “Exporting a Policy to an XML File,” on page 24
Section 2.10, “Importing a Policy from an XML File,” on page 24
Section 2.11, “Creating a Policy Reference,” on page 24
2.1 Accessing the Policy Builder
2
1 Access the Identity Manager Driver Overview by following the steps in “Accessing the Identity
Manager Driver Overview Page” on page 266.
Ensure that the driver that is displayed in the Identity Manager Overview is the driver for which
you want to manage policies.
2 Click the desired policy set, then click the policy you want to edit to open the Policy Builder.
2.2 Creating a Policy
A policy can be created in a driver or in a library object.
Section 2.2.1, “Creating a Policy in a Driver,” on page 16
Section 2.2.2, “Creating a Policy in a Library,” on page 17
Managing Policies with Policy Builder
15
Page 16
2.2.1 Creating a Policy in a Driver
“Creating a New Policy” on page 16
“Using an Existing Policy to Create a Policy” on page 17
Creating a New Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
represents an undefined policy.
represents a defined policy.
3 Click Insert.
novdocx (en) 13 May 2009
4 Select Create a new policy.
5 Specify a name for the new policy.
6 Select how to implement the policy, then click OK.
16 Policies in iManager for Identity Manager 3.6.1
Page 17
novdocx (en) 13 May 2009
If you select Policy Builder, the Policy Builder is launched. To define one or more rules
for this policy, click Append New Rule, then follow the instructions in Section 2.3,
“Defining Individual Rules within a Policy,” on page 19.
If you select XSLT, the XML editor is launched. To define the policy with XSLT, see
“Defining Policies by Using XSLT Style Sheets” in Understanding Policies for Identity
Manager 3.6.
If you select Make a copy from an existing policy, browse to and select the policy to copy.
Using an Existing Policy to Create a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
represents an undefined policy.
represents a defined policy.
3 Click Insert.
4 Select Use an existing policy, then browse to and select the existing policy you want to use.
5 Click OK.
2.2.2 Creating a Policy in a Library
1 Access the Identity Manager Driver Set Overview by following the steps in “Accessing the
Identity Manager Driver Set Overview Page” on page 265.
2 Click the Libraries tab.
3 Click the library you want to add a policy to.
Managing Policies with Policy Builder 17
Page 18
4 Click the plus icon to add a policy to the library.
novdocx (en) 13 May 2009
5 Specify a name for the policy.
6 Select how to implement the policy, then click OK.
If you select Policy Builder, XSLT, or ECMAScript, the object is created and displayed in
the library. Each object must be edited to add the policy information into the object.
If you select Make a copy from an existing policy, browse to and select the policy to store
in the library.
18 Policies in iManager for Identity Manager 3.6.1
Page 19
2.3 Defining Individual Rules within a Policy
Rules are defined in the Rule Builder window of the Policy Builder. To access the Rule Builder
window:
1 Click the library that contains the policy of the rules you want to define.
2 Click on the policy.
3 Click Append New Rule.
Figure 2-1 Rule Builder Window of the Policy Builder
novdocx (en) 13 May 2009
The Rule Builder interface enables you to quickly create and modify rules using intelligent dropdown menus.
In the Rule Builder, you define a set of conditions that must be met before a defined action occurs.
For example, if you need to create a rule that disallows any new objects from being added to your
environment, you might define this rule to indicate that when an add operation occurs, veto the
operation.
To implement this logic in the Rule Builder, you could select the following condition:
Managing Policies with Policy Builder 19
Page 20
Figure 2-2 Move User Condition in the Rule Builder Interface
And the following action:
Figure 2-3 Veto Action in the Rule Builder Interface
novdocx (en) 13 May 2009
See Chapter 9, “Conditions,” on page 91 and Chapter 10, “Actions,” on page 135 for a detailed
reference on the conditions and actions available in the Rule Builder.
Tips
To create more complex conditions, you can join conditions and groups of conditions with and/or
statements. You can modify the way these are joined by selecting the condition structure:
Figure 2-4 Condition Structure Radio Buttons
Browse: Click the icon to see a list of values for a field. In the example above, this icon
opens a list of valid class names.
Argument Builder: Click the icon to use the Argument Builder interface to construct an
argument.
Enable/Disable Policy, Rule, Condition or Action: Click the icon to disable a policy,
rule, condition, or action. Click the icon to re-enable it.
Enable/Disable Policy Tracing: Click the icon to disable tracing on the policy. Click the
icon to re-enable tracing of the policy.
Comment: Click the icon to add a comment to a policy or rule. Comments are stored
directly on the policy or rule, and can be as long as necessary.
Cut/Copy/Paste: Use the Cut/Copy/Paste icons to use the Policy Builder clipboard.
The Paste icon is disabled if the current content on the clipboard is invalid at that location.
Conditions: Use the icons to add, remove, and position conditions.
Add Condition Groups: Use the button to add condition groups.
20 Policies in iManager for Identity Manager 3.6.1
Page 21
Remove and Position Condition Groups: Use the icons to remove and position
condition groups.
2.4 Creating Arguments within a Rule
The Argument Builder provides a dynamic graphical interface that enables you to construct complex
argument expressions for use within the Rule Builder. To access the Argument Builder, see
“Argument Builder” on page 26.
Arguments are dynamically used by actions and are derived from tokens that are expanded at run
time.
Tokens are divided into two classifications: nouns and verbs. Noun tokens expand to values that are
derived from the current operation, the source or destination data stores, or some external source.
Verb tokens modify the results of other tokens that are subordinate to them.
Figure 2-5 Default Argument Builder Interface
novdocx (en) 13 May 2009
To define an expression, select one or more noun tokens (values, objects, variables, etc.), and
combine then with verb tokens (substring, escape, uppercase, and lowercase) to construct
arguments. Multiple tokens are combined to construct complex arguments.
Managing Policies with Policy Builder 21
Page 22
For example, if you want the argument set to an attribute value:
1 In the Argument Builder, select Attribute from the list of noun tokens, then click Add.
2 Browse to and select the attribute name in the editor.
novdocx (en) 13 May 2009
If you want only a portion of this attribute, you can combine the attribute token with the
substring token. The expression displays a substring length of 1 for the Given Name attribute
combined with the entire Surname attribute.
After you add a noun or verb, you can provide values in the editor, then immediately add another
noun or verb. You do not need to refresh the Expression pane to apply your changes; they appear
when the next operation is performed.
See Chapter 11, “Noun Tokens,” on page 207 and Chapter 12, “Verb Tokens,” on page 245 for a
detailed reference on the noun and verb tokens. See Section 3.2, “Argument Builder,” on page 26 for
more information on the Argument Builder.
2.5 Modifying a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Click the name of the policy you want to modify.
The Policy Builder is launched.
4 Make the desired modifications, then click OK.
22 Policies in iManager for Identity Manager 3.6.1
Page 23
2.6 Removing a Policy
The Remove option removes the policy from the selected Policy Set but doesn’t delete the policy.
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon, select the policy you want to remove, then click Remove.
To view a policy that is not associated with a policy set:
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click Advanced > Show All Policies.
To add the removed policy back to the policy set:
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
novdocx (en) 13 May 2009
2 Click a policy set icon.
3 Click Insert.
4 Select Use an existing policy, then click the browse button.
5 Browse to the policy you want to add.
Make sure you are in the proper container to see the policy.
6 Click OK.
7 Click Close.
2.7 Renaming a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Select the policy you want to rename.
4 Click Rename and rename the policy.
5 Click OK.
6 Click Close.
2.8 Deleting a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
Managing Policies with Policy Builder 23
Page 24
2 Click a policy set icon.
3 Select the policy you want to delete, then click Delete.
2.9 Exporting a Policy to an XML File
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Click the name of a policy.
4 Click the Save As button, then select a location to save the DirXML
5 Click Save.
®
Script XML file.
2.10 Importing a Policy from an XML File
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Click the name of a policy.
novdocx (en) 13 May 2009
4 Click the Insert button, then select Import an XML file containing DirXML Script.
5 Browse to and select the policy file to import, then click OK.
2.11 Creating a Policy Reference
A policy reference enables you to create a single policy, and reference it in multiple locations. If you
have a policy that is used by more than one driver or policy, creating a reference simplifies
management of this policy.
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Click the name of a policy.
4 Click the Insert button, and select Append a reference to a policy containing DirXML Script.
5 Browse to and select the policy object to reference, then click OK.
24 Policies in iManager for Identity Manager 3.6.1
Page 25
3
Using Additional Builders
Although you define most arguments by using the Argument Builder (see Section 2.4, “Creating
Arguments within a Rule,” on page 21), there are several more builders that are used by the
Condition Editor and Action Editor in the Policy Builder. Each builder can recursively call anyone
of the builders in the following list:
Section 3.1, “Argument Actions Builder,” on page 25
Section 3.2, “Argument Builder,” on page 26
Section 3.3, “Match Attribute Builder,” on page 30
Section 3.4, “Action Argument Component Builder,” on page 31
Section 3.5, “Argument Value List Builder,” on page 31
Section 3.6, “String Builder,” on page 32
Section 3.7, “Condition Argument Component Builder,” on page 33
novdocx (en) 13 May 2009
3
3.1 Argument Actions Builder
The Argument Actions Builder enables you to set the action that is required by the For Each action
and the Implement Entitlement action.
In the following example, the add destination attribute value action is performed for each Group
entitlement that is being added in the current operation.
Figure 3-1 Action For Each
To define the action of add destination attribute value, click the icon that launches the Argument
Actions Builder. In the Argument Actions Builder, you define the desired action. In the following
example, the member attribute is added to the destination object for each added Group entitlement.
Figure 3-2 Action Add Destination Attribute Value
Using Additional Builders
25
Page 26
3.2 Argument Builder
The Argument Builder provides a dynamic graphical interface that enables you to construct complex
argument expressions for use within Rule Builder.
The Argument Builder consists of five separate sections:
Nouns: Contains a list of all of the available noun tokens. Select a noun token, then click Add
to add the noun token to the Expression pane. For more information on noun tokens, see
Chapter 11, “Noun Tokens,” on page 207.
Ve rb s: Contains a list of all of the available verb tokens. Select a verb token, then click Add to
add the verb token to the Expression pane. For more information on verb tokens, see
Chapter 12, “Verb Tokens,” on page 245.
Description: Contains a brief description of the noun or verb token. Click the help icon to
launch additional help.
Expression: Contains the argument that is being built. Multiple noun and verb tokens can be
added to a single argument. Tokens can be arranged in different orders through the Expression
pane.
novdocx (en) 13 May 2009
Editor: Use the Editor pane to provide the values for the nouns and the verbs.
26 Policies in iManager for Identity Manager 3.6.1
Page 27
Figure 3-3 Argument Builder
novdocx (en) 13 May 2009
Launch the Argument Builder from the following actions by clicking the Edit Arguments icon.
Add Association
Add Destination Attribute Value
Add Destination Object
Add Source Attribute Value
Append XML Text
Clear Destination Attribute Value when the selected object is DN or Association.
Clear Source Attribute Value when the selected object is DN or Association.
Delete Destination Object when the selected object is DN or Association.
Delete Source Object when the selected object is DN or Association.
Using Additional Builders 27
Page 28
Find Matching Object
For Each
Move Destination Object
Move Source Object
Reformat Operation Attribute
Remove Association
Remove Destination Attribute Value
Remove Source Attribute Value
Rename Destination Object when the selected object is DN or Association and Enter String.
Rename Source Object when the selected object is DN or Association and Enter String.
Set Destination Attribute Value when the selected object is DN or Association, and the Enter
Value type is not structured.
Set Destination Password
Set Local Variable
Set Operation Association
novdocx (en) 13 May 2009
Set Operation Class Name
Set Operation Destination DN
Set Operation Property
Set Operation Source DN
Set Operation Template DN
Set Source Attribute Value
Set Source Password
Set XML Attribute
Status
Trace Message
To define an expression, select one or more nouns (values, objects, variables, etc.), and combine
them with verbs (substring, escape, uppercase and lowercase) to construct arguments.
The following example creates an argument for a username from the first letter of the first name and
the entire last name:
1 Select Attribute from the list of nouns, then click Add.
28 Policies in iManager for Identity Manager 3.6.1
Page 29
2 Specify or select the Given Name attribute.
3 Select Substring from the list of verbs, then click Add.
novdocx (en) 13 May 2009
4 Type 1 in the Length field.
5 Select the Given Name attribute, then click the Move Down icon.
6 Select Attribute from the list of nouns, then click Add.
7 Specify or browse to the Surname attribute.
8 Select the Surname attribute, then click the Move Down icon twice.
The argument takes the first character of the Given Name attribute and adds it to the Surname
attribute to build the desired value.
9 Click OK to save the argument.
Using Additional Builders 29
Page 30
3.2.1 Argument Builder Tips
Use the Cut/Copy/Paste icons to use the Policy Builder clipboard. The Paste icon is
disabled if the current content on the clipboard is invalid at that location.
Use the Move Up/Move Down/Remove icons to reposition or remove tokens in the
argument.
Use the link to refresh the Argument Builder interface. The interface is
refreshed automatically whenever you add or modify a token.
3.3 Match Attribute Builder
The Match Attribute Builder enables you to select attributes and values used by the Find Matching
Object action to determine if a matching object exists in a data store.
The following example matches users if the users are based in Provo and have a unique CN
attribute:
1 In the Rule Builder, select find matching object.
For information on accessing the Rule Builder, see “Defining Individual Rules within a Policy”
on page 19.
2 Select the Scope of the search as subtree.
3 Browse to and select the location to search. In this example, it is the Users container.
novdocx (en) 13 May 2009
4 Click the icon next to the Enter Match Attributes field to launch the Match Attribute Builder.
5 Click Append New Matching Attribute to add an attribute to match.
6 Specify the CN attribute in the Name field.
7 Select Value from current object to see if there are any other users with the same CN attribute.
8 Click Append New Matching Attribute to add another attribute to match.
9 Specify the L attribute in the Name field.
10 Select Other Value, then specify Provo as the value.
11 Click OK.
30 Policies in iManager for Identity Manager 3.6.1
Page 31
3.3.1 Match Attribute Builder Tips
Use the Cut/Copy/Paste icons to use the Policy Builder clipboard. The Paste icon is
disabled if the current content on the clipboard is invalid at that location.
3.4 Action Argument Component Builder
In the Rule Builder, launch the Action Argument Component Builder by selecting the following
actions when the Enter Value Type selection is set to Structured.
For information on accessing the Rule Builder, see “Defining Individual Rules within a Policy” on
page 19.
Add Destination Attribute Value (page 138)
Add Source Attribute Value (page 142)
Reformat Operation Attribute (page 169)
Remove Destination Attribute Value (page 171)
Remove Source Attribute Value (page 172)
Set Default Attribute Value (page 180)
novdocx (en) 13 May 2009
Set Source Attribute Value (page 191)
Figure 3-4 Action Value Type Field Set to Structured
After the value type is set to structured, click the Edit components icon.
Figure 3-5 Action Argument Component Builder
The Action Argument Component Builder is launched and the action can be constructed.
3.5 Argument Value List Builder
The Argument Value List Builder enables you to construct default argument values for the Set
Default Attribute Value action.
Using Additional Builders 31
Page 32
For example, if you want to set a default company name:
1 In the Rule Builder, select set default attribute value from the list of actions.
For information on accessing the Rule Builder, see “Defining Individual Rules within a Policy”
on page 19.
2 Browse to and select the company attribute.
3 Click the Edit the value list icon to create the company name.
4 Click Append New Value in the Argument Value List Builder.
5 Specify the name of the company.
novdocx (en) 13 May 2009
For this example, the company name is Digital Airlines.
6 Click OK twice.
3.5.1 Argument Value List Builder Tips
Use the Cut/Copy/Paste icons to use the Policy Builder clipboard. The Paste icon is
disabled if the current content on the clipboard is invalid at that location.
3.6 String Builder
The String Builder enables you to construct name/value pairs for use in certain actions such as
Generate Event, Send Email, and Send Email from Template.
You can access the String Builder by clicking the Edit the strings icon located in the Action List
section of the Rule Builder. For information on accessing the Rule Builder, see “Defining Individual
Rules within a Policy” on page 19.
For the Generate Event action, the string names correspond to the custom value fields you can
provide with an event:
target
target-type
subTarget
text1
text2
text3
32 Policies in iManager for Identity Manager 3.6.1
Page 33
value
value3
data
data-type
Figure 3-6 String Builder
For the Send Email action, the string names correspond to the elements of the e-mail:
to
cc
bcc
from
reply-to
novdocx (en) 13 May 2009
subject
message
encoding
custom-smpt-header
Figure 3-7 Send Mail Action
For the Send Email from Template action, the named strings correspond to the elements of the email in the template:
to
cc
bcc
reply-to
encoding
custom-smtp-header
3.7 Condition Argument Component Builder
Launch the Condition Argument Component Builder by clicking the Edit arguments icon in the Rule
Builder. For information on accessing the Rule Builder, see “Defining Individual Rules within a
Policy” on page 19.
Using Additional Builders 33
Page 34
In order to see the icon, you must select the Structured selection for Mode with the following
conditions:
If Attribute
If Destination Attribute
If Source Attribute
Figure 3-8 Structured Option
novdocx (en) 13 May 2009
Figure 3-9 Condition Argument Component Builder
34 Policies in iManager for Identity Manager 3.6.1
Page 35
4
Defining Schema Mapping
novdocx (en) 13 May 2009
Policies
Schema Mapping policies map class names and attribute names between the Identity Vault
namespace and the application namespace. The same schema mapping policy is applied in both
directions. All documents that are passed in either direction on either channel between the
Metadirectory engine and the application shim are passed through the Schema Mapping policy.
There is one Schema Mapping policy per driver.
Section 4.1, “Accessing Schema Mapping Policies,” on page 35
Section 4.2, “Editing the Schema Mapping Policy,” on page 35
4.1 Accessing Schema Mapping Policies
1 To access a Schema Mapping Policy, navigate to the Identity Manager Driver Overview page.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 In the Identity Manager Driver Overview page, click the Schema Mapping Policy set.
The Schema Mapping Policies are displayed.
4
4.2 Editing the Schema Mapping Policy
There are two different parts to editing a Schema Mapping policy. First, you edit the placement of
the policies in the policy set. Second, you edit the policy itself through the Schema Map editor.
Section 4.2.1, “Placement of the Policies,” on page 35
Section 4.2.2, “Schema Map Editor,” on page 36
4.2.1 Placement of the Policies
1 In the Identity Manager Driver Overview page, click the Schema Mapping Policy to bring up
the Schema Mapping Policies window.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
Defining Schema Mapping Policies
35
Page 36
The options in this window allow you to position the policy you are currently working with.
The following table explains each of the options:
Option Description
novdocx (en) 13 May 2009
Insert Inserts a new or an existing policy into the
policies listed.
Rename Renames the selected policy.
Remove Removes the selected policy without deleting the
policy from the policy set.
Delete Deletes the selected policy.
®
DirXML Script Tracing Turns DirXML
tracing on or off.
Move Policy Up Moves the selected policy up if there is more
than one policy.
Move Policy Down Moves the selected policy down if there is more
than one policy.
Policy DN Simultaneously selects all policies.
Script tracing or DirXML Rule
4.2.2 Schema Map Editor
The Schema Map editor is a complete graphical interface for creating and managing the schema
mapping policies. The Schema Map editor creates a policy by using XML.
To access the Schema Map Editor:
1 On the Identity Manager Driver Overview page, click the Schema Mapping Policy set.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the name of a policy.
36 Policies in iManager for Identity Manager 3.6.1
Page 37
novdocx (en) 13 May 2009
The Schema Map editor has three tabs:
“Identity Manager Policy” on page 37
“Edit XML” on page 38
“Usage” on page 39
Identity Manager Policy
Contains the most information and is where you edit the policy through the GUI interface.
Table 4-1 Schema Map Editor Tasks
Removing Classes and Attributes Select the class or attribute you would like to
remove, then click Remove.
Adding Classes Select the eDirectory
list, then select the Application class from the
drop-down list. With the items selected, click Add,
then click Apply to save the change.
TM
class from the drop-down
Defining Schema Mapping Policies 37
Page 38
Adding Attributes Select the class of the attribute you want to add,
then click Attribute. Select the eDirectory attribute
from the drop-down list, then select the Application
attribute from the drop-down list. With the items
selected, click Add, then click OK to save the
changes.
Listing Non Specific Class Attributes If there are attributes that are not associated with
a class, click the Non-specific Class Attributes
icon and all of these attributes are listed.
Refreshing Application Schema If the schema has changed for the application,
click the Refresh Application Schema icon. The
wizard contacts the Connected System server to
retrieve the new schema. After the schema has
been updated, the schema is listed in the dropdown lists.
eDirectory Schema Tools Add Attribute: Adds an existing attribute to
the selected class.
Create Attribute: Creates a new attribute.
Create Class: Creates a new class.
Delete Attribute: Deletes the selected
attribute.
Delete Class: Deletes the selected class.
Refresh eDirectory Schema: After making
changes to the eDirectory schema, click
Refresh eDirectory Schema to update the
drop-down lists with the new information.
novdocx (en) 13 May 2009
WARNING: Do not delete any classes or attributes that are being used in the Identity Vault. This
can cause objects to become unknown.
Edit XML
Select Enable XML editing to edit the DirXML Script policy. Make the changes you desire to the
DirXML Script, then click Apply to save the changes.
38 Policies in iManager for Identity Manager 3.6.1
Page 39
Figure 4-1 Edit XML
novdocx (en) 13 May 2009
Usage
Shows you a list of the drivers that are currently referencing this policy. The list refers only to
policies in this policy’s driver set. If this policy is referenced from a different driver set, those
references do not appear here.
Defining Schema Mapping Policies 39
Page 40
Figure 4-2 Usage
novdocx (en) 13 May 2009
40 Policies in iManager for Identity Manager 3.6.1
Page 41
5
Controlling the Flow of Objects
novdocx (en) 13 May 2009
with the Filter
The Filter editor allows you to manage the filter. In the Filter editor, you define how each class and
attribute should be handled by the Publisher and Subscriber channels.
Section 5.1, “Accessing the Filter,” on page 41
Section 5.2, “Editing the Filter,” on page 41
5.1 Accessing the Filter
1 To access the filter, navigate to the Identity Manager Driver Overview page.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Filter icon on the Publisher or Subscriber channel. It is the same object.
5.2 Editing the Filter
5
The Filter editor gives you the options of editing how information is synchronized between the
Identity Vault and the connected system.
Controlling the Flow of Objects with the Filter
41
Page 42
Figure 5-1 Filter Editor
novdocx (en) 13 May 2009
Here is a list of most common tasks when editing the filter:
Section 5.2.1, “Removing a Class or an Attribute from the Filter,” on page 42
Section 5.2.2, “Adding a Class,” on page 42
Section 5.2.3, “Adding an Attribute,” on page 43
Section 5.2.4, “Copying a Filter,” on page 43
Section 5.2.5, “Setting a Template,” on page 43
Section 5.2.6, “Changing the Filter Settings,” on page 43
5.2.1 Removing a Class or an Attribute from the Filter
1 Select the class or attribute, then click Delete.
5.2.2 Adding a Class
1 Click Add Class.
2 Click the type of class you want to add.
3 Change the options to synchronize the information.
4 Click Apply.
42 Policies in iManager for Identity Manager 3.6.1
Page 43
5.2.3 Adding an Attribute
1 Select the Class where you want the attribute to be added.
2 Click Add Attribute.
3 Select the attribute you want to add, then click OK.
4 Change the option to synchronize the information.
5 Click Apply.
5.2.4 Copying a Filter
You can copy the filter from an existing driver into the driver you are currently working on.
1 Click Copy Filter From.
2 Browse to and click the driver you want to copy the filter from.
3 Click Apply or OK.
5.2.5 Setting a Template
novdocx (en) 13 May 2009
You can set the default values for an attribute you add to the filter.
1 Click Set Template.
2 Select the options you want the new attributes to have, then click OK.
You can change the values of the attributes after they have been created.
5.2.6 Changing the Filter Settings
The Filter editor gives you the option of changing how information is synchronized between the
Identity Vault and the connected system. The filter has different settings for classes and attributes.
1 In the Filter editor, select a class.
2 Change the filter settings for the selected class.
Options Definitions
Publish Synchronize: Allows the class to synchronize from the
connected system into the Identity Vault.
Ignore: Does not synchronize the class from the connected
system into the Identity Vault.
Subscribe
Synchronize: Allows the class to synchronize from the Identity
Vault into the connected system.
Ignore: Does not synchronize the class from the Identity Vault
into the connected system.
Create Home Directory Yes: Automatically creates home directories.
No: Does not create home directories.
Controlling the Flow of Objects with the Filter 43
Page 44
Options Definitions
novdocx (en) 13 May 2009
Track Member of
Temp lat e
Yes: Determines whether or not the Publisher channel
maintains the Member of Template attribute when it creates
objects from a template.
No: Does not track the Member of Template attribute.
3 Select an attribute.
4 Change the filter settings for the selected attribute.
44 Policies in iManager for Identity Manager 3.6.1
Page 45
Options Definitions
Publish Synchronize: Changes to this object are reported and
automatically synchronized.
Ignore: Changes to this object are not reported or automatically
synchronized.
Notify: Changes to this object are reported, but not automatically
synchronized.
Reset: Resets the object value to the value specified by the
opposite channel. (You can set this value on either the Publisher
channel or Subscriber channel, not both.)
novdocx (en) 13 May 2009
Subscribe
Synchronize: Changes to this object are reported and
automatically synchronized.
Ignore: Changes to this object are not reported or automatically
synchronized.
Notify: Changes to this object are reported, but not automatically
synchronized.
Reset: Resets the object value to the value specified by the
opposite channel. (You can set this value on either the Publisher
channel or Subscriber channel, not both.)
Controlling the Flow of Objects with the Filter 45
Page 46
Options Definitions
Merge Authority Default: If an attribute is not being synchronized in either channel,
no merging occurs.
If an attribute is being synchronized in one channel and not the
other, then all existing values on the destination for that channel
are removed and replaced with the values from the source for that
channel. If the source has multiple values and the destination can
only accommodate a single value, then only one of the values is
used on the destination side.
If an attribute is being synchronized in both channels and both
sides can accommodate only a single value, the connected
application acquires the Identity Vault values unless there is no
value in the Identity Vault. If this is the case, the Identity Vault
acquires the values from the connected application (if any).
If an attribute is being synchronized in both channels and only one
side can accommodate multiple values, the single-valued side’s
value is added to the multi-valued side if it is not already there. If
there is no value on the single side, you can choose the value to
add to the single side.
This is always valid behavior.
Identity Vault: Behaves the same way as the default behavior if
the attribute is being synchronized on the Subscriber channel and
not on the Publisher channel.
This is valid behavior when synchronizing on the Subscriber
channel.
Application: Behaves the same as the default behavior if the
attribute is being synchronized on the Publisher channel and not
on the Subscriber channel.
This is valid behavior when synchronizing on the Publisher
channel.
None: No merging occurs regardless of synchronization.
novdocx (en) 13 May 2009
Optimize Modification to
Identity Vault
Yes: Changes to this attribute are examined on the Publisher
channel to determine the minimal change made in the Identity
Vault.
No: Changes are not examined.
5 Click OK to save the changes.
46 Policies in iManager for Identity Manager 3.6.1
Page 47
6
Using Predefined Rules
iManager includes 19 predefined rules. You can import and use these rules as well as create your
own rules. These rules include common tasks that administrators use. You need to provide
information specific to your environment to customize the rules.
Section 6.1, “Command Transformation - Create Departmental Container - Part 1 and Part 2,”
on page 48
Section 6.2, “Command Transformation - Publisher Delete to Disable,” on page 50
Section 6.3, “Creation - Require Attributes,” on page 51
Section 6.4, “Creation - Publisher - Use Template,” on page 52
Section 6.5, “Creation - Set Default Attribute Value,” on page 53
Section 6.6, “Creation - Set Default Password,” on page 54
Section 6.7, “Event Transformation - Scope Filtering - Include Subtrees,” on page 55
Section 6.8, “Event Transformation - Scope Filtering - Exclude Subtrees,” on page 56
novdocx (en) 13 May 2009
6
Section 6.9, “Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-
nnnn to nnn-nnn-nnnn,” on page 58
Section 6.10, “Input or Output Transformation - Reformat Telephone Number from nnn-nnn-
nnnn to (nnn) nnn-nnnn,” on page 59
Section 6.11, “Matching - Publisher Mirrored,” on page 60
Section 6.12, “Matching - Subscriber Mirrored - LDAP Format,” on page 61
Section 6.13, “Matching - By Attribute Value,” on page 62
Section 6.14, “Placement - Publisher Mirrored,” on page 63
Section 6.15, “Placement - Subscriber Mirrored - LDAP Format,” on page 65
Section 6.16, “Placement - Publisher Flat,” on page 66
Section 6.17, “Placement - Subscriber Flat - LDAP Format,” on page 67
Section 6.18, “Placement - Publisher By Dept,” on page 68
Section 6.19, “Placement - Subscriber By Dept - LDAP Format,” on page 69
To access the predefined rules:
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the icon representing the policy where you want to add the predefined rule.
3 Click the name of the policy.
Using Predefined Rules
47
Page 48
4 Click Insert and select the predefined rule you want to use.
6.1 Command Transformation - Create
novdocx (en) 13 May 2009
Departmental Container - Part 1 and Part 2
This rule creates a department container in the destination data store, if one does not exist.
Implement the rule on the Command Transformation policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Command
Transformation policy set, and importing the predefined rule. If you already have a Command
Transformation policy that you want to add this rule to, skip to “Importing the Predefined Rule” on
page 48.
6.1.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Command Transformation Policy set object on the Publisher or Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.1.2, “Importing the Predefined Rule,” on page 48.
6.1.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Command Transformation - Create Departmental Container - Part 1.
3 Expand the predefined rule.
48 Policies in iManager for Identity Manager 3.6.1
Page 49
4 Click Insert.
5 Select Command Transformation - Create Departmental Container - Part 2.
6 Expand the predefined rule.
novdocx (en) 13 May 2009
7 Click OK.
There is no information to change in the rules that is specific to your environment.
IMPORTANT: Make sure that the rules are listed in order. Part 1 must be executed before Part 2.
6.1.3 How the Rule Works
This rule is used when the destination location for an object does not exist. Instead of getting a veto
because the object cannot be placed, this rule creates the container and places the object in the
container.
Part 1 looks for any Add operation. When the Add operation occurs, two local variables are set. The
first local variable is named target-container. The value of target-container is set to the destination
DN. The second local variable is named does-target-exist. The value of does-target-exist is set to the
destination attribute value of objectclass. The class is set to OrganizationalUnit. The DN of the
OrganizationalUnit is set to the local variable of target-container.
Figure 6-1 Create Container
Using Predefined Rules 49
Page 50
Part 2 checks to see if the local variable does-target-exist is available. It also checks to see if the
value of the local variable does-target-exist is set to a blank value. If the value is blank, then an
Organizational Unit object is created. The DN of the organizational unit is set to the value of the
local variable target-container. It also adds the value for the OU attribute. The value of the OU
attribute is set to the name of the new organizational unit, which is obtained by parsing the value of
the local variable target-container.
For more information on the Editor and how to access it, see “Argument Builder” on page 26.
6.2 Command Transformation - Publisher Delete
to Disable
novdocx (en) 13 May 2009
This rule transforms a Delete operation for a User object into a Modify operation that disables the
target User object in eDirectory
policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Command
Transformation policy set, and importing the predefined rule. If you already have a Command
Transformation policy that you want to add this rule to, skip to Importing the Predefined Rule
(page 50).
TM
. Implement the rule on the Publisher Command Transformation
6.2.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Command Transformation Policy set object on the Publisher channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.2.2, “Importing the Predefined Rule,” on page 50.
6.2.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Command Transformation - Publisher Delete to Disable.
3 Expand the predefined rule.
50 Policies in iManager for Identity Manager 3.6.1
Page 51
4 Click OK.
There is no information to change in the rule that is specific to your environment.
6.2.3 How the Rule Works
This rule is used when a Delete command is going to be sent to the Identity Vault, usually in
response to a Delete event that occurred in the connected system. Instead of the User object being
deleted in the Identity Vault, the User object is disabled. When a Delete command is processed for a
User object, the destination attribute value of Login Disabled is set to true, the association is
removed from the User object, and the Delete command is vetoed. The User object can no longer log
in into the eDirectory tree, but the User object was not deleted.
6.3 Creation - Require Attributes
This rule prevents User objects from being created unless the required attributes are populated.
Implement the rule on the Subscriber Creation policy or the Publisher Creation policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Creation policy
set, and importing the predefined rule. If you already have a Creation policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 51.
novdocx (en) 13 May 2009
6.3.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Creation Policy set object on the Publisher or Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.3.2, “Importing the Predefined Rule,” on page 51.
6.3.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Creation - Required Attributes.
3 Expand the predefined rule.
4 To edit the rule, click Creation - Required Attributes in the Policy Builder.
The Rule Builder is launched.
Using Predefined Rules 51
Page 52
5 In the Conditions section, click the Browse icon next to the Va lu e field.
6 Browse to and select the attribute you require for a User object to be created.
7 (Optional) If you want more than one required attribute, click the plus icon to add a new action.
8 Select Veto if operation attribute not available, then browse to and select the additional
required attribute.
9 Click OK twice.
6.3.3 How the Rule Works
This rule is used when your business processes require that a user has specific attributes populated in
the source User object before the destination User object can be created. When a User object is
created in the source data store, the rule vetoes the creation of the object in the destination data store
unless the required attributes are provided when the User object is created. You can have one or
more required attributes.
6.4 Creation - Publisher - Use Template
novdocx (en) 13 May 2009
This rule allows for the use of a Novell® eDirectory template object during the creation of a User
object. Implement the rule on the Publisher Creation policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Creation policy
set, and importing the predefined rule. If you already have a Creation policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 52.
6.4.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Creation Policy set object on the Publisher or Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.4.2, “Importing the Predefined Rule,” on page 52.
6.4.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Creation - Publisher - Use Template.
3 Expand the predefined rule.
52 Policies in iManager for Identity Manager 3.6.1
Page 53
4 To edit the rule, click Creation - Publisher - Use Template in the Policy Builder.
The Rule Builder is launched.
5 In the Actions section, click the Edit the arguments icon.
The Argument Builder is launched.
6 In the Editor, click the Browse icon next to the Text field, browse to and select the template
object, then click OK.
7 Click OK.
6.4.3 How the Rule Works
novdocx (en) 13 May 2009
This rule is used when you want to create a user in the Identity Vault based on a template object. If
you have attributes that are the same for users, using the template saves time. You fill in the
information in the template object. When the User object is created, Identity Manager uses the
attribute values from the template to create the User object.
During the creation of User objects, the rule does the action of the set operation template DN, which
instructs the Identity Manager to use the referenced template when creating the object.
6.5 Creation - Set Default Attribute Value
This rule allows you to set default values for attributes that are assigned during the creation of User
objects. Implement the rule on the Subscriber Creation policy or Publisher Creation policy in the
driver.
There are two steps involved in using the predefined rules: creating a policy in the Creation policy
set, and importing the predefined rule. If you already have a Creation policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 54.
6.5.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Creation Policy object on the Publisher or Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.5.2, “Importing the Predefined Rule,” on page 54.
Using Predefined Rules 53
Page 54
6.5.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Creation - Set Default Attribute Value.
3 Expand the predefined rule.
4 To edit the rule, click Creation - Set Default Attribute Value in the Policy Builder.
The Rule Builder is launched.
5 In the Action section, click the Browse icon next to the Enter attribute name field, then browse
to and select the attribute you want to have created.
6 Click the Edit the value list icon next to the Enter argument values field.
The Argument Value List Builder is launched.
7 Browse to and select the type of data you want the value to be.
novdocx (en) 13 May 2009
8 Click the Edit the arguments icon.
The Argument Builder is launched.
9 Delete [Edit default attribute value] from the Argument Builder by selecting it and clicking the
Remove the selected token icon.
10 In the Editor, click the browse button next to the Te xt field, then browse to and select the
container in the desination hierarchy where you want the source
11 Click OK.
6.5.3 How the Rule Works
This rule is used when you want to populate default attribute values when creating a User object.
When a User object is created, the rule adds the specified attribute values if and only if the attribute
has no values supplied by the source object.
If you want more than one attribute value defined, right-click the action and click New > Action.
Select the action, set the default attribute value, and follow the steps above to assign the value to the
attribute.
6.6 Creation - Set Default Password
During the creation of User objects, this rule sets a default password for User objects. Implement the
rule on the Subscriber Creation policy or Publisher Creation policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Creation policy
set, and importing the predefined rule. If you already have a Creation policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 55.
54 Policies in iManager for Identity Manager 3.6.1
Page 55
6.6.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Creation Policy object on the Publisher or Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.6.2, “Importing the Predefined Rule,” on page 55.
6.6.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Creation - Set Default Password.
3 Expand the predefined rule.
novdocx (en) 13 May 2009
4 Click OK.
There is no information to change in the rule that is specific to your environment.
6.6.3 How the Rule Works
This rule is used when you want User objects to be created with a default password. During the
creation of a User object, the password that is set for the User object is the Given Name attribute
plus the Surname attribute of the User object.
You can change the value of the default password by editing the argument. You can set the password
to any other value you want through the Argument Builder.
6.7 Event Transformation - Scope Filtering Include Subtrees
This rule excludes all events that occur outside of the specific subtrees. Implement the rule on the
Subscriber Event Transformation policy or the Publisher Event Transformation policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Event
Transformation policy set, and importing the predefined rule. If you already have an Event
Transformation policy that you want to add this rule to, skip to “Importing the Predefined Rule” on
page 56.
Using Predefined Rules 55
Page 56
6.7.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Event Transformation Policy set object on the Publisher or Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.7.2, “Importing the Predefined Rule,” on page 56.
6.7.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Event Transformation - Scope Filtering - Include subtrees.
3 Expand the predefined rule.
novdocx (en) 13 May 2009
4 To edit the rule, click Event Transformation - Scope Filtering - Include subtrees in the Policy
Builder.
The Rule Builder is launched.
5 Click the browse button next to the Va lu e field to browse the Identity Vault for the part of the
tree where you want events to synchronize, select it, then click OK.
6 Click OK.
6.7.3 How the Rule Works
This rule is used when you only want to synchronize specific subtrees between the Identity vault and
the connected system.When an event occurs anywhere but in that specific part of the Identity Vault,
it is vetoed. You can add additional subtrees to be synchronized by copying and pasting the If
Source DN condition.
6.8 Event Transformation - Scope Filtering Exclude Subtrees
This rule excludes all events that occur in a specific subtree. Implement the rule on the Subscriber
Event Transformation or the Publisher Event Transformation policy in the driver.
56 Policies in iManager for Identity Manager 3.6.1
Page 57
There are two steps involved in using the predefined rules: creating a policy in the Event
Transformation policy set, and importing the predefined rule. If you already have an Event
Transformation policy that you want to add this rule to, skip to “Importing the Predefined Rule” on
page 57.
6.8.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Event Transformation Policies set object on the Publisher or Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.8.2, “Importing the Predefined Rule,” on page 57.
novdocx (en) 13 May 2009
6.8.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Event Transformation - Scope Filtering - Exclude subtrees.
3 Expand the predefined rule.
4 To edit the rule, click Event Transformation - Scope Filtering - Exclude subtrees in the Policy
Builder.
The Rule Builder is launched.
5 Click the browse button next to the Va lu e field to browse the Identity Vault for the part of the
tree you want to exclude events from synchronizing, select it, then click OK.
6 Click OK.
6.8.3 How the Rule Works
This rule is used when you want to exclude part of the Identity Vault or connected system from
synchronizing. When an event occurs in that specific part of the Identity Vault, it is vetoed. You can
add additional subtrees to be excluded by copying and pasting the If Source DN condition.
Using Predefined Rules 57
Page 58
6.9 Input or Output Transformation - Reformat
Telephone Number from (nnn) nnn-nnnn to nnnnnn-nnnn
This rule converts the format of the telephone number. Implement the rule on the Input or Output
Transformation policy in the driver. Typically, if this rule is used on an Input Transformation, you
would then use the rule Reformat Telephone Number from nnn-nnn-nnnn to (nnn) nnn-nnnn on the
Output Transformation and vice versa to convert the format back and forth.
There are two steps involved in using the predefined rules: creating a policy in the Input or Output
Transformation policy set, and importing the predefined rule. If you already have an Input or Output
Transformation policy that you want to add this rule to, skip to “Importing the Predefined Rule” on
page 58.
6.9.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
novdocx (en) 13 May 2009
2 Click the Input or Output Transformation Policy set object on the Publisher or Subscriber
channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.9.2, “Importing the Predefined Rule,” on page 58.
6.9.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to
nnn-nnn-nnnn.
3 Expand the predefined rule.
4 To edit the rule, click Input or Output Transformation - Reformat Telephone Number from
(nnn) nnn-nnnn to nnn-nnn-nnnn in the Policy Builder.
The Rule Builder is launched.
5 Define the condition you want to have occur when the telephone number is reformatted.
6 Click OK.
58 Policies in iManager for Identity Manager 3.6.1
Page 59
6.9.3 How the Rule Works
This rule is used when you want to reformat the telephone number. It finds all the values for the
phone attribute in the current operation that match the pattern (nnn) nnn-nnnn and replaces each
with nnn-nnn-nnnn.
6.10 Input or Output Transformation - Reformat
Telephone Number from nnn-nnn-nnnn to (nnn)
nnn-nnnn
This rule transforms the format of the telephone number. Implement the rule on the Input or Output
Transformation policy. Typically, if you use this rule on an Output Transformation, you would use
the rule Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-nnnn on the Input
Transformation and vice versa to convert the format back and forth.
There are two steps involved in using the predefined rules: creating a policy in the Input or Output
Transformation policy set, and importing the predefined rule. If you already have an Input or Output
Transformation policy that you want to add this rule to, skip to “Importing the Predefined Rule” on
page 59.
novdocx (en) 13 May 2009
6.10.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Input or Output Transformation Policy set object on the Publisher or Subscriber
channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.10.2, “Importing the Predefined Rule,” on page 59.
6.10.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Input or Output Transformation - Reformat Telephone Number from nnn-nnn-nnnn to
(nnn) nnn-nnnn.
3 Expand the predefined rule.
Using Predefined Rules 59
Page 60
4 To edit the rule, click Input or Output Transformation - Reformat Telephone Number from nnn-
nnn-nnnn to (nnn) nnn-nnnn in the Policy Builder.
The Rule Builder is launched.
5 Define the condition you want to have occur when the telephone number is reformatted.
6 Click OK.
6.10.3 How the Rule Works
This rule is used when you want to reformat the telephone number. It finds all the values for the
phone attribute in the current operation that match the pattern (nnn) nnn-nnnn and replaces each
with nnn-nnn-nnnn.
6.11 Matching - Publisher Mirrored
This rule finds matches in the Identity Vault for objects in the connected system based on their name
and location. Implement the rule on the Publisher Matching policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Matching policy
set, and importing the predefined rule. If you already have a Matching policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 60.
novdocx (en) 13 May 2009
6.11.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Matching Policy set object on the Publisher channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.11.2, “Importing the Predefined Rule,” on page 60.
6.11.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
For information on how to access the policy builder, see “Accessing the Policy Builder” on
page 15.
2 Select Matching - Publisher Mirrored.
3 Expand the predefined rule.
60 Policies in iManager for Identity Manager 3.6.1
Page 61
4 To edit the rule, click Matching - Publisher Mirrored in the Policy Builder.
The Rule Builder is launched.
5 In the Conditions section, click the Browse icon next to the Va lu e field.
6 Click the container in the source hierarchy where you want the matching to start.
7 In the Actions section, click the Edit the arguments icon next to the Enter string field.
8 In the Editor, click the browse button next to the Tex t field, browse to and select the container
in the destination hierarchy where you want the source structure to be matched, then click OK.
9 Click OK.
novdocx (en) 13 May 2009
6.11.3 How the Rule Works
When an Add event occurs on an object in the connected system that is located within the specified
source subtree, the rule constructs a DN that represents the same object name and location within the
Identity Vault relative to the specified destination subtree. If the destination objects exists and is of
the desired object class, then it is considered a match. You must supply the DNs of the source
(connected system) and destination (Identity Vault) subtrees.
6.12 Matching - Subscriber Mirrored - LDAP
Format
This rule finds matches in a connected system that uses LDAP format DNs for objects in the Identity
Vault based on their names and locations. Implement the rule on the Subscriber Matching policy in
the driver.
There are two steps involved in using the predefined rules: creating a policy in the Matching policy
set, and importing the predefined rule. If you already have a Matching policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 62.
6.12.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Matching Policy set object on the Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
Using Predefined Rules 61
Page 62
The Policy Builder is launched.
5 Continue with Section 6.12.2, “Importing the Predefined Rule,” on page 62.
6.12.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
For information on how to access the policy builder, see “Accessing the Policy Builder” on
page 15.
2 Select Matching - Subscriber Mirrored - LDAP format.
3 Expand the predefined rule.
novdocx (en) 13 May 2009
4 To edit the rule, click Matching - Subscriber Mirrored - LDAP format in the Policy Builder.
The Rule Builder is launched.
5 In the Condition section, click the Browse icon next to the Val u e field.
6 Click the container in the source hierarchy where you want the matching to start.
7 In the Actions section, click the Edit the arguments icon next to the Enter string field.
8 In the Editor, click the browse button next to the Tex t field, browse to and select the container
in the destination hierarchy where you want the source structure to be matched, then click OK.
9 Click OK.
6.12.3 How the Rule Works
When an Add event occurs on an object in the Identity Vault that is located within the specified
source subtree, the rule constructs a DN that represents the same object name and location within the
connected system relative to the specified destination subtree. If the destination objects exists and is
of the desired object class, then it is considered a match. You must supply the DNs of the source
(Identity Vault) and destination (connected system) subtrees. The connected system must use an
LDAP-formatted DN.
6.13 Matching - By Attribute Value
This rule finds matches for objects by specific attribute values. Implement the rule on the Subscriber
Matching policy or the Publisher Matching policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Matching policy
set, and importing the predefined rule. If you already have a Matching policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 63.
62 Policies in iManager for Identity Manager 3.6.1
Page 63
6.13.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Matching Policies set object on the Publisher or Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.13.2, “Importing the Predefined Rule,” on page 63.
6.13.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Matching - By Attribute Value.
3 Expand the predefined rule.
novdocx (en) 13 May 2009
4 To edit the rule, click Matching - By Attribute Value in the Policy Builder.
The Rule Builder is launched.
5 Click the Edit the arguments icon by the Enter DN field to launch the Argument Builder.
6 In the Editor, click the browse button, browse to and select the container where you want the
search to start, then click OK.
7 In the Action section, click the Edit the match attributes icon to launch the Match Attribute
Builder.
8 Click the browse button next to the Name field and select the attributes you want to match. You
can select one or more attributes to match against. Click OK.
9 Click OK.
6.13.3 How the Rule Works
When an Add event occurs on an object in the source data store, the rule searches for an object in the
destination data store that has the same values for the specified attribute. You must supply the DN of
the base of the subtree to search in the connected system and the name of the attribute to match on.
6.14 Placement - Publisher Mirrored
This rule places objects in the Identity Vault based on the name and location from the connected
system. Implement the rule on the Publisher Placement policy in the driver.
Using Predefined Rules 63
Page 64
There are two steps involved in using the predefined rules: creating a policy in the Placement policy
set, and importing the predefined rule. If you already have a Placement policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 64.
6.14.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Placement Policies set object on the Publisher channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.14.2, “Importing the Predefined Rule,” on page 64.
6.14.2 Importing the Predefined Rule
novdocx (en) 13 May 2009
1 In the Policy Builder, click Insert.
2 Select Placement - Publisher Mirrored.
3 Expand the predefined rule.
4 To edit the rule, click Placement - Publisher Mirrored in the Policy Builder.
The Rule Builder is launched.
5 In the Va l u e field, browse to and select the container in the source hierarchy where you want
the object to be acted upon, then click OK.
6 Click the Edit the arguments icon next to the Enter string field.
The Argument Builder is launched.
7 In the Editor, click the browse button, browse to and select the container in the destination
hierarchy where you want the object to be placed, then click OK.
8 Click OK.
6.14.3 How the Rule Works
If the User object resides in the specified source subtree in the connected system, then the object is
placed at the same relative name and location within the Identity Vault. You must supply the DNs of
the source (connected system) and destination (Identity Vault) subtrees.
64 Policies in iManager for Identity Manager 3.6.1
Page 65
6.15 Placement - Subscriber Mirrored - LDAP
Format
This rule places objects in the data store by using the mirrored structure in the Identity Vault from a
specified point. Implement the rule on the Placement policy in the driver. You can implement the
rule only on the Subscriber channel.
There are two steps involved in using the predefined rules: creating a policy in the Placement policy
set, and importing the predefined rule. If you already have a Placement policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 65.
6.15.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Placement Policies set object on the Subscriber channel.
3 Click Insert.
novdocx (en) 13 May 2009
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.15.2, “Importing the Predefined Rule,” on page 65.
6.15.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Placement - Subscriber Mirrored - LDAP Format.
3 Expand the predefined rule.
4 To edit the rule, click Placement - Subscriber Mirrored - LDAP Format in the Policy Builder.
The Rule Builder is launched.
5 In the Va lu e field, browse to and click the container in the source hierarchy where you want the
object to be acted upon.
6 Click the Edit the arguments icon next to the Enter string field.
The Argument Builder is launched.
7 In the Editor, click the browse button, browse to and select the container in the destination
hierarchy where you want the object to be placed, then click OK.
8 Click OK.
Using Predefined Rules 65
Page 66
6.15.3 How the Rule Works
If the User object resides in the specified source subtree, the object is placed at the same relative
name and location within the Identity Vault. You must supply the DNs of the source (Identity Vault)
and destination (connected system) subtrees. The connected system must use an LDAP-formatted
DN.
6.16 Placement - Publisher Flat
This rule places objects from the data store into one container in the Identity Vault. Implement the
rule on the Publisher Placement policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Placement policy
set, and importing the predefined rule. If you already have a Placement policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 66.
6.16.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
novdocx (en) 13 May 2009
2 Click the Placement Policies set object on the Publisher channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.16.2, “Importing the Predefined Rule,” on page 66.
6.16.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Placement - Publisher Flat.
3 Expand the predefined rule.
4 To edit the rule, click Placement - Publisher Flat in the Policy Builder.
The Rule Builder is launched.
5 In the Enter string field, click the Edit the arguments icon.
66 Policies in iManager for Identity Manager 3.6.1
Page 67
The Argument Builder is launched.
6 In the Editor, click the browse button, browse to and select the destination container were you
want all of the user objects to be placed, then click OK.
7 Click OK.
6.16.3 How the Rule Works
The rule places all User objects in the destination DN. The rule sets the DN of the destination
container as the local variable dest-base. The rule then sets the destination DN to the dest-base\CN
attribute. The CN attribute of the User object is the first two letters of the Given Name attribute plus
the Surname attribute as lowercase. The rule uses slash format.
6.17 Placement - Subscriber Flat - LDAP Format
This rule places objects from the Identity Vault into one container in the data store. Implement the
rule on the Subscriber Placement policy in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Placement policy
set, and importing the predefined rule. If you already have a Placement policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 67.
novdocx (en) 13 May 2009
6.17.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Placement Policies set object on the Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Rule Builder is launched.
5 Continue with Section 6.17.2, “Importing the Predefined Rule,” on page 67.
6.17.2 Importing the Predefined Rule
1 In the Rule Builder, click Insert.
2 Select Placement - Subscriber Flat - LDAP Format.
3 Expand the predefined rule.
Using Predefined Rules 67
Page 68
4 To edit the rule, click Placement - Subscriber Flat - LDAP Format in the Policy Builder.
The Rule Builder is launched.
5 In the Enter string field, click the Edit the arguments icon.
The Argument Builder is launched.
6 In the Editor, add the destination container where you want all of the User objects to be placed.
Make sure the container is specified in LDAP format, then click OK.
7 Click OK.
6.17.3 How the Rule Works
This rule places all User objects in the destination DN. The rule sets the DN of the destination
container as the local variable dest-base. The rule then sets the destination DN to be uid=unique
name, dest-base. The uid attribute of the User object is the first two letters of the Given Name
attribute plus the Surname attribute as lowercase. The rule uses LDAP format.
6.18 Placement - Publisher By Dept
novdocx (en) 13 May 2009
This rule places objects from one container in the data store into multiple containers in the Identity
Vault based on the value of the OU attribute. Implement the rule on the Publisher Placement policy
in the driver.
There are two steps involved in using the predefined rules: creating a policy in the Placement policy
set, and importing the predefined rule. If you already have a Placement policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 68.
6.18.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Placement Policies set object on the Publisher channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.18.2, “Importing the Predefined Rule,” on page 68.
6.18.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Placement - Publisher By Dept.
3 Expand the predefined rule.
68 Policies in iManager for Identity Manager 3.6.1
Page 69
4 To edit the rule, click Placement - Publisher By Dept in the Policy Builder.
The Rule Builder is launched.
5 In the Enter string field, click the Edit the arguments icon.
The Argument Builder is launched.
6 In the Editor, click the browse button, then browse to and select the parent container in the
Identity Vault. Make sure all of the department containers are child containers of this DN, then
click OK.
7 Click OK.
novdocx (en) 13 May 2009
6.18.3 How the Rule Works
This rule places User objects in the correct department containers depending upon what value is
stored in the OU attribute. If a User object needs to be placed and has the OU attribute available,
then the User object is placed in the dest-base\value of OU attribute\CN attribute.
The dest-base is a local variable. The DN must be the relative root path of the department containers.
It can be an organization or an organizational unit. The value stored in the OU attribute must be the
name of a child container of the dest-base local variable.
The value of the OU attribute must be the name of the child container. If the OU attribute is not
present, this rule is not executed.
The CN attribute of the User object is the first two letters of the Given Name attribute plus the
Surname attribute as lowercase. The rule uses slash format.
6.19 Placement - Subscriber By Dept - LDAP
Format
This rule places objects from one container in the Identity Vault into multiple containers in the data
store on the OU attribute. Implement the rule on the Placement policy in the driver. You can
implement the rule only on the Subscriber channel.
There are two steps involved in using the predefined rules: creating a policy in the Placement policy
set, and importing the predefined rule. If you already have a Placement policy that you want to add
this rule to, skip to “Importing the Predefined Rule” on page 70.
Using Predefined Rules 69
Page 70
6.19.1 Creating a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click the Placement Policies set object on the Subscriber channel.
3 Click Insert.
4 Name the policy, make sure to implement the policy with the Policy Builder, then click OK.
The Policy Builder is launched.
5 Continue with Section 6.19.2, “Importing the Predefined Rule,” on page 70.
6.19.2 Importing the Predefined Rule
1 In the Policy Builder, click Insert.
2 Select Placement - Subscriber By Dept - LDAP format.
3 Expand the predefined rule.
novdocx (en) 13 May 2009
4 To edit the rule, click Placement - Subscriber By Dept - LDAP format in the Policy Builder.
The Rule Builder is launched.
5 In the Enter string field, click the Edit the arguments icon.
The Argument Builder is launched.
6 In the Editor, add the parent container in the data store. The parent container must be specified
in LDAP format. Make sure all of the department containers are child containers of this DN,
then click OK.
7 Click OK.
6.19.3 How the Rule Works
This rule places User objects in the correct department containers depending upon what value is
stored in the OU attribute. If a User object needs to be placed and has the OU attribute available,
then the User object is place in the uid=unique name,ou=value of OU attribute,dest-base.
The dest-base is a local variable. The DN must be the relative root path of the department containers.
It can be an organization or an organizational unit. The value stored in the OU attribute must be the
name of a child container of the dest-base local variable.
70 Policies in iManager for Identity Manager 3.6.1
Page 71
The value of the OU attribute must be the name of the child container. If the OU attribute is not
present, then this rule is not executed.
The uid attribute of the User object is the first two letters of the Given Name attribute plus the
Surname attribute as lowercase. The rule uses LDAP format.
novdocx (en) 13 May 2009
Using Predefined Rules 71
Page 72
novdocx (en) 13 May 2009
72 Policies in iManager for Identity Manager 3.6.1
Page 73
7
Storing Information in Resource
novdocx (en) 13 May 2009
Objects
Resource objects store information that drivers use. The resource objects can hold arbitrary data in
any format. Novell
Section 7.1, “Library Objects,” on page 73
Section 7.2, “Mapping Table Objects,” on page 78
Section 7.3, “ECMAScript,” on page 80
Section 7.4, “Application Objects,” on page 80
Section 7.5, “Repository Objects,” on page 81
Section 7.6, “Resource Objects,” on page 81
7.1 Library Objects
Library objects store multiple policies and other resources that are shared by one or more drivers. A
library object can be created in a driver set object or any eDirectory
can exist in an eDirectory tree. Drivers can reference any library in the tree as long as the server that
is running the driver holds a Read/Write or Master replica of the library object.
Style sheets, policies, rules, and other resource objects can be stored in a library and be referenced
by one or more drivers.
®
Identity Manager contains different types of resource objects.
TM
container. Multiple libraries
7
Section 7.1.1, “Managing Libraries,” on page 73
Section 7.1.2, “Adding Objects to the Library,” on page 75
Section 7.1.3, “Using a Policy Stored in the Library,” on page 77
7.1.1 Managing Libraries
You can create, delete, and search for existing libraries in iManager.
“Creating a Library” on page 73
“Deleting a Library” on page 74
Creating a Library
1 Access the Identity Manager Driver Set Overview page by following the steps in “Accessing
the Identity Manager Driver Set Overview Page” on page 265.
2 Click the Libraries tab.
Storing Information in Resource Objects
73
Page 74
3 Click New.
novdocx (en) 13 May 2009
4 Specify a name for the library.
5 The library is created in the container that was previously selected.
6 Click OK.
Deleting a Library
1 Access the Identity Manager Driver Set Overview page by following the steps in “Accessing
the Identity Manager Driver Set Overview Page” on page 265.
2 Click the Libraries tab.
3 Select the library you want to delete, then click Delete.
4 Click OK to confirm the deletion.
74 Policies in iManager for Identity Manager 3.6.1
Page 75
7.1.2 Adding Objects to the Library
You can add policies, mapping tables, and Credential Provisioning policy resource objects to a
library.
“Adding Policies to the Library” on page 75
“Adding a Mapping Table to a Library” on page 75
“Adding Credential Provisioning Policy Resource Objects to a Library” on page 76
Adding Policies to the Library
1 Access the Identity Manager Driver Set Overview page by following the steps in “Accessing
the Identity Manager Driver Set Overview Page” on page 265.
2 Click the Libraries tab.
3 Click the library you want to add a policy to.
novdocx (en) 13 May 2009
4 Click the Policies tab, then click the plus icon to add a policy to the library.
5 Specify the name for the policy.
6 Select how to implement the policy, then click OK.
If you select Policy Builder, Schema Mapping Policy, XSLT, or ECMAScript, the object is
created and displayed in the library. Each object must be edited to add the policy
information into the object.
If you select Make a copy from an existing policy, browse to and select the policy to store
in the library.
Adding a Mapping Table to a Library
1 Access the Identity Manager Driver Set Overview page by following the steps in “Accessing
the Identity Manager Driver Set Overview Page” on page 265.
Storing Information in Resource Objects 75
Page 76
2 Click the Libraries tab.
3 Click the library you want to add a mapping table to.
4 Click the Mapping Tables tab, then click Insert to add a mapping table to the library.
novdocx (en) 13 May 2009
5 Specify the name for the mapping table.
6 Browse to and select the library where the mapping table will be created.
7 Click OK.
The Mapping Table Editor is launched.
8 Click the Add a column to the mapping table icon.
9 Specify a value for the column, then select whether the value is case sensitive, case insensitive,
or numeric.
10 Click the Add Row icon.
11 Specify a value for the row.
12 Click Apply to save the mapping table and continue working in the editor
or
Click OK to save the mapping table and close the editor.
For more information about mapping tables, see Section 7.2, “Mapping Table Objects,” on page 78.
Adding Credential Provisioning Policy Resource Objects to a Library
1 Access the Identity Manager Driver Set Overview page by following the steps in “Accessing
the Identity Manager Driver Set Overview Page” on page 265.
2 Click the Libraries tab.
76 Policies in iManager for Identity Manager 3.6.1
Page 77
3 Click the library you want to add a Credential Provisioning policy resource object to.
4 Click the Credential Provisioning tab.
5 Click Repositories, then click New to add a new repository object to the library.
or
Click Applications, then click New to add a new application object to the library.
novdocx (en) 13 May 2009
6 Click OK.
7.1.3 Using a Policy Stored in the Library
The library object stores information that is used multiple times. It can be used by multiple drivers
or by the same driver multiple times. To use the policy stored in the library:
1 Access the Identity Manager Driver Overview page by following the steps in “Accessing the
Identity Manager Driver Overview Page” on page 266.
2 Click a policy set, click Insert, then proceed to Step 3.
or
Click an existing policy, then skip to Step 6.
3 Select Use an existing policy.
4 Browse to and select the policy that is stored in the library, then click OK.
5 Click Close.
6 Click Insert > Append a reference to a policy containing DirXML Script.
Storing Information in Resource Objects 77
Page 78
7 Browse to and select the policy that is stored in the library, then click OK twice.
8 Click Close.
7.2 Mapping Table Objects
A mapping table object is used by a policy to map a set of values to another set of corresponding
values. After a mapping table object is created, the Map (page 253) token maps the results of the
specified tokens from the values specified in the mapping table.
To use a mapping table object, the following steps must be completed:
1. Section 7.2.1, “Creating a Mapping Table Object,” on page 78
2. Section 7.2.2, “Adding a Mapping Table Object to a Policy,” on page 79
7.2.1 Creating a Mapping Table Object
1 Access the Identity Manager Driver Overview page, by following the steps in “Accessing the
Identity Manager Driver Overview Page” on page 266.
novdocx (en) 13 May 2009
Choose the driver where you want to create the mapping table.
2 Select Advanced > Mapping Tables, then click Insert.
3 Specify the name of the mapping table object.
4 Browse to and select the container where the mapping table will be created, then click OK.
5 Click the Add Column icon.
78 Policies in iManager for Identity Manager 3.6.1
Page 79
6 Specify the name of the column, then select whether the value is Case insensitive, Case
sensitive, or Numeric.
If you want to add more columns, repeat Step 5 and Step 6.
7 Click the Add Row icon.
novdocx (en) 13 May 2009
8 Specify the value for the row.
If you want more rows, repeat Step 7 and Step 8.
9 Click OK to save the mapping table and exit the Mapping Table editor.
7.2.2 Adding a Mapping Table Object to a Policy
1 Access the Identity Manager Driver Overview page by following the steps in “Accessing the
Identity Manager Driver Overview Page” on page 266.
2 Click a policy set where you want to add a mapping table object.
Storing Information in Resource Objects 79
Page 80
3 Create a policy to use the mapping table in. For instructions on how to do this, see “Creating a
Policy in a Driver” on page 16.
or
Click an existing policy to edit.
The Policy Builder is displayed.
4 If you created your own policy, or if there are no rules for your policy, create a rule for the
policy. For information on how to do this, see “Defining Individual Rules within a Policy” on
page 19.
5 Click a rule.
The Rule Builder is launched.
6 Create a rule that contains an action that would call the mapping table.
7 Launch the Argument Builder in the Rule Builder by clicking the Edit the arguments icon in the
Action List section.
8 Select Map from the list of Ve rb s, then click Add.
9 In the Editor field, browse to and select the mapping table object created in Section 7.2.1,
“Creating a Mapping Table Object,” on page 78.
10 Specify the source column name.
11 Specify the destination column name.
novdocx (en) 13 May 2009
12 (Optional) Define the default value for the destination column.
13 Select a Noun to achieve the desired results, then click OK to save the argument.
The mapping table can be used in any manner at this point. In this example, the OU attribute is
populated with the value derived from the mapping table.
The Map token is a Verb token. It requires a Noun token to act upon in order to function.
7.3 ECMAScript
ECMAScript objects are resource objects that store ECMAScripts, which are used by policies and
style sheets. For more information on ECMAScript, see Chapter 8, “Using ECMAScript in
Policies,” on page 83.
7.4 Application Objects
Application objects are part of Novell® Credential Provisioning policies. The application objects
store application authentication parameter values for SecureLogin. For information about
application objects, see Novell Credential Provisioning for Identity Manager 3.6.
80 Policies in iManager for Identity Manager 3.6.1
Page 81
7.5 Repository Objects
Repository objects are part of Novell Credential Provisioning policies. The repository objects store
static configuration information for SecureLogin. For information about repository objects, see
Novell Credential Provisioning for Identity Manager 3.6.
7.6 Resource Objects
Resource objects allow you store information that a policy consumes. It can be any information
stored in text or XML format. A resource object is stored in a library or driver object. An example of
using a resource object is when multiple drivers need the same set of constant parameters. The
resource object stores the parameters and the drivers use these parameters at any time.
At this time, the supported way to create resource objects is through Designer. For more
information, see “Storing Information in Resource Objects” in Policies in Designer 3.5.
novdocx (en) 13 May 2009
Storing Information in Resource Objects 81
Page 82
novdocx (en) 13 May 2009
82 Policies in iManager for Identity Manager 3.6.1
Page 83
8
Using ECMAScript in Policies
ECMAScript is a scripting programming language, standardized by Ecma International. It is often
referred to as JavaScript* or JScript*, but these are subsets of ECMAScript. Identity Manager 3.5.1
and later supports a new object type called ECMAScript objects. ECMAScript objects are resource
objects that store ECMAScripts. The ECMAScript is called through a policy to provide advanced
functionality that DirXML Script or XSLT style sheets cannot provide.
This section explains how to use the ECMAScript editor, how to use ECMAScript with policies, and
how to use ECMAScript with custom forms. It does not explain the ECMAScript language. See the
ECMAScript Language Specification (http://www.ecma-international.org/publications/standards/
Ecma-262.htm) for information on how to use the ECMAScript language.
Section 8.1, “Creating an ECMAScript,” on page 83
Section 8.2, “Using an Existing ECMAScript,” on page 86
Section 8.3, “Examples of ECMAScripts with Policies,” on page 87
novdocx (en) 13 May 2009
8
8.1 Creating an ECMAScript
An ECMAScript is stored on a driver or in a library.
Section 8.1.1, “Creating an ECMAScript in a Driver,” on page 83
Section 8.1.2, “Creating an ECMAScript in a Library,” on page 84
8.1.1 Creating an ECMAScript in a Driver
1 Access the Identity Manager Driver Overview by following the steps in “Accessing the Identity
Manager Driver Overview Page” on page 266.
Ensure that the driver where you want to create the ECMAScript is the driver displayed in the
Identity Manager Driver Overview.
2 Select Advanced > ECMAScript, then click Insert.
3 Select Create a new ECMAScript.
Using ECMAScript in Policies
83
Page 84
novdocx (en) 13 May 2009
4 Specify the name of the ECMAScript.
5 Browse to and select the driver where you want to store the ECMAScript, then click OK.
6 Click Enable ECMAScript editing, then type the ECMAScript.
If you have an existing ECMAScript in a file, you want to use, open the file in a text editor and
copy the information into the ECMAScript editor.
7 Click Apply to save the information in the ECMAScript editor
or
Click OK to save the changes and close the ECMAScript editor.
8.1.2 Creating an ECMAScript in a Library
1 Access the Identity Manager Driver Set Overview page by following the steps in “Accessing
the Identity Manager Driver Set Overview Page” on page 265.
2 Click the Libraries tab.
3 Click the library you want to add an ECMAScript to.
4 Click the Policies tab, then click the plus icon.
84 Policies in iManager for Identity Manager 3.6.1
Page 85
5 Click the Create a policy in this container icon.
novdocx (en) 13 May 2009
6 Specify the name for the ECMAScript.
7 Select ECMAScript, then click OK.
8 Click the ECMAScript in the list of policies stored in the library.
Using ECMAScript in Policies 85
Page 86
9 On Identity Manager, click Edit Resource > select Enable ECMAScript editing, then type the
ECMAScript.
If you have an existing ECMAScript in a file that you want to use, open the file in a text editor
and copy the information into the ECMAScript editor.
10 Click Apply to save the information in the ECMAScript editor
or
Click OK to save the changes and close the ECMAScript editor.
8.2 Using an Existing ECMAScript
If you have an existing ECMAScript in Identity Manager, you can copy the object to a new location.
The existing ECMAScript can be copied to a driver or a library.
Section 8.2.1, “Using an Existing ECMAScript in a Driver,” on page 86
Section 8.2.2, “Using an Existing ECMAScript in a Library,” on page 86
8.2.1 Using an Existing ECMAScript in a Driver
novdocx (en) 13 May 2009
1 Access the Identity Manager Driver Overview page by following the steps in “Accessing the
Identity Manager Driver Overview Page” on page 266.
Ensure that the driver where you want to copy the existing ECMAScript to is the driver
displayed in the Identity Manager Driver Overview.
2 Select Advanced > ECMAScript, then click Insert.
3 Select Use an existing ECMAScript.
4 Browse to and select the existing ECMAScript.
5 Click OK.
8.2.2 Using an Existing ECMAScript in a Library
1 Access the Identity Manager Driver Set Overview page by following the steps in “Accessing
the Identity Manager Driver Set Overview Page” on page 265.
2 Click the Libraries tab.
3 Click the library you want to add the existing ECMAScript to.
86 Policies in iManager for Identity Manager 3.6.1
Page 87
4 Click the Policies tab, then click the plus icon.
novdocx (en) 13 May 2009
5 Select Make a copy from an existing policy.
6 Browse to and select the existing ECMAScript, then click OK.
8.3 Examples of ECMAScripts with Policies
The following examples use the ECMAScript file
policies. The
demo.js
file contains three ECMAScript function definitions.
demo.js
(../samples/demo.js) with different
Using ECMAScript in Policies 87
Page 88
8.3.1 DirXML Script Policy Calling an ECMAScript Function
The DirXML® Script policy converts an attribute that is a URL reference to a photo to the Base64
encoded photo data by calling the ECMAScript function
getB64ImageFromURL()
be used as an Input Transformation or Output Transformation policy.
The function reads an image from a URL and returns the content as Base64 encoded string.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builderdtd" "C:\Program
Files\Novell\Designer\eclipse\plugins\com.novell.designer.idm.policybuilder_1
.2.0.200612180606\DTD\dirxmlscript.dtd"><policy>
<rule>
<description>Reformat photo from URL to octet</description>
<conditions/>
<actions>
<do-reformat-op-attr name="photo">
<arg-value type="octet">
<token-xpath expression="es:getB64ImageFromURL(string($currentvalue))"/>
</arg-value>
</do-reformat-op-attr>
</actions>
</rule>
</policy>
.The policy can
novdocx (en) 13 May 2009
Function:
Parameters:
<static> String getB64ImageFromURL(<String> urlString)
urlString
(URL of the image file)
Returns: Base64 encoded content of the image (or empty string if error)
The file
getB64ImageFromURL
ReformatPhoto.xml
from a DirXML Script policy. The file
(../samples/ReformatPhoto.xml) calls the ECMAScript function
phototest.xml
(../samples/
phototest.xml) is a sample input document that shows the policy in action.
Figure 8-1 Reformat Photo Example
The ECMAScript calls the getB64ImageFromURL function which then returns the current value as
a string.
8.3.2 XSLT Policy Calling an ECMAScript Function at the Driver
Level
The XSLT policy either splits a single comma-delimited value into multiple values, or joins multiple
values into a single comma-delimited value. The XSLT policy is defined at the driver level and is
used as an Input Transformation or Output Transformation policy.
88 Policies in iManager for Identity Manager 3.6.1
Page 89
NOTE: DirXML Script has the split and join functionality built in, but XSLT does not. This type of
function allows XSLT to have the split and join functionality.
There are two functions:
“Join” on page 89
“Split” on page 89
Join
The Join function joins the text values of Nodes in a NodeSet into a single string.
<!-- template that joins the joinme attribute values into a single value -->
<xsl:template match="*[@attr-name='joinme']//*[value] | *[@attrname='joinme'][value]">
<xsl:copy>
<xsl:apply-templates select="@*|node()[not(self::value)]"/>
<value>
<xsl:value-of select="es:join(value)"/>
</value>
</xsl:copy>
</xsl:template>
novdocx (en) 13 May 2009
Function:
Parameters:
<static> String join(<NodeSet> nodeSet, <string> delimiter)
nodeSet
(the input NodeSet) and
delimiter
(the delimiter to split on (optional:
default = none))
Returns: The concatenation of the string values of the Nodes in the nodeSet, separated by the
delimiter.
Split
The Split function splits a string into a NodeSet.
<!-- template that splits the splitme attribute values into multiple values -
->
<xsl:template match="*[@attr-name='splitme']//value">
<xsl:for-each select="es:split(string(.))">
<value>
<xsl:value-of select="."/>
</value>
</xsl:for-each>
</xsl:template>
Function:
Parameters:
<static> NodeSet split(<String> inputString, <String> delimiter
inputString
(the script to split) and
delimiter
(the delimiter to split on (optional:
)
default = “,”))
Returns: A NodeSet containing text nodes.
The file
SplitJoin.xsl
sheet. The file
splitjointest.xml
(../samples/SplitJoin.xsl) calls the join or split functions in an XSLT style
the style sheet in action.
(../samples/splitjointest.xml) is an input document that shows
Using ECMAScript in Policies 89
Page 90
8.3.3 XSLT Policy Calling an ECMAScript Function in the Style
Sheet
The XSLT policy demonstrates embedding an ECMAScript function definition with the XSLT style
sheet. The function converts a string to uppercase.
<!-- define ecmascript functions -->
<es:script>
function uppercase(input)
{
return String(input).toUpperCase();
}
</es:script>
novdocx (en) 13 May 2009
The file
XSLT style sheet. The file
uppercase.xsl
(../samples/uppercase.xsl) defines the ECMAScript function with the
uppercasetest.xml
document that shows the style sheet in action.
(../samples/uppercasetest.xml) is an input
90 Policies in iManager for Identity Manager 3.6.1
Page 91
9
Conditions
Conditions define when actions are performed. Conditions are always specified in either
Conjunctive Normal Form (CNF) (http://mathworld.wolfram.com/ConjunctiveNormalForm.html)
or Disjunctive Normal Form (DNF) (http://mathworld.wolfram.com/DisjunctiveNormalForm.html).
These are logical expression forms. The actions of the enclosing rule are only performed when the
logical expression represented in CNF or DNF evaluates to True or when no conditions are
specified.
This section contains detailed information about all conditions that are available through the Policy
Builder interface.
“If Association” on page 92
“If Attribute” on page 94
“If Class Name” on page 97
“If Destination Attribute” on page 100
“If Destination DN” on page 103
novdocx (en) 13 May 2009
9
“If Entitlement” on page 105
“If Global Configuration Value” on page 108
“If Local Variable” on page 110
“If Named Password” on page 113
“If Operation Attribute” on page 114
“If Operation Property” on page 118
“If Operation” on page 120
“If Password” on page 123
“If Source Attribute” on page 126
“If Source DN” on page 128
“If XML Attribute” on page 130
“If XPath Expression” on page 132
Conditions
91
Page 92
If Association
Performs a test on the association value of the current operation or the current object. The type of
test performed depends on the operator specified by the operation attribute.
Fields
Operator
Select the condition test type.
Operator Returns True when...
Associated There is an established association for the current object.
Not Association There is not an established association for the current object.
Available There is a non-empty association value specified by the current
operation.
Not available The association is not available for the current object.
novdocx (en) 13 May 2009
Equal The association value specified by the current operation is exactly equal
to the content of the if association.
Not Equal The association value specified by the current operation is not equal to
the content of the if association.
Greater Than The association value specified by the current operation is greater than
the content of the condition when compared using the specified
comparison mode.
Not Greater Than Greater Than or Equal would return False.
Less Than The association value specified by the current operation is less than the
content of the condition when compared using the specified comparison
mode.
Not Less Than Less Than or Equal would return False.
Va lu e
Contains the value defined for the selected operator. The operators that contain the value field
are:
Equal
Not Equal
Not Greater Than
Less Than
Not Less Than
Comparison Mode
Some condition tests have a mode parameter that indicates how the comparison is done.
92 Policies in iManager for Identity Manager 3.6.1
Page 93
Mode Description
Case Sensitive Character-by-character case sensitive comparison.
Case Insensitive Character-by-character case insensitive comparison.
Regular Expression The regular expression matches the entire string. It defaults to case
insensitive, but can be changed by an escape in the expression.
See Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/
Pattern.html).
The pattern options CASE_INSENSITIVE, DOTALL, and UNICODE_CASE
are used but can be reversed using the appropriate embedded escapes.
Source DN Compares using semantics appropriate to the DN format for the source data
store.
Destination DN Compares using semantics appropriate to the DN format for the destination
data store.
Numeric Compares numerically.
novdocx (en) 13 May 2009
Binary Compares the binary information.
The operators that have a comparison mode parameter are:
Equal
Not Equal
Not Greater Than
Less Than
Not Less Than
Example
This example tests to see if the association is available. When this condition is met, the actions that
are defined are executed.
Conditions 93
Page 94
If Attribute
Performs a test on attribute values of the current object in either the current operation or the source
data store. It can be logically thought of as If Operation Attribute or If Source Attribute, because the
test is satisfied if the condition is met in the source data store or in the operation. The test performed
depends on the specified operator.
Fields
Name
Specify the name of the attribute to test.
Operator
Select the condition test type.
Operator Returns True when...
Available There is a value available in either the current operation or the source
data store for the specified attribute.
novdocx (en) 13 May 2009
Not Available Available would return False.
Equal There is a value available in either the current operation or the source
data store for the specified attribute, which equals the specified value
when compared using the specified comparison mode.
Not Equal Equal would return False.
Greater Than There is a value available in either the current operation or the source
data store for the specified attribute that is greater than the content of the
condition when compared using the specified comparison mode.
Not Greater Than Greater Than or Equal would return False.
Less Than There is a value available in either the current operation or the source
data store for the specified attribute that is less than the content of the
condition when compared using the specified comparison mode.
Not Less Than Less Than or Equal would return False.
Va lu e
Contains the value defined for the selected operator. The value is used by the condition. The
operators that contain the value field are:
Equal
Not Equal
Not Greater Than
Less Than
Not Less Than
Comparison Mode
Some condition tests have a mode parameter that indicates how the comparison is done.
94 Policies in iManager for Identity Manager 3.6.1
Page 95
Mode Description
Case Sensitive Character-by-character case sensitive comparison.
Case Insensitive Character-by-character case insensitive comparison.
Regular Expression The regular expression matches the entire string. It defaults to case
insensitive, but can be changed by an escape in the expression.
See Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/
Pattern.html).
The pattern options CASE_INSENSITIVE, DOTALL, and UNICODE_CASE
are used but can be reversed using the appropriate embedded escapes.
Source DN Compares using semantics appropriate to the DN format for the source data
store.
Destination DN Compares using semantics appropriate to the DN format for the destination
data store.
Numeric Compares numerically.
novdocx (en) 13 May 2009
Binary Compares the binary information.
The operators that contain the comparison mode parameter are:
Equal
Not Equal
Not Greater Than
Less Than
Not Less Than
Example
The example uses the condition If Attribute when filtering for User objects that are disabled or have
a certain title. The policy is Policy to Filter Events, and it is available for download from the
®
Novell
Understanding Policies for Identity Manager 3.6. To view the policy in XML, see 001-Event-
FilterByContainerDisabledOrTitle.xml (../samples/001-EventFilterByContainerDisabledOrTitle.xml).
Support Web site. For more information, see “Downloading Identity Manager Policies” in
The condition is looking for any User object that has an attribute of Title with a value of consultant
or sales.
Conditions 95
Page 96
novdocx (en) 13 May 2009
96 Policies in iManager for Identity Manager 3.6.1
Page 97
If Class Name
Performs a test on the object class name in the current operation.
Fields
Operator
Select the condition test type.
Operator Returns True when...
Available There is an object class name available in the current operation.
Not Available Available would return False.
Equal There is an object class name available in the current operation, and it
equals the specified value when compared using the specified
comparison mode.
Not Equal Equal would return False.
novdocx (en) 13 May 2009
Greater Than There is an object class name available in the current operation, and it is
greater than the content of the condition when compared using the
specified comparison mode.
Not Greater Than Greater Than or Equal would return False.
Less Than There is an object class name available in the current operation, and it is
less than the content of the condition when compared using the specified
comparison mode.
Not Less Than Less Than or Equal would return False.
Va lu e
Contains the value defined for the selected operator. The value is used by the condition. The
operators that contain the value field are:
Equal
Not Equal
Not Greater Than
Less Than
Not Less Than
Comparison Mode
Some condition tests have a mode parameter that indicates how the comparison is done.
Mode Description
Case Sensitive Character-by-character case sensitive comparison.
Case Insensitive Character-by-character case insensitive comparison.
Conditions 97
Page 98
Mode Description
Regular Expression The regular expression matches the entire string. It defaults to case
insensitive, but can be changed by an escape in the expression.
See Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/
Pattern.html).
The pattern options CASE_INSENSITIVE, DOTALL, and UNICODE_CASE
are used but can be reversed using the appropriate embedded escapes.
Source DN Compares using semantics appropriate to the DN format for the source data
store.
Destination DN Compares using semantics appropriate to the DN format for the destination
data store.
Numeric Compares numerically.
Binary Compares the binary information.
The operators that contain the comparison mode parameter are:
Equal
Not Equal
novdocx (en) 13 May 2009
Not Greater Than
Less Than
Not Less Than
Example
The example uses the condition If Class Name to govern group membership for a User object based
on the title. The policy is Govern Groups for User Based on Title Attribute, and it is available for
download from the Novell Support Web site. For more information, see “Downloading Identity
Manager Policies” in Understanding Policies for Identity Manager 3.6. To view the policy in XML,
see 004-Command-GroupChangeOnTitleChange.xml (../samples/004-Command-
GroupChangeOnTitleChange.xml).
Checks to see if the class name of the current object is User.
98 Policies in iManager for Identity Manager 3.6.1
Page 99
novdocx (en) 13 May 2009
Conditions 99
Page 100
If Destination Attribute
Performs a test on attribute values of the current object in the destination data store. The test
performed depends on the specified operator.
Fields
Name
Specify the name of the attribute to test.
Operator
Select the condition test type.
Operator Returns True when...
Available There is a value available in the destination data store for the specified
attribute.
Not Available Available would return False.
novdocx (en) 13 May 2009
Equal There is a value available for the specified attribute in the destination data
store that equals the specified value when compared using the specified
comparison mode.
Not Equal Equal would return False.
Greater Than There is a value available for the specified attribute in the destination data
store that is greater than the content of the condition when compared
using the specified comparison mode. If
content must be a set of
text.
Not Greater Than Greater Than or Equal would return False.
Less Than There is a value available for the specified attribute in the destination data
store that is greater than the content of the condition when compared
using the specified comparison mode. If
content must be a set of
text.
Not Less Than Less Than or Equal would return False.
<component>
<component>
mode=“structured”
elements; otherwise, it must be
mode=“structured”
elements; otherwise, it must be
Va lu e
Contains the value defined for the selected operator. The value is used by the condition. The
operators that contain the value field are:
Equal
Not Equal
Not Greater Than
, the
, the
Less Than
Not Less Than
Comparison Mode
Some condition tests have a mode parameter that indicates how the comparison is done.
100 Policies in iManager for Identity Manager 3.6.1
Loading...