Novell POLICIES IN IMANAGER 3.6.1 - 06-05-2009, POLICIES IN IMANAGER 3.6.1 User Manual

Novell®
www.novell.com
Policies in iManager
novdocx (en) 13 May 2009
AUTHORIZED DOCUMENTATION
Policies in iManager for Identity Manager 3.6.1
Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 11
1 Overview 13
2 Managing Policies with Policy Builder 15
2.1 Accessing the Policy Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.1 Creating a Policy in a Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.2.2 Creating a Policy in a Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.3 Defining Individual Rules within a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.4 Creating Arguments within a Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.5 Modifying a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.6 Removing a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.7 Renaming a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.8 Deleting a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.9 Exporting a Policy to an XML File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.10 Importing a Policy from an XML File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.11 Creating a Policy Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
novdocx (en) 22 June 2009
3 Using Additional Builders 25
3.1 Argument Actions Builder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.2 Argument Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.2.1 Argument Builder Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.3 Match Attribute Builder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3.3.1 Match Attribute Builder Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.4 Action Argument Component Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.5 Argument Value List Builder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.5.1 Argument Value List Builder Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.6 String Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.7 Condition Argument Component Builder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
4 Defining Schema Mapping Policies 35
4.1 Accessing Schema Mapping Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.2 Editing the Schema Mapping Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.2.1 Placement of the Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
4.2.2 Schema Map Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5 Controlling the Flow of Objects with the Filter 41
5.1 Accessing the Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.2 Editing the Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.2.1 Removing a Class or an Attribute from the Filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.2.2 Adding a Class. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.2.3 Adding an Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.2.4 Copying a Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.2.5 Setting a Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
5.2.6 Changing the Filter Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
6 Using Predefined Rules 47
6.1 Command Transformation - Create Departmental Container - Part 1 and Part 2 . . . . . . . . . . 48
6.1.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.1.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
6.1.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
6.2 Command Transformation - Publisher Delete to Disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
6.2.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
6.2.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
6.2.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.3 Creation - Require Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.3.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.3.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6.3.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.4 Creation - Publisher - Use Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.4.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.4.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
6.4.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.5 Creation - Set Default Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.5.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
6.5.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.5.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.6 Creation - Set Default Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6.6.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.6.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.6.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.7 Event Transformation - Scope Filtering - Include Subtrees . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
6.7.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.7.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.7.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.8 Event Transformation - Scope Filtering - Exclude Subtrees . . . . . . . . . . . . . . . . . . . . . . . . . . 56
6.8.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.8.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.8.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6.9 Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-nnnn . . . . . 58
6.9.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6.9.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
6.9.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.10 Input or Output Transformation - Reformat Telephone Number from nnn-nnn-nnnn to (nnn) nnn-nnnn . . . . . 59
6.10.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.10.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
6.10.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.11 Matching - Publisher Mirrored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.11.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.11.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.11.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.12 Matching - Subscriber Mirrored - LDAP Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.12.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.12.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.12.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.13 Matching - By Attribute Value. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
6.13.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.13.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.13.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.14 Placement - Publisher Mirrored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
6.14.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.14.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.14.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
6.15 Placement - Subscriber Mirrored - LDAP Format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.15.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.15.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.15.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.16 Placement - Publisher Flat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.16.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.16.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.16.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.17 Placement - Subscriber Flat - LDAP Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.17.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.17.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
6.17.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.18 Placement - Publisher By Dept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.18.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.18.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
6.18.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.19 Placement - Subscriber By Dept - LDAP Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6.19.1 Creating a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
6.19.2 Importing the Predefined Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
6.19.3 How the Rule Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7 Storing Information in Resource Objects 73
7.1 Library Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
7.1.1 Managing Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
7.1.2 Adding Objects to the Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
7.1.3 Using a Policy Stored in the Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
7.2 Mapping Table Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
7.2.1 Creating a Mapping Table Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
7.2.2 Adding a Mapping Table Object to a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
7.3 ECMAScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
7.4 Application Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
7.5 Repository Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
7.6 Resource Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
8 Using ECMAScript in Policies 83
8.1 Creating an ECMAScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
8.1.1 Creating an ECMAScript in a Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
8.1.2 Creating an ECMAScript in a Library. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
8.2 Using an Existing ECMAScript . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
8.2.1 Using an Existing ECMAScript in a Driver. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
8.2.2 Using an Existing ECMAScript in a Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
8.3 Examples of ECMAScripts with Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
8.3.1 DirXML Script Policy Calling an ECMAScript Function . . . . . . . . . . . . . . . . . . . . . . . 88
8.3.2 XSLT Policy Calling an ECMAScript Function at the Driver Level . . . . . . . . . . . . . . . 88
8.3.3 XSLT Policy Calling an ECMAScript Function in the Style Sheet . . . . . . . . . . . . . . . 90
9 Conditions 91
If Association. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
If Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
If Class Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
If Destination Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
If Destination DN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
If Entitlement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
If Global Configuration Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
If Local Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
If Named Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
If Operation Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
If Operation Property. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
If Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
If Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
If Source Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
If Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
If XML Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
If XPath Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
10 Actions 135
Add Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Add Destination Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Add Destination Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Add Source Attribute Value. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Add Source Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Append XML Element . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Append XML Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Break. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Clear Destination Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Clear Operation Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Clear SSO Credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Clear Source Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Clone By XPath Expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Clone Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Delete Destination Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Delete Source Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Find Matching Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
For Each . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Generate Event. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
If . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Implement Entitlement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Move Destination Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Move Source Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Reformat Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Remove Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Remove Destination Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Remove Source Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Rename Destination Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Rename Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Rename Source Object. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Send Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Send Email from Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Set Default Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Set Destination Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Set Destination Password. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Set Local Variable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Set Operation Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Set Operation Class Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Set Operation Destination DN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Set Operation Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Set Operation Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Set Operation Template DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Set Source Attribute Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Set Source Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Set SSO Credential. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Set SSO Passphrase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Set XML Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Start Workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Strip Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Strip XPath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Trace Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Veto. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Veto If Operation Attribute Not Available . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
While . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
11 Noun Tokens 207
Added Entitlement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Attribute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Character . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Class Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Destination Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Destination DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Destination Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Entitlement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Generate Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Global Configuration Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Local Variable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Named Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Operation Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Operation Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Removed Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Removed Entitlements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Resolve . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Source Attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Source Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Unique Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Unmatched Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
XPath . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
12 Verb Tokens 245
Base64 Decode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Base64 Encode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Convert Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Escape Destination DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Escape Source DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Join . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Lowercase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Parse DN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Replace All . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Replace First. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Split . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Substring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Uppercase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
XML Parse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
XML Serialize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
A iManager Navigation 265
A.1 Accessing the Identity Manager Driver Set Overview Page. . . . . . . . . . . . . . . . . . . . . . . . . . 265
A.2 Accessing the Identity Manager Driver Overview Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
About This Guide
Novell® Identity Manager is a data sharing and synchronization service that enables applications, directories, and databases to share information. It links scattered information and enables you to establish policies that govern automatic updates to designated systems when identity changes occur.
Identity Manager provides the foundation for account provisioning, security, single sign-on, user self-service, authentication, authorization, automated workflows, and Web services. It allows you to integrate, manage, and control your distributed identity information so you can securely deliver the right resources to the right people.
This guide provides detailed information on creating and managing policies in iManager.
Chapter 1, “Overview,” on page 13
Chapter 2, “Managing Policies with Policy Builder,” on page 15
Chapter 3, “Using Additional Builders,” on page 25
Chapter 4, “Defining Schema Mapping Policies,” on page 35
Chapter 5, “Controlling the Flow of Objects with the Filter,” on page 41
Chapter 6, “Using Predefined Rules,” on page 47
Chapter 7, “Storing Information in Resource Objects,” on page 73
Chapter 8, “Using ECMAScript in Policies,” on page 83
Chapter 9, “Conditions,” on page 91
Chapter 10, “Actions,” on page 135
Chapter 11, “Noun Tokens,” on page 207
Chapter 12, “Verb Tokens,” on page 245
Audience
This guide is intended for Identity Manager administrators.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Documentation Updates
For the most recent version of Policies in iManager, visit the Identity Manager Documentation Web
site (http://www.novell.com/documentation/idm36).
Additional Documentation
For documentation on Identity Manager drivers, see the Identity Manager Documentation Web site
(http://www.novell.com/documentation/idm36drivers).
For documentation on Novell iManager, see the Novell iManager Documentation Web site (http://
www.novell.com/documentation/imanager27).
For documentation on Designer, see the Designer 3.5 for Identity Manager 3.6 Administration Guide (http://www.novell.com/documentation/designer35).
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
1 Overview
Policies manage the data that is synchronized between the Identity Vault and the remote data store. The policies are stored in policy sets. Identity Manager installs iManager plug-ins that allow you to create and manage policies.
In order to access the objects that are used in policies, see “iManager Navigation” on page 265.
As part of understanding how policies work, it is important to understand their components.
Policies are made up of rules.
A rule is a set of conditions (see Chapter 9, “Conditions,” on page 91) that must be met before
a defined action (see Chapter 10, “Actions,” on page 135) occurs.
Actions can have dynamic arguments that derive from tokens that are expanded at run time.
Tokens are divided into two classifications: nouns and verbs.
Noun tokens (see Chapter 11, “Noun Tokens,” on page 207) expand to values that are
derived from the current operation, the source or destination data stores, or some external source.
Verb tokens (see Chapter 12, “Verb Tokens,” on page 245) modify the concatenated
results of other tokens that are subordinate to them.
Regular expressions (see “Regular Expressions” in Understanding Policies for Identity
Manager 3.6) and XPath 1.0 expressions (see “XPath 1.0 Expressions” in Understanding Policies for Identity Manager 3.6) are commonly used in the rules to create the desired results
for the policies.
A policy operates on an XDS document and its primary purpose is to examine and modify that
document.
An operation is any element in the XDS document that is a child of the input element or the output element. The elements are part of Novell's nds.dtd; for more information, see "NDS DTD" in the Identity Manager 3.6 DTD Reference.
An operation usually represents an event, a command, or a status.
The policy is applied separately to each operation. As the policy is applied to each operation in turn, that operation becomes the current operation. Each rule is applied sequentially to the current operation. All of the rules are applied to the current operation unless an action is executed by a prior rule that causes subsequent rules to no longer be applied.
A policy can also get additional context from outside of the document and cause side effects
that are not reflected in the result document.
For more information on policies and policy types, see Understanding Policies for Identity Manager
3.5.1 (http://www.novell.com/documentation/idm35/policy/data/policytypesoverview.html).
The following sections explain how to create and use policies.
Chapter 2, “Managing Policies with Policy Builder,” on page 15
Chapter 3, “Using Additional Builders,” on page 25
Chapter 4, “Defining Schema Mapping Policies,” on page 35
Chapter 5, “Controlling the Flow of Objects with the Filter,” on page 41
Chapter 6, “Using Predefined Rules,” on page 47
Chapter 7, “Storing Information in Resource Objects,” on page 73
Chapter 8, “Using ECMAScript in Policies,” on page 83
This guide also contains a detailed reference section for all of the elements in DirXML® Script. For more information on DirXML Script, see "DirXML Script DTD" in Identity Manager 3.6 DTD Reference.
Chapter 9, “Conditions,” on page 91
Chapter 10, “Actions,” on page 135
Chapter 11, “Noun Tokens,” on page 207
Chapter 12, “Verb Tokens,” on page 245
2 Managing Policies with Policy Builder
The Policy Builder is a complete graphical interface for creating and managing the policies that define the exchange of data between connected systems.
Section 2.1, “Accessing the Policy Builder,” on page 15
Section 2.2, “Creating a Policy,” on page 15
Section 2.3, “Defining Individual Rules within a Policy,” on page 19
Section 2.4, “Creating Arguments within a Rule,” on page 21
Section 2.5, “Modifying a Policy,” on page 22
Section 2.6, “Removing a Policy,” on page 23
Section 2.7, “Renaming a Policy,” on page 23
Section 2.8, “Deleting a Policy,” on page 23
Section 2.9, “Exporting a Policy to an XML File,” on page 24
Section 2.10, “Importing a Policy from an XML File,” on page 24
Section 2.11, “Creating a Policy Reference,” on page 24
2.1 Accessing the Policy Builder
1 Access the Identity Manager Driver Overview by following the steps in “Accessing the Identity
Manager Driver Overview Page” on page 266.
Ensure that the driver that is displayed in the Identity Manager Overview is the driver for which you want to manage policies.
2 Click the desired policy set, then click the policy you want to edit to open the Policy Builder.
2.2 Creating a Policy
A policy can be created in a driver or in a library object.
Section 2.2.1, “Creating a Policy in a Driver,” on page 16
Section 2.2.2, “Creating a Policy in a Library,” on page 17
2.2.1 Creating a Policy in a Driver
“Creating a New Policy” on page 16
“Using an Existing Policy to Create a Policy” on page 17
Creating a New Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
represents an undefined policy.
represents a defined policy.
3 Click Insert.
4 Select Create a new policy.
5 Specify a name for the new policy.
6 Select how to implement the policy, then click OK.
If you select Policy Builder, the Policy Builder is launched. To define one or more rules for this policy, click Append New Rule, then follow the instructions in Section 2.3, "Defining Individual Rules within a Policy," on page 19.
If you select XSLT, the XML editor is launched. To define the policy with XSLT, see "Defining Policies by Using XSLT Style Sheets" in Understanding Policies for Identity Manager 3.6.
If you select Make a copy from an existing policy, browse to and select the policy to copy.
Using an Existing Policy to Create a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
represents an undefined policy.
represents a defined policy.
3 Click Insert.
4 Select Use an existing policy, then browse to and select the existing policy you want to use.
5 Click OK.
2.2.2 Creating a Policy in a Library
1 Access the Identity Manager Driver Set Overview by following the steps in “Accessing the
Identity Manager Driver Set Overview Page” on page 265.
2 Click the Libraries tab.
3 Click the library you want to add a policy to.
4 Click the plus icon to add a policy to the library.
5 Specify a name for the policy.
6 Select how to implement the policy, then click OK.
If you select Policy Builder, XSLT, or ECMAScript, the object is created and displayed in
the library. Each object must be edited to add the policy information into the object.
If you select Make a copy from an existing policy, browse to and select the policy to store
in the library.
2.3 Defining Individual Rules within a Policy
Rules are defined in the Rule Builder window of the Policy Builder. To access the Rule Builder window:
1 Click the library that contains the policy of the rules you want to define.
2 Click on the policy.
3 Click Append New Rule.
Figure 2-1 Rule Builder Window of the Policy Builder
The Rule Builder interface enables you to quickly create and modify rules using intelligent drop-down menus.
In the Rule Builder, you define a set of conditions that must be met before a defined action occurs.
For example, if you need to create a rule that disallows any new objects from being added to your environment, you might define this rule to indicate that when an add operation occurs, veto the operation.
To implement this logic in the Rule Builder, you could select the following condition:
Figure 2-2 Move User Condition in the Rule Builder Interface
And the following action:
Figure 2-3 Veto Action in the Rule Builder Interface
See Chapter 9, “Conditions,” on page 91 and Chapter 10, “Actions,” on page 135 for a detailed reference on the conditions and actions available in the Rule Builder.
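The rule described above, written out as the DirXML Script that Policy Builder stores on the policy object, together with the kind of XDS document it is applied to. This is an added example and not taken from the original guide: the XDS input document is constructed for illustration, and the tree name, DNs, attribute values and rule descriptions are invented. The policy carries two rules so that the sequencing described in the Overview is visible: for the add operation the first rule's veto ends processing and the second rule never runs, while the modify operation is untouched by the first rule and reaches the second.

```xml
<!-- Constructed XDS input document (not from the guide). Each child of
     <input> is one operation, and the policy is applied to each in turn. -->
<nds dtdversion="3.5" ndsversion="8.x">
  <source>
    <product version="3.6.1">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <!-- operation 1: the first current operation; rule 1 vetoes it -->
    <add class-name="User" event-id="0" src-dn="\ACME\Users\jdoe">
      <add-attr attr-name="Given Name">
        <value type="string">Jane</value>
      </add-attr>
      <add-attr attr-name="Surname">
        <value type="string">Doe</value>
      </add-attr>
    </add>
    <!-- operation 2: evaluated on its own; rule 1 does not match, rule 2 traces it -->
    <modify class-name="User" event-id="1" src-dn="\ACME\Users\bsmith">
      <modify-attr attr-name="Title">
        <remove-all-values/>
        <add-value>
          <value type="string">Engineer</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>

<!-- DirXML Script policy as Policy Builder serializes it. Rule 1 is the
     "when an add operation occurs, veto the operation" rule from the text;
     rule 2 is an extra trace rule added to show that a veto stops later rules. -->
<policy>
  <rule>
    <description>Veto any add operation</description>
    <conditions>
      <and>
        <!-- Condition: If Operation, equal, "add" -->
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- Action: Veto. The current operation is dropped and no further
           rule in this policy is applied to it. -->
      <do-veto/>
    </actions>
  </rule>
  <rule>
    <description>Trace every User operation that was not vetoed</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string>
          <token-text xml:space="preserve">Processing </token-text>
          <token-operation/>
          <token-text xml:space="preserve"> of </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
    </actions>
  </rule>
</policy>
```

The veto rule matches every add regardless of object class; to block only new User objects, add an If Class Name condition to the same and group, since all conditions in an and group must hold before the action runs.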
Tips
To create more complex conditions, you can join conditions and groups of conditions with and/or statements. You can modify the way these are joined by selecting the condition structure:
Figure 2-4 Condition Structure Radio Buttons
Browse: Click the icon to see a list of values for a field. In the example above, this icon
opens a list of valid class names.
Argument Builder: Click the icon to use the Argument Builder interface to construct an
argument.
Enable/Disable Policy, Rule, Condition or Action: Click the icon to disable a policy,
rule, condition, or action. Click the icon to re-enable it.
Enable/Disable Policy Tracing: Click the icon to disable tracing on the policy. Click the
icon to re-enable tracing of the policy.
Comment: Click the icon to add a comment to a policy or rule. Comments are stored
directly on the policy or rule, and can be as long as necessary.
Cut/Copy/Paste: Use the Cut/Copy/Paste icons to use the Policy Builder clipboard.
The Paste icon is disabled if the current content on the clipboard is invalid at that location.
Conditions: Use the icons to add, remove, and position conditions.
Add Condition Groups: Use the button to add condition groups.
Remove and Position Condition Groups: Use the icons to remove and position
condition groups.
2.4 Creating Arguments within a Rule
The Argument Builder provides a dynamic graphical interface that enables you to construct complex argument expressions for use within the Rule Builder. To access the Argument Builder, see
“Argument Builder” on page 26.
Arguments are dynamically used by actions and are derived from tokens that are expanded at run time.
Tokens are divided into two classifications: nouns and verbs. Noun tokens expand to values that are derived from the current operation, the source or destination data stores, or some external source. Verb tokens modify the results of other tokens that are subordinate to them.
Figure 2-5 Default Argument Builder Interface
To define an expression, select one or more noun tokens (values, objects, variables, etc.), and combine them with verb tokens (substring, escape, uppercase, and lowercase) to construct arguments. Multiple tokens are combined to construct complex arguments.
For example, if you want the argument set to an attribute value:
1 In the Argument Builder, select Attribute from the list of noun tokens, then click Add.
2 Browse to and select the attribute name in the editor.
If you want only a portion of this attribute, you can combine the attribute token with the substring token. The expression displays a substring length of 1 for the Given Name attribute combined with the entire Surname attribute.
After you add a noun or verb, you can provide values in the editor, then immediately add another noun or verb. You do not need to refresh the Expression pane to apply your changes; they appear when the next operation is performed.
See Chapter 11, “Noun Tokens,” on page 207 and Chapter 12, “Verb Tokens,” on page 245 for a detailed reference on the noun and verb tokens. See Section 3.2, “Argument Builder,” on page 26 for more information on the Argument Builder.
2.5 Modifying a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Click the name of the policy you want to modify.
The Policy Builder is launched.
4 Make the desired modifications, then click OK.
2.6 Removing a Policy
The Remove option removes the policy from the selected Policy Set but doesn’t delete the policy.
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon, select the policy you want to remove, then click Remove.
To view a policy that is not associated with a policy set:
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click Advanced > Show All Policies.
To add the removed policy back to the policy set:
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Click Insert.
4 Select Use an existing policy, then click the browse button.
5 Browse to the policy you want to add.
Make sure you are in the proper container to see the policy.
6 Click OK.
7 Click Close.
2.7 Renaming a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Select the policy you want to rename.
4 Click Rename and rename the policy.
5 Click OK.
6 Click Close.
2.8 Deleting a Policy
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Select the policy you want to delete, then click Delete.
2.9 Exporting a Policy to an XML File
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Click the name of a policy.
4 Click the Save As button, then select a location to save the DirXML® Script XML file.
5 Click Save.
2.10 Importing a Policy from an XML File
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Click the name of a policy.
4 Click the Insert button, then select Import an XML file containing DirXML Script.
5 Browse to and select the policy file to import, then click OK.
2.11 Creating a Policy Reference
A policy reference enables you to create a single policy, and reference it in multiple locations. If you have a policy that is used by more than one driver or policy, creating a reference simplifies management of this policy.
1 Open the Identity Manager Driver Overview for the driver you want to manage.
For instructions on how to access the Identity Manager Driver Overview page, see “Accessing
the Identity Manager Driver Overview Page” on page 266.
2 Click a policy set icon.
3 Click the name of a policy.
4 Click the Insert button, and select Append a reference to a policy containing DirXML Script.
5 Browse to and select the policy object to reference, then click OK.
3 Using Additional Builders
Although you define most arguments by using the Argument Builder (see Section 2.4, “Creating
Arguments within a Rule,” on page 21), there are several more builders that are used by the
Condition Editor and Action Editor in the Policy Builder. Each builder can recursively call any one of the builders in the following list:
Section 3.1, “Argument Actions Builder,” on page 25
Section 3.2, “Argument Builder,” on page 26
Section 3.3, “Match Attribute Builder,” on page 30
Section 3.4, “Action Argument Component Builder,” on page 31
Section 3.5, “Argument Value List Builder,” on page 31
Section 3.6, “String Builder,” on page 32
Section 3.7, “Condition Argument Component Builder,” on page 33
3.1 Argument Actions Builder
The Argument Actions Builder enables you to set the action that is required by the For Each action and the Implement Entitlement action.
In the following example, the add destination attribute value action is performed for each Group entitlement that is being added in the current operation.
Figure 3-1 Action For Each
To define the action of add destination attribute value, click the icon that launches the Argument Actions Builder. In the Argument Actions Builder, you define the desired action. In the following example, the member attribute is added to the destination object for each added Group entitlement.
Figure 3-2 Action Add Destination Attribute Value
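The For Each action and the action defined for it in the Argument Actions Builder, as the DirXML Script that Policy Builder stores. This is an added example and not from the original guide; the rule description and the wrapping condition (fire when the entitlement reference attribute is changing) are assumptions, and the attribute and direction (Member added to the destination object) follow the figures above. The loop variable current-node is the DirXML Script name for the item of the node set being visited on each pass.

```xml
<!-- Added example (not from the guide): For Each over added Group
     entitlements, with the Argument Actions Builder action inside it. -->
<rule>
  <description>Add Member for each Group entitlement granted in this operation</description>
  <conditions>
    <and>
      <!-- Assumed trigger: only run when entitlement references are changing -->
      <if-op-attr name="DirXML-EntitlementRef" op="changing"/>
    </and>
  </conditions>
  <actions>
    <do-for-each>
      <arg-node-set>
        <!-- Added Entitlement noun: each value of the "Group" entitlement
             that the current operation is adding -->
        <token-added-entitlement name="Group"/>
      </arg-node-set>
      <arg-actions>
        <!-- The action built in the Argument Actions Builder. current-node
             holds the entitlement value for this pass (the group's DN). -->
        <do-add-dest-attr-value name="Member">
          <arg-value type="dn">
            <token-local-variable name="current-node"/>
          </arg-value>
        </do-add-dest-attr-value>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
```

Because the inner action is evaluated once per node in the node set, a single modify that grants several Group entitlements produces one Member value per entitlement, and an operation that grants none produces no destination change at all.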
3.2 Argument Builder
The Argument Builder provides a dynamic graphical interface that enables you to construct complex argument expressions for use within Rule Builder.
The Argument Builder consists of five separate sections:
Nouns: Contains a list of all of the available noun tokens. Select a noun token, then click Add
to add the noun token to the Expression pane. For more information on noun tokens, see
Chapter 11, “Noun Tokens,” on page 207.
Verbs: Contains a list of all of the available verb tokens. Select a verb token, then click Add to
add the verb token to the Expression pane. For more information on verb tokens, see
Chapter 12, “Verb Tokens,” on page 245.
Description: Contains a brief description of the noun or verb token. Click the help icon to
launch additional help.
Expression: Contains the argument that is being built. Multiple noun and verb tokens can be
added to a single argument. Tokens can be arranged in different orders through the Expression pane.
Editor: Use the Editor pane to provide the values for the nouns and the verbs.
Figure 3-3 Argument Builder
Launch the Argument Builder from the following actions by clicking the Edit Arguments icon.
Add Association
Add Destination Attribute Value
Add Destination Object
Add Source Attribute Value
Append XML Text
Clear Destination Attribute Value when the selected object is DN or Association.
Clear Source Attribute Value when the selected object is DN or Association.
Delete Destination Object when the selected object is DN or Association.
Delete Source Object when the selected object is DN or Association.
Find Matching Object
For Each
Move Destination Object
Move Source Object
Reformat Operation Attribute
Remove Association
Remove Destination Attribute Value
Remove Source Attribute Value
Rename Destination Object when the selected object is DN or Association and Enter String.
Rename Source Object when the selected object is DN or Association and Enter String.
Set Destination Attribute Value when the selected object is DN or Association, and the Enter
Value type is not structured.
Set Destination Password
Set Local Variable
Set Operation Association
Set Operation Class Name
Set Operation Destination DN
Set Operation Property
Set Operation Source DN
Set Operation Template DN
Set Source Attribute Value
Set Source Password
Set XML Attribute
Status
Trace Message
To define an expression, select one or more nouns (values, objects, variables, etc.), and combine them with verbs (substring, escape, uppercase and lowercase) to construct arguments.
The following example creates an argument for a username from the first letter of the first name and the entire last name:
1 Select Attribute from the list of nouns, then click Add.
2 Specify or select the Given Name attribute.
3 Select Substring from the list of verbs, then click Add.
4 Type 1 in the Length field.
5 Select the Given Name attribute, then click the Move Down icon.
6 Select Attribute from the list of nouns, then click Add.
7 Specify or browse to the Surname attribute.
8 Select the Surname attribute, then click the Move Down icon twice.
The argument takes the first character of the Given Name attribute and adds it to the Surname attribute to build the desired value.
9 Click OK to save the argument.
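The argument built in the steps above (and in the shorter walk-through in Section 2.4), as the DirXML Script the Argument Builder produces. This is an added example and not from the original guide. It goes one step beyond the steps listed: the whole expression is wrapped in the Lowercase verb, and the result is stored in a local variable named username (an invented name) and traced, so the same value can be reused by later actions in the rule. The nesting shows the rule the text states for verb tokens: a verb modifies only the tokens subordinate to it, and sibling tokens inside arg-string are concatenated in order.

```xml
<!-- Added example (not from the guide): "first character of Given Name
     followed by the entire Surname", lowercased, stored in a local variable. -->
<do-set-local-variable name="username" scope="policy">
  <arg-string>
    <!-- Lowercase verb wraps everything below it (addition to the listed steps) -->
    <token-lower-case>
      <!-- Substring verb with Length 1; only the Given Name noun is subordinate
           to it, so only that value is truncated -->
      <token-substring length="1">
        <!-- Attribute noun: value from the current operation, or from the
             source data store if the operation does not carry it -->
        <token-attr name="Given Name"/>
      </token-substring>
      <!-- Surname noun sits after the substring, so the whole value is appended -->
      <token-attr name="Surname"/>
    </token-lower-case>
  </arg-string>
</do-set-local-variable>
<do-trace-message level="1">
  <arg-string>
    <token-text xml:space="preserve">username = </token-text>
    <token-local-variable name="username"/>
  </arg-string>
</do-trace-message>
```

For an object with Given Name "Jane" and Surname "Doe" the variable holds jdoe. If Given Name is absent, the substring is empty and the value collapses to the surname alone; a rule that feeds this into an account name should guard it with an If Attribute "Given Name" available condition, and the Unique Name noun is the intended tool when the result must not collide with an existing object.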
3.2.1 Argument Builder Tips
Use the Cut/Copy/Paste icons to use the Policy Builder clipboard. The Paste icon is
disabled if the current content on the clipboard is invalid at that location.
Use the Move Up/Move Down/Remove icons to reposition or remove tokens in the
argument.
Use the link to refresh the Argument Builder interface. The interface is
refreshed automatically whenever you add or modify a token.
3.3 Match Attribute Builder
The Match Attribute Builder enables you to select attributes and values used by the Find Matching
Object action to determine if a matching object exists in a data store.
The following example matches users if the users are based in Provo and have a unique CN attribute:
1 In the Rule Builder, select find matching object.
For information on accessing the Rule Builder, see “Defining Individual Rules within a Policy”
on page 19.
2 Select the Scope of the search as subtree.
3 Browse to and select the location to search. In this example, it is the Users container.
4 Click the icon next to the Enter Match Attributes field to launch the Match Attribute Builder.
5 Click Append New Matching Attribute to add an attribute to match.
6 Specify the CN attribute in the Name field.
7 Select Value from current object to see if there are any other users with the same CN attribute.
8 Click Append New Matching Attribute to add another attribute to match.
9 Specify the L attribute in the Name field.
10 Select Other Value, then specify Provo as the value.
11 Click OK.
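The Find Matching Object action configured in the steps above, as the DirXML Script that Policy Builder stores. This is an added example and not from the original guide; the DN of the Users container is invented and its format depends on the data store the driver searches. An arg-match-attr with no value child means "Value from current object", and one with an arg-value child means "Other Value".

```xml
<!-- Added example (not from the guide): match on CN from the current
     object, restricted to objects whose L attribute is Provo. -->
<do-find-matching-object scope="subtree">
  <arg-dn>
    <!-- Base of the search; assumed container DN -->
    <token-text xml:space="preserve">\ACME\Users</token-text>
  </arg-dn>
  <!-- "Value from current object": CN must equal the CN of the object
       being synchronized -->
  <arg-match-attr name="CN"/>
  <!-- "Other Value": L must equal the literal Provo -->
  <arg-match-attr name="L">
    <arg-value type="string">
      <token-text xml:space="preserve">Provo</token-text>
    </arg-value>
  </arg-match-attr>
</do-find-matching-object>
```

Every listed match attribute must agree for an object to count as a match. Matching on CN alone would silently join two different people who happen to share a name across locations, which is why the second attribute narrows the search; when no object matches, the action leaves the operation unchanged and a later rule or the driver's create logic decides what happens next.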