Summary of Contents for Novell POLICIES IN IMANAGER 3.6.1 - 06-05-2009
AUTHORIZED DOCUMENTATION. Novell® Policies in iManager 3.6.1, June 05, 2009, www.novell.com. Policies in iManager for Identity Manager 3.6.1...
Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks: For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials: All third-party trademarks are the property of their respective owners.
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.
Designer 3.5 for Identity Manager 3.6 Administration Guide (http://www.novell.com/documentation/designer35). Documentation Conventions: In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
A policy operates on an XDS document, and its primary purpose is to examine and modify that document. An operation is any element in the XDS document that is a child of the input element or the output element. The elements are part of Novell’s nds.dtd; for more information, see “NDS...
Chapter 6, “Using Predefined Rules,” on page 47; Chapter 7, “Storing Information in Resource Objects,” on page 73; Chapter 8, “Using ECMAScript in Policies,” on page 83. This guide also contains a detailed reference section for all of the elements in DirXML® Script.
Managing Policies with Policy Builder The Policy Builder is a complete graphical interface for creating and managing the policies that define the exchange of data between connected systems. Section 2.1, “Accessing the Policy Builder,” on page 15 Section 2.2, “Creating a Policy,” on page 15 Section 2.3, “Defining Individual Rules within a Policy,”...
2.2.1 Creating a Policy in a Driver “Creating a New Policy” on page 16 “Using an Existing Policy to Create a Policy” on page 17 Creating a New Policy 1 Open the Identity Manager Driver Overview for the driver you want to manage. For instructions on how to access the Identity Manager Driver Overview page, see “Accessing the Identity Manager Driver Overview Page”...
If you select Policy Builder, the Policy Builder is launched. To define one or more rules for this policy, click Append New Rule, then follow the instructions in Section 2.3, “Defining Individual Rules within a Policy,” on page If you select XSLT, the XML editor is launched. To define the policy with XSLT, see “Defining Policies by Using XSLT Style Sheets”...
4 Click the plus icon to add a policy to the library. 5 Specify a name for the policy. 6 Select how to implement the policy, then click OK. If you select Policy Builder, XSLT, or ECMAScript, the object is created and displayed in the library.
2.3 Defining Individual Rules within a Policy Rules are defined in the Rule Builder window of the Policy Builder. To access the Rule Builder window: 1 Click the library that contains the policy of the rules you want to define. 2 Click on the policy.
Figure 2-2: Move User Condition in the Rule Builder Interface. And the following action: Figure 2-3: Veto Action in the Rule Builder Interface. See Chapter 9, “Conditions,” on page 91 and Chapter 10, “Actions,” on page 135 for a detailed reference on the conditions and actions available in the Rule Builder. Tips: To create more complex conditions, you can join conditions and groups of conditions with and/or statements.
Remove and Position Condition Groups: Use the icons to remove and position condition groups. 2.4 Creating Arguments within a Rule The Argument Builder provides a dynamic graphical interface that enables you to construct complex argument expressions for use within the Rule Builder. To access the Argument Builder, see “Argument Builder”...
For example, if you want the argument set to an attribute value: 1 In the Argument Builder, select Attribute from the list of noun tokens, then click Add. 2 Browse to and select the attribute name in the editor. If you want only a portion of this attribute, you can combine the attribute token with the substring token.
2.6 Removing a Policy The Remove option removes the policy from the selected Policy Set but doesn’t delete the policy. 1 Open the Identity Manager Driver Overview for the driver you want to manage. For instructions on how to access the Identity Manager Driver Overview page, see “Accessing the Identity Manager Driver Overview Page”...
2 Click a policy set icon. 3 Select the policy you want to delete, then click Delete. 2.9 Exporting a Policy to an XML File 1 Open the Identity Manager Driver Overview for the driver you want to manage. For instructions on how to access the Identity Manager Driver Overview page, see “Accessing the Identity Manager Driver Overview Page”...
Using Additional Builders Although you define most arguments by using the Argument Builder (see Section 2.4, “Creating Arguments within a Rule,” on page 21), there are several more builders that are used by the Condition Editor and Action Editor in the Policy Builder. Each builder can recursively call any one of the builders in the following list: Section 3.1, “Argument Actions Builder,”...
3.2 Argument Builder The Argument Builder provides a dynamic graphical interface that enables you to construct complex argument expressions for use within Rule Builder. The Argument Builder consists of five separate sections: Nouns: Contains a list of all of the available noun tokens. Select a noun token, then click Add to add the noun token to the Expression pane.
Figure 3-3: Argument Builder. Launch the Argument Builder from the following actions by clicking the Edit Arguments icon: Add Association; Add Destination Attribute Value; Add Destination Object; Add Source Attribute Value; Append XML Text; Clear Destination Attribute Value (when the selected object is DN or Association); Clear Source Attribute Value (when the selected object is DN or Association).
Find Matching Object; For Each; Move Destination Object; Move Source Object; Reformat Operation Attribute; Remove Association; Remove Destination Attribute Value; Remove Source Attribute Value; Rename Destination Object (when the selected object is DN or Association, and Enter String); Rename Source Object (when the selected object is DN or Association, and Enter String).
2 Specify or select the Given Name attribute. 3 Select Substring from the list of verbs, then click Add. 4 Type 1 in the Length field. 5 Select the Given Name attribute, then click the Move Down icon. 6 Select Attribute from the list of nouns, then click Add. 7 Specify or browse to the Surname attribute.
3.2.1 Argument Builder Tips Use the Cut/Copy/Paste icons to use the Policy Builder clipboard. The Paste icon is disabled if the current content on the clipboard is invalid at that location. Use the Move Up/Move Down/Remove icons to reposition or remove tokens in the argument.
3.3.1 Match Attribute Builder Tips Use the Cut/Copy/Paste icons to use the Policy Builder clipboard. The Paste icon is disabled if the current content on the clipboard is invalid at that location. 3.4 Action Argument Component Builder In the Rule Builder, launch the Action Argument Component Builder by selecting the following actions when the Enter Value Type selection is set to Structured.
For example, if you want to set a default company name: 1 In the Rule Builder, select set default attribute value from the list of actions. For information on accessing the Rule Builder, see “Defining Individual Rules within a Policy” on page. 2 Browse to and select the company attribute.
Figure 3-6: String Builder. For the Send Email action, the string names correspond to the elements of the e-mail: from, reply-to, subject, message, encoding, custom-smpt-header. Figure 3-7: Send Mail Action. For the Send Email from Template action, the named strings correspond to the elements of the e-mail in the template: reply-to, encoding...
In order to see the icon, you must select the Structured selection for Mode with the following conditions: If Attribute, If Destination Attribute, If Source Attribute. Figure 3-8: Structured Option. Figure 3-9: Condition Argument Component Builder.
Defining Schema Mapping Policies Schema Mapping policies map class names and attribute names between the Identity Vault namespace and the application namespace. The same schema mapping policy is applied in both directions. All documents that are passed in either direction on either channel between the Metadirectory engine and the application shim are passed through the Schema Mapping policy.
The options in this window allow you to position the policy you are currently working with. The following table explains each of the options: Insert: Inserts a new or an existing policy into the policies listed. Rename: Renames the selected policy. Remove: Removes the selected policy without deleting the policy from the policy set.
The Schema Map editor has three tabs: “Identity Manager Policy” on page 37, “Edit XML” on page 38, and “Usage” on page 39. Identity Manager Policy: Contains the most information and is where you edit the policy through the GUI interface. Table 4-1: Schema Map Editor Tasks. Removing Classes and Attributes...
Adding Attributes Select the class of the attribute you want to add, then click Attribute. Select the eDirectory attribute from the drop-down list, then select the Application attribute from the drop-down list. With the items selected, click Add, then click OK to save the changes.
Figure 4-1: Edit XML. Usage: Shows you a list of the drivers that are currently referencing this policy. The list refers only to policies in this policy’s driver set. If this policy is referenced from a different driver set, those references do not appear here.
Figure 4-2: Usage.
Controlling the Flow of Objects with the Filter The Filter editor allows you to manage the filter. In the Filter editor, you define how each class and attribute should be handled by the Publisher and Subscriber channels. Section 5.1, “Accessing the Filter,” on page 41 Section 5.2, “Editing the Filter,”...
Figure 5-1: Filter Editor. Here is a list of the most common tasks when editing the filter: Section 5.2.1, “Removing a Class or an Attribute from the Filter,” on page 42 Section 5.2.2, “Adding a Class,” on page 42 Section 5.2.3, “Adding an Attribute,” on page 43 Section 5.2.4, “Copying a Filter,”...
5.2.3 Adding an Attribute 1 Select the Class where you want the attribute to be added. 2 Click Add Attribute. 3 Select the attribute you want to add, then click OK. 4 Change the option to synchronize the information. 5 Click Apply. 5.2.4 Copying a Filter You can copy the filter from an existing driver into the driver you are currently working on.
Options and definitions. Track Member of Template: Yes: Determines whether or not the Publisher channel maintains the Member of Template attribute when it creates objects from a template. No: Does not track the Member of Template attribute. 3 Select an attribute. 4 Change the filter settings for the selected attribute.
Options and definitions. Publish: Synchronize: Changes to this object are reported and automatically synchronized. Ignore: Changes to this object are not reported or automatically synchronized. Notify: Changes to this object are reported, but not automatically synchronized. Reset: Resets the object value to the value specified by the opposite channel.
Options and definitions. Merge Authority: Default: If an attribute is not being synchronized in either channel, no merging occurs. If an attribute is being synchronized in one channel and not the other, then all existing values on the destination for that channel are removed and replaced with the values from the source for that channel.
Using Predefined Rules iManager includes 19 predefined rules. You can import and use these rules as well as create your own rules. These rules include common tasks that administrators use. You need to provide information specific to your environment to customize the rules. Section 6.1, “Command Transformation - Create Departmental Container - Part 1 and Part 2,”...
4 Click Insert and select the predefined rule you want to use. 6.1 Command Transformation - Create Departmental Container - Part 1 and Part 2 This rule creates a department container in the destination data store, if one does not exist. Implement the rule on the Command Transformation policy in the driver.
4 Click Insert. 5 Select Command Transformation - Create Departmental Container - Part 2. 6 Expand the predefined rule. 7 Click OK. There is no information to change in the rules that is specific to your environment. IMPORTANT: Make sure that the rules are listed in order. Part 1 must be executed before Part 2. 6.1.3 How the Rule Works This rule is used when the destination location for an object does not exist.
Part 2 checks to see if the local variable does-target-exist is available. It also checks to see if the value of the local variable does-target-exist is set to a blank value. If the value is blank, then an Organizational Unit object is created. The DN of the organizational unit is set to the value of the local variable target-container.
4 Click OK. There is no information to change in the rule that is specific to your environment. 6.2.3 How the Rule Works This rule is used when a Delete command is going to be sent to the Identity Vault, usually in response to a Delete event that occurred in the connected system.
6.4 Creation - Publisher - Use Template This rule allows for the use of a Novell® eDirectory template object during the creation of a User object. Implement the rule on the Publisher Creation policy in the driver.
4 To edit the rule, click Creation - Publisher - Use Template in the Policy Builder. The Rule Builder is launched. 5 In the Actions section, click the Edit the arguments icon. The Argument Builder is launched. 6 In the Editor, click the Browse icon next to the Text field, browse to and select the template object, then click OK.
6.5.2 Importing the Predefined Rule 1 In the Policy Builder, click Insert. 2 Select Creation - Set Default Attribute Value. 3 Expand the predefined rule. 4 To edit the rule, click Creation - Set Default Attribute Value in the Policy Builder. The Rule Builder is launched.
6.6.1 Creating a Policy 1 Open the Identity Manager Driver Overview for the driver you want to manage. For instructions on how to access the Identity Manager Driver Overview page, see “Accessing the Identity Manager Driver Overview Page” on page 266.
6.7.1 Creating a Policy 1 Open the Identity Manager Driver Overview for the driver you want to manage. For instructions on how to access the Identity Manager Driver Overview page, see “Accessing the Identity Manager Driver Overview Page” on page 266.
There are two steps involved in using the predefined rules: creating a policy in the Event Transformation policy set, and importing the predefined rule. If you already have an Event Transformation policy that you want to add this rule to, skip to “Importing the Predefined Rule”...
6.9 Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-nnnn This rule converts the format of the telephone number. Implement the rule on the Input or Output Transformation policy in the driver. Typically, if this rule is used on an Input Transformation, you would then use the rule Reformat Telephone Number from nnn-nnn-nnnn to (nnn) nnn-nnnn on the Output Transformation and vice versa to convert the format back and forth.
6.9.3 How the Rule Works This rule is used when you want to reformat the telephone number. It finds all the values for the phone attribute in the current operation that match the pattern (nnn) nnn-nnnn and replaces each with nnn-nnn-nnnn. 6.10 Input or Output Transformation - Reformat Telephone Number from nnn-nnn-nnnn to (nnn) nnn-nnnn...
4 To edit the rule, click Input or Output Transformation - Reformat Telephone Number from nnn-nnn-nnnn to (nnn) nnn-nnnn in the Policy Builder. The Rule Builder is launched. 5 Define the condition you want to have occur when the telephone number is reformatted. 6 Click OK.
4 To edit the rule, click Matching - Publisher Mirrored in the Policy Builder. The Rule Builder is launched. 5 In the Conditions section, click the Browse icon next to the Value field. 6 Click the container in the source hierarchy where you want the matching to start. 7 In the Actions section, click the Edit the arguments icon next to the Enter string field.
The Policy Builder is launched. 5 Continue with Section 6.12.2, “Importing the Predefined Rule,” on page 6.12.2 Importing the Predefined Rule 1 In the Policy Builder, click Insert. For information on how to access the policy builder, see “Accessing the Policy Builder” on page 2 Select Matching - Subscriber Mirrored - LDAP format.
6.13.1 Creating a Policy 1 Open the Identity Manager Driver Overview for the driver you want to manage. For instructions on how to access the Identity Manager Driver Overview page, see “Accessing the Identity Manager Driver Overview Page” on page 266.
There are two steps involved in using the predefined rules: creating a policy in the Placement policy set, and importing the predefined rule. If you already have a Placement policy that you want to add this rule to, skip to “Importing the Predefined Rule”...
6.15 Placement - Subscriber Mirrored - LDAP Format This rule places objects in the data store by using the mirrored structure in the Identity Vault from a specified point. Implement the rule on the Placement policy in the driver. You can implement the rule only on the Subscriber channel.
6.15.3 How the Rule Works If the User object resides in the specified source subtree, the object is placed at the same relative name and location within the Identity Vault. You must supply the DNs of the source (Identity Vault) and destination (connected system) subtrees.
The Argument Builder is launched. 6 In the Editor, click the browse button, browse to and select the destination container where you want all of the user objects to be placed, then click OK. 7 Click OK. 6.16.3 How the Rule Works The rule places all User objects in the destination DN.
4 To edit the rule, click Placement - Subscriber Flat - LDAP Format in the Policy Builder. The Rule Builder is launched. 5 In the Enter string field, click the Edit the arguments icon. The Argument Builder is launched. 6 In the Editor, add the destination container where you want all of the User objects to be placed. Make sure the container is specified in LDAP format, then click OK.
4 To edit the rule, click Placement - Publisher By Dept in the Policy Builder. The Rule Builder is launched. 5 In the Enter string field, click the Edit the arguments icon. The Argument Builder is launched. 6 In the Editor, click the browse button, then browse to and select the parent container in the Identity Vault.
6.19.1 Creating a Policy 1 Open the Identity Manager Driver Overview for the driver you want to manage. For instructions on how to access the Identity Manager Driver Overview page, see “Accessing the Identity Manager Driver Overview Page” on page 266.
The value of the OU attribute must be the name of the child container. If the OU attribute is not present, then this rule is not executed. The uid attribute of the User object is the first two letters of the Given Name attribute plus the Surname attribute as lowercase.
Storing Information in Resource Objects Resource objects store information that drivers use. The resource objects can hold arbitrary data in any format. Novell® Identity Manager contains different types of resource objects. Section 7.1, “Library Objects,” on page 73 Section 7.2, “Mapping Table Objects,” on page 78 Section 7.3, “ECMAScript,”...
3 Click New. 4 Specify a name for the library. 5 The library is created in the container that was previously selected. 6 Click OK. Deleting a Library 1 Access the Identity Manager Driver Set Overview page by following the steps in “Accessing the Identity Manager Driver Set Overview Page”...
7.1.2 Adding Objects to the Library You can add policies, mapping tables, and Credential Provisioning policy resource objects to a library. “Adding Policies to the Library” on page 75 “Adding a Mapping Table to a Library” on page 75 “Adding Credential Provisioning Policy Resource Objects to a Library” on page 76 Adding Policies to the Library 1 Access the Identity Manager Driver Set Overview page by following the steps in “Accessing...
2 Click the Libraries tab. 3 Click the library you want to add a mapping table to. 4 Click the Mapping Tables tab, then click Insert to add a mapping table to the library. 5 Specify the name for the mapping table. 6 Browse to and select the library where the mapping table will be created.
3 Click the library you want to add a Credential Provisioning policy resource object to. 4 Click the Credential Provisioning tab. 5 Click Repositories, then click New to add a new repository object to the library. Click Applications, then click New to add a new application object to the library. 6 Click OK.
7 Browse to and select the policy that is stored in the library, then click OK twice. 8 Click Close. 7.2 Mapping Table Objects A mapping table object is used by a policy to map a set of values to another set of corresponding values.
6 Specify the name of the column, then select whether the value is Case insensitive, Case sensitive, or Numeric. If you want to add more columns, repeat Step 5 to Step 6. 7 Click the Add Row icon. 8 Specify the value for the row. If you want more rows, repeat Step 7 to Step...
Chapter 8, “Using ECMAScript in Policies,” on page 7.4 Application Objects Application objects are part of Novell® Credential Provisioning policies. The application objects store application authentication parameter values for SecureLogin. For information about application objects, see Novell Credential Provisioning for Identity Manager 3.6.
7.5 Repository Objects Repository objects are part of Novell Credential Provisioning policies. The repository objects store static configuration information for SecureLogin. For information about repository objects, see Novell Credential Provisioning for Identity Manager 3.6. 7.6 Resource Objects Resource objects allow you to store information that a policy consumes. It can be any information stored in text or XML format.
Using ECMAScript in Policies ECMAScript is a scripting programming language, standardized by Ecma International. It is often referred to as JavaScript* or JScript*, but these are subsets of ECMAScript. Identity Manager 3.5.1 and later supports a new object type called ECMAScript objects. ECMAScript objects are resource objects that store ECMAScripts.
4 Specify the name of the ECMAScript. 5 Browse to and select the driver where you want to store the ECMAScript, then click OK. 6 Click Enable ECMAScript editing, then type the ECMAScript. If you have an existing ECMAScript in a file that you want to use, open the file in a text editor and copy the information into the ECMAScript editor.
5 Click the Create a policy in this container icon. 6 Specify the name for the ECMAScript. 7 Select ECMAScript, then click OK. 8 Click the ECMAScript in the list of policies stored in the library.
9 On Identity Manager, click Edit Resource > select Enable ECMAScript editing, then type the ECMAScript. If you have an existing ECMAScript in a file that you want to use, open the file in a text editor and copy the information into the ECMAScript editor. 10 Click Apply to save the information in the ECMAScript editor. Click OK to save the changes and close the ECMAScript editor.
4 Click the Policies tab, then click the plus icon. 5 Select Make a copy from an existing policy. 6 Browse to and select the existing ECMAScript, then click OK. 8.3 Examples of ECMAScripts with Policies The following examples use the ECMAScript file demo.js (../samples/demo.js) with different...
Input Transformation or Output Transformation policy. The function reads an image from a URL and returns the content as a Base64-encoded string. <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\Program Files\Novell\Designer\eclipse\plugins\com.novell.designer.idm.policybuilder_1.2.0.200612180606\DTD\dirxmlscript.dtd"><policy> <rule> <description>Reformat photo from URL to octet</description>...
NOTE: DirXML Script has the split and join functionality built in, but XSLT does not. This type of function allows XSLT to have the split and join functionality. There are two functions: “Join” on page 89 “Split” on page 89 Join The Join function joins the text values of Nodes in a NodeSet into a single string.
8.3.3 XSLT Policy Calling an ECMAScript Function in the Style Sheet The XSLT policy demonstrates embedding an ECMAScript function definition within the XSLT style sheet. The function converts a string to uppercase. <!-- define ecmascript functions --> <es:script> function uppercase(input) { return String(input).toUpperCase(); }...
Conditions Conditions define when actions are performed. Conditions are always specified in either Conjunctive Normal Form (CNF) (http://mathworld.wolfram.com/ConjunctiveNormalForm.html) or Disjunctive Normal Form (DNF) (http://mathworld.wolfram.com/DisjunctiveNormalForm.html). These are logical expression forms. The actions of the enclosing rule are performed only when the logical expression represented in CNF or DNF evaluates to True, or when no conditions are specified.
If Association Performs a test on the association value of the current operation or the current object. The type of test performed depends on the operator specified by the operation attribute. Fields: Operator: Select the condition test type. Operator / Returns True when...: Associated: There is an established association for the current object.
Mode / Description: Case Sensitive: Character-by-character case sensitive comparison. Case Insensitive: Character-by-character case insensitive comparison. Regular Expression: The regular expression matches the entire string. It defaults to case insensitive, but can be changed by an escape in the expression. See Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html).
If Attribute Performs a test on attribute values of the current object in either the current operation or the source data store. It can be logically thought of as If Operation Attribute or If Source Attribute, because the test is satisfied if the condition is met in the source data store or in the operation. The test performed depends on the specified operator.
The example uses the condition If Attribute when filtering for User objects that are disabled or have a certain title. The policy is Policy to Filter Events, and it is available for download from the Novell® Support Web site. For more information, see “Downloading Identity Manager Policies”...
If Class Name Performs a test on the object class name in the current operation. Fields: Operator: Select the condition test type. Operator / Returns True when...: Available: There is an object class name available in the current operation. Not Available: Available would return False.
The example uses the condition If Class Name to govern group membership for a User object based on the title. The policy is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies”...
If Destination Attribute Performs a test on attribute values of the current object in the destination data store. The test performed depends on the specified operator. Fields: Name: Specify the name of the attribute to test. Operator: Select the condition test type. Operator / Returns True when...
The example uses the condition If Attribute to govern group membership for a User object based on the title. The policy is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies”...
The policy checks to see if the value of the title attribute contains manager.
If Destination DN Performs a test on the destination DN in the current operation. The test performed depends on the specified operator. Fields: Operator: Select the condition test type. Operator / Returns True when...: Available: There is a destination DN available. Not Available: Available would return False.
If Entitlement Performs a test on entitlements of the current object, in either the current operation or the Identity Vault. The test performed depends on the specified operator. Fields Name Specify the name of the entitlement to test for the selected condition. Operator Select the condition test type.
Value: Contains the value defined for the selected operator. The value is used by the condition. The operators that contain the value field are: Equal, Not Equal, Changing To, Changing From, Not Changing To, Not Changing From, Greater Than, Not Greater Than, Less Than, Not Less Than. Comparison Mode...
Greater Than, Not Greater Than, Less Than, Not Less Than. Example...
If Global Configuration Value Performs a test on a global configuration value. The test performed depends on the specified operator. Remark: For more information on using variables with policies, see Understanding Policies Components (http://www.novell.com/documentation/idm35/index.html?page=/documentation/idm35/policy/data/b6yi6f6.html). Fields: Name: Specify the name of the global value to test for the selected condition.
Less Than, Not Less Than. Comparison Mode: Some condition tests have a mode parameter that indicates how the comparison is done. Mode / Description: Case Sensitive: Character-by-character case sensitive comparison. Case Insensitive: Character-by-character case insensitive comparison. Regular Expression: The regular expression matches the entire string. It defaults to case insensitive, but can be changed by an escape in the expression.
If Local Variable Performs a test on a local variable. The test performed depends on the specified operator. Fields: Name: Specify the name of the local variable to test for the selected condition. Operator: Select the condition test type. Operator / Returns True when...
The policy is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
The policy contains five rules that are dependent on each other. For the If Local Variable condition to work, the first rule sets four different local variables to test for groups and where to place the groups. The condition the rule is looking for is to see if the local variable manager-group-info is available and if manager-group-info is not equal to group.
If Named Password Performs a test on a named password from the driver in the current operation with the specified name. The test performed depends on the selected operator. Fields: Name: Specify the name of the named password to test for the selected condition. Operator: Select the condition test type.
If Operation Attribute Performs a test on attribute values in the current operation. The test performed depends on the specified operator. Fields Name Specify the name of the attribute to test. Operator Select the condition test type. Operator Returns True when... Available There is a value available in the current operation ( <add-attr>...
Operator Returns True when... Changing To The current operation contains a change that adds a value (<add-value> or <add-attr>) to the specified attribute that equals the content of the condition when compared using the specified comparison mode. If mode=structured, the content must be a set of <component> elements.
The policy name is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
The condition checks whether the Title attribute matches the regular expression .*manager.*, that is, zero or more characters before manager and zero or more characters after it. Because a regular-expression comparison must match the entire value, both .* parts are needed: the pattern .*manager* would only allow repeated r characters after manage and would not match a title such as sales managers. With .*manager.* the condition matches a User object whose title is sales managers (the comparison is case insensitive by default).
If Operation Property Performs a test on an operation property of the current operation. An operation property is a named value that is stored as an XML attribute on an <operation-data> element within an operation, and is typically used to supply additional context that might be needed by the policy that handles the results of an operation.
Mode Description Case Sensitive Character-by-character case-sensitive comparison. Case Insensitive Character-by-character case-insensitive comparison. Regular Expression The regular expression must match the entire string. It defaults to case insensitive, but can be changed by an escape in the expression. For the regular expression syntax, see Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html).
If Operation Performs a test on the name of the current operation. The type of test performed depends on the specified operator. Fields Operator Select the condition test type. Operator Returns True when... Equal The name of the current operation is equal to the content of the condition when compared using the specified comparison mode.
The policy name is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
The condition checks whether an Add or Modify operation has occurred. When one of these occurs, the rule sets the local variables.
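The comparison modes and the If Operation test described above, written out in DirXML Script. This is an added example for this page, not one of the downloadable policies: the Title attribute, the variable name manager-group-dn and the group DN are assumptions, and the trace messages stand in for whatever a real rule would do.

```xml
<policy>
  <!-- Added example: comparison modes on If Operation Attribute.
       Attribute names, the variable name and the group DN are assumptions. -->
  <rule>
    <description>On add or modify of a User, set a local variable for later rules</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <!-- regex mode on If Operation: the whole operation name must match -->
        <if-operation op="equal" mode="regex">add|modify</if-operation>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="manager-group-dn">
        <arg-string><token-text>Users\ManagersGroup</token-text></arg-string>
      </do-set-local-variable>
    </actions>
  </rule>
  <rule>
    <description>mode="regex": the entire value must match; case-insensitive by default</description>
    <conditions>
      <and>
        <!-- matches "Sales Manager" and "sales managers"; ".*manager*" would not
             match the second, because its trailing * applies only to the final r -->
        <if-op-attr name="Title" op="equal" mode="regex">.*manager.*</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string>
          <token-text>managerial title: </token-text>
          <token-op-attr name="Title"/>
        </arg-string>
      </do-trace-message>
    </actions>
  </rule>
  <rule>
    <description>mode="case": character-by-character, case-sensitive</description>
    <conditions>
      <and>
        <!-- "Manager" matches, "manager" does not -->
        <if-op-attr name="Title" op="equal" mode="case">Manager</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string><token-text>exact title Manager</token-text></arg-string>
      </do-trace-message>
    </actions>
  </rule>
  <rule>
    <description>regex made case-sensitive with the Java Pattern (?-i) flag</description>
    <conditions>
      <and>
        <!-- "Sales Manager" matches, "sales manager" does not -->
        <if-op-attr name="Title" op="equal" mode="regex">(?-i).*Manager.*</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string><token-text>case-sensitive regex matched</token-text></arg-string>
      </do-trace-message>
    </actions>
  </rule>
</policy>
```

The point to check when a regex condition never fires is the whole-string rule: a pattern that works as a substring search in other tools (manager) needs .* on both sides here.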
If Password Performs a test on a password in the current operation. The test performed depends on the specified operator. Fields Operator Select the condition test type. Operator Returns True when... Available There is a password available in the current operation. Not Available Available would return False.
The Subscriber Command Transformation policy checks whether a password is available when an object is added. If the password is available, the Novell SecureLogin and Novell SecretStore credentials are provisioned.
If Source Attribute Performs a test on attribute values of the current object in the source data store. The test performed depends on the specified operator. Fields Name Specify the name of the source attribute to test for the selected condition. Operator Select the condition test type.
Mode Description Case Sensitive Character-by-character case-sensitive comparison. Case Insensitive Character-by-character case-insensitive comparison. Regular Expression The regular expression must match the entire string. It defaults to case insensitive, but can be changed by an escape in the expression. For the regular expression syntax, see Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html).
If Source DN Performs a test on the source DN in the current operation. The test performed depends on the specified operator. Fields Operator Select the condition test type. Operator Returns True when... Available There is a source DN available. Not Available Available would return False.
The condition checks whether the source DN is in the Users container. If the object comes from that container, the operation is vetoed.
If XML Attribute Performs a test on an XML attribute of the current operation. The type of test performed depends on the specified operator. Fields Name Specify the name of the XML attribute. An XML attribute is a name/value pair associated with an element in an XDS document.
Mode Description Case Sensitive Character-by-character case-sensitive comparison. Case Insensitive Character-by-character case-insensitive comparison. Regular Expression The regular expression must match the entire string. It defaults to case insensitive, but can be changed by an escape in the expression. For the regular expression syntax, see Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html).
(../samples/SampleSubCommandTransform.xml). The sample Credential Provisioning policy checks each Add operation to see whether there is operation data associated with the Add. If there is no operation data, the Novell SecureLogin and Novell SecretStore credentials are provisioned.
Actions Actions are performed when conditions of the enclosing rule are met. Some actions have a Mode field. The mode is not honored at run time if the context in which the policy is running is incompatible with the selected mode. This section contains detailed information about all actions that are available through using the Policy Builder interface.
“Send Email” on page 176 “Send Email from Template” on page 178 “Set Default Attribute Value” on page 180 “Set Destination Attribute Value” on page 181 “Set Destination Password” on page 183 “Set Local Variable” on page 184 “Set Operation Association” on page 185 “Set Operation Class Name”...
Add Association Sends an add association command with the specified association to the Identity Vault. Fields Mode Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store. DN Specify the DN of the target object, or leave the field blank to use the current object. Association Specify the value of the association to be added.
Add Destination Attribute Value Adds a value to an attribute on an object in the destination data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Add Destination Object Creates an object of the specified type in the destination data store, with the name and location specified in the Enter DN field. Any attribute values to be added as part of the object creation must be done in subsequent Add Destination Attribute Value actions using the same DN. Fields Class Name Specify the class name of the object to be created.
The OU object is created. The value for the OU attribute is supplied by the Add Destination Attribute Value action that follows this action.
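The two-step pattern above (create the object, then add its attribute values with the same DN) as an added DirXML Script example, not the page's own sample policy. The department attribute (OU), the parent container Users and the use of the value as a container name are assumptions.

```xml
<policy>
  <!-- Added example: Add Destination Object followed by Add Destination Attribute Value
       using the same DN. The OU attribute, parent DN and description text are assumptions. -->
  <rule>
    <description>Create an OU for the user's department, then place the user in it</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="OU" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- the department value becomes part of a DN, so escape any characters
           (such as backslash or plus) that would otherwise change the DN structure -->
      <do-set-local-variable name="dept-ou">
        <arg-string>
          <token-text>Users\</token-text>
          <token-escape-for-dest-dn>
            <token-op-attr name="OU"/>
          </token-escape-for-dest-dn>
        </arg-string>
      </do-set-local-variable>
      <!-- the add carries no attribute values itself ... -->
      <do-add-dest-object class-name="organizationalUnit">
        <arg-dn><token-local-variable name="dept-ou"/></arg-dn>
      </do-add-dest-object>
      <!-- ... so the naming attribute and any others follow, targeted by the same DN -->
      <do-add-dest-attr-value name="OU" class-name="organizationalUnit">
        <arg-dn><token-local-variable name="dept-ou"/></arg-dn>
        <arg-value type="string"><token-op-attr name="OU"/></arg-value>
      </do-add-dest-attr-value>
      <do-add-dest-attr-value name="Description" class-name="organizationalUnit">
        <arg-dn><token-local-variable name="dept-ou"/></arg-dn>
        <arg-value type="string">
          <token-text>Created by Identity Manager for department </token-text>
          <token-op-attr name="OU"/>
        </arg-value>
      </do-add-dest-attr-value>
      <!-- finally place the user being added under the new container -->
      <do-set-op-dest-dn>
        <arg-dn>
          <token-local-variable name="dept-ou"/>
          <token-text>\</token-text>
          <token-op-attr name="CN"/>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
</policy>
```

If the container already exists the Add Destination Object command is rejected by the destination; a production rule would first test for it (for example with a Query token) rather than issue the add unconditionally. The escape step matters because the value comes from the connected system and is being spliced into a DN.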
Add Source Attribute Value Adds a value to the specified attribute on an object in the source data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Add Source Object Creates an object of the specified type in the source data store, with the name and location provided in the DN field. Any attribute values to be added as part of the object creation must be done in subsequent Add Source Attribute Value (page 142) actions using the same DN.
Novell Credential Provisioning for Identity Manager 3.6. To view the policy in XML, see SampleSubCommandTransform.xml (../samples/SampleSubCommandTransform.xml). The sample file uses the Append XML Element action to add the Novell SecureLogin or Novell SecretStore credentials to the user object when it is provisioned.
3.6. To view the policy in XML, see SampleSubCommandTransform.xml (../samples/SampleSubCommandTransform.xml). The example uses the Append XML Text action to find the Novell SecureLogin or Novell SecretStore application username. By obtaining the application name, the credentials can be set for the user object when it is provisioned.
Clear Destination Attribute Value Removes all values for the named attribute from an object in the destination data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Clear Operation Property Clears any operation property with the provided name from the current operation. An operation property is an XML attribute attached to an <operation-data> element by a policy. An XML attribute is a name/value pair associated with an element in the XDS document. Fields Property Name Specify the name of the operation property to clear.
Enter login parameter strings Specify the login parameter strings. The number of strings and the names used depend on the credential repository and application for which the credential is targeted. For more information, see Novell Credential Provisioning for Identity Manager 3.6.
Clear Source Attribute Value Removes all values of an attribute from an object in the source data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Clone By XPath Expression Appends deep copies of the nodes selected by the source expression to the set of elements selected by the destination expression. If Before XPath Expression is not specified, the non-attribute cloned nodes are appended after any existing children of the selected elements. If Before XPath Expression is specified, it is evaluated relative to each of the elements selected by the destination expression to determine which of the children to insert before.
The policy is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
Delete Destination Object Deletes an object in the destination data store. Fields Class Name (Optional) Specify the class name of the object to delete in the destination data store. Mode Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
Delete Source Object Deletes an object in the source data store. Fields Class Name (Optional) Specify the class name of the object to delete in the source data store. Object Select the target object type to delete in the source data store. This object can be the current object, or can be specified by a DN or an association.
Find Matching Object Finds a match for the current object in the destination data store. Fields Scope Select the scope of the search. The scope might be an entry, a subordinate, or a subtree. DN Specify the DN that is the base of the search. Match Attributes Specify the attribute values to search for.
When you click the Argument Builder icon, the Match Attribute Builder comes up. You specify the attribute you want to match on in the builder. This example uses the CN and L attributes. The left fields store the attributes to match. The right fields allow you to specify to use the value from the current object to match or to use another value.
For Each Repeats a set of actions for each node in a node set. Fields Node Set Specify the node set. Action Specify the actions to perform on each node in the node set. Remarks During each iteration the local variable current-node holds the node being processed, so it has a different value each time the actions run. If the current node in the node set is an entitlement element, the actions are marked as if they were also enclosed in an Implement Entitlement...
Generate Event Sends a user-defined event to Novell Audit or Sentinel. Fields ID of the event. The provided value must result in an integer in the range of 1000-1999 when parsed using the parseInt method of java.lang.Integer. Level Level of the event.
The example has four rules that implement a placement policy for User objects based on the first character of the Surname attribute. It generates both a trace message and a custom Novell Audit or Sentinel event. The Generate Event action is used to send Novell Audit or Sentinel an event. The policy name is Policy to Place by Surname and is available for download from the Novell Support Web site.
Generate Event creates an event with the ID 1000 whose text is taken from the local variable LVUser1. The local variable LVUser1 is the string "User:" + Operation Attribute "cn" + " added to the " + "Training\Users\Active\Users1" + " container". The event reads User:jsmith added to the Training\Users\Active\Users1 container.
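One of the four placement rules described above, written in DirXML Script as an added example (not the downloadable Policy to Place by Surname). The regular expression, the container and the choice to put Surnames beginning with A through M in Users1 are assumptions; the event ID 1000 and the local variable name LVUser1 follow the text.

```xml
<policy>
  <!-- Added example: placement by first letter of Surname, with a trace message
       and a custom audit event. Container path and letter range are assumptions. -->
  <rule>
    <description>Place Users whose Surname starts with A-M in Users1</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <!-- regex is case-insensitive by default, so [a-m] also covers A-M -->
        <if-op-attr name="Surname" op="equal" mode="regex">[a-m].*</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-text>Training\Users\Active\Users1\</token-text>
          <token-op-attr name="CN"/>
        </arg-dn>
      </do-set-op-dest-dn>
      <!-- build the message once and reuse it for both outputs -->
      <do-set-local-variable name="LVUser1">
        <arg-string>
          <token-text>User:</token-text>
          <token-op-attr name="CN"/>
          <token-text> added to the Training\Users\Active\Users1 container</token-text>
        </arg-string>
      </do-set-local-variable>
      <!-- goes to DSTRACE / the driver trace file -->
      <do-trace-message level="0">
        <arg-string><token-local-variable name="LVUser1"/></arg-string>
      </do-trace-message>
      <!-- goes to Novell Audit or Sentinel; the id must be in the range 1000-1999 -->
      <do-generate-event id="1000">
        <arg-string name="text1"><token-local-variable name="LVUser1"/></arg-string>
      </do-generate-event>
    </actions>
  </rule>
</policy>
```

Trace output is written in clear text to the trace file, so keep password tokens and other secrets out of Trace Message strings; an audit event, by contrast, is what you want for a record of who was placed where.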
If Conditionally performs a set of actions. Fields Conditions Specify the desired conditions. If Actions Specify the actions to perform if the conditions are True. Else Actions (Optional) Specify the actions to perform if the conditions are False. Example During an add or modify operation, if the Title attribute equals manager, the user object is added to the ManagerGroup group.
The If action adds the user object to the ManagerGroup group. If the title does not equal manager, the Else action places the user object in the UsersGroup group.
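The If action with an Else branch, as an added DirXML Script example (not the page's downloadable policy). It assumes the rule runs in a Command Transformation policy on the Publisher channel, so the destination data store is the Identity Vault and the user's Vault DN is the destination DN; the group DNs are assumptions.

```xml
<policy>
  <!-- Added example of the If action. Group DNs are assumptions. Assumed to run on
       the Publisher channel after placement, so token-dest-dn is the user's Vault DN. -->
  <rule>
    <description>Govern group membership by Title</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal" mode="regex">add|modify</if-operation>
        <if-op-attr name="Title" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-op-attr name="Title" op="equal" mode="nocase">manager</if-op-attr>
          </and>
        </arg-conditions>
        <!-- first arg-actions: run when the conditions are True -->
        <arg-actions>
          <do-add-dest-attr-value name="Member" class-name="Group">
            <arg-dn><token-text>Users\ManagerGroup</token-text></arg-dn>
            <arg-value type="dn"><token-dest-dn/></arg-value>
          </do-add-dest-attr-value>
        </arg-actions>
        <!-- second arg-actions: the Else branch -->
        <arg-actions>
          <do-add-dest-attr-value name="Member" class-name="Group">
            <arg-dn><token-text>Users\UsersGroup</token-text></arg-dn>
            <arg-value type="dn"><token-dest-dn/></arg-value>
          </do-add-dest-attr-value>
        </arg-actions>
      </do-if>
    </actions>
  </rule>
</policy>
```

As written this only ever adds memberships: a user whose title changes from manager to something else keeps the ManagerGroup membership, so a complete rule would also issue a Remove Destination Attribute Value for the group the user is leaving. eDirectory group membership also expects the reciprocal Group Membership (and Security Equals) values on the user object, which the page's own sample policy sets in further rules.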
Implement Entitlement Designates actions that implement an entitlement so that the status of those entitlements can be reported to the agent that granted or revoked the entitlement. Fields Node Set Node set containing the entitlement being implemented by the specified actions. Action Actions that implement the specified entitlements.
The example contains a single rule that disables a user’s account and moves it to a disabled container when the Description attribute indicates it is terminated. The policy is named Disable User Account and Move When Terminated, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
The policy checks to see if it is a modify event on a User object and if the attribute Description contains the value of terminated. If that is the case, then it sets the attribute of Login Disabled to true and moves the object into the User\Disabled container.
Move Source Object Moves an object in the source data store. Fields Class Name (Optional) Specify the class name of the object to move in the source data store. Object to Move Select the object to be moved. This object can be the current object, or it can be specified by a DN or an association.
Reformat Operation Attribute Reformats all values of an attribute within the current operation by using a pattern. Fields Name Specify the name of the attribute. Value Type Specify the syntax of the new attribute value. Value Specify a value to use as a pattern for the new format of the attribute values. If the original value is needed to construct the new value, it must be obtained by referencing the local variable current-value.
Remove Association Sends a remove association command to the Identity Vault. Fields Mode Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store. Association Specify the value of the association to be removed. Example The example takes a delete operation and disables the User object instead.
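The two disable patterns above, the Implement Entitlement example (disable and move when the Description says terminated) and the Remove Association example (disable instead of delete), as added DirXML Script examples rather than the downloadable policies. The Users\Disabled container and the word terminated follow the text; everything else is an assumption.

```xml
<policy>
  <!-- Added example. Container DN and attribute names are assumptions. -->
  <rule>
    <description>Publisher delete: disable the Identity Vault user instead of deleting it</description>
    <conditions>
      <and>
        <if-operation op="equal">delete</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <!-- a delete cannot carry attribute changes, so the engine emits this as
           its own modify command rather than folding it into the current operation -->
      <do-set-dest-attr-value name="Login Disabled">
        <arg-value type="string"><token-text>true</token-text></arg-value>
      </do-set-dest-attr-value>
      <!-- break the link to the connected-system object that no longer exists -->
      <do-remove-association>
        <arg-association><token-association/></arg-association>
      </do-remove-association>
      <!-- and drop the delete itself -->
      <do-veto/>
    </actions>
  </rule>
  <rule>
    <description>Disable and move when Description indicates the user is terminated</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <!-- whole-string regex, case-insensitive by default -->
        <if-op-attr name="Description" op="equal" mode="regex">.*terminated.*</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-set-dest-attr-value name="Login Disabled">
        <arg-value type="string"><token-text>true</token-text></arg-value>
      </do-set-dest-attr-value>
      <do-move-dest-object>
        <arg-dn><token-text>Users\Disabled</token-text></arg-dn>
      </do-move-dest-object>
    </actions>
  </rule>
</policy>
```

The order in the first rule matters: the attribute write and the association removal are issued before the Veto, because nothing after a Veto in the same rule runs. Set Destination Attribute Value replaces every existing value of Login Disabled, which is what you want for a boolean; use Add Destination Attribute Value only for multi-valued attributes.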
Remove Destination Attribute Value Removes an attribute value from an object in the destination data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Remove Source Attribute Value Removes the specified value from the named attribute on an object in the source data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Rename Destination Object Renames an object in the destination data store. Fields Class Name (Optional) Specify the class name of the object to rename in the destination data store. Mode Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
Rename Operation Attribute Renames all occurrences of an attribute within the current operation. Fields Source Name Specify the original attribute name. Destination Name Specify the new attribute name.
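Reformat Operation Attribute and Rename Operation Attribute together, as an added DirXML Script example (not from the page). The attribute names Telephone Number and mail, the country prefix and the Replace All verb token used to strip punctuation are assumptions; the local variable current-value is the one the text names.

```xml
<policy>
  <!-- Added example: normalise phone numbers and rename an attribute in the
       current operation. Attribute names and the +1 prefix are assumptions. -->
  <rule>
    <description>Reformat Telephone Number values and rename mail</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal" mode="regex">add|modify</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- the pattern is applied to every value of the attribute in the operation;
           current-value holds the original value for each one in turn.
           If the operation carries no Telephone Number values, nothing happens. -->
      <do-reformat-op-attr name="Telephone Number">
        <arg-value type="string">
          <token-text>+1 </token-text>
          <!-- keep digits only: "(555) 123-4567" becomes "+1 5551234567" -->
          <token-replace-all regex="[^0-9]" replace-with="">
            <token-local-variable name="current-value"/>
          </token-replace-all>
        </arg-value>
      </do-reformat-op-attr>
      <!-- every <add-attr>/<modify-attr> named mail is renamed in place -->
      <do-rename-op-attr src-name="mail" dest-name="Internet EMail Address"/>
    </actions>
  </rule>
</policy>
```

Both actions change only the XDS document in flight, not the data store: the renamed attribute still has to exist in the driver's schema mapping and filter for the write to succeed downstream.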
Rename Source Object Renames an object in the source data store. Fields Class Name (Optional) Specify the class name of the object to rename in the source data store. Select Object Select the target object. This object can be the current object, or it can be specified by a DN or an association.
Send Email Sends an e-mail notification. Fields User ID (Optional) Specify the User ID in the SMTP system sending the message. Server Specify the SMTP server name. Message Type Select the e-mail message type. Password (Optional) Specify the SMTP server account password. IMPORTANT: You can store the SMTP server account password as a Named Password on the driver object.
Example The following is an example of the Named String Builder being used to provide the strings argument:
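Send Email with the SMTP password taken from a Named Password, as an added DirXML Script example (not the page's screenshot). The server name, user ID, addresses and the named password name smtp-password are assumptions; the If Named Password condition guards the rule so it does not fire when the password has not been set on the driver.

```xml
<policy>
  <!-- Added example. Server, user-id, addresses and the named-password name are assumptions. -->
  <rule>
    <description>Notify the help desk when a User is disabled</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="Login Disabled" op="changing-to">true</if-op-attr>
        <!-- only send if the credential exists on the driver object -->
        <if-named-password name="smtp-password" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-send-email server="smtp.example.com" user-id="idm-notify" type="text">
        <!-- the password is read from the driver's Named Password store, which keeps it
             encrypted; it never appears in the policy XML or in exported configurations -->
        <arg-password><token-named-password name="smtp-password"/></arg-password>
        <arg-string name="to"><token-text>helpdesk@example.com</token-text></arg-string>
        <arg-string name="from"><token-text>idm-notify@example.com</token-text></arg-string>
        <arg-string name="subject">
          <token-text>Account disabled: </token-text>
          <token-src-name/>
        </arg-string>
        <arg-string name="message">
          <token-text>Login Disabled was set to true for </token-text>
          <token-src-dn/>
          <token-text> by the Identity Manager driver.</token-text>
        </arg-string>
      </do-send-email>
    </actions>
  </rule>
</policy>
```

Writing the password as a literal in the Password argument instead would leave it readable by anyone who can view the policy in iManager or Designer, or who obtains a driver export.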
Send Email from Template Generates an e-mail notification using a template. Fields Notification DN Specify the slash form DN of the SMTP notification configuration object. Template DN Specify the slash form DN of the e-mail template object. Password (Optional) Specify the SMTP server account password. IMPORTANT: You can store the SMTP server account password as a Named Password on the driver object.
Example The following is an example of the Named String Builder being used to provide the strings argument:
Set Default Attribute Value Adds default values to the current operation (and optionally to the current object in the source data store) if no values for that attribute already exist. It is only valid when the current operation is Add. Fields Attribute Name Specify the name of the default attribute.
Set Destination Attribute Value Adds a value to an attribute on an object in the destination data store, and removes all other values for that attribute. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object in the destination data store. Leave the field blank to use the class name from the current object.
The rule sets the value of the Login Disabled attribute to true. The rule uses the Argument Builder to add the text true as the value of the attribute. See “Argument Builder” on page 26 for more information about the builder.
Set Destination Password Sets the password for an object in the destination data store. Fields Class Name (Optional) Specify the class name for the object to set the password on in the destination data store. Mode Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
The policy name is Govern Groups for User Based on Title, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
Set Operation Association Sets the association value for the current operation. Fields Association Provide the new association value.
Set Operation Class Name Sets the object class name for the current operation. Fields String Specify the new class name.
Set Operation Destination DN Sets the destination DN for the current operation. Fields DN Specify the new destination DN. Example The example places the objects in the Identity Vault using the structure that is mirrored from the connected system. You need to define at what point the mirroring begins in the source and destination data stores.
Set Operation Property Sets an operation property. An operation property is a named value that is stored within an operation. It is typically used to supply additional context that might be needed by the policy that handles the results of an operation. Fields Property Name Specify the name of the operation property.
The example applies the Manager template if the Title attribute contains the word Manager. The name of the policy is Policy: Assign Template to User Based on Title, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies”...
The example detects when an e-mail address is changed and sets it back to what it was. The policy name is Policy: Reset Value of the E-mail Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies”...
The action takes the value of the destination attribute Internet EMail Address and sets the source attribute Email to this same value.
Set Source Password Sets the password for an object in the source data store. Fields Class Name (Optional) Specify the class name of the object to set the password on in the source data store. Object Select the target object. This object can be the current object, or it can be specified by a DN or an association.
Set SSO Credential Sets the SSO credential when a user object is created or when a password is modified. This action is part of the Credential Provisioning policies. For more information, see Novell Credential Provisioning for Identity Manager 3.6. Fields Credential Store Object DN Specify the DN of the repository object.
Set SSO Passphrase Sets the Novell SecureLogin passphrase and answer when a User object is provisioned. This action is part of the Credential Provisioning policies. For more information, see Novell Credential Provisioning for Identity Manager 3.6. Fields Credential Store Object DN Specify the DN of the repository object.
Set XML Attribute Sets an XML attribute on a set of elements selected by an XPath expression. Fields Name Specify the name of the XML attribute. This name can contain a namespace prefix if the prefix has been previously defined in this policy. XPath Expression XPath 1.0 expression that returns a node set containing the elements on which the XML attribute should be set.
Status Generates a status notification. Fields Level Specify the status level of the notification. The levels are error, fatal, retry, success, and warning. Message Provide the status message using the Argument Builder. Remarks If level is retry then the policy immediately stops processing the input document and schedules a retry of the event currently being processed.
Start Workflow Starts the workflow specified by workflow-id for the recipient DN on the User Application server specified by a URL and using credentials specified by the ID and password. The recipient must be an LDAP format DN of an object in the directory served by the User Application server. The additional arguments to the workflow can be specified by named strings.
The example detects when an e-mail address is changed and sets it back to what it was. The policy name is Policy: Reset Value of the E-mail Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies”...
Strip XPath Strips nodes selected by an XPath 1.0 expression. Fields XPath Expression Specify the XPath 1.0 expression that returns a node set containing the nodes to be stripped. Remarks For more information on using XPath expressions with policies, see “XPath 1.0 Expressions”...
Surname attribute. It generates both a trace message and a custom Novell Audit or Sentinel event. The Trace Message action is used to send a trace message into DSTRACE. The policy name is Policy to Place by Surname, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
Veto Vetoes the current operation. Example The example excludes all events that come from the specified subtree. The rule is from the predefined rules that come with Identity Manager. For more information, see “Event Transformation - Scope Filtering - Exclude Subtrees” on page 56 from the predefined rules.
The example does not allow User objects to be created unless the attributes Given Name, Surname, Title, Description, and Internet EMail Address are available. The policy name is Policy to Enforce the Presence of Attributes, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
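The two Veto uses above (dropping events from a subtree, and refusing to create a User without required attributes), together with the If Source DN example earlier on this page, as an added DirXML Script example rather than the predefined rule or the downloadable policy. The Users\Contractors subtree is an assumption; the five attribute names are the ones the text lists.

```xml
<policy>
  <!-- Added example. The excluded subtree is an assumption. -->
  <rule>
    <description>Event Transformation - exclude events from the Users\Contractors subtree</description>
    <conditions>
      <and>
        <!-- in-subtree covers the container and everything below it;
             in-container would match only the container's direct children -->
        <if-src-dn op="in-subtree">Users\Contractors</if-src-dn>
      </and>
    </conditions>
    <actions>
      <!-- the event is discarded; no later policy in the channel sees it -->
      <do-veto/>
    </actions>
  </rule>
  <rule>
    <description>Creation - require attributes before a User may be created</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <!-- each action vetoes the add if the named attribute has no value in the operation -->
      <do-veto-if-op-attr-not-available name="Given Name"/>
      <do-veto-if-op-attr-not-available name="Surname"/>
      <do-veto-if-op-attr-not-available name="Title"/>
      <do-veto-if-op-attr-not-available name="Description"/>
      <do-veto-if-op-attr-not-available name="Internet EMail Address"/>
    </actions>
  </rule>
</policy>
```

Where the veto happens determines what the connected system learns: an Event Transformation veto on the Publisher channel silently drops the event, whereas a vetoed add in the Creation policy leaves the object unassociated, so the driver retries it when the missing attributes later change.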
While Causes the specified actions to be repeated while the specified conditions evaluate to True. Fields Conditions Specify the conditions to be evaluated. Actions Specify the actions to be repeated while the conditions evaluate to True.
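A While loop that walks the values of a multi-valued attribute by index, as an added DirXML Script example (the page gives none). The Group Membership attribute and the variable names are assumptions; the loop relies on local variables being visible to XPath as $name.

```xml
<policy>
  <!-- Added example of the While action. Attribute and variable names are assumptions. -->
  <rule>
    <description>Trace each Group Membership value in the operation by index</description>
    <conditions>
      <and>
        <if-op-attr name="Group Membership" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- in a node-set context the attribute token expands to all of its value nodes -->
      <do-set-local-variable name="groups">
        <arg-node-set><token-op-attr name="Group Membership"/></arg-node-set>
      </do-set-local-variable>
      <!-- XPath positions are 1-based -->
      <do-set-local-variable name="i">
        <arg-string><token-text>1</token-text></arg-string>
      </do-set-local-variable>
      <do-while>
        <arg-conditions>
          <and>
            <if-xpath op="true">$i &lt;= count($groups)</if-xpath>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-trace-message level="1">
            <arg-string>
              <token-text>group </token-text>
              <token-local-variable name="i"/>
              <token-text>: </token-text>
              <!-- number() is needed because $i is a string variable -->
              <token-xpath expression="$groups[number($i)]"/>
            </arg-string>
          </do-trace-message>
          <!-- advance the counter; without this the loop never terminates -->
          <do-set-local-variable name="i">
            <arg-string><token-xpath expression="$i + 1"/></arg-string>
          </do-set-local-variable>
        </arg-actions>
      </do-while>
    </actions>
  </rule>
</policy>
```

For plain iteration over a node set the For Each action is simpler and cannot loop forever; While is for the cases where the exit condition is something other than running out of nodes, and the step that makes progress toward it belongs inside the loop body as shown.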
Noun Tokens Noun tokens expand to values that are derived from the current operation, the source or destination data stores, or some external source. This section contains detailed information about all noun tokens that are available through using the Policy Builder interface. “Added Entitlement”...
Added Entitlement Expands to the values of an entitlement granted in the current operation. Fields Name Name of the entitlement. Remarks If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that entitlement.
Association Expands to the association value from the current operation. Example The example is from the predefined rules that come with Identity Manager. For more information on the predefined rule, see “Command Transformation - Publisher Delete to Disable” on page The action of Remove Association uses the Association token to retrieve the value from the current operation.
Attribute Expands to the value of an attribute from the current object in the current operation and in the source data store. It can be logically thought of as the union of the operation attribute token and the source attribute token. It does not include the removed values from a modify operation. Fields Name Specify the name of the attribute.
Character Expands to a character specified by a Unicode* code point. Remarks For a listing of Unicode values and characters, see Unicode Code Charts (http://www.unicode.org/charts/). Fields Character Value The Unicode code point of the character. A hexadecimal number can be specified if it is prefixed with 0x, as in C-based programming languages.
Example The example is from the Govern Groups for User Based on Title policy, which is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies” in Understanding Policies for Identity Manager 3.6.
You build the Destination Attribute token in the editor. In this example, the Object Class attribute is read. DN is used to select the object, and the value of the DN is the local variable manager-group-dn.
Destination DN Expands to the destination DN specified in the current operation. Fields Convert Select whether or not to convert the DN to the format used by the source data store. Start Specify the RDN index to start with:
- Index 0 is the root-most RDN
- Positive indexes are an offset from the root-most RDN
- Index -1 is the leaf-most segment
- Negative indexes are an offset from the leaf-most RDN towards the root-most RDN...
Destination Name Expands to the unqualified Relative Distinguished Name (RDN) of the destination DN specified in the current operation.
Document Reads the XML document pointed to by the URI and returns the document node in a node set. The URI can be relative to the URI of the including policy. With any error, the result is an empty node set.
Entitlement Expands to the values of a granted entitlement from the current object. Fields Name Name of the entitlement. Remarks If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that entitlement.
Generate Password Generates a random password that conforms to the specified password policy. Fields Password Policy The DN of the password policy that the randomly generated password must conform to. Render browsed DN relative to policy Select whether the DN of the password policy is relative to the policy being created.
Global Configuration Value Expands to the value of a global configuration variable. Fields Name Name of the global configuration value.
Specify the name of the local variable. Example The example is from the Govern Groups for User Based on Title policy, which is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies” in Understanding Policies for Identity Manager 3.6.
The local variable is named group-manager-dn. In the example, the Set Local Variable action defined group-manager-dn as the DN of the manager’s group, Users\ManagersGroup.
Named Password Expands to the named password from the driver. Fields Name Name of the password. Example The Named Password noun token can only be used if a Named Password has been set on the driver object. The Named Password is used to save a password in an encrypted form. Sometimes it is required to provide a password to allow an action to function.
The example has four rules that implement a Placement policy for User objects based on the first character of the Surname attribute. It generates both a trace message and a custom Novell Audit or Sentinel event. The policy name is Policy to Place by Surname, and it is available for download from the Novell Support Web site.
Operation Property Expands to the value of the specified operation property on the current operation. Fields Name Specify the name of the operation property.
Query Causes a query to be performed in the source or destination data store and returns the resulting instances. Fields Datastore Specify the data store to query. Scope Select the scope of the query. The options are entry, subordinates, or subtree. Max Result Count Specify the maximum number of results returned from the query.
Removed Attribute Expands to the specified attribute value being removed in the current operation. It applies only to a modify operation. Fields Name Specify the name of the attribute. Remarks If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that attribute.
Removed Entitlements Expands to the values of an entitlement revoked in the current operation. Fields Name Specify the name of the entitlement. Remarks If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that entitlement.
Resolve Resolves the DN to an association key, or the association key to a DN, in the specified data store. Fields Datastore Select the destination or source data store to be queried. Selected Resolve Type Select whether to resolve the association key to a DN or to resolve the DN to an association key.
Source Attribute
Expands to the values of an attribute from an object in the source data store.
Fields
Class Name: (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Name: Name of the attribute.
Source DN
Expands to the source DN from the current operation.
Fields
Convert: Select whether or not to convert the DN to the format used by the destination data store.
Start: Specify the RDN index to start with:
Index 0 is the root-most RDN
Positive indexes are an offset from the root-most RDN
Index -1 is the leaf-most segment
Negative indexes are an offset from the leaf-most RDN towards the root-most RDN...
Source Name
Expands to the unqualified relative distinguished name (RDN) of the source DN specified in the current operation.
Example
Time
Expands to the current date/time in the format, language, and time zone specified.
Fields
Format: Specify the date/time format. Select a named time format or specify a custom format pattern.
Language: Specify the language. (It defaults to the current system language.)
Time zone: Specify the time zone.
Text: Specify the text.
Example
The example is from the Govern Groups for User Based on Title policy, which is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies” in Understanding Policies for Identity Manager 3.6. To view the policy in XML,...
Unique Name
Expands to a pattern-based name that is unique in the destination data store according to the criteria specified.
Fields
Attribute Name: Specify the name of the attribute to check for uniqueness.
Scope: Specify the scope in which to check uniqueness. The options are subtree or subordinates.
Start Search: Select a starting point for the search.
Remarks
Each <arg-string> element provides a pattern to be used to create a proposed name. A proposed name is tested by performing a query for that value in the name attribute against the destination data store, using the <arg-dn> element or the element as the base...
If this pattern does not generate a unique name, a digit is appended, incrementing up to the specified number of digits. In this example, nine additional unique names would be generated by the appended digit before an error occurs (pattern1 - pattern99).
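An added illustration, not from the Novell manual, of the search order the Remarks describe: each pattern is proposed, tested against the destination data store, and given an appended counter when it is already taken. The in-memory name list stands in for the destination query, and trying every pattern without a counter before any pattern with one is an assumption about ordering, not something the page states.

```javascript
// Added example (not from the Novell manual). A constructed Set of existing
// names stands in for the query against the destination data store.
const EXISTING_NAMES = new Set(['jsmith', 'jsmith1', 'jsmith2', 'johns']);
const existsInDestination = (name) => EXISTING_NAMES.has(name);

// Number of candidates the appended counter can add per pattern:
// digits = 1 gives pattern1..pattern9 (9), digits = 2 gives pattern1..pattern99 (99).
function appendedDigitCandidates(digits) {
  return 10 ** digits - 1;
}

// Propose names from the patterns in order; when none is unique on its own,
// append a counter and increment it up to the digit limit. Ordering
// assumption: every pattern is tried without a counter before any pattern
// is tried with one.
function uniqueName(patterns, digits, exists) {
  for (const pattern of patterns) {
    if (!exists(pattern)) return pattern;
  }
  const limit = appendedDigitCandidates(digits);
  for (const pattern of patterns) {
    for (let n = 1; n <= limit; n++) {
      const candidate = `${pattern}${n}`;
      if (!exists(candidate)) return candidate;
    }
  }
  // Every candidate was taken: the token reports an error in this situation.
  throw new Error(`Unique Name: ${patterns.length} pattern(s) exhausted with ${digits} digit(s)`);
}

// Worked case: 'jsmith', 'jsmith1' and 'jsmith2' are taken, so the first
// unique proposal is 'jsmith3'.
function demo() {
  return uniqueName(['jsmith'], 1, existsInDestination);
}
```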
Unmatched Source DN
Expands to the part of the source DN in the current operation that corresponds to the part of the DN that was not matched by the most recent match of an If Source DN condition.
Fields
Convert: Select whether or not to convert the DN to the format used by the destination data store.
XPath
Expands to the results of evaluating an XPath 1.0 expression.
Fields
Expression: XPath 1.0 expression to evaluate.
Remarks
For more information on using XPath expressions with policies, see “XPath 1.0 Expressions” in Understanding Policies for Identity Manager 3.6.
Example
Verb Tokens
Verb tokens modify the concatenated results of other tokens that are subordinate to them. This section contains detailed information about all verbs that are available through the Policy Builder interface.
“Base64 Decode” on page 246
“Base64 Encode” on page 247
“Convert Time”...
Base64 Decode
Decodes the result of the enclosed tokens from Base64-encoded data to bytes, then converts the bytes into a string using the specified character set.
Fields
Character Set: Specify the character set used to convert the decoded bytes to a string. It can be any Java-supported character set.
Base64 Encode
Converts the result of the enclosed tokens to bytes using the specified character set, then Base64-encodes the bytes.
Fields
Character Set: Specify the character set used to convert the string to bytes. It can be any Java-supported character set.
Convert Time
Converts the date and time represented by the result of the enclosed tokens from the source format, language, and time zone to the destination format, language, and time zone.
Fields
Source Format: Specify the source date/time format. Select a named time format or specify a custom format pattern.
Escape Destination DN
Escapes the enclosed tokens according to the rules of the DN format of the destination data store.
Example
The example is from the predefined rules that come with Identity Manager. For more information, see Section 6.16, “Placement - Publisher Flat,” on page 66.
Escape Source DN
Escapes the enclosed tokens according to the rules of the DN format of the source data store.
Example
Join
Joins the values of the nodes in the node set result of the enclosed tokens, separating the values by the characters specified by Delimiter. If Comma-Separated Values (CSV) is true, CSV quoting rules are applied to the values.
Fields
Delimiter: (Optional) Specify the string used to delimit the joined values.
This example sets the e-mail address to be name@slartybartfast.com where the name equals the first character of the Given Name plus the Surname. The policy name is Policy: Create E-mail from Given Name and Surname, and it is available for download at the Novell Support Web site. For more information, see “Downloading Identity Manager...
Maps the result of the enclosed tokens from the values specified by the source column to the destination column in the specified mapping table.
Remarks
If this token is evaluated in a context where a node set result is expected and multiple rows are matched by the value being mapped, a node set is returned that contains the values from the destination column of each matching row.
Parse DN
Converts the enclosed token’s DN to an alternate format.
Fields
Start: Specify the RDN index to start with:
Index 0 is the root-most RDN
Positive indexes are an offset from the root-most RDN
Index -1 is the leaf-most segment
Negative indexes are an offset from the leaf-most RDN towards the root-most RDN
Length: Number of RDN segments to include.
Wildcard Character
Escape Character
If RDN Delimiter and Relative RDN Delimiter are the same character, the orientation of the name is root right; otherwise the orientation is root left. If there are more than eight characters in the delimiter set, the extra characters are treated as characters that need to be escaped, but they have no other special meaning.
Replace All
Replaces all occurrences of a regular expression in the enclosed tokens.
Fields
Regular Expression: Specify the regular expression that matches the substring to be replaced.
Replace With: Specify the replacement string.
Remarks
For details on creating regular expressions, see:
Sun’s Java Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html)
Sun’s Java Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Matcher.html#replaceAll(java.lang.String))
Replace First
Replaces the first occurrence of a regular expression in the enclosed tokens.
Fields
Regular Expression: Specify the regular expression that matches the substring to replace.
Replace With: Specify the replacement string.
Remarks
The matching instance is replaced by the string specified in the Replace With field. For details on creating regular expressions, see:
Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html)
Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/... (java.lang.String))
The regular expression ^\((\d\d\d)\)\s*(\d\d\d)-(\d\d\d\d)$ matches the format (nnn) nnn-nnnn, and the replacement string $1-$2-$3 rebuilds the three captured groups as nnn-nnn-nnnn. This rule transforms the format of the telephone number from (nnn) nnn-nnnn to nnn-nnn-nnnn.
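An added illustration, not from the Novell manual, of the telephone-number rule above run through JavaScript's regex engine. String.prototype.replace accepts the same $1-style group references as the Java Matcher methods the manual links to, so the rule's two strings carry over unchanged; the block also shows why the ^ and $ anchors make non-conforming values pass through untouched, and how Replace All differs from Replace First once the anchors are gone.

```javascript
// Added example (not from the Novell manual): the Replace First rule for
// telephone numbers, with constructed sample values.
const PHONE_PATTERN = '^\\((\\d\\d\\d)\\)\\s*(\\d\\d\\d)-(\\d\\d\\d\\d)$'; // (nnn) nnn-nnnn
const PHONE_REPLACEMENT = '$1-$2-$3';                                     // nnn-nnn-nnnn

// Replace First: rewrite only the first match of the pattern.
function replaceFirst(value, pattern, replacement) {
  return value.replace(new RegExp(pattern), replacement); // no 'g' flag: one match
}

// Replace All: rewrite every non-overlapping match.
function replaceAll(value, pattern, replacement) {
  return value.replace(new RegExp(pattern, 'g'), replacement);
}

// The rule as the manual states it: one Telephone Number value in, one out.
// Because the pattern is anchored with ^ and $, a value that is not exactly
// "(nnn) nnn-nnnn" (already dashed, stray leading space) matches nothing
// and is returned unchanged rather than partially rewritten.
function reformatPhone(value) {
  return replaceFirst(value, PHONE_PATTERN, PHONE_REPLACEMENT);
}

// Constructed inputs for a quick check of the anchored rule.
const SAMPLES = {
  conforming:    '(555) 123-4567',  // -> 555-123-4567
  noSpace:       '(555)123-4567',   // \s* permits zero spaces -> 555-123-4567
  alreadyDashed: '555-123-4567',    // no match, unchanged
  leadingSpace:  ' (555) 123-4567', // no match because of ^, unchanged
};

// With the anchors stripped, Replace First and Replace All differ on a
// constructed free-text value that holds two numbers.
const UNANCHORED = PHONE_PATTERN.slice(1, -1);
const TWO_NUMBERS = 'office (555) 123-4567, mobile (555) 987-6543';

function demo() {
  return {
    anchored: Object.fromEntries(
      Object.entries(SAMPLES).map(([k, v]) => [k, reformatPhone(v)])),
    first: replaceFirst(TWO_NUMBERS, UNANCHORED, PHONE_REPLACEMENT),
    all:   replaceAll(TWO_NUMBERS, UNANCHORED, PHONE_REPLACEMENT),
  };
}
```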
Split
Splits the result of the enclosed tokens into a node set consisting of text nodes, based on the pattern specified by Delimiter. If Comma-Separated Values (CSV) is true, CSV quoting rules are honored during the parsing of the string.
Fields
Delimiter: Regular expression that matches the delimiter characters.
This example sets the e-mail address to be name@slartybartfast.com where the name equals the first character of the Given Name plus the Surname. The policy name is Policy: Create E-mail from Given Name and Surname, and it is available for download at the Novell Support Web site. For more information, see “Downloading Identity Manager...
The Substring token is used twice in the action Set Destination Attribute Value. It takes the first character of the First Name attribute and adds eight characters of the Last Name attribute together to form one substring.
The example converts the first and last name attributes of the User object to uppercase. The policy name is Policy: Convert First/Last Name to Uppercase and it is available for download at the Novell Support Web site. For more information, see “Downloading Identity Manager...
XML Parse
Parses the result of the enclosed tokens as XML and returns the resulting document node in a node set. If the result of the enclosed tokens is not well-formed XML or cannot be parsed for any reason, an empty node set is returned.
Example
XML Serialize
Serializes the node set result of the enclosed tokens as XML. Depending on the content of the node set, the resulting string is either a well-formed XML document or a well-formed parsed general entity.
Example
iManager Navigation
Section A.1, “Accessing the Identity Manager Driver Set Overview Page,” on page 265
Section A.2, “Accessing the Identity Manager Driver Overview Page,” on page 266
A.1 Accessing the Identity Manager Driver Set Overview Page
1 In iManager, click to display the Identity Manager Administration page.
A.2 Accessing the Identity Manager Driver Overview Page
1 In iManager, click to display the Identity Manager Administration page.
2 In the Administration list, click Identity Manager Overview to display the Identity Manager Overview page.
3 In the Search in field, specify the fully distinguished name of the container where you want to start searching for the driver set and then click , or click to browse for and select the...