Summary of Contents for Novell POLICY IN DESIGNER 3.5 - 09-18-2009
AUTHORIZED DOCUMENTATION Policies in Designer 3.5 Novell® Designer for Identity Manager September 18, 2009 www.novell.com Policies in Designer 3.5...
Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
Contents: About This Guide; 1 Overview; Policies, 17; 2 Using the Pre-Identity Manager 3.5 Policy Builder; 3 Managing Policies with the Policy Builder; Accessing the Policy Builder ...
4.4.2 Additional Options for the Condition Builder, 52; Conditions Builder, 53; Match Attribute Builder ...
7.2.4 Setting Default Values for Attributes, 99; 7.2.5 Changing the Filter Settings ...
8.10.2 Importing the Predefined Rule, 126; 8.10.3 How the Rule Works ...
Using the Operation Data Editor, 154; Using the Hex Editor ...
If Operation Property, 219; If Password ...
Set Operation Template DN, 296; Set Source Attribute Value ...
Convert Time, 356; Escape Destination DN ...
If XPath Expression, 417; 18 Pre-Identity Manager 3.5 Actions; Add Association ...
About This Guide Novell® Identity Manager 3.6.1 is a data sharing and synchronization service that enables applications, directories, and databases to share information. It links scattered information and enables you to establish policies that govern automatic updates to designated systems when identity changes occur.
Designer 3.0 for Identity Manager 3.6.1 Documentation Web site (http://www.novell.com/documentation/designer21/). Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
Overview Policies manage the data that is synchronizing between the Identity Vault and the remote data store. The policies are stored in the policy sets (see “Understanding Types of Policies” in Understanding Policies for Identity Manager 3.6.) Designer provides a wide set of tools for defining and debugging policies to control how information flows from one system to another, and under what conditions.
A policy operates on an XDS document and its primary purpose is to examine and modify that document. An operation is any element in the XDS document that is a child of the input element and the output element. The elements are part of the Novell® nds.dtd; for more information, see “NDS DTD”...
Using the Pre-Identity Manager 3.5 Policy Builder Designer contains two Policy Builders: the pre-Identity Manager 3.5 Policy Builder and the Identity Manager 3.5 and Newer Policy Builder. The Policy Builders are similar except for the following: You can enable and disable trace only at the driver level in the pre-Identity Manager 3.5 Policy Builder.
Managing Policies with the Policy Builder The Policy Builder is a complete graphical interface for creating and managing the policies that define the exchange of data between connected systems. Section 3.1, “Accessing the Policy Builder,” on page 21 Section 3.2, “Using the Policy Builder,” on page 23 Section 3.3, “Creating a Policy,”...
3.1.2 Policy Flow View 1 Open a project in Designer. 2 Select the Outline tab, then select the Show Policy Flow icon. 3 Double-click a policy in the Policy Flow view. You can also right-click in the Policy Flow view, select Edit Policy, then select the policy you want to edit.
Policy Builder Full Screen Figure 3-1 For information on using the Policy Builder, see Section 3.2, “Using the Policy Builder,” on page 3.2 Using the Policy Builder The Policy Builder enables you to add, view, and delete the rules that make up a policy. You can also use it to import and save policies and rules, and manage XML namespaces.
Tasks Description Add a rule Adds a new rule or a predefined rule. Import Imports a policy from a file. Save to File Saves a policy to a file. Deploy Deploys a policy to the Identity Vault. Compare Compares the policy in the Policy Builder to an existing policy in the Identity Vault.
2 Select the Policy Set tab. 3.3.2 Using the Policy Set The policy set contains a toolbar and a list of policies. The policy list displays all the policies contained in the selected policy set. During a transformation, the policies within the list are executed from top to bottom. The toolbar contains buttons and a drop-down menu that you can use to manage policies displayed in the list, including editing, adding, deleting, renaming, and changing the processing order of the policies.
Keyboard Support Table 3-3 Keystroke Description Up-arrow Moves the selected policy up in the processing order. Down-arrow Moves the selected policy down in the processing order. Delete Deletes the policy from the project. Minus Removes the policy from the selected policy set, but does not delete it.
Accept the default container, or browse to and select the Driver, Publisher, or Subscriber object where you want the policy to be created. If a policy is not reused by multiple drivers, you typically create that policy under the driver or channel that is using it.
Accept the default container, or browse to and select the Driver, Publisher, or Subscriber object where you want the policy to be created. Browse to and select the policy you want to copy, then click Finish. Linking to a Policy 1 In the Add Policy Wizard, select Link a policy, then click Next.
3.4.1 Creating a New Rule When you create a rule, you create condition groups, conditions, and actions. Each rule is composed of conditions, actions, and arguments. For more information, click the Help icon when creating each item. The help files contain a definition and an example of the item being used. “Creating a Rule”...
6 In the Define the Action dialog box, select the action that you want, then click Next. 7 In the Continue Defining Actions dialog box, select the appropriate option, then click Next. If desired, you can define additional actions before proceeding. For this example, there is only one action.
You can change the condition by clicking the And/Or icon. Creating an Action 1 Right-click the action, then click New > Insert Action Before or Insert Action After. 3.4.2 Using Predefined Rules Designer includes a list of predefined rules. You can import and use these rules as well as create your own rules.
3.4.3 Including an Existing Rule Designer allows you to include the rules from another policy. 1 Right-click in the Policy Builder and click New > Include > Insert Include Before or Insert Include After. 2 Click the Browse icon 3 Browse to the policy you want to include, then click OK.
3 Click the browse icon and select the file that contains the policy, then click Open. 4 Click OK. 3.5 Creating an Argument The Argument Builder provides a dynamic graphical interface that enables you to construct complex argument expressions for use within the Policy Builder. To access the Argument Builder, see “Argument Builder”...
Argument Builder Figure 3-2 For example, if you want the argument set to an attribute value, you select the attribute noun, then select the attribute name: 1 Double-click Attribute in the list of noun tokens to add it to the Expression pane. 2 Browse to and select the attribute name in the Editor field.
If you only want a portion of this attribute, you can combine the attribute token with the substring token. The expression displays a substring length of 1 for the Given Name attribute combined with the entire Surname attribute. After you add a noun or verb, you can provide values in the editor, then immediately add another noun or verb.
3.6.1 Dynamic Variable Expansion The variable selector allows for the use of dynamic variable expansion in conditions, actions, and tokens. It is used when the writer of the DirXML script doesn’t know what value to enter during the design phase, and wants the value to be populated dynamically when the code is run (for local variables) or when the driver starts (for global variables).
Not equal Not greater than Not less than 2 Click the Launch variable browser icon next to the field where you want to insert the dynamic variable. 3 Select the variable, then click OK. 3.6.3 Accessing the Variable Selector From the Actions Tab 1 In the Policy Builder, double-click the Actions tab.
Set Destination Password (page 288) Set Local Variable (page 289)Set Source Attribute Value (page 297) Set Source Password (page 299) Set SSO Credential (page 300) Set SSO Passphrase (page 301) Set XML Attribute (page 302) Start Workflow (page 303) Strip Operation Attribute (page 306) Strip XPath Expression (page 307) Veto If Operation Attribute Not Available (page 311) 3 Click the Launch variable browser icon...
2 Click the Launch variable browser icon next to the field where you want to insert the dynamic variable. 3 Select the variable, then click OK. 3.6.5 XPath Expressions Instead of using the DirXMLScript engine to perform the variable expansion, as is the case with most variable expansion, XPath uses built in XPath functionality and the XSLT processor to do the variable expansion.
Operation Description Copy and drop Select the item, press Ctrl, then drag the item. Cut Cuts the selected item and copies it to the Clipboard. Delete Deletes the selected item. Deploy Policy Deploys the policy into the Identity Vault. Disable Displays a rule, condition, or action as disabled. Disable Trace Disables trace on the rule.
3.7.2 Keyboard Support You can move through the Policy Builder with keystrokes as well as using the mouse. The supported keystrokes are listed below. Keyboard Support in the Policy Builder Table 3-5 Keystroke Description Ctrl+C Copies the selected item into the Clipboard. Ctrl+X Cuts the selected item and adds it to the Clipboard.
Designer enables you to view, edit, and validate the XML by using an XML editor. Click the XML Source or XML Tree tabs to access the XML editor. For more information about the XML editor, see “The Novell XML Editor” in the Designer 3.0.1 for Identity Manager 3.6 Administration...
View Policy in XML Figure 3-3 Managing Policies with the Policy Builder...
Using Additional Builders and Editors Although you define most arguments in the Argument Builder, there are several more builders and editors that are used by the Condition editor and Action editor in the Policy Builder. Each builder can recursively call any one of the builders in the following list: Section 4.1, “Action Builder,”...
3 Select the desired action from the drop-down list, then click OK. 4.1.2 Additional Options for the Action Builder There are additional options in the action builder to manage the actions. Right-click the action to see the additional options. Action Builder Additional Options Table 4-1 Option Description...
In the following example the add destination attribute value action is performed for each Group entitlement that is being added in the current operation. For Each Action Figure 4-1 To define the action of the add destination attribute value, click the Edit the actions icon. This launches the Actions Builder.
Argument Builder Figure 4-3 The Argument Builder consists of six separate sections: Nouns: Contains a list of all of the available noun tokens. Double-click a noun token to add it to the Expression pane. See “Noun Tokens” on page 313 for more information.
Option Description Cut Cuts the selected token to the Clipboard. Copy Copies the selected token to the Clipboard. Paste Pastes the token from the Clipboard into the Argument Builder. Move Up Moves the selected token up. Move Down Moves the selected token down. Help Launches the help.
Add Destination Object (page 238) Add Source Attribute Value (page 242) Append XML Text (page 246) Clear Destination Attribute Value (page 249) (when the selected object is DN or Association) Clear Source Attribute Value (page 251) (when the selected object is DN or Association) Delete Destination Object (page 255) (when the selected object is DN or Association) Delete Source Object (page 256)
2 Specify or select the Given Name attribute. You can browse the Identity Vault attributes, the application attributes, or launch the variable browser. For more information on the variable browser, see Section 3.6, “Variable Selector,” on page 3 Double-click Substring from the list of verbs. 4 Type 1 in the Length field.
The argument takes the first character of the Given Name attribute and adds it to the Surname attribute to build the desired value. 8 Click Finish to save the argument. 4.4 Condition Builder The Condition Builder enables you to add, view, and delete the conditions that make up a rule. A condition contains one or more conditions and one or more condition groups.
Condition Builder Options Table 4-3 Option Description New > Insert Condition Before Adds a condition before the current condition. New > Insert Condition After Adds a condition after the current condition. Edit Launches the Condition Builder. Move up Moves the selected condition up in the order of execution. Move down Moves the selected condition down in the order of execution.
The Conditions Builder has additional options than the Condition Builder. Right-click in the Conditions Builder to see them. Conditions Builder Options Table 4-4 Option Description New > Insert Condition Group Before Adds a condition group before the selected condition group. New > Insert Condition Group After Adds a condition group after the selected condition group.
Conditions Builder And/Or Icons Figure 4-4 4.6 Match Attribute Builder The Match Attribute Builder enables you to select attributes and values used by the Find Matching Object (page 257) action to determine if a matching object exists in a data store. For example, if you wanted to match users based on a common name and a location: 1 Select the action of find matching object.
If you want to add more than one attribute, click the Append new item icon to add another line. You can browse the Identity Vault schema or the connected system schema. 7 Click Finish. The Match Attribute Builder also allows you to specify another value, instead of using the value from the current object.
teleNumber time 3 Specify the value, then click OK. 4.7 Action Argument Component Builder To launch the Action Argument Component Builder, select one of the following actions when the Select Value Type selection is structured, then click the Edit the components icon: Add Destination Attribute Value (page 236) Add Source Attribute Value (page 242) Reformat Operation Attribute (page 270)
4.8 Argument Value List Builder To launch the Argument Value List Builder, select the following action, then click the Edit the arguments icon: Set Default Attribute Value (page 284) Set Default Attribute Value Figure 4-6 1 Select the type of the value: counter, dn, int, interval, octet, state, string, structured, teleNumber, time.
Generate Event (page 261) Remove Role (page 274) Send Email (page 280) Send Email from Template (page 282) Start Workflow (page 303) 1 Select the name of the string from the drop-down list. 2 Create the value for the string by clicking the Edit the arguments icon to launch the Argument Builder.
If Operation Attribute (page 215) If Source Attribute (page 224) If Attribute mode Figure 4-7 1 Specify the name and value of the condition component. 2 Click Finish. 4.11 Pattern Builder You can launch the Pattern Builder from the Argument Builder editor when the Unique Name (page 348) token is selected.
Unique Name Token in the Argument Builder Figure 4-8 1 Click the Edit patterns icon to launch the Pattern Builder. 2 Specify the pattern or click the Edit the arguments icon to use the Argument Builder to create the pattern. 3 Click Finish.
To open String Builder, select the Edit the Strings icon next to the appropriate field when defining a new action or modifying an existing action. For example, The Set SSO Credential action contains a Login Parameter Strings field for necessary login parameter strings. String Builder allows you to create the appropriate strings.
Select Open the editor after creating the object to open the Mapping Table editor. 3 In the File Conflict message, click Yes to save the project before opening the Mapping Table editor. 4 In the Mapping Table editor, select column_new-1. 5 Specify a column name and data type, then click Close.
7 (Optional) To add another column, click the Add Column icon, then repeat Step 4 Step 8 (Optional) To add another row, click the Add Row icon, then repeat Step 9 Press Ctrl+S to save the mapping table object. 10 Continue with Section 4.14.2, “Adding a Mapping Table Object to a Policy,”...
5 Select whether the mapping table DN is set relative to the policy or not. 6 Select the source column name by clicking the Browse icon. 7 Select the destination column name by clicking the Browse icon. The mapping table can be used in any manner at this point. In this example, the OU attribute is populated with the value derived from the mapping table.
Option Description Delete Column Deletes a column from the mapping table. Delete Row Deletes a row from the mapping table. Move Row Up Moves the selected row up in the mapping table. Move Row Down Moves the selected row down in the mapping table. Move Column Left Moves the selected column left in the mapping table.
2 Click Yes to save this editor’s changes and continue. 3 Specify a name and location for the CSV file, then click Save. 4.14.6 Testing a Mapping Table Object You can use the Policy Simulator to test the functionality of the mapping table. The Policy Simulator tests the mapping table by testing the policy that is using the mapping table.
Java Extension check box. 4.15.1 Accessing Java Classes Using Namespaces Novell provides several Identity Manager Java classes that can be called by using XPath expressions from the Policy Builder. The following links open Javadoc references for these Java classes: com.novell.nds.dirxml.driver.XdsQueryProcessor (http://developer.novell.com/documentation/...
For additional information on using XPath and the Novell Java classes listed above, consult the DirXML® Driver Developer Kit (http://developer.novell.com/documentation/dirxml/dirxmlbk/ref/dirxmlfaq.html). 4.16 Local Variable Selector Policies use local variables and they have different scopes. A local variable is defined for a specific policy or it is defined for a driver.
Error Variables Figure 4-11 Policy Scope: Lists any local variables with a scope of policy. Driver Scope: Lists any local variables with a scope of driver. Error Variables: Lists local variables that are set, if an error is encountered during the execution of the policy that contains the following actions: Clear SSO Credential (page 252) Set SSO Credential (page 300)
Using the XPath Builder The XPath Builder is a powerful tool that allows you to build and test an XPath expression against any XML document. You can test different expressions against an XDS document and modify the XDS document while testing the expression. For more information about XPath expression, see “XPath 1.0 Expressions”...
Designer comes with sample event files you can use to test the XPath expression against. The files are located in the plug-in com.novell.designer.idm.policy_version\simulation where version is the current version of Designer. The events are Add, Association, Delete, Instance, Modify, Move, Query, Rename, and Status.
If you want to see the XDS document without scrolling, click the Hide XPath Details icon. To see the XPath Expression and Results windows, click the Show XPath Details icon. 5 Select the current position in the document from which you want to start building your XPath expression.
The XPath context that you have selected is displayed in the XPath Selected Context as shown. 6 Select Generic or Unique. Generic searches the entire XML document to match the specified XPath expression. It returns results for each instance of the XPath expression. In this example, the XPath expression is “/ nds/input/add”.
NOTE: Using the keystroke combination Ctrl+Space+3, /, [, or ( triggers code completion. The expression is evaluated up until the cursor location, and insertable elements are shown in a drop-down box. The results of your XPath expression appear in the Results text area below. If the XPath editor does not evaluate the expression, click the Evaluate XPath expression icon to force the XPath Builder to evaluate the expression.
Defining Schema Map Policies Schema Map policies map class names and attribute names between the Identity Vault namespace and the application namespace. All documents passed between the Metadirectory engine and the application shim in either direction on either channel are passed through the Schema Map policy. There is one Schema Map policy per driver.
Section 6.5, “Accessing the Schema Map Policy in XML,” on page 87 Section 6.6, “Additional Schema Map Policy Options,” on page 87 6.1 Using the Schema Map Editor The Schema Map editor allows you to edit the Schema Map policies. This section includes the following topics: Section 6.1.1, “Accessing the Schema Map Editor,”...
3 In the Outline view, select the appropriate driver object. 4 In the Policy Set view, open the Schema Mapping folder, then double-click the Schema Mapping policy to launch the Schema Map editor. You can also right-click the Schema Mapping policy, then click Edit to launch the Schema Map editor.
6.1.3 Understanding the Schema Map Editor Toolbar The Schema Map editor includes a toolbar that provides access to the following features. Several of these features, along with an option to Edit a selected mapping, are also available from a drop-down menu by right-clicking in the Schema Map editor.
Tool Description The pull-down menu opens a secondary menu of schema map editor tools, including the following: Save to File exports the current schema map to an XML file. Import from File imports a schema map from a previously saved XML file. Manage Identity Vault Schema launches the Manage Schema tool.
To add a new Identity Vault class and attributes to a schema map: 1 In the Schema Map Editor, select Insert Identity Vault Class. You can also right-click in the Schema Map editor, then click Insert Identity Vault Class. 2 In the Select Identity Vault Class and its Attributes page, select a class and the relevant class attributes to add to the schema map, then click OK.
To add additional Identity Vault attributes to an existing class mapping: 1 In the Schema Map Editor, select a class mapping, then select Add Identity Vault Attributes. You can also right-click in the Schema Map editor, then select Insert Identity Vault Attributes. 2 In the Select ID Vault Attributes page, select the desired attributes to add to the class mapping, then click OK.
4 To save the schema map changes, select File > Save. To add additional Application attributes to an existing class mapping: 1 In the Schema Map Editor, select a class mapping, then select Insert Application Attributes. You can also right-click in the Schema Map editor, then select Insert Identity Vault Attributes. 2 In the Select App Attributes page, select the desired attributes to add to the class mapping, then click OK.
Deleting a Class or Attribute Mapping If you do not want an Identity Vault class or an attribute to be mapped to an Application class or attribute, the best practice is to completely remove the class or the attribute from the Schema Map policy.
In-line Edits in the Schema Map Editor Figure 6-2 6.2.4 Sorting Schema Map Entries The Schema Map editor allows you to sort entries in ascending/descending order by clicking on the column heading. Click the Identity Vault heading to sort entries based on Identity Vault items. Click the connected system heading to sort entries based on connected system items.
Designer enables you to view, edit, and validate the XML by using an XML editor. Click the XML Source tab or the XML Tree tab to access the XML editor. For more information about the XML editor, see “The Novell XML Editor” in the Designer 3.0.1 for Identity Manager 3.6 Administration Guide.
Designer 3.0.1 for Identity Manager 3.6 Administration Guide. Open With > Designer Built-in Editor Launches the Schema Map editor. Open With > Novell XML Editor Launches the XML editor. For more information, “The Novell XML Editor” in the Designer 3.0.1 for Identity Manager 3.6 Administration...
Enter Table Title Here Table 6-3 Option Description Add Policy > DirXML® Script Adds a new Schema Map policy by using DirXML Script. Add Policy > XSLT Adds a new Schema Map policy by using XSLT. Add Policy > Schema Map Adds a new Schema Map policy containing no information.
Option Description Live > Driver Configuration > Compare Attributes Allows you to compare attributes from the selected Schema Map policy to attributes in the Identity Vault. For more information, see “Using the Compare Feature When Deploying” in the Designer 3.0.1 for Identity Manager 3.6 Administration Guide.
Option Description Live > Deploy Deploys the Schema Map policy into the Identity Vault. Live > Compare Compares the Schema Map policy in Designer to the Schema Map policy in the Identity Vault. Delete Deletes the selected Schema Map policy. Properties Allows you to rename the Schema Map policy.
Controlling the Flow of Objects with the Filter The Filter editor allows you to manage the filter. In the Filter editor, you define how each class and attribute should be handled by the Publisher and Subscriber channels. The Filter Editor Figure 7-1 When information is synchronized between connected systems, the connected system can receive the changes or just be notified that a change has occurred.
Section 7.2, “Editing the Filter,” on page 98 Section 7.3, “Testing the Filter,” on page 104 Section 7.4, “Exporting and Importing Filter Files,” on page 104 Section 7.5, “Adding Comments to Classes and Attributes,” on page 104 Section 7.6, “Viewing the Filter in XML,” on page 105 Section 7.7, “Deploying the Filter,”...
3 Double-click the Filter object (or right-click it and select Edit) to launch the Filter editor. Policy Flow View 1 In the Outline view, select the Show Policy Flow icon. Controlling the Flow of Objects with the Filter...
2 In the Policy Flow, double-click the Sync icon or the Notify objects (or right-click and select Edit Policy > Filter) to launch the Filter editor. Policy Set View 1 Double-click the filter object in the Policy Set view. 7.1.2 Navigating the Filter Editor The Filter Editor uses standard point-and-click navigation.
NOTE: The Filter Editor lets you order the classes/attributes as needed: Click the header bar above the class/attribute list to switch between ascending and descending order. This sorts both the classes and the attributes within the classes. Click and drag individual classes or attributes to create a custom order. Filter Editor Keyboard Support Table 7-1 Keystroke...
Tool Description Deploy Filter deploys the filter policy to a live Identity Manager environment. For more information, see Section 7.7, “Deploying the Filter,” on page 105. Expand All expands all Class/Attribute groups in the filter policy. Collapse All collapses all Class/Attribute groups in the filter policy. Clear Filter deletes all class and attribute entries from the filter policy.
2 Browse and select the class you want to add, then click OK. 3 Change the options to synchronize the information. 4 To save the changes, click File > Save. Adding an Attribute 1 Click Add Attributes. You can also right-click in the Filter editor, then select Add Attribute. 2 Browse and select the attribute you want to add, then click OK.
2 Change the filter settings for the selected class. See Table 7-2 on page 101 for information on each of the class settings available in the Filter Editor. 3 In the Filter Editor, select an attribute.
4 Change the filter settings for the selected attribute, then click Save (in the Designer toolbar) to save the changes. See Table 7-3 on page 102 for information on each of the attribute settings available in the Filter Editor. Filter Editor Class Settings Table 7-2 Options Definitions...
Filter Editor Attribute Settings Table 7-3 Options Definitions Publish Synchronize: Changes to this object are reported and automatically synchronized. Ignore: Changes to this object are neither reported nor automatically synchronized. Notify: Changes to this object are reported, but not automatically synchronized.
Options Definitions Merge Authority Default: If an attribute is not being synchronized in either channel, no merging occurs. If an attribute is being synchronized in one channel and not the other, then all existing values on the destination for that channel are removed and replaced with the values from the source for that channel.
7.3 Testing the Filter Designer comes with a tool called the Policy Simulator, which allows you to test policies without implementing them in a production environment. You can launch the Policy Simulator through the Filter editor to test your policy after you have modified it. 1 Click Launch Policy Simulator. 2 Select To Identity Vault or From Identity Vault as the simulation point of the filter.
Designer enables you to view, edit, and validate the XML by using an XML editor. Click the XML Source tab or the XML Tree tab to access the XML editor. For more information about the XML editor, see “The Novell XML Editor” in the Designer 3.0.1 for Identity Manager 3.6 Administration Guide.
Identity Vault. Open With > Designer Built-in Editor Launches the Filter editor. For more information, Section 7.2, “Editing the Filter,” on page Open With > Novell XML Editor Launches the XML editor. For more information, “The Novell XML Editor” in the Designer 3.0.1...
Option Description Live > Restart Driver Restarts the driver. 7.8.3 Policy Set View Additional Options The Policy Set view offers the following filter-related options. To access them, right-click the filter object in the Policy Set view. Filter Policy Set View Additional Options Table 7-6 Option Description...
Using Predefined Rules Designer includes 19 predefined rules. You can import and use these rules as well as create your own rules. These rules include common tasks that administrators use. You need to provide information specific to your environment to customize the rules. Section 8.1, “Command Transformation - Create Departmental Container - Part 1 and Part 2,”...
The Predefined Rules dialog box displays a list of the available rules. 8.1 Command Transformation - Create Departmental Container - Part 1 and Part 2 This rule creates a department container in the destination data store, if one does not exist. Implement the rule on the Command Transformation policy in the driver.
4 Name the policy. 5 Use the default location or browse and select another location to place the policy in the driver. 6 Select Open Editor after creating policy, then click Next. 7 Select DirXML Script for the type of policy, then click Finish. 8 A file conflict window appears with the message “...
5 Save the rule by clicking File > Save. There is no information to change that is specific to your environment. IMPORTANT: Make sure that the rules are listed in order. Part 1 must be executed before Part 2. 8.1.3 How the Rule Works This rule is used when the destination location for an object does not exist.
8.2 Command Transformation - Publisher Delete to Disable This rule transforms the Delete event for a user object into disabling the user object. Implement the rule on the Command Transformation policy in the driver. The rule needs to be implemented on the Publisher channel.
User object, the destination attribute value of Login Disabled is set to True and the association is removed from the User object. The User object can no longer log in to the Novell® eDirectory tree, but the User object was not deleted. Because the object is only disabled, it keeps its attributes, group memberships, and any entitlements it held, so if the intent is full deprovisioning a separate process must still clean those up.
5 Use the default location or browse and select another location to place the policy in the driver. 6 Select Open Editor after creating policy, then click Next. 7 Select DirXML Script for the type of policy, then click Finish. 8 A file conflict window appears with the message “...
8.4 Creation - Publisher - Use Template This rule allows the use of a Novell eDirectory template object during the creation of a User object. Implement the rule on the Publisher Creation policy in the driver. You can implement the rule only on the Publisher channel.
8.4.2 Importing the Predefined Rule 1 Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After. 2 Select Creation - Publisher - Use Template, then click OK. 3 Expand the predefined rule. 4 Edit the action by double-clicking the Actions tab.
Section 8.5.2, “Importing the Predefined Rule,” on page 118 Section 8.5.3, “How the Rule Works,” on page 119 8.5.1 Creating a Policy 1 From the Outline view or the Policy Flow view, select the Publisher or Subscriber channel. 2 Select the Creation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.
4 Edit the action by double-clicking the Actions tab. 5 In the Specify attribute name field, click the browse icon, then browse to and select the attribute you want to create. 6 Click the Edit the value list icon to launch the Argument Value List Builder. 7 Select the type of data you want the value to be.
6 Select Open Editor after creating policy, then click Next. 7 Select DirXML Script for the type of policy, then click Finish. 8 A file conflict window appears with the message “Before editing this item you need to save.” Click Yes.
8.7 Event Transformation - Scope Filtering - Include Subtrees This rule excludes all events that occur except for the specific subtree. Implement the rule on the Event Transformation policy in the driver. You can implement the rule on either the Subscriber or the Publisher channel or on both channels.
3 Expand the predefined rule. 4 Edit the condition by double-clicking the Conditions tab. 5 Delete [Enter a subtree to include] in the Value field. 6 Click the browse button to browse the Identity Vault for the part of the tree where you want events to synchronize, then click OK.
5 Use the default location or browse and select another location to place the policy in the driver. 6 Select Open Editor after creating policy, then click Next. 7 Select DirXML Script for the type of policy, then click Finish. 8 A file conflict window appears with the message “...
8.8.3 How the Rule Works This rule is used when you want to exclude part of the Identity Vault from synchronizing. It allows you to synchronize some objects and not other objects, without using the Filter. When an event occurs in that specific part of the Identity Vault, it is vetoed. 8.9 Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-nnnn...
8.9.2 Importing the Predefined Rule 1 Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After. 2 Select Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-nnnn, then click OK.
8.10.1 Creating a Policy 1 From the Outline view or the Policy Flow view, select a driver. 2 Select the Input or Output Transformation policy set in the Policy Set view, then click Create or add a new policy to the Policy Set icon to create a new policy.
5 Define the condition you want to have occur when the telephone number is reformatted. 6 Click OK. 7 Save the rule by clicking File > Save. 8.10.3 How the Rule Works This rule is used when you want to reformat the telephone number. You define the condition that is to be met when the telephone number is reformatted.
8 A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Matching policy is saved. 9 Continue with Importing the Predefined Rule.
8.12 Matching - Subscriber Mirrored - LDAP Format This rule matches for objects in the data store by using the mirrored structure in the Identity Vault from a specified point. Implement the rule on the Matching policy in the driver. You can implement the rule only on the Subscriber channel.
3 Expand the predefined rule. 4 Edit the condition by double-clicking the Conditions tab. 5 In the Value field, browse to and select the container in the source hierarchy where you want the matching to start, then click OK. 6 Click OK. 7 Edit the action by double-clicking the Actions tab.
There are two steps involved in using the predefined rules: creating a policy in the Matching policy set and importing the predefined rule. If you already have a Matching policy that you would like to add this rule to, skip to Importing the Predefined Rule.
4 Edit the action by double-clicking the Actions tab. 5 Delete [Enter base DN to start search] from the Specify DN field. 6 Click the Edit the arguments icon to launch the Argument Builder. 7 Select Text in the noun list. 8 Double-click Text to add it to the argument.
8.14.1 Creating a Policy 1 From the Outline view or the Policy Flow view, select the Publisher channel. 2 Select the Placement policy set in the policy set, then click Create or add a new policy to the Policy Set icon to create a new policy.
5 In the Value field, browse to and select the container in the source hierarchy where you want the object to be acted upon, then click OK. 6 Edit the action by double-clicking the Actions tab. 7 Delete [Enter base of destination hierarchy] from the Specify String field. 8 Click the Edit the arguments icon to launch the Argument Builder.
6 Select Open Editor after creating policy, then click Next. 7 Select DirXML Script for the type of policy, then click Finish. 8 A file conflict window appears with the message “Before editing this item you need to save.” Click Yes.
12 Click Finish. 13 Save the rule by clicking File > Save. 8.15.3 How the Rule Works If the User object resides in the source hierarchy, then the object is placed in the mirrored structure from the Identity Vault. The placement starts at the point that the local variable dest-base is defined. It places the User object in the location of the unmatched source DN, dest-base.
8 A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Placement policy is saved. 9 Continue with Importing the Predefined Rule.
8.17 Placement - Subscriber Flat - LDAP Format This rule places objects from the Identity Vault into one container in the data store. Implement the rule on the Subscriber Placement policy in the driver. There are two steps involved in using the predefined rules: creating a policy in the Placement policy set and importing the predefined rule.
4 Edit the action by double-clicking the Actions tab. 5 Delete [Enter DN of destination container] from the Specify String field. 6 Click the Edit the arguments icon to launch the Argument Builder. 7 Select Text in the noun list. 8 Double-click Text to add it to the argument.
8.18.1 Creating a Policy 1 From the Outline view or the Policy Flow view, select the Publisher channel. 2 Select the Placement policy set in the Policy Set view, then click Create or add a new policy to the Policy Set icon to create a new policy.
4 Edit the action by double-clicking the Actions tab. 5 Delete [Enter DN of destination Organization] from the Specify String field. 6 Click the Edit the arguments icon to launch the Argument Builder. 7 Select Text in the noun list. 8 Double-click Text to add it to the argument.
8.19 Placement - Subscriber By Dept - LDAP Format This rule places objects from one container in the Identity Vault into multiple containers in the data store based on the OU attribute. Implement the rule on the Placement policy in the driver. You can implement the rule only on the Subscriber channel.
3 Expand the predefined rule. 4 Edit the action by double-clicking the Actions tab. 5 Delete [Enter DN of destination Organization] from the Specify string field. 6 Click the Edit the arguments icon to launch the Argument Builder. 7 Select Text in the noun list. 8 Double-click Text to add it to the argument.
Testing Policies with the Policy Simulator The Policy Simulator allows you to test and debug a single policy or a group of policies contained in a policy set without implementing the policy in the Identity Vault. It also provides a graphical editor to create XDS Input documents.
9.1.2 Policy Flow View

1 Click the Show Policy Flow icon.
2 Right-click the Input, Output, Schema Map, filter, or any policy set icons you want to simulate, then select Simulate.

9.1.3 Editors

You can access the Policy Simulator through the Policy Builder, the Schema Map editor, or the Filter editor by selecting the Policy Simulator icon in the toolbar of each editor.
Page 147
Figure 9-1 XDS Builder

Click the Source tab in the Policy Simulator to display the input document in XML. The XDS Builder creates this input document. You can modify the XML by editing the XML directly or using the XDS Builder. The XDS Builder allows you to select the operation type as well as provide the operation parameters, attributes, and values.
Designer comes with sample input document files you can use. The files are located in the com.novell.designer.idm.policy\simulation plug-in. The events are Add, Association, Delete, Instance, Modify, Move, Query, Rename, and Status.

9.2.3 Use an Identity Vault Object As a Template

The Policy Simulator allows you to use an existing Identity Vault object to populate the input document.
Identity Vault attribute names to the corresponding application attribute by using the Schema Map policy, as long as the driver references the Schema Map policy. However, the values for the attributes might be in an incorrect format. 4 Click OK if a warning message is displayed. 5 Click Next to test the policy against the object.
2 Browse to a location where you want to save the file, then specify a filename. 3 Click Save to save the input document. Novell® recommends that you do not save the input document in the same directory where Designer is installed or it might be overwritten during a Designer upgrade.
9.2.9 Operation

The XDS Builder allows you to select the type of operation that the input document performs.

Figure 9-3 Operation Options in the XDS Builder

The available operations are:
Modify
Remove Association
Add Association
Modify Association
Rename
Check Object Password
Modify Password
Status
Check Password...
All parameter values are edited inline, with the exception of Class and Operation Data parameters. Editing these parameters launches a dialog box that allows you to select a class name or edit the operation data. Parameters that contain a reference to an object enable the Browse button. Although these values can be edited inline, the Browse button allows you to browse for an object in the application or the Identity Vault, depending on the current simulation point.
Page 153
Working with Attribute Values Because there are several different attribute types, the Attributes field provides different ways of manipulating attribute values. Add a New Attribute: To add a new attribute to the attribute list, click Add Attribute. For more information, see “Simulating the Adding of an Attribute”...
Simulating the Modification of an Attribute

There are multiple events that cause an attribute to be modified. They are:
Add Value: Adds a new value to the attribute.
Remove Value: Removes a single value from the attribute.
Remove All Values: Removes all values stored in the attribute.
Remove: Removes the attribute.
5 If you want to add an additional attribute, repeat the preceding steps.
6 Click the Data field, then specify the XML fragment.
7 Click OK to save the information.

9.4 Using the Hex Editor

The Hex editor allows you to view or edit any attribute values in hex mode. For example, if you are synchronizing eDirectory attribute values of type octet string, you can edit this information through Designer.
Hex Editor Figure 9-6 Section 9.4.1, “Accessing the Hex Editor,” on page 156 Section 9.4.2, “Importing Data into the Hex Editor,” on page 157 Section 9.4.3, “Inserting Data in the Hex Editor,” on page 157 Section 9.4.4, “Appending Data in the Hex Editor,” on page 158 Section 9.4.5, “Editing Data in the Hex Editor,”...
1b Add a class parameter of User. 1c Click the Add Attribute button to add a new attribute to the class. 2 In the Schema Browser, select Add an Attribute. Follow the steps in the New Attribute Wizard to create a new attribute. Make sure you specify the attribute’s syntax type as Octet String.
2 Specify the amount of data to add in bytes (B) or kilobytes (kB). 3 Specify the initial hex value, then click OK. 9.4.4 Appending Data in the Hex Editor 1 Right-click in the Hex editor, then select Append. 158 Policies in Designer 3.5...
The Append option is available when you right-click the first byte in the table, if there is no data. It is also available when you right-click the last byte if there is data. 2 Specify the amount of data to append in bytes or kilobytes. 3 Specify the initial hex value, then click OK.
Page 160
When the encoding is selected, the far right column displays the value encoded. 2 Select the cell of data to edit, then edit the data. When a cell is selected, the value is displayed in blue. 3 Click OK to save the changes. The Hex editor also displays the value as hex, decimal, octal, and binary.
Figure 9-7 Value Displayed in Multiple Formats

9.4.6 Reverting Changes in the Hex Editor

If you make a change in the Hex editor and want to undo it: 1 Right-click in the Hex editor, then select Undo. The last change you had made is undone. If you decide you want that change back: 1 Right-click in the Hex editor, then select Redo.
Data is deleted from the current cursor position. If you select From the cursor position to the end, it deletes all data in the Hex editor from the cursor position in the table to the end of the table. 9.4.8 Moving the Cursor in the Hex Editor You can move the cursor to a specified position in the Hex editor: 1 Right-click in the Hex editor, then select Goto.
9.5 Simulating a Policy After the XDS input document has been created, you can use it to simulate the behavior of a policy. 1 In the Policy Simulator, after the XDS input document is complete, click Next. 2 If the policy you are simulating generates a query, review the query in the Query tab, and model the query response in the Response tab, then click Next.
Page 164
Field Description Parameter Table Displays the query parameters generated during the policy simulation. This matches the XML displayed in the Source tab. For information on using the Parameter table, see Section 9.2.10, “Parameter and Value,” on page 151. You can adjust the query parameters to vary the response generated when you send the query to the Application or ID Vault.
Page 165
Field Description Submit to Vault Sends the specified query to the Identity Vault to generate a Response instance document. The Simulator determines the query destination automatically and displays the appropriate button. Submit to Vault requires valid associations in the Association parameter. This is typically possible only when the ID Vault is deployed.
Page 166
Field Description Attributes Field Allows you to modify the response by adding or modifying the attributes in the instance document. For information on the Attributes field, see Section 9.2.11, “Attributes,” on page 152. 3 Click Next. 4 In the View Transform Results page, examine the results of the transformation based on your defined XDS input document.
Page 167
Compare: The Compare tab displays the input document and the output document side-by-side so you can examine the changes resulting from the policy processing of the input document.
Java class path: .jar
1 Select Window > Preferences from the tool bar.
2 Navigate to the Novell > Identity Manager > Simulation page.
3 Copy the file containing the Java class to the specified directory and simulate the policy.
Resource Objects

Resource objects store information that drivers use. The resource objects can hold arbitrary data in any format. Novell® Identity Manager contains different types of resource objects. Section 10.1, “Generic Resource Objects,” on page 169 Section 10.2, “Mapping Table Objects,” on page 171 Section 10.3, “ECMAScript Objects,”...
5 Click Yes in the file conflict messages. 6 Specify the desired text or XML, then press Ctrl+S to save the resource object. 10.1.2 Using a Generic Resource Object A resource object is a place to store information. It is an eDirectory object, and to use the information in the object, you treat it as any other eDirectory object.
3.6.

10.5 Repository Objects

Repository objects store static configuration information for Novell Credential Provisioning policies. There are repository objects for Novell SecureLogin and for Novell SecretStore. For information on how to create repository objects for SecureLogin, see “Creating a Repository Object”...
1 Right-click the library object, select New, then select the type of object you want stored in the library. The options are: Credential Application: Stores application authentication parameter values for Novell Credential Provisioning policies. For information, see “Creating an Application Object”...
XSLT: Creates an XSLT style sheet in the library. For more information, see “Defining Policies by Using XSLT Style Sheets”. From Copy: Creates a copy of an existing object. 10.6.3 Using Policies in the Library Objects After you have created the library, you can use any of the resources stored in the library in any policy.
ECMAScript function in policies. For more information on custom forms, see Creating Custom Forms (http://www.novell.com/documentation/ idm35/dgpro/data/prdefcreateformschapter.html). This section explains how to use the ECMAScript editor, how to use ECMAScript with policies, and how to use ECMAScript with custom forms.
5 Either type the ECMAScript, or copy the ECMAScript into the editor from an existing file. 6 To save the ECMAScript, press Ctrl+S after the ECMAScript is finished. For information on how to use the ECMAScript editor, see Section 11.2, “Using the ECMAScript Editor,”...
Page 177
Figure 11-1 Main Scripting Area

“Using an Existing ECMAScript” on page 177 “Editing an ECMAScript” on page 177 “Coding Help for ECMAScript” on page 178 Using an Existing ECMAScript 1 Open the ECMAScript in a text editor, then copy the script. 2 Paste the ECMAScript into the ECMAScript editor.
Option: Paste. Pastes the information in the clipboard into the main scripting area.
Option: Delete. Deletes the selected information from the main scripting area.
Option: Select All. Selects all of the information in the main scripting area.
Option: Find/Replace. Finds and replaces the specified information.
Option: Show Expression Builder. Launches the Expression Builder.
Page 179
To access the Expression Builder in the ECMAScript editor: 1 Right-click in the main scripting area of the ECMAScript editor, then click Show Expression Builder, or right-click the shell area of the ECMAScript editor, then click Show Expression Builder. To access the Expression Builder through the Policy Builder: 1 Click the Launch ECMA Expression Builder icon next to the following actions or conditions:
To use the Expression Builder: 1 (Optional) Click the desired ECMAScript Objects. 2 (Optional) Click the desired Functions/Methods. 3 (Optional) Click the desired ECMAScript Operators. 4 Click Check Syntax to validate the expression. 5 Click OK to close the Expression Builder. In the following example, the join ECMAScript variable is used with the toString function or method, but there is no ECMAScript operator selected.
Functions and Variables Figure 11-4 All of the variables that are stored in a function are grouped together. You can expand a function to view all of the variables, by clicking the plus icon (arrow icon in Linux). You can view the function without the variables by clicking the minus icon (arrow icon in Linux).
Figure 11-5 Main Scripting Area Errors

The Problems view accumulates the errors as the ECMAScript is typed and displays the cause of each error. Double-click the error in the Problems view. The cursor jumps to the problem line in the main scripting area.
Page 183
Figure 11-6 Shell Area

Figure 11-6 contains an example of a function that determines the area of a circle. The function is tested by entering areaOfCircle(10). The shell displays the value 628.3185307179587. (The area of a circle of radius 10 is 100π, approximately 314.159, so check the body of the function shown in the figure before reusing it.) To execute the expression, press the Enter key. If you want to enter more than one line of code in the console, press Enter on the numeric keypad.
Figure 11-7 Shell Area Additional Options

Cut, Copy and Paste: Enables you to cut, copy and paste from and into the shell area. Show Expression Builder: Launches the ECMA Expression Builder. 11.3 Examples of ECMAScripts with Policies The following examples use the demo.js ECMAScript file (../samples/demo.js) with different...
Input Transformation or Output Transformation policy. The function reads an image from a URL and returns the content as a Base64 encoded string.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\Program Files\Novell\Designer\eclipse\plugins\com.novell.designer.idm.policybuilder_1.2.0.200612180606\DTD\dirxmlscript.dtd">
<policy>
  <rule>
    <description>Reformat photo from URL to octet</description>...
The ECMAScript calls the getB64ImageFromURL function, which then returns the current value as a string. 11.3.2 XSLT Policy Calling an ECMAScript Function at the Driver Level The XSLT policy either splits a single comma-delimited value into multiple values, or joins multiple values into a single comma-delimited value.
Function: <static> NodeSet split(<String> inputString, <String> delimiter)
Parameters: inputString (the string to split) and delimiter (the delimiter to split on; optional, default = “,”).
Returns: A NodeSet containing text nodes.

The SplitJoin.xsl file (../samples/SplitJoin.xsl) calls the join or split functions in an XSLT style sheet.
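The split and join helpers described above, together with the telephone-number reformat of Section 8.9, as an added ECMAScript example. This is not the demo.js or SplitJoin.xsl shipped with Designer and it does not use Identity Manager's NodeSet class: a NodeSet is modelled as a plain array of strings so the code also runs under Node.js. The function names, the trimming of whitespace, the dropping of empty items, and the rejection in join of values that contain the delimiter are this example's own choices.

```javascript
// Added example, not the demo.js shipped with Designer. A NodeSet is modelled
// as an array of strings (assumption) so that the code runs outside the
// Identity Manager engine.

// Reformat "(nnn) nnn-nnnn" to "nnn-nnn-nnnn" (the Section 8.9 rule).
// A value that does not have the expected shape is returned unchanged, so
// the transformation never corrupts a number it does not understand.
function reformatTelephone(value) {
  if (typeof value !== "string") return value;
  const m = /^\s*\((\d{3})\)\s*(\d{3})-(\d{4})\s*$/.exec(value);
  return m ? `${m[1]}-${m[2]}-${m[3]}` : value;
}

// Resolve the optional delimiter; "," is the documented default.
function delimiterOrDefault(delimiter) {
  return delimiter === undefined || delimiter === null || delimiter === "" ? "," : delimiter;
}

// split: one delimited value -> several values. Surrounding whitespace is
// trimmed and empty items are dropped, so "a, ,b" yields ["a", "b"].
function split(inputString, delimiter) {
  if (inputString === undefined || inputString === null) return [];
  const delim = delimiterOrDefault(delimiter);
  return String(inputString)
    .split(delim)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// join: several values -> one delimited value. A value that itself contains
// the delimiter could not be split back apart, so it is rejected rather than
// silently merged into a neighbouring value.
function join(values, delimiter) {
  const delim = delimiterOrDefault(delimiter);
  const items = values.map((v) => String(v).trim()).filter((s) => s.length > 0);
  const clash = items.find((s) => s.includes(delim));
  if (clash !== undefined) {
    throw new Error(`value "${clash}" contains the delimiter "${delim}" and could not be split back`);
  }
  return items.join(delim);
}
```

In a policy the same functions would be called from a DirXML Script or XSLT token and would return a NodeSet; the array stands in for that here. The round trip join(split(x)) reproduces x only when no value contains the delimiter, which is why join checks for it.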
Conditions

Conditions define when actions are performed. Conditions are always specified in either Conjunctive Normal Form (CNF) (http://mathworld.wolfram.com/ConjunctiveNormalForm.html) or Disjunctive Normal Form (DNF) (http://mathworld.wolfram.com/DisjunctiveNormalForm.html). These are logical expression forms. The actions of the enclosing rule are only performed when the logical expression represented in CNF or DNF evaluates to True or when no conditions are specified.
If Association

Performs a test on the association value of the current operation or the current object. The type of test performed depends on the operator specified by the operation attribute.

Fields

Operator

Operator: Associated. Returns True when there is an established association for the current object.
Operator: Available. Returns True when there is a non-empty association value specified by the current operation.
Page 191
Mode: Case Sensitive. Character-by-character case sensitive comparison.
Mode: Case Insensitive. Character-by-character case insensitive comparison.
Mode: Regular Expression. The regular expression matches the entire string, so to test for a substring write the expression as .*value.* rather than value. It defaults to case insensitive, but can be changed by an escape in the expression. For more information, see Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html).
If Attribute Performs a test on attribute values of the current object in either the current operation or the source data store. It can be logically thought of as If Operation Attribute or If Source Attribute, because the test is satisfied if the condition is met in the source data store or in the operation. The test performed depends on the specified operator.
Page 193
The example uses the condition If Attribute when filtering for User objects that are disabled or have a certain title. The policy is Policy to Filter Events, and it is available for download from the Novell® Support Web site. For more information, see “Downloading Identity Manager Policies”...
Page 194
The condition is looking for any User object that has an attribute of Title with a value of consultant or sales.
If Class Name

Performs a test on the object class name in the current operation.

Fields

Operator: Select the condition test type.

Operator: Available. Returns True when there is an object class name available in the current operation.
Operator: Equal. Returns True when there is an object class name available in the current operation, and it equals the specified value when compared by using the specified comparison mode.
Page 196
The example uses the condition If Class Name to govern group membership for a User object based on the title. The policy is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies”...
Page 197
Checks to see if the class name of the current object is User.
If Destination Attribute

Performs a test on attribute values of the current object in the destination data store. The test performed depends on the specified operator.

Fields

Name: Specify the name of the attribute to test. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
Page 199
The example uses the condition If Destination Attribute to govern group membership for a User object based on the title. The policy is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies”...
Page 200
The policy checks to see if the value of the title attribute contains manager.
If Destination DN Performs a test on the destination DN in the current operation. The test performed depends on the specified operator. Fields Operator Select the condition test type. Operator Returns True When... Available There is a destination DN available. Equal There is a destination DN available, and it equals the specified value when compared by using semantics appropriate to the DN format of the...
If Entitlement Performs a test on entitlements of the current object, in either the current operation or the Identity Vault. The test performed depends on the specified operator. Fields Name Specify the name of the entitlement to test for the selected condition. Supports variable expansion.
Page 203
Value: Contains the value defined for the selected operator. The value is used by the condition. Each value supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page 35. The operators that contain the value field are:
Changing From
Changing To
Equal...
Page 204
Not Changing To
Not Equal
Not Greater Than
Not Less Than

Example
If Global Configuration Value Performs a test on a global configuration value. The test performed depends on the specified operator. Remark For more information on using variables with policies, see “Understanding Policy Components” in Understanding Policies for Identity Manager 3.6. Fields Name Specify the name of the global value to test for the selected condition.
Page 206
Not Greater Than
Not Less Than

Mode: The condition has a comparison mode parameter that indicates how a comparison is done.

Mode: Case Sensitive. Character-by-character case sensitive comparison.
Mode: Case Insensitive. Character-by-character case insensitive comparison.
Mode: Regular Expression. The regular expression matches the entire string. It defaults to case insensitive, but can be changed by an escape in the expression.
If Local Variable Performs a test on a local variable. The test performed depends on the specified operator. Remark For more information on using variables with policies, see “Understanding Policy Components” in Understanding Policies for Identity Manager 3.6. Fields Name Specify the name of the local variable to test for the selected condition.
Page 208
The policy is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
Page 209
The policy contains five rules that are dependent on each other. For the If Local Variable condition to work, the first rule sets four different local variables to test for groups and where to place the groups.
Page 210
The condition the rule looks for is to see if the local variable of manager-group-info is available and if manager-group-info is not equal to group. If these conditions are met, then the destination object of group is added.
If Named Password Performs a test on a named password from the driver in the current operation with the specified name. The test performed depends on the selected operator. Fields Name Specify the name of the named password to test for the selected condition. Supports variable expansion.
If Operation Performs a test on the name of the current operation. The type of test performed depends on the specified operator. Fields Operator Select the condition test type. Operator Returns True When... Equal The name of the current operation is equal to the content of the condition when compared by using the specified comparison mode.
Page 213
The operators that contain the comparison mode parameter are:
Equal
Greater Than
Less Than
Not Equal
Not Greater Than
Not Less Than

Value: Contains the value defined for the selected operator. The value is used by the condition. Each value supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
Page 214
The policy name is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
If Operation Attribute

Performs a test on attribute values in the current operation. The test performed depends on the specified operator.

Fields

Name: Specify the name of the attribute to test. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page

Operator: Select the condition test type.
Page 216
Operator: Not Available. Returns True when Available would return False.
Operator: Not Changing. Returns True when Changing would return False.
Operator: Not Changing From. Returns True when Changing From would return False.
Operator: Not Changing To. Returns True when Changing To would return False.
Operator: Not Equal. Returns True when Equal would return False.
Operator: Not Greater Than. Returns True when Greater Than would return False.
Page 217
The policy name is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
Page 218
The condition checks to see if the attribute of Title is equal to .*manager.*, which is a regular expression. Because Regular Expression mode matches the entire string, the leading and trailing .* allow zero or more characters before and after manager, and the comparison is case insensitive by default. It would find a match if the User object’s title was sales managers.
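How the comparison modes and condition groups in this chapter combine, as an added JavaScript model that is not part of the Designer documentation or of Identity Manager. It implements the Case Sensitive, Case Insensitive and Regular Expression modes from the Mode table, the If Attribute rule that a test is satisfied in either the operation or the source data store, the CNF/DNF grouping of conditions, and the rule that a rule with no conditions always fires. Identity Manager evaluates regular expressions with java.util.regex; the JavaScript RegExp here only models the two documented properties (whole-string match, case-insensitive by default), so the Java escape that switches case sensitivity is not handled. The condition object shape, the constructed sample event, and the consultant|sales pattern are this example's assumptions.

```javascript
// Added example, not Identity Manager code. Models DirXML Script condition
// evaluation; shapes of the condition and operation objects are assumptions.

// Comparison modes as documented for string-valued conditions.
const MODES = {
  "case-sensitive": (value, expected) => value === expected,
  "case-insensitive": (value, expected) => value.toLowerCase() === expected.toLowerCase(),
  // Anchoring forces a whole-string match; "i" models the case-insensitive default.
  "regex": (value, expected) => new RegExp(`^(?:${expected})$`, "i").test(value),
};

// Compare one value against the condition's content in the given mode.
function compare(mode, value, expected) {
  const fn = MODES[mode];
  if (!fn) throw new Error(`unknown comparison mode: ${mode}`);
  return fn(String(value), String(expected));
}

// Candidate values for an attribute test. "If Attribute" (test "attr") is
// satisfied if the test holds in the current operation OR in the source data
// store, so both are pooled; "If Operation Attribute" (test "op-attr") looks
// only at the operation.
function attributeValues(cond, ctx) {
  const fromOp = ctx.operation.attrs[cond.name] || [];
  const fromSrc = cond.test === "attr" ? (ctx.source[cond.name] || []) : [];
  return fromOp.concat(fromSrc);
}

// A condition is {test, op, value, mode, name}. An op written "not-<x>" is the
// negation of <x>, as in the documented "Not ..." operators.
function evalCondition(cond, ctx) {
  const base = cond.op.replace(/^not-/, "");
  let result;
  if (cond.test === "class-name") {
    const cls = ctx.operation.className;
    result = base === "available"
      ? cls !== undefined
      : cls !== undefined && compare(cond.mode, cls, cond.value);
  } else if (cond.test === "attr" || cond.test === "op-attr") {
    const values = attributeValues(cond, ctx);
    result = base === "available"
      ? values.length > 0
      : values.some((v) => compare(cond.mode, v, cond.value));
  } else {
    throw new Error(`unsupported condition: ${cond.test}`);
  }
  return cond.op.startsWith("not-") ? !result : result;
}

// groups is the list of groups under <conditions>. "and" groups are OR'ed
// together (DNF); "or" groups are AND'ed together (CNF). With no conditions
// at all the rule's actions always run, as documented.
function evalConditions(groups, ctx) {
  if (groups.length === 0) return true;
  const type = groups[0].type;
  if (!groups.every((g) => g.type === type)) throw new Error("groups must all be and, or all be or");
  const groupHolds = (g) => g.type === "and"
    ? g.conditions.every((c) => evalCondition(c, ctx))
    : g.conditions.some((c) => evalCondition(c, ctx));
  return type === "and" ? groups.some(groupHolds) : groups.every(groupHolds);
}

// Constructed sample modelled on the "Policy to Filter Events" example: the
// rule fires for a User that is disabled, or whose Title is consultant or sales.
const filterEventsConditions = [
  { type: "and", conditions: [
      { test: "class-name", op: "equal", value: "User", mode: "case-sensitive" },
      { test: "attr", name: "Login Disabled", op: "equal", value: "true", mode: "case-insensitive" },
  ] },
  { type: "and", conditions: [
      { test: "class-name", op: "equal", value: "User", mode: "case-sensitive" },
      { test: "attr", name: "Title", op: "equal", value: "consultant|sales", mode: "regex" },
  ] },
];

// operation: {className, attrs: {Name: [values]}}; source: the object's
// attributes as read from the source data store (constructed stand-in).
function filterEventsFires(operation, source) {
  return evalConditions(filterEventsConditions, { operation, source: source || {} });
}
```

Two behaviours worth noticing: a Title of "Sales Consultant" does not satisfy the regex condition consultant|sales because the whole string must match, and a User whose operation carries no Login Disabled value still matches when the source data store holds Login Disabled = true, which is the If Attribute (as opposed to If Operation Attribute) semantics.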
If Operation Property
Performs a test on an operation property on the current operation. An operation property is a named value that is stored as an attribute on an <operation-data> element within an operation. It is typically used to supply additional context that might be needed by the policy that handles the results of an operation.
Mode
The condition has a comparison mode parameter that indicates how a comparison is done.
Mode / Description
Case Sensitive: Character-by-character case sensitive comparison.
Case Insensitive: Character-by-character case insensitive comparison.
Regular Expression: The regular expression must match the entire string. It defaults to case insensitive, but can be changed by an escape in the expression.
If Password
Performs a test on a password in the current operation. The test performed depends on the specified operator.
Fields
Operator: Select the condition test type.
Operator / Returns True When...
Available: There is a password available in the current operation.
Equal: There is a password available in the current operation, and its value equals the content of the condition when compared by using the specified...
SampleSubCommandTransform.xml: The Subscriber Command Transformation policy checks to see if a password is available when an object is added. If the password is available, then the Novell SecureLogin and Novell SecretStore credentials are provisioned.
If Source Attribute
Performs a test on attribute values of the current object in the source data store. The test performed depends on the specified operator.
Fields
Name: Specify the name of the source attribute to test for the selected condition. Supports variable expansion.
Mode
The condition has a comparison mode parameter that indicates how a comparison is done.
Mode / Description
Case Sensitive: Character-by-character case sensitive comparison.
Case Insensitive: Character-by-character case insensitive comparison.
Regular Expression: The regular expression must match the entire string. It defaults to case insensitive, but can be changed by an escape in the expression.
If Source DN
Performs a test on the source DN in the current operation. The test performed depends on the specified operator.
Fields
Operator: Select the condition test type.
Operator / Returns True When...
Available: There is a source DN available.
Equal: There is a source DN available, and it equals the content of the specified value.
In Container: ...
The condition checks to see if the source DN is in the Users container. If the object comes from that container, it is vetoed.
If XML Attribute
Performs a test on an XML attribute of the current operation. The type of test performed depends on the specified operator.
Fields
Name: Specify the name of the XML attribute. An XML attribute is a name/value pair associated with an element in an XDS document.
Mode / Description
Case Sensitive: Character-by-character case sensitive comparison.
Case Insensitive: Character-by-character case insensitive comparison.
Regular Expression: The regular expression must match the entire string. It defaults to case insensitive, but can be changed by an escape in the expression. For more information, see Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html).
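The comparison-mode tables for If Operation Property, If Source Attribute and If XML Attribute, and the .*manager.* example under If Operation Attribute, all rest on the same three rules. The Python below is an added example written for this page, not Identity Manager or Designer code: it models exact comparison, case-folded comparison, and a regular expression that must match the whole value and is case insensitive unless the expression switches that off. The title strings are made up. One difference from the Java Pattern class the documentation links to: Python accepts the scoped form (?-i:...) to turn case sensitivity back on, whereas Java also accepts the bare (?-i) escape.

```python
"""Added example: how the three comparison modes in the Designer condition
tables (Case Sensitive, Case Insensitive, Regular Expression) decide a match.
Illustrative code written for this page, not part of Identity Manager.
"""
import re


def compare(value: str, content: str, mode: str) -> bool:
    """Return True when `value` matches the condition `content` under `mode`.

    - "case-sensitive":   character-by-character, case matters
    - "case-insensitive": character-by-character, case ignored
    - "regex":            the expression must match the ENTIRE value (a full
                          match, not a search); case insensitive by default,
                          and the expression can turn that off with a scoped
                          (?-i:...) group (Java's Pattern also accepts (?-i)).
    """
    if mode == "case-sensitive":
        return value == content
    if mode == "case-insensitive":
        # casefold() is the right tool for case-insensitive equality of
        # Unicode attribute values; lower() misses some foldings.
        return value.casefold() == content.casefold()
    if mode == "regex":
        return re.fullmatch(content, value, flags=re.IGNORECASE) is not None
    raise ValueError(f"unknown comparison mode: {mode!r}")


def title_matches_manager(title: str) -> bool:
    """The documented If Operation Attribute example: Title equal to
    .*manager.* in Regular Expression mode."""
    return compare(title, r".*manager.*", "regex")


if __name__ == "__main__":
    # Constructed sample titles for the walkthrough.
    for title in ["sales managers", "Sales Manager", "managerial staff", "engineer"]:
        print(f"{title!r:22} -> {title_matches_manager(title)}")
```

The practical trap is the full-match rule: in Regular Expression mode the content manager on its own does not match the value sales manager, which is why the documented example wraps it in .* on both sides.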
SampleSubCommandTransform.xml: The sample Credential Provisioning policy checks each Add operation to see if there is operation data associated with the Add. If there is no operation data, the Novell SecureLogin and Novell SecretStore credentials are provisioned.
Actions
Policies perform actions when the associated conditions are met. Some actions have a Mode field. The policy does not honor the mode at run time if the context in which the policy is running is incompatible with the selected mode. This section contains detailed information about the actions available in the Policy Builder interface:
“Add Association”...
“Rename Source Object” on page 279
“Send Email” on page 280
“Send Email from Template” on page 282
“Set Default Attribute Value” on page 284
“Set Destination Attribute Value” on page 286
“Set Destination Password” on page 288
“Set Local Variable” on page 289
“Set Operation Association”...
Add Association
Sends an add association command with the specified association to the Identity Vault.
Fields
Mode: Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
DN: Specify the DN of the target object, or leave the field blank to use the current object.
Association: Specify the value of the association to be added.
Add Destination Attribute Value
Adds a value to an attribute on an object in the destination data store.
Fields
Attribute Name: Specify the name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Class Name (Optional): Specify the class name of the target object.
Add Destination Object
Creates an object of the specified type in the destination data store, with the name and location specified in the Enter DN field. Any attribute values to be added as part of the object creation must be set in subsequent Add Destination Attribute Value actions, using the same DN.
Fields
Class Name: Specify the class name of the object to be created.
The OU object is created. The value for the OU attribute is supplied by the Add Destination Attribute Value action that follows this action.
Add Role
Initiates a request to the Roles Based Provisioning Module (RBPM) to assign the specified role (in the Role DN field) to the specified user (in the Authorized User DN field). This action is only available if the Identity Manager server version is set to 3.6 or later.
Fields
Role DN: Specify the name of the role to assign, in LDAP format.
String Name / Description
sod-justification: A justification for requesting an exception for any Separation of Duty violations this assignment will trigger. Default: no exception is requested, and the request fails if it causes a violation.
NOTE: By default, the Named String Builder does not display this string. However, you can manually add it to the string list.
Add Source Attribute Value
Adds a value to the specified attribute on an object in the source data store.
Fields
Attribute Name: Specify the name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Class Name (Optional): Specify the class name of the target object.
Add Source Object
Creates an object of the specified type in the source data store, with the name and location provided in the DN field. Any attribute values to be added as part of the object creation must be set in subsequent Add Source Attribute Value actions, using the same DN.
Understanding Policies for Identity Manager 3.6. To view the policy in XML, see ../samples/SampleSubCommandTransform.xml.
SampleSubCommandTransform.xml: The sample file uses the Append XML Element action to add the Novell SecureLogin or Novell SecretStore credentials to the user object when it is provisioned.
3.6. To view the policy in XML, see ../samples/SampleSubCommandTransform.xml.
SampleSubCommandTransform.xml: The example uses the Append XML Text action to find the Novell SecureLogin or Novell SecretStore application username. By obtaining the application name, the credentials can be set for the user object when it is provisioned.
Clear Destination Attribute Value
Removes all values for the named attribute from an object in the destination data store.
Fields
Attribute Name: Specify the name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Class Name (Optional): Specify the class name of the target object.
Clear Operation Property
Clears any operation property with the provided name from the current operation. An operation property is an XML attribute attached to an <operation-data> element by a policy. An XML attribute is a name/value pair associated with an element in the XDS document.
Fields
Property Name: Specify the name of the operation property to clear.
Clear Source Attribute Value
Removes all values of an attribute from an object in the source data store.
Fields
Attribute Name: Specify the name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Class Name (Optional): Specify the class name of the target object.
Enter login parameter strings field. The number of strings and the names used depend on the credential repository and application for which the credential is targeted. For more information, see Novell Credential Provisioning for Identity Manager 3.6.
Clone By XPath Expressions
Appends deep copies of the nodes selected by the source expression to the set of elements selected by the destination expression. If Before XPath Expression is not specified, the non-attribute cloned nodes are appended after any existing children of the selected elements. If Before XPath Expression is specified, it is evaluated relative to each of the elements selected by the destination expression to determine which of the children to insert before.
The policy is Govern Groups for User Based on Title Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
Delete Destination Object
Deletes an object in the destination data store.
Fields
Class Name (Optional): Specify the class name of the object to delete in the destination data store. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Mode: Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
Delete Source Object
Deletes an object in the source data store.
Fields
Class Name (Optional): Specify the class name of the object to delete in the source data store. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Object: Select the target object type to delete in the source data store.
IMPORTANT: To improve performance when using the Find Matching Object verb, create an index for the attributes that you are going to use when querying the Identity Vault. For more information about indexes, see the Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/edir88/index.html?page=/documentation/edir88/edir88/data/a5tuuu5.html).
When you click the Argument Builder icon, the Match Attribute Builder comes up. You specify the attribute you want to match on in the builder. This example uses the CN and L attributes. The left fields store the attributes to match. The right fields allow you to specify whether to use the value from the current object to match or to use another value.
2 Select the desired value type.
3 Specify the value, then click Finish.
For Each
Repeats a set of actions for each node in a node set.
Fields
Node Set: Specify the node set.
Action: Specify the actions to perform on each node in the node set.
Remarks
The current node, when referenced through a local variable, has a different value for each iteration of the actions. If the current node in the node set is an entitlement element, then the actions are marked as if they are also enclosed in an Implement Entitlement...
Generate Event
Sends a user-defined event to Novell Audit or Sentinel.
Fields
ID: The ID of the event. The provided value must result in an integer in the range 1000-1999 when parsed by using the parseInt method of java.lang.Integer. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
The example has four rules that implement a placement policy for User objects based on the first character of the Surname attribute. It generates both a trace message and a custom Novell Audit or Sentinel event. The Generate Event action is used to send Novell Audit or Sentinel an event. The policy name is Policy to Place by Surname and is available for download from the Novell Support Web site.
If
Conditionally performs a set of actions.
Fields
If Conditions: Specify the desired condition.
Then Perform Actions: Specify the desired actions, if the conditions are True.
Else Perform Actions (Optional): Specify the desired actions, if the conditions are False.
Example
During an Add or Modify operation, if the attribute Title equals manager, the user object is added to the ManagerGroup group.
The action is to add the user object to the ManagerGroup group. If the title does not equal manager, the user object is placed in the UsersGroup group.
Implement Entitlement
Designates actions that implement an entitlement so that the status of those entitlements can be reported to the agent that granted or revoked the entitlement.
Fields
Node Set: Node set containing the entitlement being implemented by the specified actions.
Action: Actions that implement the specified entitlements.
The example contains a single rule that disables a user’s account and moves it to a disabled container when the Description attribute indicates it is terminated. The policy is named Disable User Account and Move When Terminated, and it is available for download from the Novell Support Web site. For more information, see “XPath 1.0...
The policy checks to see if it is a Modify event on a User object and if the attribute Description contains the value terminated. If that is the case, then it sets the attribute Login Disabled and moves the object into the container.
Move Source Object
Moves an object in the source data store.
Fields
Class Name (Optional): Specify the class name of the object to move in the source data store. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Object to Move: Select the object to be moved.
Reformat Operation Attribute
Reformats all values of an attribute within the current operation by using a pattern.
Fields
Name: Specify the name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Value Type: Specify the syntax of the new attribute value.
Remove Association
Sends a remove association command to the Identity Vault.
Fields
Mode: Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
Association: Specify the value of the association to be removed.
Example
The example takes a Delete operation and disables the User object instead.
Remove Destination Attribute Value
Removes an attribute value from an object in the destination data store.
Fields
Attribute Name: Specify the name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Class Name (Optional): Specify the class name of the target object.
Remove Role
Initiates a request to the Roles Based Provisioning Module (RBPM) to revoke the specified role (in the Role DN field) from the specified user (in the Authorized User DN field). This action is only available if the Identity Manager server version is set to 3.6 or later.
Fields
Role DN: Specify the name of the role to revoke, in LDAP format.
Remove Source Attribute Value
Removes the specified value from the named attribute on an object in the source data store.
Fields
Attribute Name: Specify the name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Class Name (Optional): Specify the class name of the target object.
Rename Destination Object
Renames an object in the destination data store.
Fields
Class Name (Optional): Specify the class name of the object to rename in the destination data store. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Mode: Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
Rename Operation Attribute
Renames all occurrences of an attribute within the current operation.
Fields
Source Name: Specify the original attribute name. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Destination Name: Specify the new attribute name. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
Rename Source Object
Renames an object in the source data store.
Fields
Class Name (Optional): Specify the class name of the object to rename in the source data store. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Select Object: Select the target object.
Send Email
Sends an e-mail notification.
Fields
(Optional) Specify the User ID in the SMTP system sending the message. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Server: Specify the SMTP server name. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
String Name / Description
Adds the address to the list of e-mail recipients; multiple instances are allowed. Can contain a comma-separated list of recipients.
Example
Send Email from Template
Generates an e-mail notification by using a template.
Fields
Notification DN: Specify the slash form DN of the SMTP notification configuration object. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Template DN: Specify the slash form DN of the e-mail template object.
In addition to the reserved field names listed above, Send Email from Template supports Global Configuration Values (GCVs) for creating the desired string. Each template can also define fields that can be replaced in the subject and body of the e-mail message.
Set Default Attribute Value
Adds default values to the current operation (and optionally to the current object in the source data store) if no values for that attribute already exist. It is only valid when the current operation is Add.
Fields
Attribute Name: Specify the name of the default attribute.
To build the value, the Argument Value List Builder is launched. See Section 4.8, “Argument Value List Builder,” on page 58 for more information on the builder. You can set the value to what is needed. In this case, we used the Argument Builder and set the text to be the name of the company.
Set Destination Attribute Value
Adds a value to an attribute on an object in the destination data store, and removes all other values for that attribute.
Fields
Attribute Name: Specify the name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
The rule sets the value of the attribute Login Disabled to true. The rule uses the Argument Builder to add the text true as the value of the attribute. See Section 4.3, “Argument Builder,” on page 47 for more information about the builder.
Set Destination Password
Sets the password for an object in the destination data store.
Fields
Class Name (Optional): Specify the class name for the object to set the password on in the destination data store. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
The policy name is Govern Groups for User Based on Title, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
The local variable is set to the value that is in the User object’s destination attribute Object Class plus the local variable manager-group-info. The Argument Builder is used to construct the local variable. See Section 4.3, “Argument Builder,” on page 47 for more information.
Set Operation Association
Sets the association value for the current operation.
Fields
Association: Provide the new association value.
Example
Set Operation Class Name
Sets the object class name for the current operation.
Fields
String: Specify the new class name.
Example
Set Operation Destination DN
Sets the destination DN for the current operation.
Fields
DN: Specify the new destination DN.
Example
This example places the objects in the Identity Vault by using the structure that is mirrored from the connected system. You need to define at what point the mirroring begins in the source and destination data stores.
Set Operation Property
Sets an operation property. An operation property is a named value that is stored within an operation. It is typically used to supply additional context that might be needed by the policy that handles the results of an operation.
Fields
Property Name: Specify the name of the operation property.
The example applies the Manager template if the Title attribute contains the word Manager. The name of the policy is Policy: Assign Template to User Based on Title, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies”...
The example detects when an e-mail address is changed and sets it back to what it was. The policy name is Policy: Reset Value of the E-mail Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
The action takes the value of the destination attribute Internet EMail Address and sets the source attribute Email to this same value.
Set Source Password
Sets the password for an object in the source data store.
Fields
Class Name (Optional): Specify the class name of the object to set the password on in the source data store. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
Set SSO Credential
Sets the SSO credential when a user object is created or when a password is modified. This action is part of the Credential Provisioning policies. For more information, see Novell Credential Provisioning for Identity Manager 3.6.
Fields
Credential Repository Object DN: Specify the DN of the repository object.
Set SSO Passphrase
Sets the Novell SecureLogin passphrase and answer when a User object is provisioned. This action is part of the Credential Provisioning policies. For more information, see Novell Credential Provisioning for Identity Manager 3.6.
Fields
Credential Repository Object DN: Specify the DN of the repository object.
Set XML Attribute
Sets an XML attribute on a set of elements selected by an XPath expression.
Fields
Name: Specify the name of the XML attribute. This name can contain a namespace prefix if the prefix has been previously defined in this policy. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
Start Workflow
Starts the workflow specified by workflow-id for the recipient DN on the User Application server specified by a URL, by using the credentials specified by the ID and password. The recipient must be an LDAP format DN of an object in the directory served by the User Application server. The additional arguments to the workflow can be specified by named strings.
Example
The following example starts a workflow process each time there is an Add operation. The workflow is a request for a cell phone. To view the policy in XML, see ../samples/start_workflow.xml.
Status
Generates a status notification.
Fields
Level: Specify the status level of the notification. The levels are error, fatal, retry, success, and warning. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
String: Provide the status message by using the Argument Builder.
Remarks
If level is retry, then the policy immediately stops processing the input document and schedules a retry of the event currently being processed.
The example detects when an e-mail address is changed and sets it back to what it was. The policy name is Policy: Reset Value of the E-mail Attribute, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
Strip XPath Expression
Strips nodes selected by an XPath 1.0 expression.
Fields
XPath Expression: Specify the XPath 1.0 expression that returns a node set containing the nodes to be stripped. Supports variable expansion. For more information on variable expansion and XPath, see Section 3.6.5, “XPath Expressions,”...
Sentinel event. The Trace Message action is used to send a trace message to DSTRACE. The policy name is Policy to Place by Surname and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
The action sends a trace message to DSTRACE. The message contains the value of the local variable LVUsers1, and it shows up in yellow in DSTRACE.
Veto
Vetoes the current operation.
Example
The example excludes all events that come from the specified subtree. The rule is from the predefined rules that come with Identity Manager. For more information, see Section 8.8, “Event Transformation - Scope Filtering - Exclude Subtrees,” on page 122.
The example does not allow User objects to be created unless the attributes Given Name, Surname, Title, Description, and Internet EMail Address are available. The policy name is Policy to Enforce the Presence of Attributes, and it is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager...
While
Causes the specified actions to be repeated while the specified conditions evaluate to True.
Fields
Conditions: Specify the condition to be evaluated.
Actions: Specify the actions to be repeated if the conditions evaluate to True.
Example
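The "enforce the presence of attributes" rule described under Veto is a good place to see how a policy decision reads against the XDS document it receives. The Python below is an added example written for this page, not Identity Manager, Designer, or the downloadable policy: it models a rule that tests If Class Name equal User and If Operation equal add, checks each required attribute the way the Available operator does (at least one non-empty value in the operation), and vetoes the Add when any is missing. The XDS events, DNs and attribute values are constructed for the illustration; only the attribute names come from the page.

```python
"""Added example (not from the Designer documentation or the product): the
presence-of-attributes veto applied in Python to a constructed XDS <input>.
"""
import xml.etree.ElementTree as ET

REQUIRED_USER_ATTRS = (
    "Given Name", "Surname", "Title", "Description", "Internet EMail Address",
)

# Constructed sample input in XDS form: a User Add missing Title, a complete
# User Add, and a Group Add that the rule must leave alone.  DNs are made up.
SAMPLE_XDS = """<nds dtdversion="4.0">
  <input>
    <add class-name="User" event-id="1" src-dn="\\data\\Users\\Active\\jdoe">
      <add-attr attr-name="Given Name"><value type="string">Jane</value></add-attr>
      <add-attr attr-name="Surname"><value type="string">Doe</value></add-attr>
      <add-attr attr-name="Description"><value type="string">Contractor</value></add-attr>
      <add-attr attr-name="Internet EMail Address"><value type="string">jdoe@example.test</value></add-attr>
    </add>
    <add class-name="User" event-id="2" src-dn="\\data\\Users\\Active\\asmith">
      <add-attr attr-name="Given Name"><value type="string">Al</value></add-attr>
      <add-attr attr-name="Surname"><value type="string">Smith</value></add-attr>
      <add-attr attr-name="Title"><value type="string">Sales Manager</value></add-attr>
      <add-attr attr-name="Description"><value type="string">Employee</value></add-attr>
      <add-attr attr-name="Internet EMail Address"><value type="string">asmith@example.test</value></add-attr>
    </add>
    <add class-name="Group" event-id="3" src-dn="\\data\\Groups\\sales">
      <add-attr attr-name="Description"><value type="string">Sales team</value></add-attr>
    </add>
  </input>
</nds>"""


def available_attrs(op: ET.Element) -> set:
    """'Available' in the If Operation Attribute sense: the operation carries
    at least one non-empty value for the attribute."""
    return {
        a.get("attr-name")
        for a in op.findall("add-attr")
        if any((v.text or "").strip() for v in a.findall("value"))
    }


def enforce_presence(xds: str, required=REQUIRED_USER_ATTRS):
    """Return (passed, vetoed); each entry is (event-id, missing attribute names).

    Only User Add operations are tested.  Everything else passes through
    untouched, as a rule guarded by If Class Name equal User would do."""
    root = ET.fromstring(xds)
    passed, vetoed = [], []
    for op in root.iter("add"):
        if op.get("class-name") != "User":
            passed.append((op.get("event-id"), []))
            continue
        missing = [a for a in required if a not in available_attrs(op)]
        (vetoed if missing else passed).append((op.get("event-id"), missing))
    return passed, vetoed


if __name__ == "__main__":
    ok, dropped = enforce_presence(SAMPLE_XDS)
    for event_id, missing in dropped:
        print(f"veto event {event_id}: missing {missing}")
    for event_id, _ in ok:
        print(f"pass event {event_id}")
```

Checking for a non-empty value rather than the mere presence of an add-attr element matters: a connected system that sends an empty Title would otherwise slip past the rule.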
Noun Tokens
Noun tokens expand to values that are derived from the current operation, the source or destination data stores, or some external source. This section contains detailed information about the noun tokens available in the Policy Builder interface.
“Text” on page 314
“Added Entitlement”...
Section 3.6, “Variable Selector,” on page
Example
The example is from the Govern Groups for User Based on Title policy, which is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies” in Understanding Policies for Identity Manager 3.6.
The Text token contains the DN for the manager’s group. You can browse to the object you want to use, or type the information into the editor.
Added Entitlement
Expands to the values of an entitlement granted in the current operation.
Fields
Name: Name of the entitlement. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Remarks
If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that entitlement.
Association
Expands to the association value from the current operation.
Example
The example is from the predefined rules that come with Identity Manager. For more information on the predefined rule, see Section 8.2, “Command Transformation - Publisher Delete to Disable,” on page 113.
Attribute
Expands to the value of an attribute from the current object in the current operation and in the source data store. It can be logically thought of as the union of the Operation Attribute token and the Source Attribute token. It does not include the removed values from a Modify operation.
Fields
Name: Specify the name of the attribute.
Character
Expands to a character specified by a Unicode* code point.
Remarks
For a listing of Unicode values and characters, see Unicode Code Charts (http://www.unicode.org/charts/).
Fields
Character Value: The Unicode code point of the character. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,”...
Example
The example is from the Govern Groups for User Based on Title policy, which is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies”...
You build the Destination Attribute through the Editor. In this example, the attribute Object Class is set. The DN is used to select the object. The value of DN is the Local Variable of manager-group-...
Destination DN
Expands to the destination DN specified in the current operation.
Fields
Start: Specify the RDN index to start with:
Index 0 is the root-most RDN.
Positive indexes are an offset from the root-most RDN.
Index -1 is the leaf-most segment.
Negative indexes are an offset from the leaf-most RDN towards the root-most RDN.
Length: Specify the number of RDN segments to include.
Destination Name
Expands to the unqualified Relative Distinguished Name (RDN) of the destination DN specified in the current operation.
Example
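The Start and Length rules for the Destination DN token, the unqualified leaf RDN that Destination Name returns, and the mirrored-structure placement described under Set Operation Destination DN all reduce to slicing a DN into its RDN segments. The Python below is an added example written for this page, not Identity Manager or Designer code, and it works on slash-form DNs only. The container names are made up. It also goes one step beyond this excerpt: a negative Length is handled as (total segments + length) + 1, which is an assumption taken from the full Designer token documentation rather than from the text here.

```python
"""Added example (not product code): RDN indexing for the Destination DN /
Source DN tokens, the unqualified leaf name for Destination Name, and a
mirrored Set Operation Destination DN, all on slash-form DNs.
"""


def split_slash_dn(dn: str) -> list:
    """Split a slash-form DN (\\T=TREE\\O=data\\CN=jdoe or \\data\\Users\\jdoe)
    into its RDN segments, root-most first; a leading backslash yields an
    empty segment, which is dropped."""
    return [seg for seg in dn.split("\\") if seg]


def unqualified(rdn: str) -> str:
    """Strip a type prefix such as CN= or OU= from an RDN, if present."""
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def dn_slice(dn: str, start: int = 0, length: int = -1) -> str:
    """Return the selected RDN segments rejoined in slash form.

    start:  0 is the root-most RDN, positive values offset from the root,
            -1 is the leaf-most RDN, more negative values offset toward root.
    length: number of segments to include; a negative value means
            (total + length) + 1, so -1 takes everything from `start` on
            (assumption: taken from the full Designer documentation).
    """
    segs = split_slash_dn(dn)
    total = len(segs)
    if not -total <= start < total:
        raise IndexError(f"start {start} out of range for {total} RDNs")
    first = start if start >= 0 else total + start
    count = length if length >= 0 else total + length + 1
    return "\\".join(segs[first:first + count])


def dn_name(dn: str) -> str:
    """Destination Name / Source Name: the unqualified leaf-most RDN."""
    segs = split_slash_dn(dn)
    if not segs:
        raise ValueError("empty DN")
    return unqualified(segs[-1])


def mirror_dn(src_dn: str, src_root: str, dest_root: str) -> str:
    """Set Operation Destination DN with a mirrored structure: the part of the
    source DN above the mirroring point is replaced by the destination root.
    Both roots are slash-form container DNs (made-up names in the demo)."""
    src = split_slash_dn(src_dn)
    root = split_slash_dn(src_root)
    if src[:len(root)] != root:
        raise ValueError(f"{src_dn} is not under {src_root}")
    return "\\".join(split_slash_dn(dest_root) + src[len(root):])


if __name__ == "__main__":
    dn = "\\data\\Users\\Active\\jdoe"
    print(dn_slice(dn, 0, 1), "|", dn_slice(dn, -2, 2), "|", dn_name("\\O=data\\CN=jdoe"))
    print(mirror_dn(dn, "\\data\\Users", "\\Training\\Users"))
```

The guard in mirror_dn is the part worth keeping in a real policy: an event whose source DN is outside the mirrored subtree should be handled explicitly (vetoed or placed in a default container), not silently rooted somewhere unexpected.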
Document Reads the XML document pointed to by the URI and returns the document node in a node set. The URI can be relative to the URI of the including policy. With any error, the result is an empty node set.
Entitlement
Expands to the values of a granted entitlement from the current object.
Fields
Name: Name of the entitlement. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Remarks
If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that entitlement.
Generate Password
Generates a random password that conforms to the specified password policy.
Fields
Password Policy: The DN of the password policy that the randomly generated password must conform to. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Set DN relative to policy: Select whether the DN of the password policy is relative to the policy being created.
Global Configuration Value
Expands to the value of a global configuration value (GCV).
Fields
Name: Name of the global configuration value. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Example
Section 3.6, “Variable Selector,” on page Example The example is from the Govern Groups for User Based on Title policy, which is available for download from the Novell Support Web site. For more information, see “Downloading Identity Manager Policies” in Understanding Policies for Identity Manager 3.6.
The Local Variable token can only be used if the Set Local Variable action has been used previously in the policy; that action sets the value that is stored in the local variable. In the Editor, you click the browse icon and all of the local variables that have been defined are listed. Select the correct local variable. The value of the local variable is group-manager-dn.
Named Password
Expands to the named password from the driver.
Fields
Name: Name of the password. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page
Example
The Named Password noun token can only be used if a Named Password has been set on the driver object.
Example The example has four rules that implement a Placement policy for User objects based on the first character of the Surname attribute. It generates both a trace message and a custom Novell Audit or Sentinel event. The policy name is Policy to Place by Surname, and it is available for download from the Novell Support Web site.
Page 336
The action Set Operation Destination DN contains the Operation Attribute token. The Operation Attribute token sets the Destination DN to the CN attribute. The rule takes the context of Training\Users\Active\Users and adds a \ plus the value of the CN attribute. 336 Policies in Designer 3.5...
Operation Property Expands to the value of the specified operation property on the current operation. Fields Name Specify the name of the operation property. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page Example
IMPORTANT: To improve performance when using the query noun, create an index for the attributes that you are going to use when querying the Identity Vault. For more information about indexes, see the Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/edir88/index.html?page=/documentation/edir88/edir88/data/a5tuuu5.html).
“XPath 1.0 Expressions” in Understanding Policies for Identity Manager 3.6. Chapter 5, “Using the XPath Builder,” on page 71 Example
Removed Attribute Expands to the specified attribute value being removed in the current operation. It applies only to a Modify operation. Fields Name Specify the name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page Remarks If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that attribute.
Removed Entitlement Expands to the values of an entitlement revoked in the current operation. Fields Name Specify the name of the entitlement. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page Remarks If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that entitlement.
Resolve Resolves the DN to an association key, or the association key to a DN in the specified data store. Fields Datastore Select the destination or source datastore to be queried. Resolve Type Select to resolve the association key to a DN or to resolve the DN to an association key. Example
Source Attribute Expands to the values of an attribute from an object in the source data store. Fields Name Name of the attribute. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Source DN Expands to the source DN from the current operation. Fields Start Specify the RDN index to start with:
Index 0 is the root-most RDN
Positive indexes are an offset from the root-most RDN
Index -1 is the leaf-most segment
Negative indexes are an offset from the leaf-most RDN towards the root-most RDN
Length Number of RDN segments to include.
Source Name Expands to the unqualified relative distinguished name (RDN) of the source DN specified in the current operation. Example
Time Expands to the current date/time into the format, language, and time zone specified. Fields Format Specify the date/time format. Select a named time format or specify a custom format pattern. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page Language Specify the language.
IMPORTANT: To improve performance when using the unique name noun, create an index for the attributes that you are going to use when querying the Identity Vault. For more information about indexes, see the Novell eDirectory 8.8 Administration Guide (http://www.novell.com/documentation/edir88/edir88/index.html?page=/documentation/edir88/edir88/data/a5tuuu5.html).
If Cannot Construct Name Select the action to take if a unique name cannot be constructed. The options are:
Ignore, return empty
Generate warning, return empty name
Generate error, abort current transaction
Generate fatal error, shut down driver
Remarks Each element provides a pattern to be used to create a proposed name.
The following pattern was constructed to provide unique names: If this pattern does not generate a unique name, a digit is appended, incrementing up to the specified number of digits. In this example, nine additional unique names would be generated by the appended digit before an error occurs (pattern1 - pattern99).
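The candidate-name search described above, together with the four If Cannot Construct Name options, as an added Python example (not code from the page or from Designer). The Identity Vault lookup is replaced by a constructed set of names already in use; the assumptions are that a pattern is tried bare before any digit is appended, that patterns are exhausted in order, and that the appended counter runs from 1 up to the largest value that fits in the specified number of digits (so one digit yields nine further candidates, as in the text).

```python
import logging
from typing import Callable, Iterable, Iterator, List

# The options of the If Cannot Construct Name field, as listed on the page.
IGNORE, WARN, ERROR, FATAL = "ignore", "warn", "error", "fatal"


class UniqueNameError(Exception):
    """Raised for the 'abort current transaction' and 'shut down driver' options."""


def candidate_names(patterns: Iterable[str], digits: int) -> Iterator[str]:
    """Yield proposed names: each pattern bare, then with 1 .. (10**digits - 1) appended.
    Assumption: the bare pattern is tried first and patterns are exhausted in order."""
    for pattern in patterns:
        yield pattern
        for counter in range(1, 10 ** digits):
            yield f"{pattern}{counter}"


def unique_name(patterns: List[str], exists: Callable[[str], bool],
                digits: int = 1, on_failure: str = IGNORE) -> str:
    """Return the first proposed name that exists() reports as free; otherwise apply on_failure."""
    for name in candidate_names(patterns, digits):
        if not exists(name):
            return name
    if on_failure == IGNORE:
        return ""
    if on_failure == WARN:
        logging.warning("unique name: every candidate for %s is taken", patterns)
        return ""
    if on_failure == ERROR:
        raise UniqueNameError("abort current transaction")
    if on_failure == FATAL:
        raise UniqueNameError("shut down driver")
    raise ValueError(f"unknown If Cannot Construct Name option: {on_failure!r}")


def outcome(patterns: List[str], exists: Callable[[str], bool],
            digits: int = 1, on_failure: str = IGNORE) -> str:
    """Run unique_name and report either the chosen name or the failure it produced."""
    try:
        return unique_name(patterns, exists, digits, on_failure) or "<empty>"
    except UniqueNameError as err:
        return f"error: {err}"


# Constructed stand-in for the Identity Vault query: names already in use (compared case-insensitively,
# which is how a directory usually treats naming attributes).
TAKEN = {"jsmith", "jsmith1", "jsmith2", "johns"}


def vault_has(name: str) -> bool:
    return name.lower() in TAKEN


if __name__ == "__main__":
    print(outcome(["jsmith"], vault_has))                 # jsmith3
    print(outcome(["johns", "jsmith"], vault_has))        # johns1
    print(outcome(["x"], lambda n: True, on_failure=ERROR))
```

The exists() callback is where the IMPORTANT note above applies: every candidate costs one query against the Identity Vault, so the naming attribute should be indexed, and a small Digits value bounds how many queries a single object can trigger before the chosen failure option is taken.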
Unmatched Source DN Expands to the part of the source DN in the current operation that corresponds to the part of the DN that was not matched by the most recent match of an If Source DN condition. Fields Convert Select whether or not to convert the DN format used by the destination data store.
XPath Expands to the results of evaluating an XPath 1.0 expression. Fields Expression XPath 1.0 expression to evaluate. Remarks For more information on using XPath expressions with policies, see “XPath 1.0 Expressions” in Understanding Policies for Identity Manager 3.6. Example
Verb Tokens Verb tokens modify the concatenated results of other tokens that are subordinate to them. This section contains detailed information about all verbs that are available through the Policy Builder interface. “Base64 Decode” on page 354 “Base64 Encode” on page 355 “Convert Time”...
Base64 Decode Decodes the result of the enclosed tokens from Base64-encoded data to bytes, then converts the bytes into a string by using the specified character set. Fields Character Set Specify the character set that converts the decoded bytes to a string. It can be any character set supported by Java.
Base64 Encode Converts the result of the enclosed tokens to bytes by using the specified character set, then Base64-encodes the bytes. Fields Character Set Specify the character set that converts the string to bytes. It can be any Java-supported character set.
Convert Time Converts the date and time represented by the result of the enclosed tokens from the source format, language, and time zone to the destination format, language, and time zone. Fields Source Format Specify the source date/time format. Select a named time format or specify a custom format pattern.
Escape Destination DN Escapes the enclosed tokens according to the rules of the DN format of the destination data store. Example The example is from the predefined rules that come with Identity Manager. For more information, see Section 8.16, “Placement - Publisher Flat,” on page 136.
Join Joins the values of the nodes in the node set result of the enclosed tokens, separating the values by the characters specified by delimiter. If Comma-Separated Values (CSV) is set to true, then CSV quoting rules are applied to the values. Fields Delimiter (Optional) Specify the string used to delimit the joined values.
This example sets the e-mail address to be name@slartybartfast.com where the name equals the first character of the Given Name plus the Surname. The policy name is Policy: Create E-mail from Given Name and Surname, and it is available for download at the Novell Support Web site. For more information, see “Downloading Identity Manager...
Maps the result of the enclosed tokens from the values specified by the source column to the destination column in the specified mapping table. Remarks If this token is evaluated in a context where a node set result is expected and multiple rows are matched by the value being mapped, a node set is returned that contains the values from the destination column of each matching row.
Parse DN Converts the enclosed token’s DN to an alternate format. Fields Start Specify the RDN index to start with:
Index 0 is the root-most RDN
Positive indexes are an offset from the root-most RDN
Index -1 is the leaf-most segment
Negative indexes are an offset from the leaf-most RDN towards the root-most RDN
Length Number of RDN segments to include.
Wildcard Character Escape Character If RDN Delimiter and Relative RDN Delimiter are the same character, the orientation of the name is root right, otherwise the orientation is root left. If there are more than eight characters in the delimiter set, the extra characters are considered as characters that need to be escaped, but they have no other special meaning.
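The RDN indexing shared by the Source DN noun and the Parse DN verb (index 0 root-most, -1 leaf-most, Length segments from there) and the orientation rule just stated (same RDN and relative RDN delimiter means root on the right), as an added Python example that is not code from the page or from Designer. The two delimiter sets LDAP and SLASH are assumptions built for the example, not the product's format tables; name types such as cn= are carried through unchanged (the Name Divider fields are not modeled), and a negative Length is taken here to mean "through the leaf-most RDN".

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class DnFormat:
    """Delimiter set for one DN format (a subset of the Parse DN custom-format fields)."""
    rdn_delimiter: str
    relative_rdn_delimiter: str
    escape: str

    @property
    def root_right(self) -> bool:
        # Rule from the page: same RDN and relative RDN delimiter => root on the right.
        return self.rdn_delimiter == self.relative_rdn_delimiter


# Assumed delimiter sets for the example (constructed, not the product's tables).
LDAP = DnFormat(rdn_delimiter=",", relative_rdn_delimiter=",", escape="\\")    # cn=jsmith,ou=Users,o=Training
SLASH = DnFormat(rdn_delimiter="\\", relative_rdn_delimiter="/", escape="\\")  # Training\Users\jsmith


def split_rdns(dn: str, fmt: DnFormat) -> List[str]:
    """Split a DN into RDN segments, returned root-most first, honoring the escape character.
    An escape char followed by a delimiter or another escape char yields that char literally."""
    specials = {fmt.rdn_delimiter, fmt.relative_rdn_delimiter, fmt.escape}
    segments: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == fmt.escape and i + 1 < len(dn) and dn[i + 1] in specials:
            current.append(dn[i + 1])
            i += 2
            continue
        if c == fmt.rdn_delimiter:
            segments.append("".join(current))
            current = []
        else:
            current.append(c)
        i += 1
    segments.append("".join(current))
    segments = [s for s in segments if s]  # a leading delimiter (\Training\...) leaves an empty segment
    return list(reversed(segments)) if fmt.root_right else segments


def select_rdns(segments: List[str], start: int = 0, length: int = -1) -> List[str]:
    """Apply Start and Length: 0 is the root-most RDN, -1 the leaf-most, a negative start counts
    from the leaf toward the root. Assumed: a negative length means through the leaf-most RDN."""
    n = len(segments)
    first = start if start >= 0 else max(0, n + start)
    count = length if length >= 0 else n - first
    return segments[first:first + count]


def format_dn(segments: List[str], fmt: DnFormat) -> str:
    """Join root-first segments in fmt, escaping delimiter and escape characters inside each value."""
    specials = list(dict.fromkeys([fmt.escape, fmt.rdn_delimiter, fmt.relative_rdn_delimiter]))

    def esc(value: str) -> str:
        for ch in specials:  # escape char first, so escapes added here are not escaped again
            value = value.replace(ch, fmt.escape + ch)
        return value

    ordered = list(reversed(segments)) if fmt.root_right else segments
    return fmt.rdn_delimiter.join(esc(s) for s in ordered)


def parse_dn(dn: str, src: DnFormat, dst: DnFormat, start: int = 0, length: int = -1) -> str:
    """What the Parse DN verb does: split in the source format, pick RDNs, emit in the destination format."""
    return format_dn(select_rdns(split_rdns(dn, src), start, length), dst)


if __name__ == "__main__":
    dn = "Training\\Users\\Active\\Users\\jsmith"           # the context used on the page, plus a CN
    print(parse_dn(dn, SLASH, SLASH, start=-1, length=1))  # jsmith
    print(parse_dn(dn, SLASH, SLASH, start=0, length=2))   # Training\Users
    print(parse_dn("cn=Smith\\, John,o=Acme", LDAP, LDAP))  # round-trips with the comma still escaped
```

Escaping on output is the part that matters for the Escape Destination DN verb and the Set Operation Destination DN example earlier in this chapter: a value such as "Smith, John" that is concatenated into a DN without escaping changes the number of RDNs the destination parses, which is why the verb exists.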
Replace All Replaces all occurrences of a regular expression in the enclosed tokens. Fields Regular Expression Specify the regular expression that matches the substring to be replaced. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page Replace With Specify the replacement string.
Replace First Replaces the first occurrence of a regular expression in the enclosed tokens. Fields Regular Expression Specify the regular expression that matches the substring to replace. Supports variable expansion. For more information, see Section 3.6, “Variable Selector,” on page Replace With Specify the replacement string.
The regular expression ^\((\d\d\d)\)\s*(\d\d\d)-(\d\d\d\d)$ matches the form (nnn) nnn-nnnn, and the replacement string $1-$2-$3 reassembles the three captured groups as nnn-nnn-nnnn. This rule transforms the format of the telephone number from (nnn) nnn-nnnn to nnn-nnn-nnnn.
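The telephone-number rewrite above, run through Replace First and Replace All semantics, as an added Python example (not code from the page or from Designer). Java regular expressions are assumed for the pattern, so the page's expression is used as-is; the only constructed piece is the small translation of Java-style $n group references in the Replace With string into Python's \g<n> form.

```python
import re

# Pattern and replacement exactly as given on the page.
PHONE_RE = r"^\((\d\d\d)\)\s*(\d\d\d)-(\d\d\d\d)$"   # (nnn) nnn-nnnn
PHONE_OUT = "$1-$2-$3"                               # nnn-nnn-nnnn


def _java_replacement(replacement: str) -> str:
    """Translate Java-style $n group references into Python's \\g<n> references.
    Constructed helper; it covers only the $n form the page's example uses."""
    return re.sub(r"\$(\d+)", r"\\g<\1>", replacement)


def replace_first(text: str, regex: str, replacement: str) -> str:
    """Replace First: only the first match of regex in text is replaced."""
    return re.sub(regex, _java_replacement(replacement), text, count=1)


def replace_all(text: str, regex: str, replacement: str) -> str:
    """Replace All: every match of regex in text is replaced."""
    return re.sub(regex, _java_replacement(replacement), text)


def reformat_phone(value: str) -> str:
    """The page's rule: (nnn) nnn-nnnn becomes nnn-nnn-nnnn; anything else passes through unchanged."""
    return replace_first(value, PHONE_RE, PHONE_OUT)


if __name__ == "__main__":
    for sample in ["(555) 123-4567", "(555)123-4567", "555-123-4567", "(555) 123-4567 ext 9"]:
        print(repr(sample), "->", repr(reformat_phone(sample)))
    print(replace_first("a-b-c", "-", "."), replace_all("a-b-c", "-", "."))
```

Because the expression is anchored with ^ and $, a value that does not have exactly the expected shape (a trailing extension, a missing area code) is left untouched rather than partially rewritten, which is the safe outcome for data that will be written to another system; if such values should be rejected instead, test them first with an If Operation Attribute condition in Regular Expression mode.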
Split Splits the result of the enclosed tokens into a node set consisting of text nodes based on the pattern specified by delimiter. If Comma-Separated Values (CSV) is set to true, then CSV quoting rules are honored during the parsing of the string. Fields Delimiter Regular expression that matches the delimiter characters.
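The Split and Join verbs, including the difference the CSV flag makes, as an added Python example that is not code from the page or from Designer. The CSV rules applied are an assumption for the example (a field that starts with a double quote runs to its closing quote, a doubled quote inside stands for one quote, and Join quotes a value only when it contains the delimiter, a quote, or surrounding whitespace); Split takes a regular-expression delimiter and Join a literal one, as the Fields describe.

```python
import re
from typing import List


def _read_quoted(text: str, i: int):
    """Read a double-quoted CSV field starting at text[i] == '"'; return (value, index after the closing quote)."""
    buf, j = [], i + 1
    while j < len(text):
        if text[j] == '"':
            if text[j + 1:j + 2] == '"':   # doubled quote stands for one literal quote
                buf.append('"')
                j += 2
                continue
            return "".join(buf), j + 1
        buf.append(text[j])
        j += 1
    raise ValueError("unterminated quoted field")


def split_token(text: str, delimiter: str, csv: bool = False) -> List[str]:
    """Split: delimiter is a regular expression; with csv=True, delimiters inside quoted fields do not split."""
    pattern = re.compile(delimiter)
    fields: List[str] = []
    i, n = 0, len(text)
    while True:
        if csv and i < n and text[i] == '"':
            value, i = _read_quoted(text, i)
        else:
            m = pattern.search(text, i)
            end = m.start() if m else n
            value, i = text[i:end], end
        fields.append(value)
        if i >= n:
            return fields
        m = pattern.match(text, i)        # after a field only a delimiter may follow
        if not m or m.end() == m.start():
            raise ValueError(f"expected delimiter at offset {i}")
        i = m.end()


def join_token(values: List[str], delimiter: str = ",", csv: bool = False) -> str:
    """Join: delimiter is a literal string; with csv=True, values that need it are quoted."""
    def quote(value: str) -> str:
        if csv and (delimiter in value or '"' in value or "\n" in value or value != value.strip()):
            return '"' + value.replace('"', '""') + '"'
        return value
    return delimiter.join(quote(v) for v in values)


if __name__ == "__main__":
    # Constructed sample: a multi-valued attribute exported one value per CSV field.
    line = 'Smith, John,"Engineering, Platform",+1 555 0100'
    print(split_token(line, ",", csv=True))
    print(split_token(line, ","))          # without CSV rules the quoted field is split in two
    print(split_token("a ; b;c", r"\s*;\s*"))
    print(join_token(["b,c", 'say "hi"', "plain"], ",", csv=True))
```

The two printed splits of the same line show why the flag matters when a policy parses data it did not produce: without CSV rules a single quoted value containing the delimiter becomes two text nodes, and a rule that sets attributes from those nodes writes the wrong values.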
This example sets the e-mail address to be name@slartybartfast.com where the name equals the first character of the Given Name plus the Surname. The policy name is Policy: Create E-mail from Given Name and Surname, and it is available for download at the Novell Support Web site. For more information, see “Downloading Identity Manager...
The Substring token is used twice in the action Set Destination Attribute Value. It takes the first character of the First Name attribute and adds eight characters of the Last Name attribute to form one substring.
The example converts the first and last name attributes of the User object to uppercase. The policy name is Policy: Convert First/Last Name to Uppercase and it is available for download at the Novell Support Web site. For more information, see “Downloading Identity Manager...
XML Parse Parses the result of the enclosed tokens as XML and returns the resulting document node in a node set. If the result of the enclosed tokens is not well-formed XML or cannot be parsed for any reason, an empty node set is returned. Example
XML Serialize Serializes the node set result of the enclosed tokens as XML. Depending on the content of the node set, the resulting string is either a well-formed XML document or a well-formed parsed general entity. Example
Pre-Identity Manager 3.5 Builders Although you define most arguments by using the Argument Builder, there are several more builders that are used by the Condition Editor and Action Editor in the Policy Builder. Each builder can recursively call any one of the builders in the following list: Section 16.1, “Action Builder,”...
New > Insert Action Before: Adds a new action before the current action. New > Insert Action After: Adds a new action after the current action. Edit: Launches the Action Builder. Move the selected item up: Moves the selected action up in the order of execution. Move the selected item down: Moves the selected action down in the order of execution.
Actions Builder Figure 16-2 16.3 Argument Builder The Argument Builder provides a dynamic graphical interface that enables you to construct complex argument expressions for use within the Rule Builder. The Argument Builder consists of five separate sections: Nouns: Contains a list of all of the available noun tokens. Select a noun token, then click Add to add the noun token to the Expression pane.
Pre-Identity Manager 3.5 Argument Builder Figure 16-3 Section 16.3.1, “Launching the Argument Builder,” on page 378 Section 16.3.2, “Argument Builder Example,” on page 379 16.3.1 Launching the Argument Builder To launch the Argument Builder, select one of the following actions, then click the Edit the Arguments icon Add Association (page 421) Add Destination Attribute Value (page 422)
Find Matching Object (page 437) For Each (page 438) Move Destination Object (page 442) Move Source Object (page 443) Reformat Operation Attribute Value (page 444) Remove Association (page 445) Remove Destination Attribute Value (page 446) Remove Source Attribute Value (page 447) Rename Destination Object (page 448) (when the selected object is DN or Association and Enter String)
2 Specify or select the Given Name attribute.
3 Double-click Substring from the list of verbs.
4 Type 1 in the Length field.
5 Select the Given Name attribute, then click the Move Down icon.
6 Double-click Attribute from the list of nouns.
7 Specify or browse to the Surname attribute.
The argument takes the first character of the Given Name attribute and adds it to the Surname attribute to build the desired value. 8 Click OK to save the argument. 16.4 Action Argument Component Builder To launch the Action Argument Component Builder, select one of the following actions when the Enter value type selection is structured, then click the Edit components icon Add Destination Attribute Value (page 422) Add Source Attribute Value (page 424)
16.5 Condition Builder The Condition Builder enables you to add, view, and delete the conditions that make up a rule. A condition contains one or more conditions and one or more condition groups. The condition groups contain two different condition structures, which define the logic of condition groups. The two condition structures are: OR Conditions, AND Groups AND Conditions, OR Groups...
New > Insert Condition After: Adds a condition after the current condition. Edit: Launches the Condition Builder. Move the selected item up: Moves the selected condition up in the order of execution. Move the selected item down: Moves the selected condition down in the order of execution.
For example, if you wanted to match users based on a common name and a location:
1 Select the Find Matching Object action.
2 Select the scope of the search for the matching objects. Select from entry, subordinates, or subtree.
8 Click Finish. The Match Attribute Builder also allows you to specify another value, instead of using the value from the current object. To use a different value, select Other Value instead of Use values from current object. There are multiple value types to specify: counter interval octet...
Send Email (page 451) Send Email from Template (page 452) 1 Select the name of the string from the drop-down list. 2 Create the value for the string by clicking the Edit the arguments icon to launch the Argument Builder. 3 Click Finish.
Unique Name Token in the Argument Builder Figure 16-6 1 Click the Edit patterns icon to launch the Pattern Builder. 2 Specify the pattern or click the Edit the arguments icon to use the Argument Builder to create the pattern. 3 Click Finish.
16.10 Argument Value List Builder To launch the Argument Value List Builder, select the following action, then click the Edit the arguments icon Set Default Attribute Value (page 453) Set Default Attribute Value Figure 16-7 1 Select the type of the value: counter, dn, int, interval, octet, state, string, structured, teleNumber, time.
The Java Developer Kit (JDK*) also provides several useful classes, such as java.lang.String, and java.lang.System. References for these classes are available with the JDK. For additional information on using XPath and the Novell Java classes listed above, consult the...
Pre-Identity Manager 3.5 Conditions Conditions define when actions are performed. Conditions are always specified in either Conjunctive Normal Form (CNF) (http://mathworld.wolfram.com/ConjunctiveNormalForm.html) or Disjunctive Normal Form (DNF) (http://mathworld.wolfram.com/DisjunctiveNormalForm.html). These are logical expression forms. The actions of the enclosing rule are only performed when the logical expression represented in CNF or DNF evaluates to True or when no conditions are specified.
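The two condition structures the Condition Builder offers (OR Conditions, AND Groups; AND Conditions, OR Groups) and the CNF/DNF evaluation rule just stated, as an added Python example that is not code from the page or from Designer. The operation is a constructed dictionary standing in for the XDS document, and the three condition factories are simplified versions of If Operation, If Class Name and If Operation Attribute (operator Available), assumed here to compare case-insensitively.

```python
from typing import Callable, Dict, List

Operation = Dict[str, object]
Condition = Callable[[Operation], bool]

CNF = "OR Conditions, AND Groups"   # within a group conditions are ORed; groups are ANDed
DNF = "AND Conditions, OR Groups"   # within a group conditions are ANDed; groups are ORed


def evaluate(groups: List[List[Condition]], op: Operation, form: str) -> bool:
    """Decide whether the enclosing rule's actions run. Empty groups are skipped, and with
    no conditions at all the rule fires, as the text states."""
    groups = [g for g in groups if g]
    if not groups:
        return True
    if form == CNF:
        return all(any(c(op) for c in group) for group in groups)
    if form == DNF:
        return any(all(c(op) for c in group) for group in groups)
    raise ValueError(f"unknown condition structure: {form!r}")


# Simplified condition factories (constructed for the example).
def if_operation(name: str) -> Condition:
    """If Operation, operator Equal, Case Insensitive comparison mode."""
    return lambda op: str(op.get("operation", "")).lower() == name.lower()


def if_class_name(name: str) -> Condition:
    """If Class Name, operator Equal, Case Insensitive comparison mode."""
    return lambda op: str(op.get("class-name", "")).lower() == name.lower()


def if_operation_attribute_available(attr: str) -> Condition:
    """If Operation Attribute, operator Available: the attribute carries a value in the operation."""
    return lambda op: bool(dict(op.get("attributes") or {}).get(attr))


# Constructed sample operation: a modify of a User object that sets Title.
SAMPLE_OP: Operation = {
    "operation": "modify",
    "class-name": "User",
    "attributes": {"Title": "Manager"},
}


def compare_forms(groups: List[List[Condition]], op: Operation):
    """Evaluate the same groups under both structures; returns (CNF result, DNF result)."""
    return evaluate(groups, op, CNF), evaluate(groups, op, DNF)


if __name__ == "__main__":
    groups = [[if_operation("add")], [if_class_name("user")]]
    print(compare_forms(groups, SAMPLE_OP))   # (False, True)
```

The same two groups give (False, True): as "OR Conditions, AND Groups" the rule requires an add of a User and does not fire for the modify, as "AND Conditions, OR Groups" it fires for any User operation. A rule meant to restrict when an action such as Set Destination Password runs should be checked under the structure actually selected, since switching structures silently widens or narrows it.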
If Association Performs a test on the association value of the current operation or the current object. The type of test performed depends on the operator specified by the operation attribute. Fields Operator Select the condition test type. Operator Returns True when... Associated There is an established association for the current object.
If Attribute Performs a test on attribute values of the current object in either the current operation or the source data store. It can be logically thought of as If Operation Attribute or If Source Attribute, because the test is satisfied if the condition is met in the source data store or in the operation. The test performed depends on the specified operator.
Mode: Description
Source DN: Compares by using semantics appropriate to the DN format for the source data store.
Destination DN: Compares by using semantics appropriate to the DN format for the destination data store.
Numeric: Compares numerically.
Binary: Compares the binary information.
The operators that contain the comparison mode parameter are: Equal, Not Equal...
If Class Name Performs a test on the object class name in the current operation. Fields Operator Select the condition test type. Operator Returns True when... Available There is an object class name available in the current operation. Not Available Available would return False.
The operators that contain the comparison mode parameter are: Equal, Not Equal
If Destination Attribute Performs a test on attribute values of the current object in the destination data store. The test performed depends on the specified operator. Fields Name Specify the name of the attribute to test. Operator Select the condition test type. Operator Returns True when...
Mode: Description
Destination DN: Compares by using semantics appropriate to the DN format for the destination data store.
Numeric: Compares numerically.
Binary: Compares the binary information.
Structured: Compares the structured attribute according to the comparison rules for the structured syntax of the attribute.
The operators that contain the comparison mode parameter are: Equal, Not Equal...
If Destination DN Performs a test on the destination DN in the current operation. The test performed depends on the specified operator. Fields Operator Select the condition test type. Operator Returns True when... Available There is a destination DN available. Not Available Available would return False.
If Entitlement Performs a test on entitlements of the current object, in either the current operation or the Identity Vault. The test performed depends on the specified operator. Fields Name Specify the name of the entitlement to test for the selected condition. Operator Select the condition test type.
Comparison Mode The condition has a comparison mode parameter that indicates how a comparison is done.
Mode: Description
Case Sensitive: Character-by-character case sensitive comparison.
Case Insensitive: Character-by-character case insensitive comparison.
Regular Expression: The regular expression matches the entire string. It defaults to case insensitive, but can be changed by an escape in the expression.
If Global Configuration Value Performs a test on a global configuration value. The test performed depends on the specified operator. Remark For more information on using variables with policies, see “Understanding Policy Components” in Understanding Policies for Identity Manager 3.6. Fields Name Specify the name of the global value to test for the selected condition.
Mode: Description
Regular Expression: The regular expression matches the entire string. It defaults to case insensitive, but can be changed by an escape in the expression. Sun’s Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html). The pattern options CASE_INSENSITIVE, DOTALL, and UNICODE_CASE are used but can be reversed by using the appropriate embedded escapes.
Source DN: Compares by using semantics appropriate to the DN format for the source data store.
If Local Variable Performs a test on a local variable. The test performed depends on the specified operator. Remark For more information on using variables with policies, see “Understanding Policy Components” in Understanding Policies for Identity Manager 3.6. Fields Name Specify the name of the local variable to test for the selected condition. Operator Select the condition test type.
Mode: Description
Source DN: Compares by using semantics appropriate to the DN format for the source data store.
Destination DN: Compares by using semantics appropriate to the DN format for the destination data store.
Numeric: Compares numerically.
Binary: Compares the binary information.
The operators that contain the comparison mode parameter are: Equal, Not Equal...
If Named Password Performs a test on a named password from the driver in the current operation with the specified name. The test performed depends on the selected operator. Fields Name Specify the name of the named password to test for the selected condition. Operator Select the condition test type.
If Operation Attribute Performs a test on attribute values in the current operation. The test performed depends on the specified operator. Fields Name Specify the name of the attribute to test. Operator Select the condition test type. Operator Returns True when...
Not Changing To
Not Changing From
Comparison Mode The condition has a comparison mode parameter that indicates how a comparison is done.
Mode: Description
Case Sensitive: Character-by-character case sensitive comparison.
Case Insensitive: Character-by-character case insensitive comparison.
Regular Expression: The regular expression matches the entire string. It defaults to case insensitive, but can be changed by an escape in the expression.
If Operation Property Performs a test on an operation property on the current operation. An operation property is a named value that is stored as an attribute on an <operation-data> element within an operation. It is typically used to supply additional context that might be needed by the policy that handles the results of an operation.
Mode: Description
Source DN: Compares by using semantics appropriate to the DN format for the source data store.
Destination DN: Compares by using semantics appropriate to the DN format for the destination data store.
Numeric: Compares numerically.
Binary: Compares the binary information.
The operators that contain the comparison mode parameter are: Equal, Not Equal...
If Operation Performs a test on the name of the current operation. The type of test performed depends on the specified operator. Fields Operator Select the condition test type. Operator Returns True when... Equal The name of the current operation is equal to the content of the condition when compared by using the specified comparison mode.
status
sync
This list is not exclusive. Custom operations can be implemented by drivers and administrators.
Comparison Mode The condition has a comparison mode parameter that indicates how a comparison is done.
Mode: Description
Case Sensitive: Character-by-character case sensitive comparison.
Case Insensitive: Character-by-character case insensitive comparison.
If Password Performs a test on a password in the current operation. The test performed depends on the specified operator. Fields Operator Select the condition test type. Operator Returns True when... Available There is a password available in the current operation. Not Available Available would return False.
If Source Attribute Performs a test on attribute values of the current object in the source data store. The test performed depends on the specified operator. Fields Name Specify the name of the source attribute to test for the selected condition. Operator Select the condition test type.
Mode: Description
Destination DN: Compares by using semantics appropriate to the DN format for the destination data store.
Numeric: Compares numerically.
Binary: Compares the binary information.
Structured: Compares the structured attribute according to the comparison rules for the structured syntax of the attribute.
The operators that contain the comparison mode parameter are: Equal, Not Equal...
If Source DN Performs a test on the source DN in the current operation. The test performed depends on the specified operator. Fields Operator Select the condition test type. Operator Returns True when... Available There is a source DN available. Not Available Available would return False.
If XPath Expression Performs a test on the results of evaluating an XPath 1.0 expression. Fields Operator Select the condition test type. Operator Returns True when... True The XPath expression evaluates to True. Not True True would return False. Remarks For more information on using XPath expressions with policies, see “XPath 1.0 Expressions”...
Pre-Identity Manager 3.5 Actions Actions are performed when conditions of the enclosing rule are met. Some actions have a Mode field. The mode is not honored at run time if the context in which the policy is running is incompatible with the selected mode. This section contains detailed information about all actions that are available through the pre-Identity Manager Policy Builder interface.
“Send Email from Template” on page 452 “Set Default Attribute Value” on page 453 “Set Destination Attribute Value” on page 454 “Set Destination Password” on page 455 “Set Local Variable” on page 456 “Set Operation Association” on page 457 “Set Operation Class Name” on page 458 “Set Operation Destination DN”...
Add Association Sends an add association command with the specified association to the Identity Vault. Fields Mode Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store. Specify the DN of the target object or leave the field blank to use the current object. Association Specify the value of the association to be added.
Add Destination Attribute Value Adds a value to an attribute on an object in the destination data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Add Destination Object Creates an object of the specified type in the destination data store, with the name and location specified in the Enter DN field. Any attribute values to be added as part of the object creation must be done in subsequent Add Destination Attribute Value actions, using the same DN. Fields Class Name Specify the class name of the object to be created.
Add Source Attribute Value Adds the specified attribute on an object in the source data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Add Source Object Creates an object of the specified type in the source data store, with the name and location provided in the DN field. Any attribute values to be added as part of the object creation must be done in subsequent Add Source Attribute Value actions, using the same DN.
Append XML Element Appends a custom element, with the name specified in the Name field, to the set of elements selected by the XPath expression. Fields Name Specify the tag name of the XML element. This name can contain a namespace prefix if the prefix has been previously defined in this policy.
Append XML Text Appends the specified text to the set of elements selected by the XPath expression. Fields XPath Expression Specify the XPath 1.0 expression that returns a node set containing the elements to which the new elements should be appended. String Specify the text to be appended.
Clear Destination Attribute Value Removes all values for the named attribute from an object in the destination data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Clear Operation Property Clears any operation property with the provided name from the current operation. The operation property is the XML attribute attached to an <operation-data> element by a policy. An XML attribute is a name/value pair associated with an element in the XDS document. Fields Property Name Specify the name of the operation property to clear.
Clear Source Attribute Value Removes all values of an attribute from an object in the source data store. Fields Attribute Name Specify the name of the attribute. Class Name (Optional) Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Enter login parameter strings field. The number of the strings and the names used are dependent on the credential repository and application for which the credential is targeted. For more information, see Novell Credential Provisioning for Identity Manager 3.6.
Clone By XPath Expression Appends deep copies of the nodes specified by the source field to the set of elements specified by the destination field. Fields Source XPath Expression Specify the XPath 1.0 expression that returns a node set containing the nodes to be copied. Destination XPath Expression Specify the XPath 1.0 expression that returns a node set containing the elements to which the copied nodes are to be appended.
Clone Operation Attribute Copies all occurrences of an attribute within the current operation to a different attribute within the current operation. Fields Source Name Specify the name of the attribute to be copied from. Destination Name Specify the name of the attribute to be copied to.
Delete Destination Object Deletes an object in the destination data store. Fields Mode Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store. Object Select the target object type to delete in the destination data store. This object can be the current object, or can be specified by a DN or an association.
Delete Source Object Deletes an object in the source data store. Fields Object Select the target object type to delete in the source data store. This object can be the current object, or can be specified by a DN or an association. Select the DN, association, or current object as the target object.
Find Matching Object Finds a match for the current object in the destination data store. Fields Scope Select the scope of the search. The scope might be an entry, a subordinate, or a subtree. Specify the DN that is the base of the search. Match Attributes Specify the attribute values to search for.
For Each Repeats a set of actions for each node in a node set. Fields Node Set Specify the node set. Action Specify the actions to perform on each node in the node set. Remarks The current node is a different value for each iteration of the actions, if a local variable is used. If the current node in the node set is an entitlement element, then the actions are marked as if they are also enclosed in an Implement Entitlement...
Generate Event Sends a user-defined event to Novell Audit or Sentinel. Fields ID of the event. The provided value must result in an integer in the range of 1000-1999 when parsed by using the parseInt method of java.lang.Integer. Level Level of the event.
Data entered here is stored in the blob event field.
Remarks
The Novell Audit or Sentinel event structure contains a target, a subTarget, three strings (text1, text2, text3), two integers (value, value3), and a generic field (data). The text fields are limited to 256 bytes, and the data field can contain up to 3 KB of information, unless a larger data field is enabled in your environment.

Implement Entitlement
Designates actions that implement an entitlement so that the status of those entitlements can be reported to the agent that granted or revoked the entitlement.
Fields
Node Set
Node set containing the entitlement being implemented by the specified actions.
Action
Actions that implement the specified entitlements.

Move Destination Object
Moves an object into the destination data store.
Fields
Mode
Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
Object to Move
Select the object to be moved. This object can be the current object, or can be specified by a DN or an association.

Move Source Object
Moves an object in the source data store.
Fields
Object to Move
Select the object to be moved. This object can be the current object, or it can be specified by a DN or an association.
Select Container
Select the container to receive the object.

Reformat Operation Attribute Value
Reformats all values of an attribute within the current operation by using a pattern.
Fields
Name
Specify the name of the attribute.
Value Type
Specify the syntax of the new attribute value.
Value
Specify a value to use as a pattern for the new format of the attribute values. If the original value is needed to construct the new value, it must be obtained by referencing the local variable current-value.

Remove Association
Sends a remove association command to the Identity Vault.
Fields
Mode
Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
Association
Specify the value of the association to be removed.

Remove Destination Attribute Value
Removes an attribute value from an object in the destination data store.
Fields
Attribute Name
Specify the name of the attribute.
Class Name (Optional)
Specify the class name of the target object. Leave the field blank to use the class name from the current object.

Remove Source Attribute Value
Removes the specified value from the named attribute on an object in the source data store.
Fields
Attribute Name
Specify the name of the attribute.
Class Name (Optional)
Specify the class name of the target object. Leave the field blank to use the class name from the current object.

Rename Destination Object
Renames an object in the destination data store.
Fields
Mode
Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
Object
Select the target object. This object can be the current object, or can be specified by a DN or an association.

Rename Operation Attribute
Renames all occurrences of an attribute within the current operation.
Fields
Source Name
Specify the original attribute name.
Destination Name
Specify the new attribute name.

Rename Source Object
Renames an object in the source data store.
Fields
Select Object
Select the target object. This object can be the current object, or can be specified by a DN or an association.
String
Specify the new name of the object.

This allows the password to be encrypted; otherwise, you enter the password and it is stored in clear text. For more information on Named Passwords, see Using Named Passwords in the Novell Identity Manager Administration Guide (http://www.novell.com/documentation/idm35/index.html).
Message Type
Select the e-mail message type.

This allows the password to be encrypted; otherwise, you enter the password and it is stored in clear text. For more information on Named Passwords, see Using Named Passwords in the Novell Identity Manager Administration Guide (http://www.novell.com/documentation/idm35/index.html).
Strings
Specify additional fields for the e-mail message.

Set Default Attribute Value
Adds default values to the current operation (and optionally to the current object in the source data store) if no values for that attribute already exist. It is only valid when the current operation is Add.
Fields
Attribute Name
Specify the name of the default attribute.

Set Destination Attribute Value
Adds a value to an attribute on an object in the destination data store, and removes all other values for that attribute.
Fields
Attribute Name
Specify the name of the attribute.
Class Name (Optional)
Specify the class name of the target object in the destination data store. Leave the field blank to use the class name from the current object.

Set Destination Password
Sets the password for an object in the destination data store.
Fields
Mode
Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.
String
Specify the password to be set.

Set Local Variable
Sets a local variable with the given name to the string value specified, the XPath 1.0 Node Set specified, or the Java* Object specified.
Fields
Variable Name
Specify the name of the new local variable.
Variable Type
Select the type of local variable.

Set Operation Association
Sets the association value for the current operation.
Fields
Association
Specify the new association value.

Set Operation Class Name
Sets the object class name for the current operation.
Fields
String
Specify the new class name.

Set Operation Destination DN
Sets the destination DN for the current operation.
Fields
Specify the new destination DN.

Set Operation Property
Sets an operation property. An operation property is a named value that is stored within an operation. It is typically used to supply additional context that might be needed by the policy that handles the results of an operation.
Fields
Property Name
Specify the name of the operation property.

Set Operation Template DN
Sets the template DN for the current operation to the specified value. This action is only valid when the current operation is Add.
Fields
Specify the template DN.

Set Source Attribute Value
Adds a value to an attribute on an object in the source data store, and removes all other values for that attribute.
Fields
Attribute Name
Specify the name of the attribute.
Class Name (Optional)
Specify the class name of the target object in the source data store. Leave the field blank to use the class name from the current object.

Set Source Password
Sets the password for an object in the source data store.
Fields
String
Specify the password to be set.

Set SSO Credential
Sets the SSO credential when a user object is created or when a password is modified. This action is part of the Credential Provisioning policies. For more information, see Novell Credential Provisioning for Identity Manager 3.6.
Fields
Credential Repository Object DN
Specify the DN of the repository object.

Set SSO Passphrase
Sets the Novell SecureLogin passphrase and answer when a User object is provisioned. This action is part of the Credential Provisioning policies. For more information, see Novell Credential Provisioning for Identity Manager 3.6.
Fields
Credential Repository Object DN
Specify the DN of the repository object.

Set XML Attribute
Sets an XML attribute on a set of elements selected by an XPath expression.
Fields
Name
Specify the name of the XML attribute. This name can contain a namespace prefix if the prefix has been previously defined in this policy.
XPath Expression
XPath 1.0 expression that returns a node set containing the elements on which the XML attribute should be set.

Status
Generates a status notification.
Fields
Level
Specify the status level of the notification. The levels are error, fatal, retry, success, and warning.
Message
Provide the status message by using the Argument Builder.
Remarks
If level is retry, then the policy immediately stops processing the input document and schedules a retry of the event currently being processed.

Strip Operation Attribute
Strips all occurrences of an attribute from the current operation.
Fields
Name
Specify the name of the attribute to be stripped.

Strip XPath
Strips nodes selected by an XPath 1.0 expression.
Fields
XPath Expression
Specify the XPath 1.0 expression that returns a node set containing the nodes to be stripped.
Remarks
For more information on using XPath expressions with policies, see “XPath 1.0 Expressions”...

Trace Message
Sends a message to DSTRACE.
Fields
Level
Specify the trace level of the message. The default level is 0. The message only appears if the specified trace level is less than or equal to the trace level configured in the driver. For information on how to set the trace level on the driver, see “Viewing Identity Manager Processes”...

Veto If Operation Attribute Not Available
Conditionally cancels the current operation and ends processing of the current policy, based on the availability of an attribute in the current operation.
Fields
Name
Specify the name of the attribute.

Pre-Identity Manager 3.5 Noun Tokens
Noun tokens expand to values that are derived from the current operation, the source or destination data stores, or some external source. This section contains detailed information about all noun tokens that are available through the pre-Identity Manager Policy Builder interface.

Added Entitlement
Expands to the values of an entitlement granted in the current operation.
Fields
Name
Name of the entitlement.
Remarks
If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that entitlement.

Attribute
Expands to the value of an attribute from the current object in the current operation and in the source data store. It can be logically thought of as the union of the operation attribute token and the source attribute token. It does not include the removed values from a Modify operation.
Fields
Name
Specify the name of the attribute.

Destination Attribute
Expands to the specified attribute value of an object.
Fields
Name
Name of the attribute.
Class Name (Optional)
Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Select Object
Select Current Object, DN, or Association.

Destination DN
Expands to the destination DN specified in the current operation.
Fields
Convert
Select whether or not to convert the DN to the format used by the source data store.
Start
Specify the RDN index to start with:
Index 0 is the root-most RDN
Positive indexes are an offset from the root-most RDN
Index -1 is the leaf-most segment
Negative indexes are an offset from the leaf-most RDN towards the root-most RDN...

Destination Name
Expands to the unqualified Relative Distinguished Name (RDN) of the destination DN specified in the current operation.
Fields
There are no fields.

Entitlement
Expands to the values of a granted entitlement from the current object.
Fields
Name
Name of the entitlement.
Remarks
If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that entitlement.

Global Configuration Value
Expands to the value of a global configuration variable.
Fields
Name
Name of the global configuration value.

Local Variable
Expands to the value of a local variable.
Fields
Name
Specify the name of the local variable.

Operation Attribute
Expands to the value of an attribute from the current operation. It does not include the removed values from a modify operation.
Fields
Name
Specify the name of the attribute.

Operation Property
Expands to the value of the specified operation property on the current operation.
Fields
Name
Specify the name of the operation property.

Removed Attribute
Expands to the specified attribute value being removed in the current operation. It applies only to a Modify operation.
Fields
Name
Specify the name of the attribute to remove.
Remarks
If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that attribute.

Removed Entitlements
Expands to the values of an entitlement revoked in the current operation.
Fields
Name
Specify the name of the entitlement.
Remarks
If the token is used in a context where a node set is expected, the token expands to a node set containing all of the values for that entitlement.

Source Attribute
Expands to the values of an attribute from an object in the source data store.
Fields
Class Name (Optional)
Specify the class name of the target object. Leave the field blank to use the class name from the current object.
Name
Name of the attribute.

Source DN
Expands to the source DN from the current operation.
Fields
Convert
Select whether or not to convert the DN to the format used by the destination data store.
Start
Specify the RDN index to start with:
Index 0 is the root-most RDN
Positive indexes are an offset from the root-most RDN
Index -1 is the leaf-most segment
Negative indexes are an offset from the leaf-most RDN towards the root-most RDN...

Source Name
Expands to the unqualified relative distinguished name (RDN) of the source DN specified in the current operation.
Fields
There are no fields.

Unique Name
Expands to a pattern-based name that is unique in the destination data store according to the criteria specified.
Fields
Attribute Name
Specify the name of attribute to check for uniqueness.
Scope
Specify the scope in which to check uniqueness. The options are subtree or subordinates.
Start Search
Select a starting point for the search.
The order of proposed names is tested as follows:
Each pattern is tested in the order specified.
If counter-use=“always” and the pattern is one of the patterns indicated by the counter-pattern, then the pattern is tested with a counter; otherwise, it is tested without a counter.
If no unique name has been found after the patterns have been exhausted and counter-use=“fallback”, then the patterns indicated by the counter-pattern are retried with a counter.

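The candidate ordering described above, written out as runnable code. This is an added example, not code from Novell's documentation or product; it assumes (none of which the page states) that patterns are plain strings, that the counter is appended as a zero-padded decimal, that `counter_patterns` holds the positions selected by counter-pattern, that a counter pattern exhausts its counter range before the next pattern is tried, and that the names already present in the destination data store are a constructed set checked by exact match.

```python
"""Candidate ordering of the Unique Name token (added example; not Novell's code).

Assumptions not stated on the page: patterns are plain strings; the counter is
appended to a pattern as a zero-padded decimal; `counter_patterns` is the set of
pattern positions selected by counter-pattern; a counter pattern exhausts its
counter range before the next pattern is tried; existing names are a constructed
set checked by exact match (a real check is a directory search whose matching
rule depends on the attribute).
"""
from typing import Iterator, Optional, Sequence, Set


def candidate_names(patterns: Sequence[str], counter_use: str,
                    counter_patterns: Set[int], counter_start: int = 1,
                    counter_digits: int = 1, max_counter: int = 99) -> Iterator[str]:
    """Yield proposed names in the order the documentation describes."""

    def with_counter(pattern: str) -> Iterator[str]:
        for n in range(counter_start, max_counter + 1):
            yield f"{pattern}{n:0{counter_digits}d}"

    # Pass 1: each pattern in the order specified. A pattern selected by
    # counter-pattern is tried with a counter only when counter-use="always";
    # every other pattern is tried once, without a counter.
    for i, pattern in enumerate(patterns):
        if counter_use == "always" and i in counter_patterns:
            yield from with_counter(pattern)
        else:
            yield pattern

    # Pass 2: with counter-use="fallback", the counter patterns are retried
    # with a counter only after all patterns have been exhausted.
    if counter_use == "fallback":
        for i, pattern in enumerate(patterns):
            if i in counter_patterns:
                yield from with_counter(pattern)


def unique_name(patterns: Sequence[str], existing: Set[str],
                counter_use: str = "fallback",
                counter_patterns: Set[int] = frozenset({0}),
                **counter_opts: int) -> Optional[str]:
    """Return the first candidate not already in `existing`, or None when every
    proposed name collides."""
    for name in candidate_names(patterns, counter_use, set(counter_patterns),
                                **counter_opts):
        if name not in existing:
            return name
    return None


# Constructed sample: names already used in the destination data store.
TAKEN = {"jsmith", "jsmith1", "johns"}

if __name__ == "__main__":
    print(unique_name(["jsmith", "johns"], TAKEN, "fallback", {0}))  # jsmith2
    print(unique_name(["jsmith", "johns"], TAKEN, "always", {1}))    # johns1
```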
Unmatched Source DN
Expands to the part of the source DN in the current operation that corresponds to the part of the DN that was not matched by the most recent match of an If Source DN condition.
Fields
Convert
Select whether or not to convert the DN to the format used by the destination data store.

XPath
Expands to the results of evaluating an XPath 1.0 expression.
Fields
Expression
XPath 1.0 expression to evaluate.
Remarks
For more information on using XPath expressions with policies, see “XPath 1.0 Expressions” in Understanding Policies for Identity Manager 3.6.

Pre-Identity Manager 3.5 Verb Tokens
Verb tokens modify the concatenated results of other tokens that are subordinate to them. This section contains detailed information about all verbs that are available through the pre-Identity Manager Policy Builder interface.
“Escape Destination DN” on page 502
“Escape Source DN”...

Escape Destination DN
Escapes the enclosed tokens according to the rules of the DN format of the destination data store.
Fields
There are no fields.

Escape Source DN
Escapes the enclosed tokens according to the rules of the DN format of the source data store.
Fields
There are no fields.

Parse DN
Converts the enclosed token’s DN to an alternate format.
Fields
Start
Specify the RDN index to start with:
Index 0 is the root-most RDN
Positive indexes are an offset from the root-most RDN
Index -1 is the leaf-most segment
Negative indexes are an offset from the leaf-most RDN towards the root-most RDN
Length
Number of RDN segments to include.
Wildcard Character
Escape Character
If RDN Delimiter and Relative RDN Delimiter are the same character, the orientation of the name is root right, otherwise the orientation is root left. If there are more than eight characters in the delimiter set, the extra characters are considered as characters that need to be escaped, but they have no other special meaning.

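The Start and Length index rules of Parse DN (the same Start rules apply to the Source DN and Destination DN tokens) and the root-right/root-left orientation rule above, as an added example that is not Novell's code. It assumes a DN modelled as a list of RDN segments with the root-most first, segments that contain no unescaped delimiter characters, only two formats (a comma-delimited root-right LDAP form and a backslash-delimited root-left form), a Length of -1 meaning all remaining segments, and constructed sample DNs.

```python
"""Start/Length index semantics of Parse DN and the delimiter-set orientation
rule (added example; not Novell's code).

Assumptions not stated on the page: a DN is a list of RDN segments, root-most
first; segments contain no unescaped delimiter characters; only an LDAP form
("cn=jsmith,ou=Users,o=Acme", root right) and a backslash form
("\\o=Acme\\ou=Users\\cn=jsmith", root left) are modelled; Length -1 means all
remaining segments. Escaping and typed/untyped conversion are not modelled.
"""
from typing import List


def orientation(rdn_delimiter: str, relative_rdn_delimiter: str) -> str:
    """Same character for both delimiters means root right; otherwise root left."""
    return "root right" if rdn_delimiter == relative_rdn_delimiter else "root left"


def split_dn(dn: str, fmt: str) -> List[str]:
    """Return the RDN segments of `dn`, root-most first."""
    if fmt == "ldap":       # root right: the leaf RDN is written first
        return list(reversed(dn.split(",")))
    if fmt == "slash":      # root left: leading backslash, root RDN first
        return dn.lstrip("\\").split("\\")
    raise ValueError(f"unknown DN format: {fmt}")


def join_dn(segments: List[str], fmt: str) -> str:
    """Inverse of split_dn for the same two formats."""
    if fmt == "ldap":
        return ",".join(reversed(segments))
    if fmt == "slash":
        return "\\" + "\\".join(segments)
    raise ValueError(f"unknown DN format: {fmt}")


def resolve_start(start: int, count: int) -> int:
    """Index 0 is the root-most RDN, positive values are an offset from the root,
    -1 is the leaf-most RDN and negative values are an offset from the leaf
    toward the root."""
    return start if start >= 0 else count + start


def parse_dn(dn: str, src_fmt: str, dst_fmt: str,
             start: int = 0, length: int = -1) -> str:
    """Select `length` RDN segments beginning at `start` and emit them in
    `dst_fmt`. An out-of-range start yields an empty string instead of raising."""
    segments = split_dn(dn, src_fmt)
    first = resolve_start(start, len(segments))
    if first < 0 or first >= len(segments):
        return ""
    chosen = segments[first:] if length < 0 else segments[first:first + length]
    return join_dn(chosen, dst_fmt) if chosen else ""


if __name__ == "__main__":
    sample = "cn=jsmith,ou=Users,o=Acme"   # constructed sample DN
    print(parse_dn(sample, "ldap", "slash"))            # \o=Acme\ou=Users\cn=jsmith
    print(parse_dn(sample, "ldap", "ldap", start=-1))   # cn=jsmith
```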
Replace All
Replaces all occurrences of a regular expression in the enclosed tokens.
Fields
Regular Expression
Specify the regular expression that matches the substring to be replaced.
Replace With
Specify the replacement string.
Remarks
For details on creating regular expressions, see:
Sun’s Java Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html)
Sun’s Java Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Matcher.html#replaceAll(java.lang.String))

Replace First
Replaces the first occurrence of a regular expression in the enclosed tokens.
Fields
Regular Expression
Specify the regular expression that matches the substring to replace.
Replace With
Specify the replacement string.
Remarks
The matching instance is replaced by the string specified in the Replace with field. For details on creating regular expressions, see:
Sun’s Java Web site (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/Pattern.html)
Sun’s Java Web site (java.lang.String) (http://java.sun.com/j2se/1.4/docs/api/java/util/regex/...

Substring
Extracts a portion of the enclosed tokens.
Fields
Start
Specify the starting character index:
Index 0 is the first character.
Positive indexes are an offset from the start of the string.
Index -1 is the last character.
Negative indexes are an offset from the last character toward the start of the string. For example, if the start is specified as -2, then it starts reading at the first character from the end.