Relationship expressions

The connection between IBM Verify Identity Governance domain objects is given by a relationship.

The owner of an account, for example, is given by the owner relationship. The host service of an account is given by the service relationship. A role of a person is given by the role relationship.

In general: Target Object:relationship:Related Object

For example: Person:role:Role

Here, a person is related to a role through the role relationship. Relationship expressions in filters provide a way to match up domain objects that are based on their relationship to other domain objects.

The filter expression syntax consists of an opening dollar sign ($) followed by a left curly brace ({) immediately followed by a relationship name, a dot (.) operator, then an attribute name followed by a right curly brace (}) to close the expression. For example:
(${relationship.attribute}=value)
relationship is the name of a relationship in IBM Verify Identity Governance and includes:
  • Parent
  • Owner
  • Organization
  • Supervisor
  • Sponsor
  • Administrator
  • Role
  • Account
  • Service

attribute is any attribute name that is valid for the related object. References to these connections or links between domain objects are often useful in searches. The references are useful in matching during authorization (in ACIs) and in lifecycle management (lifecycle rules) during operation execution.

In ACIs, relationship expressions are used to grant access to domain objects based in part on their relationship to another object. For example, an ACI for a person that grants Modify, with the following relationship expression used as the ACI filter, grants that permission on all people whose supervisor is Jen Jenkins:
(${supervisor.cn}=Jen Jenkins)
Likewise, an ACI for an account that grants Search, with the following relationship expression used as the ACI filter, grants that permission on all accounts whose host service is named SuSE Server. In both cases, access is granted based on the relationship of one object to another.
(${service.erservicename}=SuSE Server)
In lifecycle management, relationship expressions are also used to match domain objects based on their relationship to other domain objects, and the rule can start the same operation on every match. For example, a lifecycle rule for a person whose operation is set to Suspend, with the following relationship expression as its filter, suspends all people in the Brokers role (dynamic or static) each time the lifecycle rule runs:
(${role.errolename}=Brokers)
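To show how the three filters above are matched, here is an added example (not IBM's code) that parses the `(${relationship.attribute}=value)` syntax and evaluates it against a small constructed in-memory directory; the object layout and sample people, accounts and services are assumptions for the demonstration.

```python
import re

# Syntax described on the page: (${relationship.attribute}=value)
EXPR = re.compile(r"^\(\$\{(\w+)\.(\w+)\}=(.*)\)$")

def parse(expr):
    """Split a relationship expression into (relationship, attribute, value)."""
    m = EXPR.match(expr)
    if not m:
        raise ValueError(f"not a relationship expression: {expr}")
    return m.group(1).lower(), m.group(2).lower(), m.group(3)

def evaluate(expr, objects):
    """Return names of objects whose related object(s) carry attribute=value.

    Each object is a dict {"name", "attrs", "rel"}; "rel" maps a relationship
    name to a list of related objects. Single-valued relationships such as
    supervisor or service hold one entry; role may hold several (assumed layout).
    """
    rel, attr, value = parse(expr)
    matches = []
    for obj in objects:
        related = obj["rel"].get(rel, [])
        # A target object matches if any related object has the attribute value.
        if any(r["attrs"].get(attr) == value for r in related):
            matches.append(obj["name"])
    return matches

# Constructed sample directory (hypothetical entries, not real data).
jen = {"name": "Jen Jenkins", "attrs": {"cn": "Jen Jenkins"}, "rel": {}}
brokers = {"name": "Brokers", "attrs": {"errolename": "Brokers"}, "rel": {}}
suse = {"name": "SuSE Server", "attrs": {"erservicename": "SuSE Server"}, "rel": {}}
ldap = {"name": "LDAP", "attrs": {"erservicename": "LDAP"}, "rel": {}}

PEOPLE = [
    {"name": "Alice", "attrs": {"cn": "Alice"}, "rel": {"supervisor": [jen], "role": [brokers]}},
    {"name": "Bob", "attrs": {"cn": "Bob"}, "rel": {"supervisor": [jen], "role": []}},
    {"name": "Carol", "attrs": {"cn": "Carol"}, "rel": {"role": [brokers]}},
]
ACCOUNTS = [
    {"name": "alice@suse", "attrs": {}, "rel": {"service": [suse]}},
    {"name": "bob@ldap", "attrs": {}, "rel": {"service": [ldap]}},
]

if __name__ == "__main__":
    print(evaluate("(${supervisor.cn}=Jen Jenkins)", PEOPLE))          # ['Alice', 'Bob']
    print(evaluate("(${service.erservicename}=SuSE Server)", ACCOUNTS))  # ['alice@suse']
    print(evaluate("(${role.errolename}=Brokers)", PEOPLE))              # ['Alice', 'Carol']
```

Note that Carol has no supervisor link at all, so the supervisor filter simply skips her rather than failing; a missing relationship never matches.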