System expressions

System expressions target domain objects that are based on generalized time values relative to the current system date.

The system expression syntax has relatively few elements.

System expressions consist of:
  • an attribute name
  • a relational operator (<= or >=)
  • a dollar sign ($) followed by a curly brace ({)
  • immediately followed by the system.date keywords
  • a plus or minus arithmetic operator (+/-) followed by a number in days
  • a right curly brace (}) to close the expression
For example:
(gmtattributename[<=|>=]${system.date [ + | - ] days})
System expressions resolve to a concrete LDAP filter that is understood by an LDAP directory server or the built-in IBM Verify Identity Governance filter interpreter. For example, this filter targets accounts with passwords that are 90 days old or older.
(erpswdlastchanged<=${system.date - 90})
That example can be used in an ACI for accounts that grants read and write access to the password attribute so that users can update their passwords. The same filter can also be used in a lifecycle rule that suspends accounts if the account password was not changed in the last 90 days. This particular filter expression resolves to the following concrete LDAP filter:
(erpswdlastchanged<=200912311200Z)
It is also possible and syntactically valid to express a range of dates as the criteria to match against domain objects. Embed more than one system expression in a composite filter as in the following example:
(&(erpswdlastchanged>=${system.date - 90})(!(erpswdlastchanged>=${system.date - 30})))

The filter matches accounts with passwords that range from 90 to 30 days old. Other combinations and composite filters are useful, depending on how complex the filter must be and how many objects are targeted for a match.
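
The resolution step described above, sketched as an added example; it is not IBM's code or the product's interpreter. The names resolve and in_window are hypothetical, the timestamp layout is copied from the resolved value shown on this page, and the current date is constructed so that 90 days earlier gives that same value.

```python
import re
from datetime import datetime, timedelta, timezone

# (attribute, <= or >=, ${system.date, + or -, days, }) as listed on the page.
EXPR = re.compile(
    r"\((?P<attr>[A-Za-z][A-Za-z0-9-]*)(?P<op><=|>=)"
    r"\$\{system\.date\s*(?P<sign>[+-])\s*(?P<days>\d+)\}\)"
)
# Assumption: same layout as the page's resolved value 200912311200Z.
GMT_FORMAT = "%Y%m%d%H%MZ"


def resolve(filter_text, now):
    """Return filter_text with every system expression made concrete."""
    def substitute(m):
        delta = timedelta(days=int(m["days"]))
        when = now + delta if m["sign"] == "+" else now - delta
        return f"({m['attr']}{m['op']}{when.strftime(GMT_FORMAT)})"

    resolved = EXPR.sub(substitute, filter_text)
    # Anything still containing "${" did not parse, e.g. an en dash pasted
    # in place of the minus operator. Fail instead of shipping the filter.
    if "${" in resolved:
        raise ValueError(f"unresolved system expression: {resolved}")
    return resolved


def in_window(changed, now, oldest_days, newest_days):
    """Apply (&(attr>=now-oldest)(!(attr>=now-newest))) to one value.

    Fixed-width generalized-time strings order the same way as the dates.
    """
    lower = (now - timedelta(days=oldest_days)).strftime(GMT_FORMAT)
    upper = (now - timedelta(days=newest_days)).strftime(GMT_FORMAT)
    return changed >= lower and not changed >= upper


if __name__ == "__main__":
    # Constructed "current system date"; chosen so that 90 days earlier
    # is the value shown on the page.
    now = datetime(2010, 3, 31, 12, 0, tzinfo=timezone.utc)
    print(resolve("(erpswdlastchanged<=${system.date - 90})", now))
    print(resolve("(&(erpswdlastchanged>=${system.date - 90})"
                  "(!(erpswdlastchanged>=${system.date - 30})))", now))
    for changed in ("201003151200Z", "201002011200Z", "200911011200Z"):
        print(changed, in_window(changed, now, 90, 30))
```

Resolving a filter this way before it goes into an ACI or lifecycle rule shows exactly which date boundary the rule will act on, and the unresolved-expression check catches a filter that would otherwise match nothing or be rejected.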