JavaScript examples for writing adoption policies
An administrator of IBM Verify Identity Governance can use the following JavaScript examples to write adoption policies.
Example 1
The following example shows a simple script that matches the account user ID to the alias field of the person.
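/* Example 1: adopt the account to the person whose eraliases entry equals the
 * account user ID (subject.eruid[0]). Returns the PersonSearch result list. */

/* Escape the characters that have a special meaning in an LDAP filter value
 * (RFC 4515: \ * ( ) and NUL) as \XX hex escapes. The user ID comes from the
 * managed resource; unescaped, a value such as "*" turns the equality match into
 * a wildcard and the account could be adopted to the wrong person. */
function escapeLdapValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return "\\" + (hex.length < 2 ? "0" + hex : hex);
  });
}

var ps = new PersonSearch();
var filter = "(eraliases=" + escapeLdapValue(subject.eruid[0]) + ")";
/* First argument is the search base (left empty here); 2 selects the sub-tree search type. */
return ps.searchByFilter("", filter, 2);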
Example 2
This example is a more complicated sample that you can use for orphan adoption. The script uses the following three strategies to deduce an owner for an account:
- Locate a single person with an eraliases entry that matches the account eruid field.
- If this step yields multiple matches and the account has a cn field, check the matching list for a person whose cn field matches the account cn field.
- If no matches are obtained in the first step, check for a matching account (the same eruid) in the master service, such as a Windows Active Directory service. If that account has an owner, use that person.
If all three strategies fail, the script returns null, which causes an orphan.
Note: Log messages are written to the message log with the script category.
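/* Example 2: orphan adoption with three strategies, tried in order:
 *   1. a single person whose eraliases entry equals the account eruid;
 *   2. on several alias matches, the person whose cn equals the account cn;
 *   3. the owner of the account with the same uid on the master service.
 * Returns a person, a list of persons, or null (null leaves the account an orphan).
 * Progress is written to the message log with the "script" category. */

/* Escape the characters that have a special meaning in an LDAP filter value
 * (RFC 4515: \ * ( ) and NUL) as \XX hex escapes. The uid comes from the managed
 * resource; unescaped, a value such as "*" turns the equality match into a
 * wildcard and the account could be adopted to the wrong person. */
function escapeLdapValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return "\\" + (hex.length < 2 ? "0" + hex : hex);
  });
}

var entryUid = subject.eruid[0];
Enrole.log("script", "Starting script for eruid=" + entryUid);

/* change the following value to the name of the master service: */
/* var masterServiceName = "Master AD Service";
*/
var masterServiceName = "NT4 (local)";
/* change the following value to the service profile name of the master service:
This change is required only if the profile of master service and profile of the
service for which the adoption policy is defined are different */
/* var serviceProfileNameOfMasterService = "ADProfile";
*/

var scriptResult = null;

/* Strategy 1: persons whose eraliases entry equals the account uid (sub-tree search, type 2). */
var personsearch = new PersonSearch();
var filter = "(eraliases=" + escapeLdapValue(entryUid) + ")";
var psResult = personsearch.searchByFilter("", filter, 2);
/* The search can return null (the AccountSearch result below is checked the same
 * way); treat that as zero matches instead of failing on psResult.length. */
var aliasMatches = (psResult != null) ? psResult.length : 0;

if (aliasMatches == 1) {
  /* found one person with matching alias */
  Enrole.log("script", "single match for eraliases=" + entryUid);
  scriptResult = psResult;
} else if (aliasMatches > 1) {
  /* Strategy 2: more than one person matched the alias. If the account has a "cn"
   * value, see whether it matches the "cn" of one of them; otherwise the account
   * stays an orphan (scriptResult remains null). */
  Enrole.log("script", "multiple matchs for eraliases=" + entryUid);
  var entryCn = subject.cn;
  if (typeof entryCn != "undefined") {
    Enrole.log("script", "checking cn=" + entryCn[0]);
    /* declared with var so the loop index does not become an implicit global */
    for (var idx = 0; idx < psResult.length; ++idx) {
      var cn1 = psResult[idx].getProperty("cn");
      /* getProperty may yield no value. == is kept for the value comparison: the
       * attribute values may be host strings that only compare equal by coercion
       * -- confirm before switching to === */
      if (cn1 != null && cn1.length != 0 && cn1[0] == entryCn[0]) {
        /* we found a match for the cn */
        scriptResult = psResult[idx];
        break;
      }
    }
  } else {
    Enrole.log("script", "cn field not defined for eruid=" + entryUid);
  }
} else {
  /* Strategy 3: no person matched the alias. See if there is an account with the
   * same uid on the master service (for example, the company Active Directory)
   * and, if that account has exactly one owner, adopt to that person. */
  var acctSearch = new AccountSearch();
  /* Method acctSearch.searchByUidAndService(entryUid, masterServiceName) is used
  if the profile of the master service is same as the profile of the service
  for which the adoption policy is defined.
  If the profile of master service and the profile of the service for which the
  adoption policy is defined are different then the profile name of the master
  service is passed to the searchByUidAndService() method as follows:
  var asResult = acctSearch.searchByUidAndService(entryUid, masterServiceName,
  serviceProfileNameOfMasterService); */
  var asResult = acctSearch.searchByUidAndService(entryUid, masterServiceName);
  if (asResult != null && asResult.length == 1) {
    /* found a matching AD account -- use this accounts owner, if it is not an orphan */
    var owner = asResult[0].getProperty("owner");
    /* a missing owner attribute is treated the same as an orphan account */
    if (owner != null && owner.length == 1) {
      var ownerDn = owner[0];
      Enrole.log("script", "single match for service " + masterServiceName + " uid="
        + entryUid + ", returning person with dn=" + ownerDn);
      scriptResult = new Person(ownerDn);
    } else {
      Enrole.log("script", "service " + masterServiceName + " uid="
        + entryUid + " is an orphan");
    }
  } else {
    Enrole.log("script", "No match or more than one match for uid=" + entryUid
      + " on master service " + masterServiceName);
  }
}
return scriptResult;
/* end of script */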
Example 3
The following example checks whether the name of a person (the gecos field in Linux®) matches their full name in IBM Verify Identity Governance. /*
* OrphanAdoption JavaScript
*/
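/* Example 3: returns the persons whose cn equals one of the account's gecos
 * values (sub-tree search under "Person"), or null when the account has no
 * gecos value to match on. */

/* Escape the characters that have a special meaning in an LDAP filter value
 * (RFC 4515: \ * ( ) and NUL) as \XX hex escapes. gecos is free text set on the
 * Linux host; unescaped, a "(" or ")" in it breaks the filter and a "*" turns
 * the equality match into a wildcard. */
function escapeLdapValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return "\\" + (hex.length < 2 ? "0" + hex : hex);
  });
}

var gecosValues = subject["gecos"];
if (gecosValues == null || gecosValues.length == 0) {
  /* nothing to match on; an empty "(|)" filter would not be a valid search anyway */
  return null;
} else {
  /* OR together one equality term per gecos value */
  var buf = "(|";
  /* declared with var so the loop index does not become an implicit global */
  for (var i = 0; i < gecosValues.length; i++) {
    buf += "(cn=" + escapeLdapValue(gecosValues[i]) + ")";
  }
  buf += ")";
  var ps = new PersonSearch();
  /* Have to use sub-tree search type (2) */
  return ps.searchByFilter("Person", buf, 2);
}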
Example 4
This example uses the new JavaScript API ExtendedPerson to adopt a "root" account as a "System" account and to adopt other accounts as "Individual" accounts.
/*
* OrphanAdoption JavaScript
*/
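/* Example 4: matches the account's eruid values against the uid attribute of
 * persons. A single match is returned as a "System" ExtendedPerson when the
 * account is "root" and as the plain person ("Individual" by default) otherwise;
 * several matches are returned as the list; no match returns null (orphan). */

/* Escape the characters that have a special meaning in an LDAP filter value
 * (RFC 4515: \ * ( ) and NUL) as \XX hex escapes. The uid comes from the managed
 * resource; unescaped, a value such as "*" turns the equality match into a
 * wildcard and the account could be adopted to the wrong person. */
function escapeLdapValue(value) {
  return String(value).replace(/[\\*()\u0000]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return "\\" + (hex.length < 2 ? "0" + hex : hex);
  });
}

var uidValues = subject["eruid"];
if (uidValues == null || uidValues.length == 0) {
  /* no uid to match on; an empty "(|)" filter would not be a valid search anyway */
  return null;
}

/* OR together one equality term per eruid value */
var buff = '(|';
/* declared with var so the loop index does not become an implicit global */
for (var i = 0; i < uidValues.length; i++) {
  buff += '(uid=' + escapeLdapValue(uidValues[i]) + ')';
}
buff += ')';

var ps = new PersonSearch();
/* empty search base; 2 selects the sub-tree search type */
var searchResult = ps.searchByFilter("", buff, 2);
if (searchResult != null && searchResult.length == 1) {
  var person = searchResult[0];
  // If it is a "root" account, adopt it as a "System" account;
  // otherwise, adopt it as an "Individual" account by default.
  if (subject.eruid[0] == "root") {
    return new ExtendedPerson(person, "System");
  } else {
    return person;
  }
} else if (searchResult != null && searchResult.length > 1) {
  return searchResult;
} else {
  return null;
}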