You can customize join directive behavior for your provisioning policies for each attribute based on service type.
Before you begin
Depending on how your system administrator customized your system, you might not
have access to this task. To obtain access to this task or to have someone complete it for you,
contact your system administrator.
About this task
IBM Verify Identity Governance provides several types of join directives. You can extend
existing join directive functions, or you can create your own.
You can define custom join directives by writing a custom Java™ class and adding it to the classpath
of your application server. Provide the fully qualified Java class name in the policy configuration
interface when you set a join directive for an attribute.
If you are extending or replacing one of the existing join directive classes, in addition to the tasks above, you must add the custom property key and value to the enrolepolicies.properties file. For example, if you developed a new class such as com.abc.TextualEx to replace the existing class for textual joins, the registration line is similar to the following example:
provisioning.policy.join.Textual= com.abc.TextualEx
Procedure
- From the navigation tree, select . The Policy Join Behavior table for configuring provisioning policy join directives is displayed as two panes in the window.
- In the Policy Join Behavior window, click Service Type to select from a list of available services, such as ITIM Service.
- Select one of the attributes for the type. The right pane
displays the name, description, and applicable join directives of
the selected attribute.
- Click Join Directive in the right pane to configure provisioning policy precedence by selecting one of the listed join directives. The following values can apply, depending on the attribute you select:
  - Union: Specifies the attribute values and removes the redundancies. This join directive is the default if no other join directive is specified.
  - Intersection: Specifies only parameter values that are common to all policies.
  - Priority: Uses the priority of the policy to determine which attribute value to use. If the conflicting policies have the same priority, the first policy found by the system is used.
  - OR: Specifies the mathematical OR used on a boolean string that represents a boolean value.
    TRUE || TRUE = TRUE
    TRUE || FALSE = TRUE
    FALSE || FALSE = FALSE
  - AND: Specifies the mathematical AND used on a boolean string that represents a boolean value.
    TRUE & TRUE = TRUE
    TRUE & FALSE = FALSE
    FALSE & FALSE = FALSE
  - Append: Appends the textual attribute value defined in one policy to the attribute value defined in another policy. The APPEND join type is used on single-valued text attributes (such as comment on WinNT service). When joining provisioning parameters with the APPEND join type, all individual values are concatenated into a single string value with a user-defined delimiter between them. The delimiter can be defined (changed) in the enrolepolicies.properties file, where the current line reads:
    provisioning.policy.join.Textual.AppendSeparator=<<<>>>
  - Bitwise OR: Specifies the mathematical Bitwise OR used on a bitstring.
  - Bitwise AND: Specifies the mathematical Bitwise AND used on a bitstring.
  - Highest: Uses the highest numeric attribute value from the conflicting policies.
  - Lowest: Uses the lowest numeric attribute value from the conflicting policies.
  - Average: Averages the numeric attribute values from the conflicting policies and uses the average value.
  - Precedence sequence: Uses a user-defined ordering precedence to determine which attribute value to use.
  - Custom: Defines a custom join directive with Java. Custom join directives provide administrators with the ability to completely change the built-in join logic. Enter the fully qualified Java class name of the custom join directive class you created for the attribute.
- Click Compliance Alert Rule to configure a compliance alert rule that specifies when compliance alerts are sent. To configure a compliance alert rule, select one of the following options:
  - Numeric Order (higher value generates alert): Select this option if you want to generate a compliance alert before sending a higher attribute value to the managed resource. Use this option if the attribute value was increased as a result of a provisioning policy evaluation. If the attribute value was decreased as a result of the evaluation, the attribute value is automatically sent to the managed resource. No alert is generated.
  - Numeric Order (lower value generates alert): Select this option if you want to generate a compliance alert before sending a lower attribute value to the managed node. Use this option if the attribute value was decreased as a result of a provisioning policy evaluation. If the attribute value was increased as a result of the evaluation, the attribute value is automatically sent to the managed resource and no alert is generated.
  - Never generate alert: Select this option if you do not want to generate a compliance alert when a provisioning policy evaluation leads to a new value for an attribute. Because no compliance alert is generated, the new attribute value is automatically sent to the managed resource.
  - Always generate alert: Select this option if you want to generate a compliance alert when a provisioning policy evaluation leads to a new value for an attribute. The participant must accept the new attribute value before it is sent to the managed resource. This value is the default for attributes that have a single value.
  - Precedence sequence: Select this option if you want higher values in the list to be considered more privileged than lower values. When a provisioning policy evaluation leads to assignment of a higher attribute value, the attribute value is sent to the managed resource. No compliance alert is generated. If the attribute value is decreased as a result of the evaluation, a compliance alert is generated. Then, the attribute value is sent to the managed resource.
    Note: When you select this option, you can select Move Up, Move Down, Delete, or Add to organize your precedence sequence.
- Click Save to save the changes.
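
The join directive chosen in the procedure decides which value wins when several provisioning policies set the same attribute, and the compliance alert rule decides whether the change is flagged, so both affect how permissive the provisioned account ends up. The Python model below is an added illustration, not IBM code and not the product's Java API; the function names, the sample policies, the reading that a lower priority number outranks a higher one, and the top-first precedence list are assumptions.

```python
# Simplified model of the join directives and compliance alert rules described
# above. Added illustration, not IBM code; policy data below is constructed.
SEP = "<<<>>>"  # default provisioning.policy.join.Textual.AppendSeparator

def join(directive, entries):
    """entries: (policy priority, value) pairs in the order the policies are found.
    Assumption: a lower priority number outranks a higher one."""
    vals = [v for _, v in entries]
    if directive == "Union":            # every value, redundancies removed
        return list(dict.fromkeys(x for v in vals for x in v))
    if directive == "Intersection":     # only values common to all policies
        return [x for x in dict.fromkeys(vals[0]) if all(x in v for v in vals)]
    if directive == "Priority":         # min() keeps the first policy on a tie
        return min(entries, key=lambda e: e[0])[1]
    if directive in ("OR", "AND"):      # boolean strings "TRUE" / "FALSE"
        pick = any if directive == "OR" else all
        return "TRUE" if pick(v == "TRUE" for v in vals) else "FALSE"
    if directive in ("Bitwise OR", "Bitwise AND"):   # bitstrings such as "0101"
        op = (lambda a, b: a | b) if directive == "Bitwise OR" else (lambda a, b: a & b)
        bits = int(vals[0], 2)
        for v in vals[1:]:
            bits = op(bits, int(v, 2))
        return format(bits, "0{}b".format(max(map(len, vals))))
    if directive == "Append":           # single-valued text attributes
        return SEP.join(vals)
    if directive == "Highest":
        return max(vals)
    if directive == "Lowest":
        return min(vals)
    if directive == "Average":
        return sum(vals) / len(vals)
    raise ValueError("unmodelled directive: " + directive)

def raises_alert(rule, old, new, sequence=()):
    """True when the change old -> new generates a compliance alert.
    sequence: precedence list, most privileged value first (assumption)."""
    if new == old or rule == "Never generate alert":
        return False
    if rule == "Always generate alert":
        return True
    if rule == "Numeric Order (higher value generates alert)":
        return new > old
    if rule == "Numeric Order (lower value generates alert)":
        return new < old
    if rule == "Precedence sequence":   # alert only when the value moves down the list
        return sequence.index(new) > sequence.index(old)
    raise ValueError("unknown rule: " + rule)

# Constructed sample: two policies that both apply to one account.
GROUPS = [(2, ["Users", "Backup Operators"]), (1, ["Users", "Administrators"])]
```

With the constructed `GROUPS` sample, Union grants all three groups while Intersection grants only `Users`, which is the difference to review before leaving a group-membership attribute on the default directive.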