Join logic examples

This topic provides examples that show how to use provisioning policy join directives.

This section provides more examples of join logic.

Scenario 1

Multiple applicable entitlements might be joined. The parameter value is only allowed to take on the value that is specified by the second policy under these conditions:

  • No parameter values are selected for an attribute in one policy, that is, all values are allowed.
  • One allowed parameter value is entered for an attribute in another policy, that is, only the specified value is allowed.

Scenario 2

This example illustrates a priority-based provisioning policy join directive for a single-valued attribute. The following table identifies two provisioning policies for this scenario:

Table 1. Two provisioning policies
Policy Description

Policy 1

Priority = 1
Attribute: erdivision = divisionA, enforcement = DEFAULT

Policy 2

Priority = 2
Attribute: erdivision = divisionB, enforcement = MANDATORY

Because Policy 1 has a higher priority, only Policy 1's definition for the erdivision attribute is used. Policy 2's value for the erdivision attribute is ignored. All other values besides divisionA are disallowed.

Scenario 3

This example illustrates a union-based provisioning policy join directive for a multivalued attribute. The following table identifies two provisioning policies for this scenario:

Table 2. Example provisioning policies
Policy Description

Policy 1

Priority = 1
Attribute: localgroup = groupA, enforcement = DEFAULT

Policy 2

Priority = 2
Attribute: localgroup = groupB, enforcement = MANDATORY
Because the join directive is defined as UNION, the resulting policy uses the following definitions for the policies:
  • During account creation, localgroup attribute is defined with both values groupA and groupB.
  • During reconciliations, localgroup is defined as groupB if the attribute is undefined or incorrectly defined.