enrolepolicies.properties

The enrolepolicies.properties file provides standard and custom settings that support the functions of the provisioning policy.

Functions supported by this properties file include:

  • Specifying Java™ classes to process provisioning policy conflicts with join directives
  • Specifying default and non-default join directive caching timeouts
  • Declaring policy attributes to be ignored during policy compliance validation

A join directive is a set of rules that determines how attributes are handled when one provisioning policy conflicts with another. Join directives use logical constructs to resolve conflicts. Examples include combining all policy attributes (union), keeping only common attributes (intersection), and resolving conflicts with Boolean AND or OR logic.

There are 12 types of join directives that you can use. Provisioning policy join directives take effect when more than one provisioning policy is defined for the same user (or group of users) for the same target service, service instance, or service type.

Custom join directives can be defined by writing a custom Java class, adding it to your class path, and then providing the fully qualified Java class name in the policy configuration GUI. If you extend or replace one of the existing join directive classes, you must add the custom property key and value to the enrolepolicies.properties file. For example, if you developed a new class (com.abc.TextualEx) to replace the existing class for textual joins, the registration line is as follows:
provisioning.policy.join.Textual=com.abc.TextualEx

The enrolepolicies.properties properties page defines the properties used to configure IBM Verify Identity Governance policies.

enrolepolicies.properties properties

Join directive classes
provisioning.policy.join.PrecedenceSequence=com.ibm.itim.policy.join.PrecedenceSequence

provisioning.policy.join.Boolean=com.ibm.itim.policy.join.Boolean
provisioning.policy.join.Bitwise=com.ibm.itim.policy.join.Bitwise
provisioning.policy.join.Numeric=com.ibm.itim.policy.join.Numeric
provisioning.policy.join.Textual=com.ibm.itim.policy.join.Textual
provisioning.policy.join.Textual.AppendSeparator=<<<>>>
provisioning.policy.join.Multivalued=com.ibm.itim.policy.join.Multivalued

Do not modify these property keys and values.

Each property key specifies a Java class that can be used to process the logic of a join directive that is required to resolve a provisioning policy conflict.

Append separator characters
provisioning.policy.join.Textual.AppendSeparator

Specifies the character that is used by the textual join directive Java class to separate individual values of a multi-value attribute.

Example:

provisioning.policy.join.Textual.AppendSeparator=<<<>>>

Join directive cache timeouts
provisioning.policy.join.defaultCacheTimeout

Specifies the timeout interval [in seconds] between refreshes of the cache that stores default join directive cache values.

The default is 86400 seconds, which is 24 hours.

Example (default):

provisioning.policy.join.defaultCacheTimeout=86400

provisioning.policy.join.overridingCacheTimeout

Specifies the timeout interval [in seconds] between refreshes of the cache that stores non-default join directive values.

The default is 300 seconds, which is 5 minutes.

Example:

provisioning.policy.join.overridingCacheTimeout=300
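
Added example (not part of the product or of the original page): a Python check that parses an enrolepolicies.properties file and reports join directive settings that differ from the values listed on this page, such as a replaced Textual join class or a changed cache timeout. The parser is a simplified reader of the Java properties format, the function names are hypothetical, and the sample file is constructed.

```python
# Added example: compare a properties file with the values documented on this page.
PREFIX = "provisioning.policy.join."
CLASSES = ["PrecedenceSequence", "Boolean", "Bitwise", "Numeric", "Textual", "Multivalued"]
DOCUMENTED = {PREFIX + c: "com.ibm.itim.policy.join." + c for c in CLASSES}
DOCUMENTED[PREFIX + "Textual.AppendSeparator"] = "<<<>>>"
DOCUMENTED[PREFIX + "defaultCacheTimeout"] = "86400"
DOCUMENTED[PREFIX + "overridingCacheTimeout"] = "300"


def parse_properties(text):
    """Simplified Java .properties reader: comments, '=' or ':' separators, and
    backslash line continuations. Values are trimmed on both sides."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        if not pending and line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):          # continued on the next physical line
            pending = line[:-1]
            continue
        pending = ""
        if not line:
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        idx = min(seps, default=len(line))
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def audit(text):
    """Return {key: (documented, actual)} for join settings that differ from
    this page; documented is None for a key the page does not list."""
    return {k: (DOCUMENTED.get(k), v) for k, v in parse_properties(text).items()
            if k.startswith(PREFIX) and DOCUMENTED.get(k) != v}


# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
provisioning.policy.join.PrecedenceSequence=com.ibm.itim.policy.join.\\
\tPrecedenceSequence
provisioning.policy.join.Textual= com.abc.TextualEx
provisioning.policy.join.Textual.AppendSeparator=<<<>>>
provisioning.policy.join.defaultCacheTimeout=86400
provisioning.policy.join.overridingCacheTimeout = 3600
"""

if __name__ == "__main__":
    for key, (documented, actual) in audit(SAMPLE).items():
        print(f"{key}: documented={documented!r} actual={actual!r}")
```

Each reported key is a place where conflict resolution or cache refresh behaves differently from the documented configuration, so a replaced join class should map to a reviewed and approved custom class.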