Placement of the person

The Identity Manager Server determines where to place in the organization chart. The server uses a placement rule defined in the DSML Identity Feed service.

A person might be defined as a member of the marketing department in the identity source. The placement rule instructs the server to place the person in the marketing department in the IBM Verify Identity Governance organization chart. This rule is used for initial placement of persons during an add operation and for moving a person to a different location during a modify operation.
Note: Organization names returned by placement rules must be unique within the context of the service unless an organization path is used to specify an organization container. If an organization path is provided by the placement rule, the organization name must be unique within that organization container.
Placement rules are written with JavaScript that returns the organization path in a distinguished name (DN) format. This information is used to search for an organizational unit in which to place a person. This DN indicates the required organization path relative to the organization base. The syntax of this path can be represented with the following pseudo BNF notation:
orgDn ::= orgRdn | orgRdn "," orgDn
orgRdn ::= prefix '=' name
prefix ::= 'l' | 'o' | 'ou'
name ::= string
where string is the textural value, l is location, o is organization, and ou is the organizational unit, business partner organization, or Admin Domain.
Note: The prefixes noted here are the default values. If the customer uses a different schema, then these prefixes are the values mapped in entity configuration.

Example

To illustrate, examine the following organization chart:
IBM (organization)
   Marketing (organizational unit)
   Facilities (organizational unit)
      Irvine (location)
The path for the Marketing department is ou=Marketing, o=IBM. The path for the Irvine Facilities department is l=Irvine, ou=Facilities, o=IBM.

The JavaScript function returns a string in this format, but omits the organization. The attributes of the identity record from the identity source can be retrieved from the JavaScript code to construct the path. Because of the programming flexibility provided by JavaScript code, the information used from the identity source can be manipulated in several ways. Programming constructs such as switch statements can be used to map specific organization names to different paths in the server. String manipulation can be used to tokenize or concatenate names to derive paths. For example, a string of IBM/Facilities/Irvine can be tokenized and reconstructed in DN format as l=Irvine, ou=Facilities, o=IBM.

The following example demonstrates one use of this scripting capability. The identity source for the Acme organization uses the attributes div for division, bu for business unit, and dept for department. The logical layout of the organization is as follows:
organization
   division
      business-unit
         department
In the Identity Manager Server, this structure is mapped to organizations and organizational units and looks like this example:
organization
   organizational unit (division)
      organizational unit (business-unit)
         organizational unit (department)
The following JavaScript code can be used for the placement rule to make this conversion:
return "ou=" + entry.dept[o] + ",ou=" + entry.bu[o]  + ",ou=" + entry.dw[o];
Note: All identities in this feed are assumed to be within the Acme organization.
For an organization that uses a multi-valued ou attribute, the placement rule might be:
var ou =entry.ou;
var filt = '';
for (i = 0, i < ou.length, ++i)
{
  if (i==0)
      filt = ''ou='' + ou[i];
  }
else
     {
filt = filt + '',ou='' + ou[i];
     }
}
return filt;
The Identity Manager Server evaluates this script when adding a person to place that person in the organization. During a modify request, this script is evaluated. If the value is different from the current placement of the person, the person is moved to the new location based on the returned path.