Examples of Rules
In the IBM® Security Identity Governance and Intelligence platform, the rules engine provides the flexibility and expressive strength that is required to model the customization of company processes.
Rules can be used in many different situations; in IBM Security Identity Governance and Intelligence, they represent a layer of intelligence that enhances the expressive nature of the data model. Rules are used to implement specific and dynamic behaviors.
The following example situations demonstrate how the AG Core is linked to the external repository by integrating specific rules with simple USER_ERC attribute mapping.
- Example 1
- In an external system that contains personal data, the User Type attribute is set for each user. It is defined by a grouping of codes that have a specific meaning in the system, for example 46=External Consultant. Assume that there is one attribute with the same meaning, but that the types have different names, External Consultant=Consultant. In this case, the simple mapping that is described in the previous paragraph does not work.
The problem can be resolved with a rule that implements the following simple logic:
if type=46 then AG Type=Consultant
This rule must be applied automatically each time a mapping is executed.
- Example 2
- Assume that, based on the value of each USER_ERC attribute, the value of the PERSON attribute can be calculated by either of the following methods:
NAME and SURNAME → MAIL=<NAME>.<SURNAME>@<companyname>.com
ID NUMBER → USERID=<constant><ID NUMBER>
Again, a rule can automatically implement the same logic. The use of a rule is not limited to mappings between USER_ERC and PERSON. It can also be applied in many general cases of communication between the AG Core and an external repository. See the following examples.
- Example 3
- A rule can be used to automatically create an account on the target system when a new user is inserted.
- Example 4
- Certain codes in the external system can indicate whether a user is on sick-leave, on holiday, or temporarily transferred. Based on these codes, a rule can be used to temporarily disable the user's account.
- Example 5
- As a function of User Type, OU Type, or Reason for Transfer, a rule can regulate which roles the user maintains when the user is transferred from one OU to another.
- Example 6
- By using a rule, you can ensure that a user has an account on the target system before you assign an entitlement to that user. If the user has no account, one can be created.
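The mapping rules of Example 1 and Example 2 (external code 46 becomes AG Type Consultant; MAIL and USERID are derived from NAME, SURNAME and ID NUMBER), worked through as an added Python illustration that is not part of this page and does not use the IGI rules API. The plain rule list and the `Person` holder stand in for the product's rules engine, the domain `example.com` and the prefix `U` are placeholders for `<companyname>.com` and `<constant>`, the code table beyond 46 is assumed, and the USER_ERC records are constructed. It also shows what a mapping rule should do with an unknown code or a malformed value: record the problem instead of guessing an identity attribute.

```python
"""Attribute-mapping rules between an external repository record (USER_ERC)
and the AG Core PERSON entity.

Added illustration: not IGI's rule API. A plain list of Python functions
stands in for the rules engine so the mapping logic can run offline.
"""
from dataclasses import dataclass, field

# Assumed lookup table from external User Type codes to AG Type values.
# Only code 46 comes from the page text; code 10 is constructed.
USER_TYPE_TO_AG_TYPE = {
    "46": "Consultant",   # external "External Consultant" -> AG "Consultant"
    "10": "Employee",
}
COMPANY_DOMAIN = "example.com"   # placeholder for <companyname>.com
USERID_PREFIX = "U"              # placeholder for <constant>


@dataclass
class Person:
    """Target PERSON attributes plus any problems the rules found."""
    attributes: dict = field(default_factory=dict)
    issues: list = field(default_factory=list)


def rule_map_user_type(erc, person):
    """Example 1: if type=46 then AG Type=Consultant (via the code table)."""
    code = str(erc.get("USER_TYPE", "")).strip()
    ag_type = USER_TYPE_TO_AG_TYPE.get(code)
    if ag_type is None:
        # Unknown code: do not invent a type, flag the record for review.
        person.issues.append(f"unmapped USER_TYPE code {code!r}")
        return
    person.attributes["AG_TYPE"] = ag_type


def _mail_token(value):
    """Lower-case and keep only letters and digits so the address is well formed."""
    return "".join(ch for ch in value.lower() if ch.isalnum())


def rule_derive_mail(erc, person):
    """Example 2: MAIL=<NAME>.<SURNAME>@<companyname>.com."""
    name, surname = erc.get("NAME"), erc.get("SURNAME")
    if not name or not surname:
        person.issues.append("NAME/SURNAME missing; MAIL not derived")
        return
    person.attributes["MAIL"] = (
        f"{_mail_token(name)}.{_mail_token(surname)}@{COMPANY_DOMAIN}"
    )


def rule_derive_userid(erc, person):
    """Example 2: USERID=<constant><ID NUMBER>, only for a numeric ID."""
    id_number = str(erc.get("ID_NUMBER", "")).strip()
    if not id_number.isdigit():
        person.issues.append(f"ID_NUMBER {id_number!r} not numeric; USERID not derived")
        return
    person.attributes["USERID"] = f"{USERID_PREFIX}{id_number}"


# Rules run in this order on every mapping execution.
MAPPING_RULES = [rule_map_user_type, rule_derive_mail, rule_derive_userid]


def apply_mapping(erc):
    """Apply all mapping rules to one USER_ERC record and return the PERSON."""
    person = Person()
    for rule in MAPPING_RULES:
        rule(erc, person)
    return person


# Constructed sample USER_ERC records: one clean, one with bad values.
SAMPLE_ERC = [
    {"USER_TYPE": 46, "NAME": "Ada", "SURNAME": "Lovelace", "ID_NUMBER": "00123"},
    {"USER_TYPE": "99", "NAME": "Mary", "SURNAME": "", "ID_NUMBER": "ABC"},
]

if __name__ == "__main__":
    for record in SAMPLE_ERC:
        result = apply_mapping(record)
        print(result.attributes, result.issues)
```

Because every rule re-runs on each mapping execution, the derived MAIL and USERID stay consistent with the source record, and a record whose code or ID number cannot be mapped produces a PERSON with missing attributes and a populated `issues` list rather than a silently wrong identity.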
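The account-lifecycle rules of Example 4 (disable an account while an external code marks the user as on sick-leave, on holiday or temporarily transferred) and Example 6 (make sure an account exists before an entitlement is assigned, creating one if needed), as an added Python illustration that is not part of this page and does not use the IGI rules API. The `TargetSystem` class is an in-memory stand-in for the real target system and for the AG Core's provisioning calls, and the status codes `SL`, `HO` and `TT` are constructed placeholders. It goes slightly beyond Example 4 by re-enabling the account once the suspending code is cleared, and it keeps an audit trail of every change a rule makes.

```python
"""Lifecycle rules: suspend on external status codes (Example 4) and
guarantee an account exists before an entitlement is granted (Example 6).

Added illustration: not IGI's rule API. TargetSystem is an in-memory
stand-in for the target system and the provisioning layer.
"""

# Constructed table of external status codes that temporarily suspend
# the account; the real codes are specific to the external system.
SUSPENDING_STATUS_CODES = {
    "SL": "sick leave",
    "HO": "holiday",
    "TT": "temporary transfer",
}


class TargetSystem:
    """Minimal stand-in for the target system's account store."""

    def __init__(self):
        self.accounts = {}   # userid -> {"enabled": bool, "entitlements": set}
        self.audit = []      # one line per change a rule performed

    def has_account(self, userid):
        return userid in self.accounts

    def create_account(self, userid):
        self.accounts[userid] = {"enabled": True, "entitlements": set()}
        self.audit.append(f"create {userid}")

    def set_enabled(self, userid, enabled, reason):
        self.accounts[userid]["enabled"] = enabled
        action = "enable" if enabled else "disable"
        self.audit.append(f"{action} {userid}: {reason}")

    def add_entitlement(self, userid, entitlement):
        self.accounts[userid]["entitlements"].add(entitlement)
        self.audit.append(f"grant {entitlement} to {userid}")


def rule_status_code(target, userid, status_code):
    """Example 4: disable while a suspending code is set, re-enable once cleared.

    Returns the account's enabled state after the rule ran (False if no account).
    """
    if not target.has_account(userid):
        return False
    reason = SUSPENDING_STATUS_CODES.get(status_code)
    enabled = target.accounts[userid]["enabled"]
    if reason and enabled:
        target.set_enabled(userid, False, reason)
    elif reason is None and not enabled:
        target.set_enabled(userid, True, "status code cleared")
    return target.accounts[userid]["enabled"]


def rule_assign_entitlement(target, userid, entitlement, create_missing=True):
    """Example 6: never grant to a non-existent account.

    With create_missing=True the account is created first; otherwise the
    grant is refused and recorded. Returns True only when the grant happened.
    """
    if not target.has_account(userid):
        if not create_missing:
            target.audit.append(f"refuse {entitlement} for {userid}: no account")
            return False
        target.create_account(userid)
    target.add_entitlement(userid, entitlement)
    return True


if __name__ == "__main__":
    ts = TargetSystem()
    rule_assign_entitlement(ts, "U00123", "vpn-access")   # creates, then grants
    rule_status_code(ts, "U00123", "SL")                  # sick leave: disable
    rule_status_code(ts, "U00123", "")                    # code cleared: enable
    print("\n".join(ts.audit))
```

The entitlement rule is written fail-closed: when account creation is not permitted, the grant is refused and logged rather than applied to an account that does not exist, which is the condition Example 6 is meant to prevent.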