Provisioning policy JavaScript functions

You can use a script to define provisioning parameters.

The provisioning parameters of an entitlement within a provisioning policy can be defined by a script. The script is evaluated in a context made up of
  • The person for whom the entitlement is being enforced.
  • The service the entitlement is protecting.
  • The eruid attribute of the target account.
The context of the script includes the following elements:
Subject
Owner of the account.
Service
Service on which the account exists or is to be created.
uid
User ID of the account.
Context
Information about the parameter evaluation: validation of a new account or validation of an existing account.
A special object named parameters exposes the provisioning policy parameters, such as eruid, to the script. To obtain the value of eruid, use the following syntax:
parameters.eruid[0]
The index of zero in this syntax returns the first value of the array object; parameter values are arrays, so the index is required even when only one value is present.

A JavaScript object named subject represents a user for whom the entitlement is being enforced. The service is represented by another JavaScript data model entity named service. The script author uses both the subject and service object to access attributes of these objects.

The values of attributes of objects that are part of the evaluation context can also be retrieved with the IBM® Security Identity Manager custom JavaScript functions.

To use JavaScript to define the value of an attribute, the JavaScript parameter type must be selected. Select JavaScript/Constant in the Expression Type field.

The following examples demonstrate the use of IBM Security Identity Manager custom JavaScript functions within provisioning policies. For a complete reference to all custom JavaScript functions, see the JavaScript Extension Reference.

Person attributes

Syntax:
subject.getProperty(String rawAttrName)
Example:
subject.getProperty("sn")[0];
Example:
// Concatenates the user's given name and family name with a space in between.
// The resulting string value can be used for an account attribute such as
// Description.
{subject.getProperty("givenname")[0] + " " + subject.getProperty("sn")[0];}
Example:
// Sets the account's Password attribute to the user's Shared Secret attribute
// (if the account is automatically provisioned). getProperty returns an array,
// which is empty when the person has no shared secret, so the length is checked
// before indexing.

{
   function passInit() {
      var password = subject.getProperty("ersharedsecret");
      if (password.length > 0) {
         return password[0];
      } else {
         return "";
      }
   }
   return passInit();
}
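The following script is an added example, not code from the page or from the IBM Security Identity Manager product, and it extends the getProperty examples above to the case the shared-secret example only hints at: attributes that are missing or empty. It derives a uid default from the person's given name and surname, falling back to an employee number (the attribute name employeenumber is an assumption) and finally to the eruid already proposed in parameters, so the expression never yields an empty uid. In a policy the body of deriveUid would be entered as the `{ ... }` JavaScript expression; here subject and parameters are constructed stand-ins for the objects the provisioning engine supplies, so the script runs outside ISIM.

```javascript
// Added example: derive an account uid from person attributes with fallbacks.
// `makeSubject` builds a constructed stand-in for the ISIM `subject` object; it is
// not the product's data model and is only here so the script runs stand-alone.
// Like the real getProperty, it returns an array (possibly empty), which is why
// every access guards on length before indexing [0].
function makeSubject(attrs) {
  return {
    getProperty: function (name) {
      var v = attrs[name.toLowerCase()];
      return v === undefined ? [] : (Array.isArray(v) ? v : [v]);
    }
  };
}

// First value of an attribute, or the fallback when the attribute is missing or empty.
function firstValue(subject, attrName, fallback) {
  var values = subject.getProperty(attrName);
  return values.length > 0 && values[0] !== "" ? values[0] : fallback;
}

// Normalise to a conservative uid: lowercase ASCII letters and digits only,
// capped in length, so apostrophes, hyphens and accented letters never reach
// the target service's uid field.
function normalizeUid(s, maxLen) {
  return s.toLowerCase().replace(/[^a-z0-9]/g, "").slice(0, maxLen);
}

// Policy expression body: first initial + surname (e.g. "jsmith"). Falls back to
// the employee number (assumed attribute name "employeenumber") and then to the
// eruid already present in `parameters`, so the result is never an empty string.
function deriveUid(subject, parameters) {
  var given = firstValue(subject, "givenname", "");
  var sn = firstValue(subject, "sn", "");
  var uid = normalizeUid(given.slice(0, 1) + sn, 8);
  if (uid === "") {
    uid = normalizeUid(firstValue(subject, "employeenumber", ""), 8);
  }
  if (uid === "" && parameters.eruid && parameters.eruid.length > 0) {
    uid = parameters.eruid[0];
  }
  return uid;
}

// Constructed sample persons (not real data).
var alice = makeSubject({ givenname: ["Alice"], sn: ["O'Connor-Smith"] });
var noName = makeSubject({ employeenumber: ["E12345"] });
var nothing = makeSubject({});

console.log(deriveUid(alice, { eruid: ["tmp01"] }));   // aoconnor
console.log(deriveUid(noName, { eruid: ["tmp02"] }));  // e12345
console.log(deriveUid(nothing, { eruid: ["tmp03"] })); // tmp03
```

The length check before `[0]` is the part worth copying into any policy script: `subject.getProperty("sn")[0]` on a person with no surname evaluates to undefined, and string concatenation then silently produces "undefined" in the account attribute.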

Search for person

Syntax:
PersonSearch.searchByFilter(String profileName, String filter, [int scope]) 
where scope=1 is a single level search and scope=2 is a subtree search.
Example:
PersonSearch.searchByFilter("Person", "(sn=Smith)", 1); 

Search for service

Syntax:
ServiceSearch.searchByFilter(String filter, [int scope]) 
where scope=1 is a single level search and scope=2 is a subtree search.
Example:
ServiceSearch.searchByFilter("(erntlocalservername=*srv)", 1);

Service closest to the person

Syntax:
ServiceSearch.searchForClosestToPerson(Person person, [int scope])
where scope=1 is a single level search and scope=2 is a subtree search.
Example:
ServiceSearch.searchForClosestToPerson(subject);
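The PersonSearch and ServiceSearch examples above use literal filters. When the filter value comes from a person attribute instead, the value must not be able to change the filter's structure, so it has to be escaped as RFC 4515 specifies (the characters `*`, `(`, `)`, `\` and NUL become `\2a`, `\28`, `\29`, `\5c` and `\00`). The script below is an added example, not code from the page or the product: escapeFilterValue and equalityFilter are hypothetical helpers, the attribute name manager_sn is an assumption chosen for illustration, and the search object is a constructed stand-in that only records the filter it receives, so the example runs outside ISIM.

```javascript
// Added example: build a search filter from a person attribute with the value
// escaped per RFC 4515. The `recordingSearch` and `person` objects below are
// constructed stand-ins for ISIM's PersonSearch and subject objects, not the
// product's own API.
function escapeFilterValue(value) {
  var out = "";
  for (var i = 0; i < value.length; i++) {
    var c = value.charAt(i);
    switch (c) {
      case "*":      out += "\\2a"; break;
      case "(":      out += "\\28"; break;
      case ")":      out += "\\29"; break;
      case "\\":     out += "\\5c"; break;
      case "\u0000": out += "\\00"; break;
      default:       out += c;
    }
  }
  return out;
}

// Equality filter on one attribute; only the value is escaped, the attribute
// name is expected to be a fixed string chosen by the policy author.
function equalityFilter(attr, value) {
  return "(" + attr + "=" + escapeFilterValue(value) + ")";
}

// Policy-style lookup: find persons whose surname equals the subject's
// "manager_sn" value (assumed attribute name). `search` is whatever exposes
// searchByFilter(profileName, filter, scope); scope 2 is a subtree search.
function findManagerBySurname(subject, search) {
  var sn = subject.getProperty("manager_sn");
  if (sn.length === 0) { return []; }
  return search.searchByFilter("Person", equalityFilter("sn", sn[0]), 2);
}

// Constructed stand-ins (not the ISIM objects).
var recordingSearch = {
  filters: [],
  searchByFilter: function (profileName, filter, scope) {
    this.filters.push(filter);
    return [];
  }
};
// Constructed sample value containing filter metacharacters.
var person = {
  getProperty: function (n) { return n === "manager_sn" ? ["Smith)(objectclass=*"] : []; }
};

findManagerBySurname(person, recordingSearch);
console.log(recordingSearch.filters[0]); // (sn=Smith\29\28objectclass=\2a)
```

Without the escaping, the same value would have produced the filter `(sn=Smith)(objectclass=*)`, which is a different query from the one the policy author wrote.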

Name of the business unit in which the person is located

Syntax:
subject.getProperty(String propertyName)
Example:
subject.getProperty("Parent")[0].name;

Specifying the current account Uid

Syntax:
uid = parameters.eruid[0];
Example:
var accountId = parameters.eruid[0];

Enrole.toGeneralizedTime statement

Syntax:
Enrole.toGeneralizedTime(Date date)

Examples:

Using the function to return today's date string:
var gt = Enrole.toGeneralizedTime(new Date());
Using the function to return today's date string as a default attribute:
{Enrole.toGeneralizedTime(new Date())}

Enrole.toMilliseconds statement

Syntax:
Enrole.toMilliseconds(String generalizedTime) 
Examples:
var millis = Enrole.toMilliseconds("200101012004Z");
var date = new Date(millis);
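To show what a policy script can do with the two Enrole time functions, the following added example (not code from the page or from the product) implements local stand-ins for them on the LDAP GeneralizedTime format (RFC 4517, UTC "Z" form) and uses them to compute an expiry timestamp a fixed number of days ahead. The page's own example value "200101012004Z" has minute precision, so the parser accepts both YYYYMMDDHHMMZ and YYYYMMDDHHMMSSZ; the formatter always writes seconds. Whether Enrole.toGeneralizedTime itself emits seconds is not stated on the page and is not assumed here. The function and helper names toGeneralizedTime, toMilliseconds, pad and expiryAfterDays are hypothetical.

```javascript
// Added example: local stand-ins for Enrole.toGeneralizedTime / Enrole.toMilliseconds
// (not the ISIM implementation), plus a policy-style expiry default built on them.
function pad(n, width) {
  var s = String(n);
  while (s.length < width) { s = "0" + s; }
  return s;
}

// Date -> "YYYYMMDDHHMMSSZ" (UTC).
function toGeneralizedTime(date) {
  return pad(date.getUTCFullYear(), 4) + pad(date.getUTCMonth() + 1, 2) +
    pad(date.getUTCDate(), 2) + pad(date.getUTCHours(), 2) +
    pad(date.getUTCMinutes(), 2) + pad(date.getUTCSeconds(), 2) + "Z";
}

// "YYYYMMDDHHMM[SS]Z" -> milliseconds since the epoch. Throws on a malformed
// value instead of returning NaN, which would otherwise flow into `new Date()`
// and from there into an attribute value.
function toMilliseconds(gt) {
  var m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$/.exec(gt);
  if (!m) { throw new Error("not a UTC GeneralizedTime: " + gt); }
  var ms = Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], m[6] ? +m[6] : 0);
  // Date.UTC silently rolls over out-of-range fields (month 13 becomes January of
  // the next year); re-formatting and comparing the date part catches that.
  if (toGeneralizedTime(new Date(ms)).slice(0, 12) !== gt.slice(0, 12)) {
    throw new Error("out-of-range field in GeneralizedTime: " + gt);
  }
  return ms;
}

// Policy-style default: a timestamp `days` after `now`, as a string suitable
// for a generalized-time attribute.
function expiryAfterDays(now, days) {
  return toGeneralizedTime(new Date(now.getTime() + days * 86400000));
}

var base = toMilliseconds("200101012004Z");       // the page's example value
console.log(new Date(base).toISOString());        // 2001-01-01T20:04:00.000Z
console.log(expiryAfterDays(new Date(base), 90)); // 20010401200400Z
```

Inside a policy the expression form is the same as in the Enrole examples above: the body of expiryAfterDays, wrapped in braces, with `new Date()` as the starting point.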