Provisioning policy JavaScript functions
You can use a script to define provisioning parameters.
- The person for whom the entitlement is being enforced.
- The service the entitlement is protecting.
- The eruid attribute of the target account.
- Subject: Owner of the account.
- Service: Service on which the account exists or is to be created.
- uid: User ID of the account.
- Context: Information about the parameter evaluation, which can be validation of a new account or validation of an existing account.
eruid to evaluate the script in the context of provisioning policy parameters. To obtain its value, use the following syntax: parameters.eruid[0]
The value of zero in this syntax returns the first value of the array object.
A JavaScript object named subject represents a user for whom the entitlement is being enforced. The service is represented by another JavaScript data model entity named service. The script author uses both the subject and service object to access attributes of these objects.
The values of attributes of objects that are part of the evaluation context can also be retrieved with the IBM® Security Identity Manager custom JavaScript functions.
To use JavaScript to define the value of an attribute, the JavaScript parameter type must be selected. Select JavaScript/Constant in the Expression Type field.
The following examples demonstrate the use of IBM Security Identity Manager custom JavaScript functions within provisioning policies. For a complete reference to all custom JavaScript functions, see the JavaScript Extension Reference.
Person attributes
subject.getProperty(String rowAttrName)
subject.getProperty("sn")[0];
# Concatenates the user’s given name and family name with a space in between.
# The resulting string value may be used on an account attribute such as
# Description.
{subject.getProperty("givenname")[0] + " " + subject.getProperty("sn")[0];}
# Set a user’s Password attribute to the user’s Shared Secret Attribute
# (if the account is automatically provisioned)
{
function passInit()
{
  var password = subject.getProperty("ersharedsecret");
  if (password.length > 0) {
    return password[0];
  } else {
    return "";
  }
}
return passInit();
}
Search for person
PersonSearch.searchByFilter(String profileName, String filter, [int scope])
where scope=1 is a single level search and scope=2 is a subtree search.
PersonSearch.searchByFilter("Person", "(sn=Smith)", 1);
Search for service
ServiceSearch.searchByFilter(String filter, [int scope])
where scope=1 is a single level search and scope=2 is a subtree search.
ServiceSearch.searchByFilter("(erntlocalservername=*srv)", 1);
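Added example, not part of the IBM documentation or product code: when the filter passed to PersonSearch.searchByFilter or ServiceSearch.searchByFilter is built from an attribute value instead of a literal, the value should be escaped per RFC 4515 and an empty attribute handled before the search. The subject object here is a constructed stand-in so the script runs outside the server, and escapeFilterValue, firstValue and equalityFilter are hypothetical helper names.

```javascript
// Constructed stand-in for the policy context object; in a real policy
// script the server supplies `subject`. Sample values are constructed.
var subject = {
  attrs: { sn: ["Smith (Jr.)*"], givenname: [] },
  getProperty: function (name) { return this.attrs[name] || []; }
};

// Escape a value for use inside an LDAP search filter (RFC 4515):
// backslash, '*', '(', ')' and NUL are replaced by \XX hex escapes,
// so the value is matched literally and cannot alter the filter structure.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, function (ch) {
    var hex = ch.charCodeAt(0).toString(16);
    return "\\" + (hex.length < 2 ? "0" + hex : hex);
  });
}

// First value of a multi-valued attribute, or null when it has no values.
// Indexing [0] on an empty result would yield undefined instead.
function firstValue(obj, name) {
  var values = obj.getProperty(name);
  return values && values.length > 0 ? values[0] : null;
}

// Build "(attr=value)" from an attribute of obj. The attribute name is a
// literal chosen by the script author; only the value is escaped.
// Returns null when the attribute is missing or empty, meaning "do not search".
function equalityFilter(obj, attrName) {
  var value = firstValue(obj, attrName);
  if (value === null || value === "") {
    return null;
  }
  return "(" + attrName + "=" + escapeFilterValue(value) + ")";
}

var filter = equalityFilter(subject, "sn");
// In a policy script the result would then be used, for example:
// if (filter !== null) { PersonSearch.searchByFilter("Person", filter, 1); }
```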
Service closest to the person
ServiceSearch.searchForClosestToPerson(Person person, [int scope])
where scope=1
is a single level search and scope=2
is a subtree search.ServiceSearch.searchForClosestToPerson(subject);
Name of the business unit in which the person is located
subject.getProperty(String propertyName)
subject.getProperty("Parent")[0].name;
Specifying the current account Uid
uid = parameters.eruid[0];
var accountId = parameters.eruid[0];
Enrole.toGeneralizedTime statement
Enrole.toGeneralizedTime(Date date)
Examples:
var gt = Enrole.toGeneralizedTime(new Date());
{Enrole.toGeneralizedTime(new Date())}
Enrole.toMilliseconds statement
Enrole.toMilliseconds(String generalizedTime)
var millis = Enrole.toMilliseconds("200101012004Z");
var date = new Date(millis);