This section is a detailed reference for all of the actions available in the Policy Builder interface.
Sends an add association command to the Identity Vault, with the specified association.
Adds a value to an attribute on an object in the destination data store.
The example adds a value to the OU attribute of the destination object; the value is built from local variables set earlier in the policy. The rule is one of the predefined rules that ship with Identity Manager 3.0. For more information, see Command Transformation - Create Departmental Container - Part 1 and Part 2.
Creates a new object of the specified type in the destination data store.
Any attribute values to be added as part of the object creation must be added in subsequent Add Destination Attribute Value actions that use the same DN.
The example creates the departmental container that is needed before the user can be placed in it. The rule is one of the predefined rules that ship with Identity Manager 3.0. For more information, see Command Transformation - Create Departmental Container - Part 1 and Part 2.
The Organizational Unit object is created first. Its OU naming attribute is supplied by the Add Destination Attribute Value action that follows this action.
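The two-step pattern described above (create the object, then add its attribute values with separate actions on the same DN), written out as a DirXML Script Command Transformation policy. This is an added illustration, not the predefined rule that ships with Identity Manager; the rule names, local variable names (target-container, does-target-exist) and the assumption that the Placement policy has already set a destination DN of the form <container>\<user> are all this example's own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Create Departmental Container - Part 1 (derive the container, test for it)</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- target-container = destination DN with its leaf RDN removed (length="-2" = all but the last segment) -->
      <do-set-local-variable name="target-container">
        <arg-string>
          <token-parse-dn dest-dn-format="dest-dn" length="-2" src-dn-format="dest-dn">
            <token-dest-dn/>
          </token-parse-dn>
        </arg-string>
      </do-set-local-variable>
      <!-- Read Object Class from the would-be container; an empty string means it does not exist yet -->
      <do-set-local-variable name="does-target-exist">
        <arg-string>
          <token-dest-attr class-name="Organizational Unit" name="Object Class">
            <arg-dn>
              <token-local-variable name="target-container"/>
            </arg-dn>
          </token-dest-attr>
        </arg-string>
      </do-set-local-variable>
    </actions>
  </rule>
  <rule>
    <description>Create Departmental Container - Part 2 (create it only when missing)</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <if-local-variable name="does-target-exist" op="equal"></if-local-variable>
      </and>
    </conditions>
    <actions>
      <!-- Step 1: create the Organizational Unit object. direct="true" writes it immediately,
           so it exists before the user add that is currently being processed is applied. -->
      <do-add-dest-object class-name="Organizational Unit" direct="true">
        <arg-dn>
          <token-local-variable name="target-container"/>
        </arg-dn>
      </do-add-dest-object>
      <!-- Step 2: supply the OU naming attribute with a separate action on the same DN;
           its value is the leaf RDN of the container DN (start="-1" length="1"). -->
      <do-add-dest-attr-value class-name="Organizational Unit" direct="true" name="OU">
        <arg-dn>
          <token-local-variable name="target-container"/>
        </arg-dn>
        <arg-value type="string">
          <token-parse-dn dest-dn-format="dot" length="1" src-dn-format="dest-dn" start="-1">
            <token-local-variable name="target-container"/>
          </token-parse-dn>
        </arg-value>
      </do-add-dest-attr-value>
    </actions>
  </rule>
</policy>
```

The existence test in Part 1 and the condition in Part 2 are what keep this from attempting to create a container that is already there; without them every add under an existing department would produce a failing add command.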
Adds the specified value to the specified attribute on an object in the source data store. The target object is the current object, a DN, or an association.
Creates an object of the specified type in the source data store. Any attribute values to be added as part of the object creation must be added in subsequent Add Source Attribute Value actions that use the same DN.
Appends an element to a set of elements selected by the XPath expression.
Appends text to a set of elements selected by the XPath expression.
Ends processing of the current operation by the current policy.
Removes all values of the named attribute from an object in the destination data store.
Clears the named operation property from the current operation.
Removes all values of the named attribute from an object in the source data store.
Appends deep copies of a set of XML nodes selected by an XPath expression to a set of elements selected by another XPath expression.
Copies all occurrences of an attribute within the current operation to a different attribute within the current operation.
The example adds a User object to the appropriate group, Employee or Manager, based on Title. It also creates the group if needed and makes the user security equivalent to that group. The policy is Govern Groups for User Based on Title Attribute, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.
The Clone Operation Attribute action copies the values of the Group Membership attribute into the Security Equals attribute, so the two attributes carry the same values.
Deletes an object in the destination data store.
Deletes the object in the source data store.
Finds a match for the current object in the destination data store.
Find Matching Object is only valid when the current operation is an add.
The DN argument is required when the scope is entry and is optional otherwise. At least one match attribute is required when the scope is subtree or subordinates. The results are undefined if the scope is entry and match attributes are specified. If the destination data store is the connected application, an association is added to the current operation for each successful match that is returned. No query is performed if the current operation already has a non-empty association, which allows several Find Matching Object actions to be strung together in the same rule: the first one that matches wins.
If the destination data store is the Identity Vault, the destination DN attribute for the current operation is set. No query is performed if the current operation already has a non-empty destination DN, which again allows several Find Matching Object actions to be strung together in the same rule. If a single result is returned and it is not already associated, the destination DN of the current operation is set to the source DN of the matching object. If a single result is returned and it is already associated, the destination DN is set to the single character U+FFFC. If multiple results are returned, the destination DN is set to the single character U+FFFD. Neither marker is a usable DN; later rules can test the destination DN for these values to detect an already-claimed or ambiguous match.
The example matches User objects on the attributes CN and L. The search base is the Users container with the value of the OU attribute appended to form the DN. The rule is one of the predefined rules that ship with Identity Manager 3.0. For more information, see Matching - By Attribute Value.
When you click the Argument Builder icon, the Match Attribute Builder opens. You specify the attributes you want to match on in the builder. This example uses the CN and L attributes.
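The matching rule above, plus the two behaviours the description calls out: chaining a second Find Matching Object that only runs if the first found nothing, and recognising the U+FFFD marker that an ambiguous match leaves in the destination DN. This is an added DirXML Script illustration, not the predefined rule; the fallback match attribute (Internet EMail Address) and the decision to veto on an ambiguous match are this example's own choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Matching - By Attribute Value (CN and L within the department container)</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- First attempt: Users\<OU>, subtree, must match both CN and L -->
      <do-find-matching-object scope="subtree">
        <arg-dn>
          <token-text xml:space="preserve">Users\</token-text>
          <token-op-attr name="OU"/>
        </arg-dn>
        <arg-match-attr name="CN"/>
        <arg-match-attr name="L"/>
      </do-find-matching-object>
      <!-- Second attempt: whole Users tree, by CN and e-mail. Because the action performs no
           query once the operation already has a destination DN, this only runs if the first
           attempt found nothing. -->
      <do-find-matching-object scope="subtree">
        <arg-dn>
          <token-text>Users</token-text>
        </arg-dn>
        <arg-match-attr name="CN"/>
        <arg-match-attr name="Internet EMail Address"/>
      </do-find-matching-object>
    </actions>
  </rule>
  <rule>
    <description>Ambiguous match: report it and stop rather than guess</description>
    <conditions>
      <and>
        <!-- Multiple results leave the single character U+FFFD in the destination DN -->
        <if-dest-dn op="equal">&#xFFFD;</if-dest-dn>
      </and>
    </conditions>
    <actions>
      <do-status level="warning">
        <arg-string>
          <token-text xml:space="preserve">Multiple Identity Vault objects match CN/L for </token-text>
          <token-src-dn/>
        </arg-string>
      </do-status>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Matching on CN alone is the classic way to join two unrelated people into one identity; requiring L as a second attribute, and surfacing rather than silently resolving an ambiguous result, is what keeps the matching step from becoming an account-takeover path.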
Repeats a set of actions for each node in a node set.
The actions see a different current node on each iteration; it is exposed to them as the local variable current-node.
If a node in the node set is an entitlement, then the for each implicitly performs an Implement Entitlement action.
The following is an example of the Argument Actions Builder, used to provide the action argument:
Sends a user-defined event to Novell Audit.
The Novell Audit event structure contains a target, a subTarget, three strings (text1, text2, text3), two integers (value, value3), and a generic field (data). The text fields are limited to 256 bytes, and the data field can contain up to 3 KB of information, unless a larger data field is enabled in your environment.
The example has four rules that implement a placement policy for User objects based on the first character of the Surname attribute and generate both a trace message and a custom Novell Audit event. The Generate Event action is used to send the event to Novell Audit. The policy name is Policy to Place by Surname, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.
The following is an example of the Named String Builder, used to provide the strings argument.
Generate Event creates an event with the ID 1000 whose text is the value of the local variable LVUser1. LVUser1 is built from the string "User:" + Operation Attribute "cn" + " added to the " + "Training\Users\Active\Users1" + " container". For a user jsmith the event reads: User:jsmith added to the Training\Users\Active\Users1 container.
Designates actions that implement an entitlement so that the status of those entitlements might be reported to the agent that granted or revoked the entitlement.
The following is an example of the Argument Actions Builder, used to provide the action argument:
Moves an object in the destination data store.
The example contains a single rule which disables a user’s account and moves them to a disabled container when the Description attribute indicates they are terminated. The policy is named Disable User Account and Move When Terminated, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.
The policy checks whether the event is a modify of a User object whose Description attribute contains the value terminated. If so, it sets the Login Disabled attribute to true and moves the object into the User\Disabled container.
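The disable-and-move rule described above as a DirXML Script policy. This is an added illustration written for this page, not the downloadable policy itself; the op="changing-to" test and the value type "state" for the Boolean Login Disabled attribute are this example's choices, and User\Disabled is the container name given in the description.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Disable User Account and Move When Terminated</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <!-- Fire only when Description is being changed to this value, case-insensitively -->
        <if-op-attr mode="nocase" name="Description" op="changing-to">terminated</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- Disable first, so the account is unusable even if the move below fails -->
      <do-set-dest-attr-value name="Login Disabled">
        <arg-value type="state">
          <token-text>true</token-text>
        </arg-value>
      </do-set-dest-attr-value>
      <!-- Move the (current) destination object into the holding container -->
      <do-move-dest-object>
        <arg-dn>
          <token-text>User\Disabled</token-text>
        </arg-dn>
      </do-move-dest-object>
    </actions>
  </rule>
</policy>
```

Because every rule's conditions are evaluated before its actions run, a single rule like this cannot re-check the object after the disable; if you need a move to depend on the disable having succeeded, split it across two rules or use the status of the first command.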
Moves an object in the source data store.
Reformats all values of an attribute within the current operation using a pattern.
The example reformats a telephone number from (nnn)-nnn-nnnn to nnn-nnn-nnnn. The rule is one of the predefined rules that ship with Identity Manager 3.0. For more information, see Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-nnnn.
The Reformat Operation Attribute action changes the format of every value of the attribute in the operation. The rule uses the Argument Builder with a regular-expression replacement to rewrite each value.
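The telephone reformat rule as a DirXML Script Input Transformation policy, written here as an added example rather than copied from the predefined rule. The attribute name Telephone Number and the exact pattern (which accepts both "(nnn) nnn-nnnn" and "(nnn)-nnn-nnnn") are this example's assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Input or Output Transformation - Reformat Telephone Number</description>
    <conditions>
      <and>
        <if-op-attr name="Telephone Number" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Reformat runs the argument once per existing value; the value being rewritten is
           available as the local variable current-value. Values that do not match the regex
           are returned unchanged by token-replace-all, so malformed input passes through. -->
      <do-reformat-op-attr name="Telephone Number">
        <arg-value type="string">
          <token-replace-all regex="^\((\d{3})\)[ -]?(\d{3})-(\d{4})$" replace-with="$1-$2-$3">
            <token-local-variable name="current-value"/>
          </token-replace-all>
        </arg-value>
      </do-reformat-op-attr>
    </actions>
  </rule>
</policy>
```

Anchoring the pattern with ^ and $ matters: an unanchored expression would also rewrite a longer string that merely contains a phone number, and an attacker-controlled attribute value is exactly where such partial matches surprise you.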
Sends a remove association command to the Identity Vault.
The example takes a delete operation and disables the User object instead, transforming the event. The rule is one of the predefined rules that ship with Identity Manager 3.0. For more information, see Command Transformation - Publisher Delete to Disable.
When a delete operation occurs for a User object, the Login Disabled attribute is set to true and the association is removed from the object. The association is removed because the associated object in the connected application no longer exists.
Removes an attribute value from an object in the destination data store.
Removes the specified value from the named attribute on an object in the source data store.
Renames an object in the destination data store.
Renames all occurrences of an attribute within the current operation.
Renames an object in the source data store.
Sends an e-mail notification.
IMPORTANT: The value of the password attribute (the credential this action presents to the mail server) is stored in clear text in the policy.
The following is an example of the Named String Builder being used to provide the strings argument:
Generates an e-mail notification using a template.
IMPORTANT: The value of the password attribute (the credential this action presents to the mail server) is stored in clear text in the policy.
Each template might also define fields that can be replaced in the subject and body of the email message.
The following is an example of the Named String Builder, used to provide the strings argument:
Adds default values to the current operation (and optionally to the current object in the source data store) if no values for that attribute already exist. It is only valid when the current operation is add.
The example sets a default value for the company attribute; you can do the same for any attribute. The rule is one of the predefined rules that ship with Identity Manager 3.0. For more information, see Creation - Set Default Attribute Value.
The value is built with the Argument Value List Builder (see Argument Value List Builder). In this example the Argument Builder supplies the company name as a text token.
Adds a value to an attribute on an object in the destination data store, and removes all other values for that attribute.
The example takes a delete operation and disables the User object instead. The rule is from the predefined rules that come with Identity Manager 3.0. For more information, see Command Transformation - Publisher Delete to Disable.
The rule sets the value for the attribute of Login Disabled to true. The rule uses the Argument Builder to add the text of true for the value of the attribute. See Argument Builder for more information about the builder.
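The Publisher Delete to Disable rule, which the descriptions of both Remove Association and Set Destination Attribute Value refer to, as a DirXML Script Command Transformation policy. This is an added illustration, not the predefined rule itself; the final Veto is this example's addition, included because without it the engine would still apply the delete after the two writes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Command Transformation - Publisher Delete to Disable</description>
    <conditions>
      <and>
        <if-operation op="equal">delete</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <!-- Set Destination Attribute Value on the current object: replaces any existing
           Login Disabled value with true, disabling the Identity Vault account -->
      <do-set-dest-attr-value name="Login Disabled">
        <arg-value type="state">
          <token-text>true</token-text>
        </arg-value>
      </do-set-dest-attr-value>
      <!-- The connected-application object is gone, so the association on the Identity Vault
           object points at nothing; remove it so a later add can match and re-associate cleanly -->
      <do-remove-association>
        <arg-association>
          <token-association/>
        </arg-association>
      </do-remove-association>
      <!-- Drop the delete itself; the account is retained, disabled -->
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Disabling instead of deleting preserves the account for audit and rehire, but it also means the object keeps its group memberships and rights; pair this with a move to a holding container or a separate cleanup policy if those rights should lapse.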
Sets the password for the current object in the destination data store.
The example sets a default password for the User object that is created. The rule is from the predefined rules that come with Identity Manager 3.0. For more information, see Creation - Set Default Password.
When a User object is created, the password is set to the Given Name attribute plus the Surname attribute.
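The two Creation-policy rules described under Set Default Attribute Value and Set Destination Password, combined into one DirXML Script policy as an added example (not the predefined rules themselves). The company name is a placeholder, and write-back="true" is this example's choice.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Creation - Set Default Attribute Value and Set Default Password</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- Adds company only when the incoming add carries no value for it.
           write-back="true" also writes the default to the source object so both stores agree. -->
      <do-set-default-attr-value name="company" write-back="true">
        <arg-value type="string">
          <token-text>Example Corp</token-text>
        </arg-value>
      </do-set-default-attr-value>
      <!-- Initial password = Given Name + Surname, as in the predefined rule -->
      <do-set-dest-password>
        <arg-string>
          <token-op-attr name="Given Name"/>
          <token-op-attr name="Surname"/>
        </arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
</policy>
```

A password derived from two directory attributes is guessable by anyone who can read those attributes, so a rule like this only makes sense together with a forced change at first login or as a placeholder until password synchronization supplies the real value.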
Sets a local variable.
The example adds a User object to the appropriate group, Employee or Manager, based on Title. It also creates the group if needed and makes the user security equivalent to that group. The policy name is Govern Groups for User Based on Title and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.
The local variable is set to the value that is in the User object’s destination attribute of Object Class plus the Local Variable of manager-group-info. The Argument Builder is used to construct the local variable. See Argument Builder for more information.
Sets the association value for the current operation.
Sets the object class name for the current operation.
Sets the destination DN for the current operation.
The example places objects in the Identity Vault using a structure that mirrors the connected system. You define the point at which mirroring begins in the source and destination data stores. The rule is one of the predefined rules that ship with Identity Manager 3.0. For more information, see Creation - Set Default Attribute Value.
The rule sets the operation destination DN to be the local variable of the destination base location plus the source DN.
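The mirrored placement rule as a DirXML Script policy, showing Set Local Variable and Set Operation Destination DN working together. This is an added example, not the predefined rule; both base DNs are placeholders. It relies on Unmatched Source DN, which returns the part of the source DN below the subtree named in the most recent if-src-dn in-subtree condition, so that condition is what defines where mirroring begins on the source side.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Placement - Publisher Mirrored</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <!-- Base of the hierarchy in the connected system (placeholder); the unmatched part
             of the source DN is everything below this point -->
        <if-src-dn op="in-subtree">app\people</if-src-dn>
      </and>
    </conditions>
    <actions>
      <!-- Base of the mirrored hierarchy in the Identity Vault (placeholder) -->
      <do-set-local-variable name="dest-base">
        <arg-string>
          <token-text>data\users</token-text>
        </arg-string>
      </do-set-local-variable>
      <!-- dest DN = dest-base + "\" + unmatched source DN, converted from the application
           DN format to the Identity Vault's backslash format -->
      <do-set-op-dest-dn>
        <arg-dn>
          <token-local-variable name="dest-base"/>
          <token-text>\</token-text>
          <token-unmatched-src-dn convert="true"/>
        </arg-dn>
      </do-set-op-dest-dn>
    </actions>
  </rule>
</policy>
```

Mirroring means the connected system now chooses container names in the Identity Vault; the containers it can reach are bounded only by dest-base, so keep that base well away from administrative containers.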
Sets an operation property. An operation property is a named value that is stored within an operation. It is typically used to supply additional context that might be needed by the policy that handles the results of an operation.
Sets the source DN for the current operation.
Sets the template DN for the current operation to the specified value. This action is only valid when the current operation is add.
The example applies the Manager template if the Title attribute contains the word Manager. The name of the policy is Policy: Assign Template to User Based on Title, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.
The Manager Template is applied to any User object that has a Title attribute containing the word manager anywhere in its value. The policy uses a regular expression to find all possible matches.
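The template-assignment rule as a DirXML Script Creation policy, added here as an illustration rather than taken from the downloadable policy. The template DN is a placeholder, and the regular expression is this example's rendering of "contains the word manager".

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Assign Template to User Based on Title</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <if-op-attr name="Title" op="available"/>
        <!-- mode="regex": the whole value must match, so .* on both sides allows "manager" anywhere -->
        <if-op-attr mode="regex" name="Title" op="equal">.*[Mm]anager.*</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- Only meaningful on an add: the template is applied when the object is created -->
      <do-set-op-template-dn>
        <arg-dn>
          <token-text>data\templates\Manager Template</token-text>
        </arg-dn>
      </do-set-op-template-dn>
    </actions>
  </rule>
</policy>
```

A substring match like this also fires on titles such as "Account Manager Assistant"; if the template grants rights, tighten the expression (or match on a controlled attribute) before relying on it.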
Adds a value to an attribute on an object in the source data store, and removes all other values for that attribute.
The example detects when an e-mail address is changed and sets it back to what it was. The policy name is Policy: Reset Value of the E-mail Attribute, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.
The action takes the value of the destination attribute Internet EMail Address and sets the source attribute Email to that same value.
Sets the password for the current object in the source data store.
Sets an XML attribute on a set of elements selected by an XPath expression.
Generates a status notification.
If the level is retry, the policy immediately halts processing of the input document and schedules a retry of the event currently being processed.
If the level is fatal, the policy immediately halts processing of the input document and initiates a shutdown of the driver.
If the current operation has an event-id, that event-id is used for the status notification; otherwise no event-id is reported.
Strips all occurrences of an attribute from the current operation.
The example detects when an e-mail address is changed and sets it back to what it was. The policy name is Policy: Reset Value of the E-mail Attribute and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.
The action strips the Email attribute from the current operation so the change is never applied; the value that remains is the one already held in the destination's Email attribute.
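The e-mail reset policy that both Set Source Attribute Value and Strip Operation Attribute describe, as a DirXML Script policy. This is an added example, not the downloadable policy. It assumes the rule runs in the Publisher Event Transformation policy set, which is where the attribute names line up as the description gives them: the operation still uses the application name Email, while the destination query uses the Identity Vault name Internet EMail Address.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Reset Value of the E-mail Attribute</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <if-op-attr name="Email" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- Set Source Attribute Value: write the Identity Vault's value back to the connected
           application, replacing whatever was just changed there -->
      <do-set-src-attr-value name="Email">
        <arg-value type="string">
          <token-dest-attr name="Internet EMail Address"/>
        </arg-value>
      </do-set-src-attr-value>
      <!-- Strip Operation Attribute: remove the change from the event so it never reaches the Vault -->
      <do-strip-op-attr name="Email"/>
    </actions>
  </rule>
</policy>
```

The order is deliberate: the write-back is generated while the operation still carries the Email attribute, then the attribute is stripped. Both are needed; stripping alone leaves the connected system out of step with the Identity Vault, and writing back alone lets the unwanted value land in the Vault first.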
Strips nodes selected by an XPath 1.0 expression.
Sends a message to DSTRACE.
For information on how to set the trace level on the driver, see Viewing Identity Manager Processes in the Novell Identity Manager 3.0 Administration Guide.
The example has four rules that implement a Placement policy for User objects based on the first character of the Surname attribute. It generates both a trace message and a custom Novell Audit event. The Trace Message action sends the trace message to DSTRACE. The policy name is Policy to Place by Surname and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.
The action sends a trace message to DSTRACE. The message is the contents of the local variable LVUsers1, and it is displayed in yellow in DSTRACE.
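The placement-by-surname policy that both the Generate Event and Trace Message descriptions refer to, as a DirXML Script Placement policy. This is an added illustration, not the downloadable policy: it shows the first-character derivation and one of the four placement rules (A through M); the remaining rules follow the same shape with a different character class and container. The local variable names first-char and LVUser1 follow the descriptions above, and Training\Users\Active\Users1 is the container named there.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Place by Surname - derive the first character</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
        <if-op-attr name="Surname" op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Upper-cased first character of Surname, so later rules need one character class each -->
      <do-set-local-variable name="first-char">
        <arg-string>
          <token-upper-case>
            <token-substring length="1">
              <token-op-attr name="Surname"/>
            </token-substring>
          </token-upper-case>
        </arg-string>
      </do-set-local-variable>
    </actions>
  </rule>
  <rule>
    <description>Place by Surname - A through M</description>
    <conditions>
      <and>
        <!-- Skipped when first-char was never set (no Surname): the comparison simply fails -->
        <if-local-variable mode="regex" name="first-char" op="equal">[A-M]</if-local-variable>
      </and>
    </conditions>
    <actions>
      <!-- Build the message once and reuse it for both DSTRACE and Novell Audit -->
      <do-set-local-variable name="LVUser1">
        <arg-string>
          <token-text>User:</token-text>
          <token-op-attr name="cn"/>
          <token-text xml:space="preserve"> added to the Training\Users\Active\Users1 container</token-text>
        </arg-string>
      </do-set-local-variable>
      <do-set-op-dest-dn>
        <arg-dn>
          <token-text xml:space="preserve">Training\Users\Active\Users1\</token-text>
          <token-op-attr name="cn"/>
        </arg-dn>
      </do-set-op-dest-dn>
      <!-- Trace Message: level 0 is always shown; color is how it appears in DSTRACE -->
      <do-trace-message color="yellow" level="0">
        <arg-string>
          <token-local-variable name="LVUser1"/>
        </arg-string>
      </do-trace-message>
      <!-- Generate Event: user-defined event ID 1000, message in the text1 field -->
      <do-generate-event id="1000">
        <arg-string name="text1">
          <token-local-variable name="LVUser1"/>
        </arg-string>
      </do-generate-event>
    </actions>
  </rule>
</policy>
```

Trace output is a debugging aid that depends on the driver's trace level and is not retained; the Novell Audit event is the durable record, which is why the same message is sent both ways rather than relying on DSTRACE alone.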
Vetoes the current operation.
The example excludes all events that originate in the specified subtree. The rule is one of the predefined rules that ship with Identity Manager 3.0. For more information, see Event Transformation - Scope Filtering - Exclude Subtrees.
The action vetoes every event whose source DN lies within the specified subtree.
Conditionally cancels the current operation and ends processing of the current policy, based on the availability of an attribute in the current operation.
The example does not allow User objects to be created unless the attributes Given Name, Surname, Title, Description, and Internet EMail Address are all available. The policy name is Policy to Enforce the Presence of Attributes and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.
The action vetoes the operation if any of the attributes Given Name, Surname, Title, Description, or Internet EMail Address is not available.
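Both veto actions described above in one DirXML Script policy, written as an added example rather than taken from the predefined rule or the downloadable policy. The excluded subtree is a placeholder. In a real deployment the subtree filter belongs in the Event Transformation policy set and the attribute check in the Creation policy set; they are shown together here only to contrast the unconditional Veto with Veto If Operation Attribute Not Available.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Scope Filtering - Exclude Subtrees</description>
    <conditions>
      <and>
        <!-- Any event whose source DN sits under this subtree (placeholder) is dropped outright -->
        <if-src-dn op="in-subtree">data\users\service-accounts</if-src-dn>
      </and>
    </conditions>
    <actions>
      <do-veto/>
    </actions>
  </rule>
  <rule>
    <description>Enforce the Presence of Attributes</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- Each action is a conditional veto: processing stops at the first attribute that is
           missing from the add, so the order only affects which one is reported -->
      <do-veto-if-op-attr-not-available name="Given Name"/>
      <do-veto-if-op-attr-not-available name="Surname"/>
      <do-veto-if-op-attr-not-available name="Title"/>
      <do-veto-if-op-attr-not-available name="Description"/>
      <do-veto-if-op-attr-not-available name="Internet EMail Address"/>
    </actions>
  </rule>
</policy>
```

A veto in a Creation policy does not queue the event for later; if the missing attribute is expected to arrive in a subsequent modify, the driver's merge behaviour or a later resynchronization, not this rule, is what eventually creates the object.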