2.2 Policy Builder Tasks in Designer

This section contains instructions on performing common tasks in the Policy Builder.

2.2.1 Opening Policy Builder

The Policy Builder can be opened from the Model Outline view, from the Policy Flow view, or from a policy set.

Model Outline View

  1. Open a project in Designer.

  2. Click the Outline tab > select the Show Model Outline icon.

  3. Double-click a policy listed in the Model Outline view or right-click and select Edit.


Policy Flow View

  1. Open a project in Designer.

  2. Select the Outline tab > select the Show Policy Flow icon.

  3. Right-click a policy (for example, the Matching policy) in the Policy Flow view, then select Edit Policy.

  4. You can also double-click the Matching policy in the Policy Flow.

  5. Select the policy, then click Edit.

Policy Set

  1. Right-click the policy in the policy set, then click Edit.

  2. You can also select the policy in the policy set, then click the Edit the policy icon.

To see all of the information in the Policy Builder window without scrolling, double-click the policy tab so the Policy Builder fills the entire window. To minimize the window, double-click the policy tab.

Figure 2-1 Policy Builder Full Screen

2.2.2 Creating a Policy

A policy sends data to the connected systems. A policy is created through the policy set.

Accessing the Policy Set

  1. Select a driver object from the Outline view in an open project.

  2. Select the Policy Set tab.

If the Policy Set tab is not shown:

  1. Click the double arrow.

  2. Select Policy Set.

Using the Policy Set

The policy set contains a toolbar and a list of policies.

The policy list displays all the policies contained in the selected policy set. During a transformation, the policies within the list are executed from top to bottom. The toolbar contains buttons and a drop-down menu that you can use to manage the policies displayed in the list, including editing, adding, deleting, renaming, and changing the processing order of the policies.


Policy Set Toolbar

The policy set displays a copy of the policy. The buttons on the toolbar are enabled or disabled depending upon the item you have selected. The different icons are described below.

Table 2-1 Policy Set Toolbar

| Operation | Description |
| --- | --- |
| Edit a policy | Launches the Policy Builder. |
| Create or add a new policy to the Policy Set | Launches the Add Policy Wizard. |
| Remove and delete the selected policy | Deletes the policy from the project. |
| Remove the selected policy from the Policy Set, do not delete | Removes the policy from the selected policy set object but doesn’t delete the policy. |
| Move the policy up the policy chain | Moves the policy up in the processing order. |
| Move the policy down the policy chain | Moves the policy down in the processing order. |

Keyboard Support

You can move through the policy set with keystrokes as well as using the mouse. The supported keystrokes are listed below.

Table 2-2 Keyboard Support

| Keystroke | Description |
| --- | --- |
| Up-arrow | Moves the selected policy up in the processing order. |
| Down-arrow | Moves the selected policy down in the processing order. |
| Delete | Deletes the policy from the project. |
| Minus | Removes the policy from the selected policy set, but does not delete it. |
| Plus | Launches the Add Policy Wizard. |
| Ctrl+Z | Undoes the last operation. |
| Ctrl+Y | Redoes the last operation. |

Using the Add Policy Wizard

The Add Policy Wizard launches when you click the Create or add a new policy to the Policy Set icon in the toolbar. The Add Policy Wizard enables you to create a policy, copy a policy, or link to a policy, as described in the sections below.

To launch the Add Policy Wizard:

  1. Select a driver in the Outline view.

  2. Select a policy set item in the policy set, then click the Create or add a new policy to the Policy Set icon in the toolbar.

Creating a Policy
  1. In the Add Policy Wizard, select Create a new policy, then click Next.

  2. Provide a policy name.

  3. Accept the default container, or browse to and select the Driver, Publisher, or Subscriber object where you want the policy to be created.

    This decision depends on how you want to organize the policies. By default, policies are placed under the container object that is selected in the Outline tab when the Add Policy Wizard is launched. For example, if you move to a Publisher object in the Outline tab and then add a policy to a policy set, the policy defaults to the Publisher container. You can change this setting if you want to create policies in a different container. For example, you can set up a policy library under a dummy driver, put all of the common policies under this driver, and then simply reference the policies from the other drivers. That way, the policy is common. If you need to change a policy, you need to do it only once. If a policy is not reused by multiple drivers, you typically create that policy under the driver or channel that is using it.

  4. Select the type of policy you want to implement. The policy type defaults to DirXML Script. You can select XSLT or Schema Mapping, if you don’t want to use DirXML® Script.

  5. Click Finish.

If the Schema Mapping policy set is selected, then an additional option is available for Schema Mapping. The new policy appears in the expanded policy set.

You can also add a policy by right-clicking a policy set.

  1. Right-click a policy set (for example, Input Transformation Set).

  2. Select Add Policy.

  3. Select how to implement the policy: DirXML Script, Schema Mapping, XSLT or Copy Existing.

  4. Name the policy.

  5. Click Open Editor after creating policy.

  6. Click OK.

Copying a Policy
  1. In the Add Policy Wizard, select Copy a policy, then click Next.

  2. Name the policy.

  3. Accept the default container, or browse to and select the Driver, Publisher or Subscriber object where you want the policy to be created.

  4. Browse to and select the policy you want to copy, then click OK.

  5. Click Finish to make a copy of the selected policy.

Linking to a Policy
  1. In the Add Policy Wizard, select Link in a policy, then click Next.

  2. Click Browse to launch the model browser.

  3. Browse to and select the Policy object you want to link into the policy set, then click OK.

    Linking a policy into a policy set doesn’t create a new Policy object. Instead, it adds a reference to an existing policy. This reference can be to any existing policy within the current Identity Vault. It doesn’t need to be contained within the current Driver object, but the policy type must be valid for the policy set that it is being linked to. For example, you can’t link a Schema Mapping policy into an Input policy set.

    Linking a policy into a policy set is not permitted when viewing all policies.

  4. Click Finish to link to the selected policy.

2.2.3 Creating a Rule

A rule is defined as a set of conditions that must be met before a defined action occurs. Rules are created from condition groups, conditions, and actions.

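Rules can be created in four different ways: by creating a new rule, using a predefined rule, including an existing rule, or importing a policy from an XML file.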

Creating a New Rule

When you create a rule, you create condition groups, conditions, and actions. Each rule is composed of conditions, actions, and arguments. For more information, click the Help icon when creating each item. The help files contain a definition and an example of the item being used.

Creating a Rule
  1. From the Policy Builder toolbar, select Rule.

    You can also right-click and click New > Rule.

    Either option launches the Create Rule Wizard.

  2. Specify the name of the rule, then click Next.

  3. Select the condition structure (OR Conditions, AND Groups or AND Conditions, OR Groups), then click Next.

  4. Select the condition you want, specify the appropriate information, then click Next.

    Click the Help icon for information about each condition you can create.

  5. You can define an additional condition or condition group at this point. For this example, there is only one condition. Select Continue, then click Next.

  6. Select the action that you want, then click Next.

    Click the Help icon for information about each action you can create.

  7. You can define additional actions at this point. For this example, there is only one action. Select Continue, then click Next.

  8. The summary page displays the rule that was created. Click Finish to complete the creation of the rule.


You can expand or collapse the view of the rule by clicking the plus or minus sign.

Creating a Conditional Group
  1. Right-click the Conditions tab or right-click the name of the Conditional Group, then click New > Append Condition Group.

Creating a Condition
  1. Right-click the condition, then click New > Insert Condition Before or Insert Condition After.

Creating an Action
  1. Right-click the action, then click New > Insert Action Before or Insert Action After.


Using Predefined Rules

Designer includes a list of predefined rules. You can import and use these rules as well as create your own rules.

  1. Right-click in the Policy Builder and select New > Predefined Rules > Insert Predefined Rule Before or Insert Predefined Rule After.

    See Section 2.2.6, Using Predefined Rules for more information.


Including an Existing Rule

Designer allows you to include the rules from another policy.

  1. Right-click in the Policy Builder and click New > Include > Insert Include Before or Insert Include After.

  2. Click the Browse icon.

  3. Browse to the policy you want to include, then click OK.

  4. The field is now populated with the path to the policy. Click OK.

    The rule is a link to the original rule. You cannot edit the rule in this location. Access the original rule to make changes.

Importing a Policy From an XML File

Rules and policies can be saved as XML files. If you have a file that contains a rule or a policy you want to use, the Policy Builder allows you to import the file.

  1. In the Policy Builder, right-click and select Import Policy.

    You can also select the Import Policy icon from the drop-down list in the toolbar.

  2. Select one of the two options: Append the rules from the imported policy or Replace the rules from the imported policy.

  3. Click the browse icon and select the file that contains the DirXML Script, then click Open.

  4. Click OK.

2.2.4 Creating an Argument

The Argument Builder provides a dynamic graphical interface that enables you to construct complex argument expressions for use within the Policy Builder. To access the Argument Builder, see Argument Builder.

Arguments are dynamically used by actions and are derived from tokens that are expanded at run time.

Tokens are broken up into two classifications: nouns and verbs. Noun tokens expand to values that are derived from the current operation, the source or destination data stores, or some external source. Verb tokens modify the concatenated results of other tokens that are subordinate to them.

To define an expression, select one or more noun tokens (values, objects, variables, etc.), and combine them with verb tokens (substring, escape, uppercase, and lowercase) to construct arguments. Multiple tokens are combined to construct complex arguments.

For example, if you want the argument set to an attribute value, you select the attribute noun, then select the attribute name:

Figure 2-2 Argument Builder

If you only want a portion of an attribute, you can combine the attribute noun with the substring verb:

Figure 2-3 Expression

After you add a noun or verb, you can provide values in the editor, then immediately add another noun or verb. You do not need to refresh the Expression pane to apply your changes; they appear when the next operation is performed.

See Noun Tokens and Verb Tokens for a detailed reference on tokens available in the Argument Builder.

Although you define most arguments using the Argument Builder, there are several more builders that are used by the Condition Editor and Action Editor in the Policy Builder. Each builder can recursively call any one of the builders described below.

The information below describes how to access each Builder.

Actions Builder

To launch the Actions Builder, select one of the following two actions, then click the Edit the arguments icon.

In the following example the add destination attribute value action is performed for each Group entitlement that is being added in the current operation.

Figure 2-4 For Each Action

To define the action of the add destination attribute value, click the icon that launches the Actions Builder. In the Actions Builder, you define the desired action. In the following example, the member attribute is added to the destination object for each added Group entitlement.

Figure 2-5 Argument Action Builder

Argument Builder

To launch the Argument Builder, select one of the following actions, then click the Edit the arguments icon.

  1. Create the argument using the nouns and verbs.

    The nouns and verbs can be combined to create the desired argument.

  2. Click Finish.

Match Attribute Builder

The Match Attribute Builder enables you to select attributes and values used by the Find Matching Object action to determine if a matching object exists in a data store.

For example, if you wanted to match users based on a common name and a location:

  1. Select the action of find matching object.

  2. Select the scope of the search for the matching objects. Select from entry, subordinates, or subtree.

  3. Specify the DN of the starting point for the search.

  4. Click the Edit match attributes icon to launch the Match Attribute Builder.

  5. Click the Browse attributes icon to launch the Schema Browser.

  6. Click the Attributes tab, then browse to and select the desired attribute.

  7. Click OK.

    If you want to add more than one attribute, click the Append new item icon to add another line.

  8. Click Finish.

Action Argument Component Builder

To launch the Action Argument Component Builder, select one of the following actions when the Enter value type selection is structured, then click the Edit the components icon.

Figure 2-6 Add Destination Attribute Value Action

  1. Click the Edit the components icon when the value type is set to structured.

  2. Create the value of the action component.

    You can enter the value, or click the Edit the arguments icon to create the value in the Argument Builder.

  3. Click Finish.

Argument Value List Builder

To launch the Argument Value List Builder, select the following action, then click the Edit the arguments icon.

Figure 2-7 Set Default Attribute Value

  1. Select the type of the value: counter, dn, int, interval, octet, state, string, structured, teleNumber, time.

  2. Click the Edit the value lists icon.

  3. Click the Edit the arguments icon.

  4. Create the value of the action component.

    You can enter the value, or click the Edit the arguments icon to create the value in the Argument Builder.

  5. Click Finish.

Named String Builder

To launch the Named String Builder, select one of the following actions, then click the Edit the strings icon.

  1. Select the name of the string from the drop-down list.

  2. Create the value for the string by clicking the Edit the arguments icon to launch the Argument Builder.

  3. Click Finish.

For a Send Email action, the named strings correspond to the elements of the e-mail:

Figure 2-8 E-mail Elements in the Send Mail Action

A complete list of possible values is contained in the help file corresponding to the action that launches the Named String Builder.

Condition Argument Component Builder

To launch the Condition Argument Component Builder, select one of the following conditions, then select structured for Mode so that the Launch ArgComponent Builder icon is displayed.

  1. Specify the name and value of the condition component.

  2. Click Finish.

Pattern String Builder

You can launch the Pattern String Builder from the Argument Builder editor when the Unique Name token is selected. The Argument Builder editor pane shows a Pattern field where you can click to launch the Pattern String Builder.

Figure 2-9 Unique Name Token in the Argument Builder

  1. Click the Edit patterns icon to launch the Pattern Builder.

  2. Specify the pattern or click the Edit the arguments icon to use the Argument Builder to create the pattern.

  3. Click Finish.

2.2.5 Editing a Policy

The Policy Builder allows you to create and edit policies. You can drag and drop rules, conditions and actions. For additional operations, access the Policy Builder toolbar. To display a context menu, right-click an item.

Figure 2-10 Policy Builder Context Menu and Toolbar

Actions and Menu Items in the Policy Builder

The table contains a list of the different actions and menu items in the Policy Builder.

Table 2-3 Policy Builder Actions and Menu Items

| Operation | Description |
| --- | --- |
| Collapse All | Collapses all expanded rules. |
| Copy | Copies the selected item to the Clipboard. |
| Copy and drop | Select the item, press Ctrl, then drag the item. |
| Cut | Cuts the selected item and copies it to the Clipboard. |
| Delete | Deletes the selected item. |
| Disable | Disables a rule, condition, or action. Click the icon. |
| Drag and drop | Enables you to select an item, then relocate it. Select the item, then drag it to the new location. |
| Edit | Enables you to edit the selected item. To open the Rule Builder, select a rule, then click Edit. |
| Enable | Enables a rule, condition, or action. Click the icon. |
| Expand All | Expands all the rules so that you can view the conditions and actions of each rule. |
| Import Policy | Imports a policy from the file system and appends it to the policy, or replaces all the rules of the policy. |
| Launch Simulator | Launches the Policy Simulator. |
| Move and drop | Enables you to select and move an item. Select the item, then drag it. |
| Move the selected item down | Moves the item down in the list of policies. |
| Move the selected item up | Moves the item up in the list of policies. |
| New > Condition Group | Creates a new condition group after a selected item. |
| New > Include | Creates a new Include after a selected item. |
| New > Predefined Rule | Inserts a predefined rule. |
| New > Rule | Creates a new rule after a selected item. |
| Paste | Pastes the contents of the Clipboard after the selected item. |
| Preferences | Enables you to change how the information is displayed. |
| Select | Click any item to select it. |

Keyboard Support

You can move through the Policy Builder with keystrokes as well as using the mouse. The supported keystrokes are listed below.

Table 2-4 Keyboard Support in the Policy Builder

| Keystroke | Description |
| --- | --- |
| Ctrl+C | Copies the selected item into the Clipboard. |
| Ctrl+X | Cuts the selected item and adds it to the Clipboard. |
| Ctrl+V | Pastes the contents of the Clipboard after the selected item. |
| Delete | Deletes the selected item. |
| Left-Arrow | Collapses a rule node. |
| Right-Arrow | Expands a rule node. |
| Up-Arrow | Navigates up. |
| Down-Arrow | Navigates down. |
| Ctrl+Z | Undo |
| Ctrl+Y | Redo |

Renaming a Policy

  1. In the Outline view, select the policy you want to rename.

  2. Right-click and select Properties.

  3. Change the name of the policy in the Policy Name field.

  4. Click OK.

Saving Your Work

Do one of the following:

  • From the Main menu, click File > Save (or Save All).

  • Close the editor by clicking the X in the editor’s tab.

  • Select Close from the Main Menu’s File menu.

  • Press Ctrl+S.

Policy Description

The Description field provides a place to add notes about the functionality of the policy.

Figure 2-11 Policy Description

2.2.6 Using Predefined Rules

Designer includes twenty predefined rules. You can import and use these rules as well as create your own rules. These rules include common tasks that administrators use. You need to provide information specific to your environment to customize the rules.

To access the predefined rules:

  1. In the Policy Builder, right-click and select New > Predefined Rules > Insert Predefined Rule Before or Insert Predefined Rule After.

    The Predefined Rules dialog box displays a list of the available rules.

Command Transformation - Create Departmental Container - Part 1 and Part 2

Creates a department container in the destination data store, if one does not exist. Implement the rule on the Command Transformation policy in the driver. You can implement the rule on either the Subscriber or the Publisher channel or on both channels.

There are two steps involved in using the predefined rules: creating a policy in the Command Transformation policy set and importing the predefined rule. If you already have a Command Transformation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher or Subscriber channel.

  2. Select the Command Transformation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Command Transformation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Command Transformation - Create Department Container - Part 1, then click OK.

  3. Right-click in Policy Builder and click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  4. Select Command Transformation - Create Department Container - Part 2, then click OK.

  5. Save the rule by clicking File > Save.


There is no information to change in the rules that are specific to your environment.

IMPORTANT: Make sure that the rules are listed in order. Part 1 must be executed before Part 2.

How the Rule Works

The rule is used when the destination location for an object does not exist. Instead of getting a veto because the object cannot be placed, this rule creates the container and places the object in the container.

Part 1 looks for any Add event. When the Add event occurs, two local variables are set. The first local variable is named target-container. The value of target-container is set to the destination DN. The second local variable is named does-target-exist. The value of does-target-exist is set to the destination attribute value of objectclass. The class is set to OrganizationalUnit. The DN of the OrganizationalUnit is set to the local variable of target-container.


Part 2 checks to see if the local variable does-target-exist is available. It also checks to see if the value of the local variable does-target-exist is set to a blank value. If the value is blank, then an Organizational Unit object is created. The DN of the organizational unit is set to the value of the local variable target-container. It also adds the value for the OU attribute. The value of the OU attribute is set to the local variable of target-container. It uses the source format as the destination DN and the destination format is dot format.
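The following is an added Python model of the two-part rule described above, showing why Part 1 must run before Part 2. It is not DirXML Script and not code from Designer or Identity Manager; the function names, the dictionary-based data store, and the sample DNs are assumptions made for the illustration.

```python
# Added model of the two-part rule; plain Python, not DirXML Script.
# DNs are typeless dot format, leaf first: "jdoe.sales.acme" (constructed).


def parent_dn(dn):
    """Return the container part of a dot-format DN ('sales.acme')."""
    return dn.partition(".")[2]


def part1(event, variables, store):
    """Part 1: on any Add event, set the two local variables."""
    if event["op"] != "add":
        return
    container = parent_dn(event["dest_dn"])
    variables["target-container"] = container
    # Destination attribute value of objectclass for that DN; blank when the
    # container is not in the destination data store.
    variables["does-target-exist"] = store.get(container, {}).get("objectclass", "")


def part2(event, variables, store):
    """Part 2: create the OrganizationalUnit if Part 1 found no container."""
    if "does-target-exist" not in variables:   # local variable not available
        return
    if variables["does-target-exist"] != "":   # container already exists
        return
    container = variables["target-container"]
    store[container] = {
        "objectclass": "OrganizationalUnit",
        # OU value taken from target-container; using only its first name
        # component is an assumption of this model.
        "OU": container.split(".")[0],
    }


def process_add(rules, event, store):
    """Run the rules top to bottom, then let the destination place the object."""
    variables = {}
    for rule in rules:
        rule(event, variables, store)
    if parent_dn(event["dest_dn"]) not in store:
        return "veto"          # destination location does not exist
    store[event["dest_dn"]] = {"objectclass": event["class"]}
    return "added"


def demo():
    """Same Add event against a fresh constructed store, three rule orders."""
    event = {"op": "add", "class": "User", "dest_dn": "jdoe.sales.acme"}
    results = {}
    for label, rules in (("part1-then-part2", [part1, part2]),
                         ("part2-then-part1", [part2, part1]),
                         ("no-rule", [])):
        store = {"acme": {"objectclass": "Organization"}}
        results[label] = (process_add(rules, event, store), sorted(store))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

With the rules reversed, Part 2 runs while does-target-exist is still unavailable, so no container is created and the Add ends in a veto, the same outcome as having no rule at all.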

Command Transformation - Publisher Delete to Disable

Transforms the Delete event for a user object into disabling the user object. Implement the rule on the Command Transformation policy in the driver. The rule needs to be implemented on the Publisher channel.

There are two steps involved in using the predefined rules: creating a policy in the Command Transformation policy set and importing the predefined rule. If you already have a Command Transformation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Command Transformation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Command Transformation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Command Transformation - Publisher Delete to Disable, then click OK.

  3. Save the rule by clicking File > Save.


There is no information to change in the rule that is specific to your environment.

How the Rule Works

The rule is used when a Delete event occurs in the connected data store. Instead of the User object being deleted in the Identity Vault, the User object is disabled. Anytime a Delete event occurs for a User object, the destination attribute value of Login Disabled is set to True and the association is removed from the User object. The User object can no longer log in to the Novell eDirectory tree, but the User object is not deleted.

Creation - Require Attributes

The rule does not allow user objects to be created unless the required attributes are populated. Implement the rule on the Creation policy in the driver. You can implement the rule on either the Subscriber or the Publisher channel or on both channels.

There are two steps involved in using the predefined rules: creating a policy in the Creation policy set and importing the predefined rule. If you already have a Creation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher or Subscriber channel.

  2. Select the Creation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Creation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder and click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Creation - Require attributes, then click OK.

  3. Edit the action by double-clicking the Actions tab.

  4. Delete [Enter name of required attribute] from the Enter Name field.

  5. Browse to the attributes you require for a User object to be created, then click OK.

  6. Click OK.

  7. Save the rule by selecting File > Save.

How the Rule Works

The rule is used when your business processes require a user to have specific attributes populated when the user object is created. When a user object is created, the rule vetoes the creation of the object unless the required attributes are provided. You can have one or more required attributes.

If you want more than one required attribute, right-click the action and select New > Append Action. Select veto if operation attribute not available, then browse to the attribute you want to require.

Creation - Publisher - Use Template

Allows the use of a Novell eDirectory template object during the creation of a User object. Implement the rule on the Publisher Creation policy in the driver. You can implement the rule only on the Publisher channel.

There are two steps involved in using the predefined rules: creating a policy in the Creation policy set and importing the predefined rule. If you already have a Creation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Creation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Creation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Creation - Publisher - Use Template, then click OK.

  3. Edit the action by double-clicking the Actions tab.

  4. Delete [Enter DN of Template object] from the Enter DN field.

  5. Click the Edit Arguments icon to launch the Argument Builder.

  6. Select Text in the Noun list.

  7. Double-click Text to add it to the argument.

  8. In the Editor, click the browse icon, browse to and select the template object, then click OK.

  9. Click OK.

  10. Save the rule by clicking File > Save.

How the Rule Works

The rule is used when you want to use a template object to create a user in the Identity Vault. If you have attributes that are the same for different users, using the template saves time. You fill in the information in the template object, and when the User object is created, Identity Manager calls the template and uses that to create the User object.

During the creation of User objects, the rule performs the action of the set operation template DN. The action calls the template object and creates the User object with the information in the template.

Creation - Set Default Attribute Value

Allows you to set default values for attributes that are assigned during the creation of User objects. Implement the rule on the Subscriber Creation policy or Publisher Creation policy in the driver.

There are two steps involved in using the predefined rules: creating a policy in the Creation policy set and importing the predefined rule. If you already have a Creation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher or Subscriber channel.

  2. Select the Creation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Creation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Creation - Set Default Attribute Value, then click OK.

  3. Edit the action by double-clicking the Actions tab.

  4. Delete [Enter attribute name] from the Enter attribute name field.

  5. Click the browse icon, then browse to and select the attribute you want to create.

  6. Delete [Enter default attribute value] from the Enter arguments values field.

  7. Click the Edit Arguments icon to launch the Argument Values List Builder.

  8. Select the type of data you want the value to be.

  9. Click the Edit Arguments icon to launch the Argument Builder.

  10. Create the value for the attribute in the Argument Builder, then click OK.

  11. Click OK.

  12. Save the rule by clicking File > Save.

    Creation - Set Default Attribute Value
How the Rule Works

The rule is used when you want to create a User object with default attributes and values. When a User object is created, the rule sets the attribute and the value for that attribute.

If you want more than one attribute value defined, right-click the action and click New > Append Action. Select the action, set the default attribute value, and follow Step 1 through Step 12 to assign the value to the attribute.

Creation - Set Default Password

Sets a default password for User objects during their creation. Implement the rule on the Creation policy in the driver. You can implement the rule on either the Subscriber or the Publisher channel or on both channels.

There are two steps involved in using the predefined rules: creating a policy in the Creation policy set and importing the predefined rule. If you already have a Creation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher or Subscriber channel.

  2. Select the Creation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Creation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Creation - Set Default Password, then click OK.

  3. Save the rule by clicking File > Save.

    Creation - Set Default Password

There is no information to change in the rule that is specific to your environment.

How the Rule Works

The rule is used when you want User objects to be created with a default password. During the creation of a User object, the password that is set for the User object is the Given Name attribute plus the Surname attribute of the User object.

You can change the value of the default password by editing the argument. You can set the password to any other value you want through the Argument Builder.
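A check for the default-password rule described above, as an added example that is not part of the original documentation: it scans DirXML Script policy XML for set-password actions whose argument is built only from literal text or object attributes, so the resulting password can be derived from directory data. The sample policy is constructed; its first rule is modelled on the description above, and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy. Rule 1 is modelled on the predefined rule as this
# page describes it (Given Name plus Surname); rules 2-4 are invented for contrast.
SAMPLE_POLICY = """\
<policy>
  <rule>
    <description>Creation - Set Default Password</description>
    <conditions><and><if-class-name op="equal">User</if-class-name></and></conditions>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <token-attr name="Given Name"/>
          <token-attr name="Surname"/>
        </arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
  <rule>
    <description>Constructed - literal plus lowercased surname</description>
    <actions>
      <do-set-dest-password>
        <arg-string>
          <token-text>Welcome</token-text>
          <token-lower-case><token-attr name="Surname"/></token-lower-case>
        </arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
  <rule>
    <description>Constructed - fixed literal</description>
    <actions>
      <do-set-dest-password>
        <arg-string><token-text>PLACEHOLDER-LITERAL</token-text></arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
  <rule>
    <description>Constructed - generated password</description>
    <actions>
      <do-set-dest-password>
        <arg-string><token-generate-password policy-dn="PLACEHOLDER-POLICY-DN"/></arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
</policy>
"""

PASSWORD_ACTIONS = ("do-set-dest-password", "do-set-src-password")
ATTRIBUTE_TOKENS = {"token-attr", "token-src-attr", "token-dest-attr", "token-op-attr"}


def leaf_tokens(element):
    """Return the innermost tokens under element, descending through wrapper
    tokens (for example token-lower-case) that only transform their children."""
    children = list(element)
    if not children:
        return [element]
    return [leaf for child in children for leaf in leaf_tokens(child)]


def classify(action):
    """Classify one set-password action by what its argument is built from."""
    arg = action.find("arg-string")
    leaves = [] if arg is None else [l for child in arg for l in leaf_tokens(child)]
    attrs = [l.get("name") for l in leaves if l.tag in ATTRIBUTE_TOKENS]
    opaque = [l.tag for l in leaves
              if l.tag not in ATTRIBUTE_TOKENS and l.tag != "token-text"]
    if not leaves or opaque:
        # Empty argument, or a token this script cannot reason about.
        return "needs-review", attrs
    # Only literals and attribute values: the password is reproducible from
    # directory data (attribute-derived) or identical for everyone (static-literal).
    return ("attribute-derived" if attrs else "static-literal"), attrs


def audit_policy(xml_text):
    """Return one finding per set-password action in the policy."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        name = (rule.findtext("description") or "(unnamed rule)").strip()
        for action in rule.iter():
            if action.tag in PASSWORD_ACTIONS:
                kind, attrs = classify(action)
                findings.append({"rule": name, "action": action.tag,
                                 "kind": kind, "attributes": attrs})
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['kind']:18} {f['rule']}  {f['attributes']}")
```

Rules reported as attribute-derived or static-literal are the ones to change through the Argument Builder, as the paragraph above describes.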

Event Transformation - Scope Filtering - Include Subtrees

Excludes all events except those that occur in a specific subtree. Implement the rule on the Event Transformation policy in the driver. You can implement the rule on either the Subscriber or the Publisher channel or on both channels.

There are two steps involved in using the predefined rules: creating a policy in the Event Transformation policy set and importing the predefined rule. If you already have an Event Transformation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher or Subscriber channel.

  2. Select the Event Transformation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Event Transformation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then select New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Event Transformation - Scope Filtering - Include subtrees, then click OK.

  3. Edit the condition by double-clicking the Conditions tab.

  4. Delete [Enter a subtree to include] in the Value field.

  5. Click the browse button to browse the Identity Vault for the part of the tree where you want events to synchronize, then click OK.

  6. Click OK.

  7. Save the rule by clicking File > Save.

    Event Transformation - Scope Filtering - Include Subtree
How the Rule Works

The rule is used when you want to exclude part of the Identity Vault from synchronizing. It allows you to synchronize some objects and not other objects, without using the Filter. When an event occurs anywhere but in that specific part of the Identity Vault, it is vetoed.

Event Transformation - Scope Filtering - Exclude Subtrees

Excludes all events that occur in a specific subtree. Implement the rule on the Event Transformation policy in the driver. You can implement the rule on either the Subscriber or the Publisher channel or on both channels.

There are two steps involved in using the predefined rules: creating a policy in the Event Transformation policy set and importing the predefined rule. If you already have an Event Transformation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher or Subscriber channel.

  2. Select the Event Transformation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Event Transformation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule.

  2. Select Event Transformation - Scope Filtering - Exclude subtrees, then click OK.

  3. Edit the condition by double-clicking the Conditions tab.

  4. Delete [Enter a subtree to exclude] in the Value field.

  5. Click the browse button to browse the Identity Vault for the part of the tree where you want to exclude events from synchronizing, then click OK.

  6. Click OK.

  7. Save the rule by clicking File > Save.

    Event Transformation - Scope Filtering - Exclude Subtrees
How the Rule Works

The rule is used when you want to exclude part of the Identity Vault from synchronizing. It allows you to synchronize some objects and not other objects, without using the Filter. Anytime an event occurs in that specific part of the Identity Vault, it is vetoed.

Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-nnnn

Transforms the format of the telephone number when a desired condition is met. Implement the rule on the Input or Output Transformation policy in the driver. You can implement the rule on either the Subscriber or the Publisher channel or on both channels.

There are two steps involved in using the predefined rules: creating a policy in the Input or Output Transformation policy set and importing the predefined rule. If you already have an Input or Output Transformation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher or Subscriber channel.

  2. Select the Input or Output Transformation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Input or Output Transformation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-nnnn, then click OK.

  3. Edit the condition by double-clicking the Conditions tab.

  4. Define the condition that must be met for the telephone number to be reformatted.

  5. Click OK.

  6. Save the rule by clicking File > Save.

    Input or Output Transformation - Reformat Telephone Number
How the Rule Works

The rule is used when you want to reformat the telephone number. You define the condition that is to be met when the telephone number is reformatted.

Input or Output Transformation - Reformat Telephone Number from nnn-nnn-nnnn to (nnn) nnn-nnnn

Transforms the format of the telephone number when a desired condition is met. Implement the rule on the Input or Output Transformation policy. You can implement the rule on either the Subscriber or the Publisher channel or on both channels.

There are two steps involved in using the predefined rules: creating a policy in the Input or Output Transformation policy set and importing the predefined rule. If you already have an Input or Output Transformation policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher or Subscriber channel.

  2. Select the Input or Output Transformation policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Input or Output Transformation policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder and click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Input or Output Transformation - Reformat Telephone Number from nnn-nnn-nnnn to (nnn) nnn-nnnn, then click OK.

  3. Edit the condition by double-clicking the Conditions tab.

  4. Define the condition that must be met for the telephone number to be reformatted.

  5. Click OK.

  6. Save the rule by clicking File > Save.

    Input or Output Transformation - Reformat Telephone Number
How the Rule Works

The rule is used when you want to reformat the telephone number. You define the condition that is to be met when the telephone number is reformatted.

Matching - Publisher Mirrored

Matches for objects in the Identity Vault by using the mirrored structure in the data store from a specified point. Implement the rule on the Matching policy in the driver. You can implement the rule only on the Publisher channel.

There are two steps involved in using the predefined rules: creating a policy in the Matching policy set and importing the predefined rule. If you already have a Matching policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Matching policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Matching policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Matching - Publisher Mirrored, then click OK.

  3. Edit the condition by double-clicking the Conditions tab.

  4. Delete [Enter base of source hierarchy] from the Value field.

  5. Browse to and select the container in the source hierarchy where you want the matching to start, then click OK.

  6. Click OK.

  7. Edit the action by double-clicking the Actions tab.

  8. Delete [Enter base of destination hierarchy] from the Enter string field.

  9. Click the Edit Arguments icon to launch the Argument Builder.

  10. Select Text in the Noun list.

  11. Double-click Text to add it to the argument.

  12. In the Editor, click the browse icon and browse to the container in the destination hierarchy where you want the source structure to be matched, then click OK.

  13. Click OK.

  14. Save the rule by clicking File > Save.

    Matching - Publisher Mirrored
How the Rule Works

Matches for objects in the Identity Vault by using the mirrored structure in the data store from a specified point. When an Add event occurs and the driver checks to see if the object exists, it starts checking at the specific DN in the data store. The driver then sets a local variable of dest-base to be the starting point in the Identity Vault that the structure is mirrored to in the data store. The driver then creates the context it is searching by adding the local variable of dest-base plus a \ and the source DN of the object. It creates the path it is looking for in the slash format.

Matching - Subscriber Mirrored - LDAP Format

Matches for objects in the data store by using the mirrored structure in the Identity Vault from a specified point. Implement the rule on the Matching policy in the driver. You can implement the rule only on the Subscriber channel.

There are two steps involved in using the predefined rules: creating a policy in the Matching policy set and importing the predefined rule. If you already have a Matching policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Matching policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Matching policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Matching - Subscriber Mirrored - LDAP format, then click OK.

  3. Edit the condition by double-clicking the Conditions tab.

  4. Delete [Enter base of source hierarchy] from the Value field.

  5. Browse to and select the container in the source hierarchy where you want the matching to start, then click OK.

  6. Click OK.

  7. Edit the action by double-clicking the Actions tab.

  8. Delete [Enter base of destination hierarchy] from the Enter String field.

  9. Click the Edit Arguments icon to launch the Argument Builder.

  10. Select Text in the Noun list.

  11. Double-click Text to add it to the argument.

  12. In the Editor, click the browse icon, browse to and select the container in the destination hierarchy where you want the source structure to be matched, then click OK.

  13. Click OK.

  14. Save the rule by clicking File > Save.

    Matching - Subscriber Mirrored - LDAP Format
How the Rule Works

Matches for objects in the data store by using the mirrored structure in the Identity Vault from a specified point. When an Add event occurs and the driver checks to see if the object exists, it starts checking at the specific DN in the Identity Vault. The driver then sets a local variable of dest-base to be the starting point in the data store that the structure is mirrored to in the Identity Vault. The driver then creates the context it is searching by adding the source DN of the object plus a comma (,) and the local variable of dest-base. It creates the path it is looking for in LDAP format.

Matching - By Attribute Value

Matches for objects by specific attribute values. Implement the rule on the Matching policy in the driver. You can implement the rule on either the Subscriber or the Publisher channel or on both channels.

There are two steps involved in using the predefined rules: creating a policy in the Matching policy set and importing the predefined rule. If you already have a Matching policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Matching policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Matching policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Matching - by attribute value, then click OK.

  3. Edit the action by double-clicking the Actions tab.

  4. Delete [Enter base DN to start search] from the Enter DN field.

  5. Click the Edit Arguments icon to launch the Argument Builder.

  6. Select Text in the Noun list.

  7. Double-click Text to add it to the argument.

  8. In the Editor, click the browse icon, then browse to and select the container where you want the search to start, then click OK.

  9. Delete [Enter name of attribute to match on] from the Enter Match Attributes field.

  10. Click the Edit Arguments icon to launch the Match Attributes Builder.

  11. Click the browse icon and select the attributes you want to match. You can select one or more attributes to match against, then click OK.

  12. Click OK.

  13. Save the rule by clicking File > Save.

    Matching - By Attribute Value
How the Rule Works

Matches for User objects by attributes. When a User object is synchronized, the driver uses the rule to check and see if the specified attributes exist. If the attributes do not exist, a new User object is created.

Placement - Publisher Mirrored

Places objects in the Identity Vault by using the mirrored structure in the data store from a specified point. Implement the rule on the Placement policy in the driver. You can implement the rule only on the Publisher channel.

There are two steps involved in using the predefined rules: creating a policy in the Placement policy set and importing the predefined rule. If you already have a Placement policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Placement policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Placement policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Placement - Publisher Mirrored, then click OK.

  3. Edit the condition by double-clicking the Conditions tab.

  4. Delete [Enter base of source hierarchy] from the Value field.

  5. Browse to and select the container in the source hierarchy where you want the object to be acted upon, then click OK.

  6. Edit the action by double-clicking the Actions tab.

  7. Delete [Enter base of destination hierarchy] from the Enter String field.

  8. Click the Edit Arguments icon to launch the Argument Builder.

  9. Select Text in the Noun list.

  10. Double-click Text to add it to the argument.

  11. In the Editor, click the browse icon, browse to and select the container in the destination hierarchy where you want the object to be placed, then click OK.

  12. Click OK.

  13. Save the rule by clicking File > Save.

    Placement - Publisher Mirrored
How the Rule Works

If the User object resides in the source hierarchy, the object is placed in the mirrored structure from the data store. The placement starts at the point that the local variable dest-base is defined. It places the User object in the location of dest-base\unmatched source DN. The rule uses the slash format.

Placement - Subscriber Mirrored - LDAP Format

Places objects in the data store by using the mirrored structure in the Identity Vault from a specified point. Implement the rule on the Placement policy in the driver. You can implement the rule only on the Subscriber channel.

There are two steps involved in using the predefined rules: creating a policy in the Placement policy set and importing the predefined rule. If you already have a Placement policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Placement policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Placement policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Placement - Subscriber Mirrored - LDAP format, then click OK.

  3. Edit the condition by double-clicking the Conditions tab.

  4. Delete [Enter base of source hierarchy] from the Value field.

  5. Browse to the container in the source hierarchy where you want the object to be acted upon, then click OK.

  6. Edit the action by double-clicking the Actions tab.

  7. Delete [Enter base of destination hierarchy] from the Enter String field.

  8. Click the Edit Arguments icon to launch the Argument Builder.

  9. Select Text in the Noun list.

  10. Double-click Text to add it to the argument.

  11. In the Editor, click the browse icon and browse to the container in the destination hierarchy where you want the object to be placed, then click OK.

  12. Click OK.

  13. Save the rule by clicking File > Save.

    Placement - Subscriber Mirrored - LDAP Format
How the Rule Works

If the User object resides in the source hierarchy, then the object is placed in the mirrored structure from the Identity Vault. The placement starts at the point that the local variable dest-base is defined. It places the User object in the location of unmatched source DN, dest-base. The rule uses LDAP format.

Placement - Publisher Flat

Places objects from the data store into one container in the Identity Vault. Implement the rule on the Placement policy in the driver. You can implement the rule only on the Publisher channel.

There are two steps involved in using the predefined rules: creating a policy in the Placement policy set and importing the predefined rule. If you already have a Placement policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Placement policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Placement policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Placement - Publisher Flat, then click OK.

  3. Edit the action by double-clicking the Actions tab.

  4. Delete [Enter DN of destination container] from the Enter String field.

  5. Click the Edit Arguments icon to launch the Argument Builder.

  6. Select Text in the Noun list.

  7. Double-click Text to add it to the argument.

  8. In the Editor, click the browse icon, then browse to and select the destination container where you want all of the User objects to be placed, then click OK.

  9. Click OK.

  10. Save the rule by clicking File > Save.

    Placement - Publisher Flat
How the Rule Works

The rule places all User objects in the destination DN. The rule sets the DN of the destination container as the local variable dest-base. The rule then sets the destination DN to be the dest-base\CN attribute. The CN attribute of the User object is the first two letters of the Given Name attribute plus the Surname attribute as lowercase. The rule uses slash format.

Placement - Subscriber Flat - LDAP Format

Places objects from the Identity Vault into one container in the data store. Implement the rule on the Subscriber Placement policy in the driver.

There are two steps involved in using the predefined rules: creating a policy in the Placement policy set and importing the predefined rule. If you already have a Placement policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Placement policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

    Create Policy Wizard
  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Placement policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Placement - Subscriber Flat - LDAP format, then click OK.

  3. Edit the action by double-clicking the Actions tab.

  4. Delete [Enter DN of destination container] from the Enter String field.

  5. Click the Edit Arguments icon to launch the Argument Builder.

  6. Select Text in the Noun list.

  7. Double-click Text to add it to the argument.

  8. In the Editor, add the destination container where you want all of the User objects to be placed. Make sure the container is specified in LDAP format, then click OK.

  9. Click OK.

  10. Save the rule by clicking File > Save.

How the Rule Works

The rule places all User objects in the destination DN. The rule sets the DN of the destination container as the local variable dest-base. The rule then sets the destination DN to be uid=unique name,dest-base. The uid attribute of the User object is the first two letters of the Given Name attribute plus the Surname attribute in lowercase. The rule uses LDAP format.

Placement - Publisher By Dept

Places objects from one container in the data store into multiple containers in the Identity Vault. Implement the rule on the Placement policy in the driver. You can implement the rule only on the Publisher channel.

There are two steps involved in using the predefined rules: creating a policy in the Placement policy set and importing the predefined rule. If you already have a Placement policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Placement policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Placement policy is saved.

Importing the Predefined Rule
  1. Right-click in Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Placement - Publisher By Dept, then click OK.

  3. Edit the action by double-clicking the Actions tab.

  4. Delete [Enter DN of destination Organization] from the Enter String field.

  5. Click the Edit Arguments icon to launch the Argument Builder.

  6. Select Text in the Noun list.

  7. Double-click Text to add it to the argument.

  8. In the Editor, click the browse icon, then browse to and select the parent container in the Identity Vault. Make sure all of the department containers are child containers of this DN, then click OK.

  9. Click OK.

  10. Save the rule by clicking File > Save.

How the Rule Works

The rule places User objects in proper department containers depending upon what value is stored in the OU attribute. If a User object needs to be placed and has the OU attribute available, then the User object is placed in the dest-base\value of OU attribute\CN attribute.

The dest-base is a local variable. The DN must be the relative root path of the department containers. It can be an organization or an organizational unit. The value stored in the OU attribute must be the name of a child container of the dest-base local variable.

The child containers must be associated for the user objects to be placed. The value of the OU attribute must be the name of the child container. If the OU attribute is not present, this rule is not executed.

The CN attribute of the User object is the first two letters of the Given Name attribute plus the Surname attribute in lowercase. The rule uses slash format.

Placement - Subscriber By Dept - LDAP Format

Places objects from one container in the Identity Vault into multiple containers in the data store based on the OU attribute. Implement the rule on the Placement policy in the driver. You can implement the rule only on the Subscriber channel.

There are two steps involved in using the predefined rules: creating a policy in the Placement policy set and importing the predefined rule. If you already have a Placement policy that you want to add this rule to, skip to Importing the Predefined Rule.

Creating a Policy
  1. From the Outline view or the Policy Flow view, select the Publisher channel.

  2. Select the Placement policy set in the Policy Set view, then click the Create or add a new policy to the Policy Set icon to create a new policy.

  3. Click Create a new policy, then click Next.

  4. Name the policy.

  5. Use the location that is populated to place the policy in the driver.

  6. Select Open Editor after creating policy, then click Next.

  7. Select DirXML Script for the type of policy, then click Finish.

  8. A file conflict window appears with the message “Before editing this item you need to save. Do you wish to save the editor’s changes and continue?” Click Yes. The Policy Builder is launched and the new Placement policy is saved.

Importing the Predefined Rule
  1. Right-click in the Policy Builder, then click New > Predefined Rule > Insert Predefined Rule Before or Insert Predefined Rule After.

  2. Select Placement - Subscriber By Dept - LDAP format, then click OK.

  3. Edit the action by double-clicking the Actions tab.

  4. Delete [Enter DN of destination Organization] from the Enter string field.

  5. Click the Edit Arguments icon to launch the Argument Builder.

  6. Select Text in the Noun list.

  7. Double-click Text to add it to the argument.

  8. In the Editor, add the parent container in the data store. The parent container must be specified in LDAP format. Make sure all of the department containers are child containers of this DN, then click OK.

  9. Click OK.

  10. Save the rule by clicking File > Save.

How the Rule Works

The rule places User objects in proper department containers depending upon what value is stored in the OU attribute. If a User object needs to be placed and has the OU attribute available, then the User object is placed in the uid=unique name,ou=value of OU attribute,dest-base.

The dest-base is a local variable. The DN must be the relative root path of the department containers. It can be an organization or an organizational unit. The value stored in the OU attribute must be the name of a child container of the dest-base local variable.

The child containers must be associated for the User objects to be placed. The value of the OU attribute must be the name of the child container. If the OU attribute is not present, then this rule is not executed.

The uid attribute of the User object is the first two letters of the Given Name attribute plus the Surname attribute in lowercase. The rule uses LDAP format.
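The DN construction described above, as an added Python example (not Designer's code or the predefined rule's DirXML Script): it reads a User Add event and returns uid=unique name,ou=value of OU attribute,dest-base. The XDS document, the o=acme base, and the set of child containers are constructed sample values; the RFC 4514 escaping and the child-container check are assumptions added here, and the collision handling behind the unique name is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed XDS Add event for a User (sample input, not a Designer file).
SAMPLE_ADD = r"""<nds dtdversion="2.0">
  <input>
    <add class-name="User" src-dn="\ACME\Users\Jane Doe">
      <add-attr attr-name="Given Name"><value>Jane</value></add-attr>
      <add-attr attr-name="Surname"><value>Doe</value></add-attr>
      <add-attr attr-name="OU"><value>Sales</value></add-attr>
    </add>
  </input>
</nds>"""


def escape_rdn_value(value):
    """Escape an attribute value for use inside an LDAP DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def place_by_dept_ldap(xds, dest_base, child_containers):
    """Return the destination DN the rule describes, or None if it does not apply."""
    add = next((e for e in ET.fromstring(xds).iter("add")
                if e.get("class-name") == "User"), None)
    if add is None:
        return None
    attrs = {a.get("attr-name"): (a.findtext("value") or "")
             for a in add.findall("add-attr")}
    ou = attrs.get("OU")
    if not ou:
        return None  # OU not present: the rule is not executed
    if ou not in child_containers:
        # Assumption: refuse values that do not name a child container of dest-base
        raise ValueError(f"OU {ou!r} is not a child container of {dest_base}")
    # First two letters of Given Name plus Surname, in lowercase
    uid = (attrs.get("Given Name", "")[:2] + attrs.get("Surname", "")).lower()
    return f"uid={escape_rdn_value(uid)},ou={escape_rdn_value(ou)},{dest_base}"


if __name__ == "__main__":
    print(place_by_dept_ldap(SAMPLE_ADD, "o=acme", {"Sales", "HR"}))
```
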

2.2.7 Testing Policies with the Policy Simulator

The Policy Simulator allows you to execute a policy at any point in the flow of the driver and see the results without implementing the policy in the Identity Vault. You can test the policies without affecting the production environment or the connected system.

For more information about common tasks with the Policy Simulator, see the following sections:

The Policy Simulator uses XML. The eDirectory document type definition file (nds.dtd) defines the schema of the XML documents that the Metadirectory engine can process. XML documents that do not conform to this schema generate errors. To verify whether the document conforms to the nds.dtd and find information about why errors are occurring, see eDirectory DTD Commands and Events.

The Policy Simulator cannot simulate the initial policy sets from application drivers such as SOAP and Delimited text. These drivers use comma-separated files or text files as input, and the XML or XDS is derived from policies in the policy chain. Currently, the Policy Simulator only accepts valid XML or XDS as input. Additional functionality is being considered for future releases.

Accessing the Policy Simulator

The Policy Simulator can be accessed in three different ways:

Outline View
  1. Click the Show Model Outline icon.

  2. Right-click the driver, publisher, subscriber, mapping rule, filter, or any policy you want to simulate, then click Simulate.

Policy Flow
  1. Click the Show Policy Flow icon.

  2. Right-click the input, output, schemaMapping, filter, and any policy set icons you want to simulate, then click Simulate.

Editors

You can access the Policy Simulator through the Policy Builder, the Schema Mapping editor, or the Filter editor by selecting the Policy Simulator icon in the toolbar of each editor.

Using the Policy Simulator

The Policy Simulator allows you to select a point in the driver flow to test the policy with a specific operation. It allows you to edit the input and output documents while you are testing. If you want to keep the changes, select the Save As icon to save the document as an XML file.

To use the Policy Simulator:

  1. From the Simulation Point drop-down list, select the place in the driver flow where you want to test the policy. You can select any of the following items: Publisher Channel, Subscriber Channel, Input, Schema Mapping, Event, Sync Filter, Matching, Creation, Placement, Command, and Notify Filter.

    If you select a specific policy or rule to test, the Simulation Point option only shows To NDS or From NDS.

  2. Select Import, then browse to and select a file to test.

    Designer comes with sample event files you can use. The files are located in the plug-in com.novell.designer.idm.policy\simulation. The events are Add, Association, Delete Instance, Modify, Move, Query, Rename, and Status.

  3. Double-click a folder to display the available events. Each event has different files you can select. For example, if you select Add, you have three options: Organization.xml, OrganizationalUnit.xml, and User.xml. The file indicates the event. If you select User.xml, it is an Add event for a user object.

  4. Select a file, then click Open to display the input document in the window.

  5. Click Next.

  6. Select the Trace tab to see the results of the event as the policy was processed. The information in this window is the same information that you see in DSTRACE.

  7. Select the Output tab to see the output document that was generated.

  8. Select the Compare tab to compare the output document to the input document.

  9. When you are finished looking at the results, click Repeat to test another event against the policy.

  10. When you are finished testing, click Finish to close the Policy Simulator.

Simulating Policies with Java Extensions

Policies that contain references to external Java extensions can now be simulated by specifying the directory where the jar file is located.

To determine or change the extension directory:

  1. Select Windows > Preferences from the tool bar.

  2. Navigate to the Designer for IDM > Simulation page.

  3. Copy the jar file containing the Java class to the specified directory and simulate the policy.

NOTE: The Enable unsupported and experimental pre-release functionality option enables the Policy Simulator to test the policies against a live Identity Vault or the connected systems. This option is not supported in Designer 1.2 and is not documented.

2.2.8 Editing the DirXML Script

Designer enables you to view, edit, and validate the XML by using an XML editor or text editor.

Viewing the XML Source

You can view the XML Source in XML or in the XML tree format.

To open the XML Source view:

  1. Click XML Source at the bottom of the Policy Builder's workspace.

    The XML editor displays line numbers.

  2. To see the line number, right-click in the left margin, then select Show Line Numbers.

    The XML editor expands or collapses the XML by function. If there are functions that contain a large amount of XML, you can collapse the XML by clicking the minus icon in the top left corner.

  3. To expand all of the XML functions, click the plus icon in the left corner.

    Each element has its own plus or minus icon in the left margin.

To view the XML in the tree format:

  1. Click XML Tree at the bottom of the Policy Builder's workspace.

To see the entire tree view, expand each item listed.

Editing the XML Source

You can edit the XML through the XML editor. You can make changes here as well as through the GUI interface.

Figure 2-12 Editing the XML Source

The default editor that is loaded is the one associated with .xml file types. If a default editor can't be found, the system text editor is loaded. The functionality of the XML Source view is based on the editor that loads.

Right-click to display the list of the functions the XML editor contains.

Table 2-5 XML Editor Options

| Function | Description |
|---|---|
| Undo | Undoes the last action. |
| Revert File | Reverts the file to the last version that was saved. |
| Save | Saves the file. |
| Cut | Cuts the selected information. |
| Paste | Pastes the information into the document. |
| Shift Right | Indents the line to the right. |
| Shift Left | Indents the line to the left. |
| Attach DTD or XML Schema | Attaches a DTD or XML schema file for validation of the policy. |
| Validate | Validates the XML code. |
| Preferences | Sets the preferences for the XML editor. |

To select a different XML editor for your Source view:

  1. From the Main menu, select Window > Preferences.

  2. Select General > Editors > File Associations.

  3. Select *.xml from the list under File Types.

  4. Select the editor you want (for example, Novell XML Editor) in the Associated editors pane. (If the editor you want isn't in the list, you can click Add, then add it to the list.)

  5. Click OK.

  6. Close and reopen the Policy Builder.

Validating the XML Source

The XML editor validates the XML code. Right-click, then select Validate. If there are errors, a red x is displayed on the line where the error occurs. An explanation at the bottom of the window gives more information about the problem.

Figure 2-13 Validating the XML Source

In this example, the end tag for if-operation has no matching start tag.
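The same kind of error can be caught outside Designer, for example before a saved policy file is imported or handed to the Policy Simulator. This added Python example (not part of Designer) checks well-formedness only, not conformance to a DTD, and reports the line, the stray end tag, and the element that was open at that point; the policy fragment is constructed and `check_policy_xml` is a hypothetical helper name.

```python
import re
import xml.parsers.expat as expat

# Constructed DirXML Script fragment with a stray </if-operation> end tag.
BROKEN_POLICY = """<policy>
  <rule>
    <description>Placement test</description>
    <conditions>
      <and>
        </if-operation>
      </and>
    </conditions>
    <actions/>
  </rule>
</policy>"""


def check_policy_xml(xml_text):
    """Return None when the text is well-formed, else a dict for the first error."""
    open_elements = []  # stack of elements that are currently open
    parser = expat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: open_elements.append(name)
    parser.EndElementHandler = lambda name: open_elements.pop()
    try:
        parser.Parse(xml_text, True)
        return None
    except expat.ExpatError as err:
        lines = xml_text.splitlines()
        line_text = lines[err.lineno - 1] if 0 < err.lineno <= len(lines) else ""
        # Name of an end tag on the failing line, if there is one
        match = re.search(r"</([^\s>]+)", line_text)
        return {
            "line": err.lineno,
            "error": expat.ErrorString(err.code),
            "end_tag": match.group(1) if match else None,
            "open_element": open_elements[-1] if open_elements else None,
        }


if __name__ == "__main__":
    print(check_policy_xml(BROKEN_POLICY))
```
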