2.6 Actions

This section contains a detailed reference to all actions available in the Policy Builder interface.

2.6.1 Add Association

Sends an add association command to the Identity Vault, with the specified association.

Fields

Mode

Select whether this action should be added to the current operation, or written directly to the Identity Vault.

DN

Specify the DN of the target object or leave blank to use the current object.

Association

Specify the value of the association to be added.

Example

Add Association

2.6.2 Add Destination Attribute Value

Adds a value to an attribute on an object in the destination data store.

Fields

Attribute Name

Specify the name of the attribute.

Class Name

(Optional) Specify the class name of the target object. Leave blank to use the class name from the current object.

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Object

Select the target object. This object can be the current object, or be specified by a DN or an association.

Value Type

Select the syntax of the attribute value to be added.

Value

Specify the attribute value to be added.

Example

The example adds the destination attribute value to the OU attribute. It creates the value from the local variables that are created. The rule is from the predefined rules that come with Identity Manager. For more information, see Command Transformation - Create Departmental Container - Part 1 and Part 2.

Create Department Container Part 1
Create Department Container Part 2
Add Destination Attribute Value

2.6.3 Add Destination Object

Creates a new object in the destination data store.

Fields

Class Name

Specify the class name of the object to be created.

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

DN

Specify the DN of the object to be created.

Remarks

Any attribute values to be added as part of the object creation must be added in subsequent Add Destination Attribute Value actions (see Section 2.6.2) using the same DN.

Example

The example creates the department container that is needed. The rule is from the predefined rules that come with Identity Manager. For more information, see Command Transformation - Create Departmental Container - Part 1 and Part 2.

Predefined Rule Create Department Container Part 1
Predefined Rule Create Department Container Part 2
Add Destination Object

The Organizational Unit object is created. The value for the OU attribute is created from the destination attribute value action that occurs after this action.

2.6.4 Add Source Attribute Value

Adds a value to an attribute on an object in the source data store.

Fields

Attribute Name

Specify the name of the attribute.

Class Name

(Optional) Specify the class name of the target object. Leave blank to use the class name from the current object.

Object

Select the target object. This object can be the current object, or be specified by a DN or an association.

Value Type

Select the syntax of the attribute value to be added.

Value

Specify the attribute value to be added.

Example

Add Source Attribute Value

2.6.5 Add Source Object

Creates an object of the specified type in the source data store. Any attribute values to be added as part of the object creation must be done in subsequent Add Source Attribute Value actions using the same DN.

Fields

Class Name

Specify the class name of the object to be added.

DN

Specify the DN of the object to be added.

Example

Add Source Object

2.6.6 Append XML Element

Appends an element to a set of elements selected by an XPath expression.

Fields

Variable Name

Specify the tag name of the XML element. This name can contain a namespace prefix if the prefix has been previously defined in this policy.

XPath Expression

Specify an XPath 1.0 expression that returns a node set containing the elements to which the new elements should be appended.

Example

Append XML Element

2.6.7 Append XML Text

Appends text to a set of elements selected by an XPath expression.

Fields

XPath Expression

XPath 1.0 expression that returns a node set containing the elements to which the text should be appended.

String

Specify the text to be appended.

Example

Append XML Text

2.6.8 Break

Ends processing of the current operation by the current policy.

Example

Break

2.6.9 Clear Destination Attribute Value

Removes all values of an attribute from an object in the destination data store.

Fields

Attribute Name

Specify the name of the attribute.

Class Name

(Optional) Specify the class name of the target object. Leave blank to use the class name from the current object.

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Object

Select the target object. This object can be the current object, or be specified by a DN or an association.

Example

Clear Destination Attribute Value

2.6.10 Clear Operation Property

Clears any operation property from the current operation.

Fields

Property Name

Specify the name of the operation property to clear.

Example

Clear Operation Property

2.6.11 Clear Source Attribute Value

Removes all values of an attribute from an object in the source data store.

Fields

Attribute Name

Specify the name of the attribute.

Class Name

(Optional) Specify the class name of the target object. Leave blank to use the class name from the current object.

Object

Select the target object. This object can be the current object, or be specified by a DN or an association.

Example

Clear Source Attribute Value

2.6.12 Clear SSO Credential

Clears the Single Sign On credential, so objects can be deprovisioned. This action is part of the Credential Provisioning policies. For more information, see Section 4.0, Novell Credential Provisioning Policies.

Fields

Credential Store Object DN

Specify the DN of the repository object.

Target User DN

Specify the DN of the target users.

Application Credential ID

Specify the application credential that is stored in the application object.

Login Parameter Strings

Specify each login parameter for the application. The login parameters are the authentication keys stored in the application object.

Example

2.6.13 Clone By XPath Expressions

Appends deep copies of a set of XML nodes selected by an XPath expression to a set of elements selected by another XPath expression.

Fields

Source XPath Expression

Specify the XPath 1.0 expression that returns the node set containing the nodes to be copied.

Destination XPath Expression

Specify the XPath 1.0 expression that returns a node set containing the elements to which the copied nodes are to be appended.

Example

Clone By XPath Expressions

2.6.14 Clone Operation Attribute

Copies all occurrences of an attribute within the current operation to a different attribute within the current operation.

Fields

Source Name

Specify the name of the attribute to be copied from.

Destination Name

Specify the name of the attribute to be copied to.

Example

The example adds a User object to the appropriate group, Employee or Manager, based on Title. It also creates the group, if needed, and sets up security equal to that group. The policy is Govern Groups for User Based on Title Attribute, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.

Adding User Objects to Groups Based on Title
Clone Operation Attribute

The Clone Operation Attribute is taking the information from the Group Membership attribute and adding that to the Security Equals attribute so the values are the same.

2.6.15 Delete Destination Object

Deletes an object in the destination data store.

Fields

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Object

Select the target object. This object can be the current object, or be specified by a DN or an association.

Example

Delete Destination Object

2.6.16 Delete Source Object

Deletes an object in the source data store.

Fields

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Object

Select the target object to delete in the source data store. This object can be the current object, or be specified by a DN or an association.

Example

Delete Source Object

2.6.17 Find Matching Object

Finds a match for the current object in the destination data store.

Fields

Scope

Select the scope of the search. The scope might be an entry, subordinates, or a subtree.

DN

Specify the DN that is the base of the search.

Match Attributes

Specify the attribute values to search for.

Remarks

Find Matching Object is only valid when the current operation is an add.

The DN argument is required when scope is “entry”, and is optional otherwise. At least one match attribute is required when scope is “subtree” or “subordinates”. The results are undefined if scope is entry and there are match attributes specified. If the destination data store is the connected application, then an association is added to the current operation for each successful match that is returned. No query is performed if the current operation already has a non-empty association, thus allowing multiple find matching object actions to be strung together in the same rule.

If the destination data store is the Identity Vault, then the destination DN attribute for the current operation is set. No query is performed if the current operation already has a non-empty destination DN attribute, thus allowing multiple find matching object actions to be strung together in the same rule. If only a single result is returned and it is not already associated, then the destination DN of the current operation is set to the source DN of the matching object. If only a single result is returned and it is already associated, then the destination DN of the current operation is set to the single character . If multiple results are returned, then the destination DN of the current operation is set to the single character �.

Example

The example matches on Users objects using the attributes CN and L. The location where the rule is searching starts at the Users container and adds the information stored in the OU attribute to the DN. The rule is from the predefined rules that come with Identity Manager. For more information, see Matching - By Attribute Value.

Matching by Attribute Value
Find Matching Object

When you click the Argument Builder icon, the Match Attribute Builder comes up. You specify the attribute you want to match in the builder. This example uses the CN and L attributes.

Match Attribute Builder
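The Remarks above set three rules for combining Scope, DN and Match Attributes, and a rule that breaks them either fails or gives undefined matches. The lint below is an added example, not code from the product documentation: it checks every Find Matching Object action in a policy against those rules. The element and attribute names (do-find-matching-object, scope, arg-dn, arg-match-attr) are assumed from the DirXML Script form of the action, and the sample policy is constructed.

```python
import xml.etree.ElementTree as ET

SCOPES = ("entry", "subordinates", "subtree")

# Constructed sample input. Element and attribute names are an assumption
# taken from the DirXML Script form of the action; the page itself lists
# only the Policy Builder fields (Scope, DN, Match Attributes).
SAMPLE_POLICY = """\
<policy>
  <rule>
    <description>Match users by CN and L</description>
    <actions>
      <do-find-matching-object scope="subtree">
        <arg-dn><token-text>Users</token-text></arg-dn>
        <arg-match-attr name="CN"/>
        <arg-match-attr name="L"/>
      </do-find-matching-object>
    </actions>
  </rule>
  <rule>
    <description>Entry scope, no DN</description>
    <actions>
      <do-find-matching-object scope="entry"/>
    </actions>
  </rule>
  <rule>
    <description>Entry scope with match attributes</description>
    <actions>
      <do-find-matching-object scope="entry">
        <arg-dn><token-text>Users</token-text></arg-dn>
        <arg-match-attr name="CN"/>
      </do-find-matching-object>
    </actions>
  </rule>
  <rule>
    <description>Subordinates scope, nothing to match on</description>
    <actions>
      <do-find-matching-object scope="subordinates">
        <arg-dn><token-text>Users</token-text></arg-dn>
      </do-find-matching-object>
    </actions>
  </rule>
</policy>
"""


def check_find_matching_object(action):
    """Return the Remarks rules that one Find Matching Object action breaks."""
    scope = action.get("scope", "")
    has_dn = action.find("arg-dn") is not None
    match_attrs = [m.get("name") for m in action.findall("arg-match-attr")]
    problems = []
    if scope not in SCOPES:
        problems.append(f"unknown scope {scope!r}")
    elif scope == "entry":
        # DN is required for entry scope; match attributes make the result undefined.
        if not has_dn:
            problems.append("scope 'entry' requires a DN")
        if match_attrs:
            problems.append("scope 'entry' with match attributes gives undefined results")
    elif not match_attrs:
        # subtree and subordinates need something to match on; DN is optional.
        problems.append(f"scope {scope!r} requires at least one match attribute")
    return problems


def lint_policy(xml_text):
    """Return (rule description, problem) pairs for every rule in the policy."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("rule"):
        description = (rule.findtext("description") or "").strip()
        for action in rule.iter("do-find-matching-object"):
            for problem in check_find_matching_object(action):
                findings.append((description, problem))
    return findings


if __name__ == "__main__":
    for description, problem in lint_policy(SAMPLE_POLICY):
        print(f"{description}: {problem}")
```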

2.6.18 For Each

Repeats a set of actions for each node in a node set.

Fields

Node Set

Specify the node set.

Action

Specify the actions to perform on each node in the node set.

Remarks

The current node is a different value for each iteration of the actions, if a local variable is used.

If a node in the node set is an entitlement, then the for each implicitly performs an Implement Entitlement action.

Example

For Each

The following is an example of the Argument Actions Builder being used to provide the action argument:

Named String Builder

2.6.19 Generate Event

Sends a user-defined event to Novell Audit.

Fields

ID

Specify the ID of the event. The ID must be an integer in the range of 1000-1999.

Level

Select the level of the event.

Level

Description

log-emergency

Events that cause the Metadirectory engine or driver to shut down.

log-alert

Events that require immediate attention.

log-critical

Events that can cause parts of the Metadirectory engine or driver to malfunction.

log-error

Events describing errors that can be handled by the Metadirectory engine or driver.

log-warning

Negative events not representing a problem.

log-notice

Events (positive or negative) an administrator can use to understand or improve use and operation.

log-info

Positive events of any importance.

log-debug

Events of relevance for support or engineers to debug the operation of the Metadirectory engine or driver.

Strings

Specify user-defined string, integer, and binary values to include with the event. These values are provided using the Named String Builder.

String Name

Description

target

The object being acted upon.

target-type

Integer specifying a predefined format for the target. Predefined values for target-type are currently:

  • 0 = None

  • 1 = Slash Notation

  • 2 = Dot Notation

  • 3 = LDAP Notation

subTarget

The subcomponent of the target being acted upon.

text1

Text entered here is stored in the text1 event field.

text2

Text entered here is stored in the text2 event field.

text3

Text entered here is stored in the text3 event field.

value

Any number entered here is stored in the value event field.

value3

Any number entered here is stored in the value3 event field.

data

Data entered here is stored in the blob event field.

Remarks

The Novell Audit event structure contains a target, a subTarget, three strings (text1, text2, text3), two integers (value, value3), and a generic field (data). The text fields are limited to 256 bytes, and the data field can contain up to 3 KB of information, unless a larger data field is enabled in your environment.

Example

The example has four rules that implement a placement policy for User objects based on the first character of the Surname attribute. It generates both a trace message and a custom Novell Audit event. The Generate Event action is used to send an event to Novell Audit. The policy name is Policy to Place by Surname, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.

Policy to Place by Surname
Generate Event

The following is an example of the Named String Builder being used to provide the strings argument.

Named String Builder

Generate Event creates an event with the ID 1000 and displays the text generated by the local variable LVUser1. LVUser1 is the string “User:” + Operation Attribute “cn” + “ added to the ” + “Training\Users\Active\Users1” + “ container”. The event reads: User:jsmith added to the Training\Users\Active\Users1 container.
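The ID range, the level list, the target-type values and the size limits above are easy to exceed when event text is built from attribute values, and the text limit is counted in bytes rather than characters. The check below is an added example, not code from the product documentation: it validates a Generate Event argument set against the limits stated in this section and shortens text on a character boundary. It assumes UTF-8 encoding for the text fields and 1 KB = 1024 bytes; the level and the text1 field used for the sample event are constructed.

```python
LEVELS = (
    "log-emergency", "log-alert", "log-critical", "log-error",
    "log-warning", "log-notice", "log-info", "log-debug",
)
TARGET_TYPES = {0: "None", 1: "Slash Notation", 2: "Dot Notation", 3: "LDAP Notation"}
TEXT_FIELDS = ("text1", "text2", "text3")
INT_FIELDS = ("value", "value3")
KNOWN_STRINGS = ("target", "target-type", "subTarget", "data") + TEXT_FIELDS + INT_FIELDS
TEXT_LIMIT = 256        # bytes per text field, as stated in the Remarks
DATA_LIMIT = 3 * 1024   # bytes; default size, assuming 1 KB = 1024 bytes

# The event text from the example on this page; putting it in text1 is an assumption.
PAGE_EXAMPLE = {"text1": r"User:jsmith added to the Training\Users\Active\Users1 container"}


def fit_utf8(text, limit=TEXT_LIMIT):
    """Shorten text to at most `limit` UTF-8 bytes without splitting a character."""
    raw = text.encode("utf-8")
    if len(raw) <= limit:
        return text
    # Cutting inside a multi-byte sequence leaves a partial character at the
    # end of the slice; errors="ignore" drops those trailing bytes.
    return raw[:limit].decode("utf-8", errors="ignore")


def check_event(event_id, level, strings):
    """Return a list of problems with a Generate Event argument set."""
    problems = []
    is_int = isinstance(event_id, int) and not isinstance(event_id, bool)
    if not is_int or not 1000 <= event_id <= 1999:
        problems.append(f"id {event_id}: must be an integer in the range 1000-1999")
    if level not in LEVELS:
        problems.append(f"level {level}: not one of the listed levels")
    for name, value in strings.items():
        if name not in KNOWN_STRINGS:
            problems.append(f"{name}: not a named string listed for Generate Event")
        elif name == "target-type":
            if value not in TARGET_TYPES:
                problems.append(f"target-type {value}: must be 0, 1, 2 or 3")
        elif name in TEXT_FIELDS:
            size = len(str(value).encode("utf-8"))
            if size > TEXT_LIMIT:
                problems.append(f"{name}: {size} bytes exceeds the {TEXT_LIMIT}-byte limit")
        elif name in INT_FIELDS:
            if not isinstance(value, int) or isinstance(value, bool):
                problems.append(f"{name}: must be an integer")
        elif name == "data":
            raw = value if isinstance(value, bytes) else str(value).encode("utf-8")
            if len(raw) > DATA_LIMIT:
                problems.append(f"data: {len(raw)} bytes exceeds the {DATA_LIMIT}-byte default")
    return problems


if __name__ == "__main__":
    print(check_event(1000, "log-info", PAGE_EXAMPLE))
    long_name = "a" + "\u00e9" * 128   # 129 characters, 257 bytes in UTF-8
    print(check_event(1000, "log-info", {"text1": long_name}))
    print(len(fit_utf8(long_name).encode("utf-8")))
```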

2.6.20 Implement Entitlement

Designates actions that implement an entitlement so that the status of those entitlements might be reported to the agent that granted or revoked the entitlement.

Fields

Node Set

Node set containing the entitlements being implemented by the specified actions.

Action

Actions that implement the specified entitlements.

Example

Implement Entitlement

The following is an example of the Argument Actions Builder, used to provide the action argument:

Implement Entitlement

2.6.21 Move Destination Object

Moves an object in the destination data store.

Fields

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Class Name

(Optional) Specify the class name of the object to be moved. Leave blank to use the class name from the current object.

Object to Move

Select the object to be moved. This object can be the current object, or can be specified by a DN or an association.

Container to Move to

Select the target container. This container is specified by a DN or an association.

Example

The example contains a single rule that disables a user’s account and moves it to a disabled container when the Description attribute indicates the user is terminated. The policy is named Disable User Account and Move When Terminated, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.

Move on Termination
Move Destination Object

The policy checks to see if it is a modify event on a User object and if the attribute Description contains the value of terminated. If that is the case, then it sets the attribute of Login Disabled to true and moves the object to the User\Disabled container.

2.6.22 Move Source Object

Moves an object in the source data store.

Fields

Object to Move

Select the object to be moved. This object can be the current object, or can be specified by a DN or an association.

Container to Move to

Select the target container. This container is specified by a DN or an association.

Example

Move Source Object

2.6.23 Reformat Operation Attribute

Reformats all values of an attribute within the current operation using a pattern.

Fields

Name

Specify the name of the attribute.

Value Type

Specify the syntax of the new attribute values.

Value

Specify a value to use as a pattern for the new format of the attribute values. If the original value is needed to construct the new value, it must be obtained by referencing the local variable current-value.

Example

The example reformats the telephone number. It changes it from (nnn)-nnn-nnnn to nnn-nnn-nnnn. The rule is from the predefined rules that come with Identity Manager. For more information, see Input or Output Transformation - Reformat Telephone Number from (nnn) nnn-nnnn to nnn-nnn-nnnn.

Input or Output Transformation - Reformat Telephone Number
Reformat Operation Attribute

The action reformat operation attribute changes the format of the telephone number. The rule uses the Argument Builder and regular expressions to change how the information is displayed.

2.6.24 Remove Association

Sends a remove association command to the Identity Vault.

Fields

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Association

Specify the value of the association to be removed.

Example

The example takes a delete operation and disables the User object instead. It transforms the event. The rule is from the predefined rules that come with Identity Manager. For more information, see Command Transformation - Publisher Delete to Disable.

Publisher Delete to Disable
Remove Association

When a delete operation occurs for a User object, the value of the attribute Login Disabled is set to true and the association is removed from the object. The association is removed because the associated object in the connected application no longer exists.

2.6.25 Remove Destination Attribute Value

Removes an attribute value from an object in the destination data store.

Fields

Attribute Name

Specify the name of the attribute.

Class Name

(Optional) Specify the class name of the target object. Leave blank to use the class name from the current object.

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Object

Select the target object. This object can be the current object, or can be specified by a DN or an association.

Value Type

Specify the syntax of the attribute value to be removed.

Value

Specify the value of the new attribute.

Example

Remove Destination Attribute Value

2.6.26 Remove Source Attribute Value

Removes the specified value from the named attribute on an object in the source data store.

Fields

Attribute Name

Specify the name of the attribute.

Class Name

(Optional) Specify the class name of the target object. Leave blank to use the class name from the current object.

Object

Select the target object. This object can be the current object, or can be specified by a DN or an association.

Value Type

Specify the syntax of the attribute value to be removed.

Value

Specify the attribute value to be removed.

Example

Remove Source Attribute Value

2.6.27 Rename Destination Object

Renames an object in the destination data store.

Fields

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Object

Select the target object. This object can be the current object, or can be specified by a DN or an association.

String

Specify the new name of the object.

Example

Rename Destination Object

2.6.28 Rename Operation Attribute

Renames all occurrences of an attribute within the current operation.

Fields

Source Name

Specify the original attribute name.

Destination Name

Specify the new attribute name.

Example

Rename Operation Attribute

2.6.29 Rename Source Object

Renames an object in the source data store.

Fields

Object

Select the target object. This object can be the current object, or specified by a DN or an association.

String

Specify the new name of the object.

Example

Rename Source Object

2.6.30 Send Email

Sends an e-mail notification.

Fields

ID

(Optional) Specify the User ID in the SMTP system sending the message.

Server

Specify the SMTP server name.

Password

(Optional) Specify the SMTP server account password.

IMPORTANT: The value of the password attribute is stored in clear text.

Type

Select the e-mail message type.

Strings

Specify the values containing the various e-mail addresses, subject, and message. The following table lists valid named string arguments:

String Name

Description

to

Adds the address to the list of e-mail recipients; multiple instances are allowed.

cc

Adds the address to the list of CC e-mail recipients; multiple instances are allowed.

bcc

Adds the address to the list of BCC e-mail recipients; multiple instances are allowed.

from

Specifies the address to be used as the originating e-mail address.

reply-to

Specifies the address to be used as the e-mail message reply address.

subject

Specifies the e-mail subject.

message

Specifies the content of the e-mail message.

encoding

Specifies the character encoding to use for the e-mail message.

Example

Send Email

The following is an example of the Named String Builder being used to provide the strings arguments:

Named String Builder

2.6.31 Send Email From Template

Generates an e-mail notification using a template.

Fields

Notification DN

Specify the slash form DN of the SMTP notification configuration object.

Template DN

Specify the slash form DN of the e-mail template object.

Password

(Optional) Specify the SMTP server account password.

IMPORTANT: The value of the password attribute is stored in clear text.

Strings

Specify additional fields for the e-mail message. The following table contains reserved field names, which specify the various e-mail addresses:

String Name

Description

to

Adds the address to the list of e-mail recipients; multiple instances are allowed.

cc

Adds the address to the list of CC e-mail recipients; multiple instances are allowed.

bcc

Adds the address to the list of BCC e-mail recipients; multiple instances are allowed.

reply-to

Specifies the address to be used as the e-mail message reply address.

encoding

Specifies the character encoding to use for the e-mail message.

Each template might also define fields that can be replaced in the subject and body of the email message.

Example

Send Email From Template

The following is an example of the Named String Builder being used to provide the strings argument:

Named String Builder
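Because the Password field of Send Email and Send Email From Template is stored in clear text, a policy that uses it carries the SMTP secret wherever the policy export goes. The review helper below is an added example, not code from the product documentation: it lists the e-mail actions that carry a Password argument without echoing the value, and produces a redacted copy of the policy for sharing. The element names (do-send-email, do-send-email-from-template, arg-password, token-local-variable) are assumed from the DirXML Script form of these actions, and the sample policy, server name and DN placeholders are constructed.

```python
import xml.etree.ElementTree as ET

EMAIL_ACTIONS = ("do-send-email", "do-send-email-from-template")
SAMPLE_SECRET = "CONSTRUCTED-NOT-A-REAL-SECRET"

# Constructed sample input; element names are an assumption (DirXML Script form).
SAMPLE_POLICY = f"""\
<policy>
  <rule>
    <description>Notify help desk on user add</description>
    <actions>
      <do-send-email id="idm-notify" server="smtp.example.com" type="text">
        <arg-password><token-text>{SAMPLE_SECRET}</token-text></arg-password>
        <arg-string name="to"><token-text>helpdesk@example.com</token-text></arg-string>
        <arg-string name="subject"><token-text>User added</token-text></arg-string>
      </do-send-email>
    </actions>
  </rule>
  <rule>
    <description>Welcome mail from template</description>
    <actions>
      <do-send-email-from-template notification-dn="NOTIFICATION-DN-PLACEHOLDER"
                                   template-dn="TEMPLATE-DN-PLACEHOLDER">
        <arg-password><token-local-variable name="smtp-password"/></arg-password>
        <arg-string name="to"><token-text>newuser@example.com</token-text></arg-string>
      </do-send-email-from-template>
    </actions>
  </rule>
  <rule>
    <description>Relay without authentication</description>
    <actions>
      <do-send-email server="smtp.example.com" type="text">
        <arg-string name="to"><token-text>ops@example.com</token-text></arg-string>
      </do-send-email>
    </actions>
  </rule>
</policy>
"""


def find_email_passwords(xml_text):
    """Return (rule description, action, literal) for each Password argument.

    literal is True when the password is typed into the policy as text, so it
    is readable in the policy itself. False means the value is built from other
    tokens and its source needs to be traced separately. The value is never
    returned.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("rule"):
        description = (rule.findtext("description") or "").strip()
        for action in rule.iter():
            if action.tag not in EMAIL_ACTIONS:
                continue
            password = action.find("arg-password")
            if password is not None:
                literal = bool("".join(password.itertext()).strip())
                findings.append((description, action.tag, literal))
    return findings


def redact_passwords(xml_text, marker="[REDACTED]"):
    """Return the policy with the content of every Password argument replaced."""
    root = ET.fromstring(xml_text)
    for password in list(root.iter("arg-password")):
        tail = password.tail          # keep surrounding whitespace
        password.clear()              # drops child tokens, text and attributes
        password.text = marker
        password.tail = tail
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for description, action, literal in find_email_passwords(SAMPLE_POLICY):
        kind = "literal text in policy" if literal else "built from other tokens"
        print(f"{description}: {action} has a Password argument ({kind})")
    print(SAMPLE_SECRET in redact_passwords(SAMPLE_POLICY))
```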

2.6.32 Set Default Attribute Value

Adds default values to the current operation (and optionally to the current object in the source data store) if no values for that attribute already exist. It is only valid when the current operation is add.

Fields

Attribute Name

Specify the name of the default attribute.

Write Back

Select whether or not to also write back the default values to source data store.

Values

Specify the default values of the attribute.

Example

The example sets the default value for the attribute company. You can set the value for an attribute of your choice. The rule is from the predefined rules that come with Identity Manager. For more information, see Creation - Set Default Attribute Value.

Default Attribute Value
Set Default Attribute Value
Argument Values List Builder

To build the value, the Argument Value List Builder is launched. See Argument Value List Builder for more information on the builder. You can set the value to what is needed. In this case, the Argument Builder is used and the text is set to be the name of the company.

2.6.33 Set Destination Attribute Value

Adds a value to an attribute on an object in the destination data store, and removes all other values for that attribute.

Fields

Attribute Name

Specify the name of the attribute.

Class Name

(Optional) Specify the class name of the target object in the destination data store. Leave blank to use the class name from the current object.

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Object

Select the target object. This object can be the current object, or be specified by a DN or an association.

Value Type

Select the syntax of the attribute value to set.

Value

Specify the attribute values to set.

Example

The example takes a delete operation and disables the User object instead. The rule is from the predefined rules that come with Identity Manager. For more information, see Command Transformation - Publisher Delete to Disable.

Publisher Delete to Disable
Set Destination Attribute Value

The rule sets the value for the attribute of Login Disabled to true. The rule uses the Argument Builder to add the text of true for the value of the attribute. See Argument Builder for more information about the builder.

2.6.34 Set Destination Password

Sets the password for the current object in the destination data store.

Fields

Mode

Select whether this action should be added to, before, or after the current operation, or written directly to the destination data store.

Object

Select the target object. This object can be the current object, or be specified by a DN or an association.

String

Specify the password to be set.

Example

The example sets a default password for a User object that is created. The rule is from the predefined rules that come with Identity Manager. For more information, see Creation - Set Default Password.

Set Default Password
Set Destination Password

When a User object is created, the password is set to the Given Name attribute plus the Surname attribute.

2.6.35 Set Local Variable

Sets a local variable.

Fields

Variable Name

Specify the name of the local variable.

Variable Type

Select the type of local variable. This can be a string, an XPath 1.0 Node Set, or a Java object.

Value

Specify the value of the local variable.

Example

The example adds a User object to the appropriate group, Employee or Manager, based on Title. It also creates the group, if needed, and sets up security equal to that group. The policy name is Govern Groups for User Based on Title, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.

Add User Object to Group Based on Title
Set Local Variable

The local variable is set to the value that is in the User object’s destination attribute of Object Class plus the Local Variable of manager-group-info. The Argument Builder is used to construct the local variable. See Argument Builder for more information.

2.6.36 Set Operation Association

Sets the association value for the current operation.

Fields

Association

Provide the new association value.

Example

Set Operation Association

2.6.37 Set Operation Class Name

Sets the object class name for the current operation.

Fields

String

Provide the new class name.

Example

Set Operation Class Name

2.6.38 Set Operation Destination DN

Sets the destination DN for the current operation.

Fields

DN

Specify the new destination DN.

Example

The example places the objects in the Identity Vault using the structure that is mirrored from the connected system. You need to define at what point the mirroring begins in the source and destination data stores. The rule is from the predefined rules that come with Identity Manager. For more information, see Creation - Set Default Attribute Value.

Placement - Publisher Mirrored
Set Operation Destination DN

The rule sets the operation destination DN to be the local variable of the destination base location plus the source DN.

2.6.39 Set Operation Property

Sets an operation property. An operation property is a named value that is stored within an operation. It is typically used to supply additional context that might be needed by the policy that handles the results of an operation.

Fields

Property Name

Specify the name of the operation property.

String

Specify the name of the operation property.

Example

Set Operation Property

2.6.40 Set Operation Source DN

Sets the source DN for the current operation.

Fields

DN

Specify the new source DN.

Example

Set Operation Source DN

2.6.41 Set Operation Template DN

Sets the template DN for the current operation to the specified value. This action is only valid when the current operation is add.

Fields

DN

Specify the template DN.

Example

The example applies the Manager template if the Title attribute contains the word Manager. The name of the policy is Policy: Assign Template to User Based on Title, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.

Assign Manager Template
Set Operation Template DN

The template Manager Template is applied to any User object that has the attribute of Title available and it contains the word manager somewhere in the title. The policy uses regular expressions to find all possible matches.

2.6.42 Set Source Attribute Value

Adds a value to an attribute on an object in the source data store, and removes all other values for that attribute.

Fields

Attribute Name

Specify the name of the attribute.

Class Name

(Optional) Specify the class name of the target object in the source data store. Leave blank to use the class name from the current object.

Object

Select the target object. This object can be the current object, or be specified by a DN or an association.

Value Type

Select the syntax of the attribute value.

Value

Specify the attribute value to be set.

Example

The example detects when an e-mail address is changed and sets it back to what it was. The policy name is Policy: Reset Value of the E-mail Attribute, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.

Push Back on E-mail Changing
Set Source Attribute Value

The action takes the value of the destination attribute Internet EMail Address and sets the source attribute of Email to this same value.

2.6.43 Set Source Password

Sets the password for the current object in the source data store.

Fields

String

Specify the password to be set.

Example

Set Source Password

2.6.44 Set SSO Credential

Sets the SSO credential when a user object is created or when a password is modified. This action is part of the Credential Provisioning policies. For more information, see Section 4.0, Novell Credential Provisioning Policies.

Fields

Credential Store Object DN

Specify the DN of the repository object.

Target User DN

Specify the DN of the target users.

Application Credential ID

Specify the application credential that is stored in the application object.

Login Parameter Strings

Specify each login parameter for the application. The login parameters are the authentication keys stored in the application object.

Example

2.6.45 Set SSO Passphrase

Sets the Novell SecureLogin® passphrase and answer when a User object is provisioned. This action is part of the Credential Provisioning policies. For more information, see Section 4.0, Novell Credential Provisioning Policies.

Fields

Credential Store Object DN

Specify the DN of the repository object.

Target User DN

Specify the DN of the target users.

Question and Answer Strings

Specify the SecureLogin passphrase question and answer.

Example

The SecureLogin passphrase question and answer are stored as strings in the policy. Click the Edit the strings icon to launch the string builder. Specify the passphrase question and answer.

2.6.46 Set XML Attribute

Sets an XML attribute on a set of elements selected by an XPath expression.

Fields

Name

Specify the name of the XML attribute. This name can contain a namespace prefix if the prefix has been previously defined in this policy.

XPath Expression

Specify the XPath 1.0 expression that returns a node set containing the elements on which the XML attribute should be set.

String

Specify the value of the XML attribute.

Example

Set XML Attribute

2.6.47 Status

Generates a status notification.

Fields

Level

Specify the status level of the notification.

Message

Provide the status message by using the Argument Builder.

Remarks

If level is retry, then the policy immediately halts processing of the input document and schedules a retry of the event currently being processed.

If level is fatal, then the policy immediately halts processing of the input document and initiates a shutdown of the driver.

If the current operation has an event-id, then that event-id is used for the status notification, otherwise there is no event-id reported.

Example

Status

2.6.48 Strip Operation Attribute

Strips all occurrences of an attribute from the current operation.

Fields

Name

Specify the name of the attribute to be stripped.

Example

The example detects when an e-mail address is changed and sets it back to what it was. The policy name is Policy: Reset Value of the E-mail Attribute, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.

Push Back on E-mail Changing
Strip Operation Attribute

The action strips the attribute of Email. The value that is kept is what was in the destination Email attribute.
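The Push Back on E-mail Changing rule described under Set Source Attribute Value and Strip Operation Attribute can be expressed in DirXML Script, the XML form of a Policy Builder policy. This is an added example and not Novell's downloadable policy; the two conditions are assumptions, and the attribute names are the ones given in the text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: not the policy distributed by Novell. -->
<policy>
  <rule>
    <description>Push Back on E-mail Changing</description>
    <!-- Assumed conditions: act only on User objects whose Email
         attribute is being changed by the current operation. -->
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="Email" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- Set Source Attribute Value: write the value currently held in
           the destination attribute back to the source Email attribute. -->
      <do-set-src-attr-value name="Email">
        <arg-value type="string">
          <token-dest-attr name="Internet EMail Address"/>
        </arg-value>
      </do-set-src-attr-value>
      <!-- Strip Operation Attribute: remove every occurrence of Email
           from the current operation so the changed value is not
           applied to the destination. -->
      <do-strip-op-attr name="Email"/>
    </actions>
  </rule>
</policy>
```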

2.6.49 Strip XPath

Strips nodes selected by an XPath expression.

Fields

XPath Expression

Specify the XPath 1.0 expression that returns the node set containing the nodes to be stripped.

Example

Strip XPath

2.6.50 Trace Message

Sends a message to DSTRACE.

Fields

Level

Specify the trace level of the message. The default level is 0. The message only appears if the specified trace level is less than or equal to the trace level configured in the driver.

For information on how to set the trace level on the driver, see Viewing Identity Manager Processes in the Novell Identity Manager 3.0.1 Administration Guide.

Color

Select the color of the trace message.

String

Specify the value of the trace message.

Example

The example has four rules that implement a Placement policy for User objects based on the first character of the Surname attribute. It generates both a trace message and a custom Novell Audit event. The Trace Message action is used to send a trace message into DSTRACE. The policy name is Policy to Place by Surname, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.

Place by Name
Trace Message

The action sends a trace message to DSTRACE. The message is the contents of the local variable LVUsers1, and it shows up in yellow in DSTRACE.

2.6.51 Veto

Vetoes the current operation.

Example

The example excludes all events that come from the specified subtree. The rule is from the predefined rules that come with Identity Manager. For more information, see Event Transformation - Scope Filtering - Exclude Subtrees.

Scope Filtering - Exclude subtrees
Veto

The action vetoes all events that come from the specified subtree.

2.6.52 Veto If Operational Attribute Not Available

Conditionally cancels the current operation and ends processing of the current policy, based on the availability of an attribute in the current operation.

Fields

Name

Specify the name of the attribute.

Example

The example does not allow any User object to be created unless the attributes Given Name, Surname, Title, Description, and Internet EMail Address are available. The policy name is Policy to Enforce the Presences of Attributes, and it is available for download from Novell’s support Web site. For more information, see Downloadable Identity Manager Policies.

Required Attributes
Veto If Operation Attribute Not Available

The action vetoes the operation if the attributes Given Name, Surname, Title, Description, and Internet EMail Address are not available.
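The Required Attributes rule described above, written as DirXML Script. This is an added example and not Novell's downloadable policy; the conditions that limit it to add operations on User objects are assumptions, and the attribute names are the ones listed in the text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: not the policy distributed by Novell. -->
<policy>
  <rule>
    <description>Required Attributes</description>
    <!-- Assumed conditions: apply only when a User object is created. -->
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">add</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- Each action cancels the operation and ends processing of this
           policy as soon as one named attribute is missing from the
           current operation, so the later actions run only when all
           earlier attributes are present. -->
      <do-veto-if-op-attr-not-available name="Given Name"/>
      <do-veto-if-op-attr-not-available name="Surname"/>
      <do-veto-if-op-attr-not-available name="Title"/>
      <do-veto-if-op-attr-not-available name="Description"/>
      <do-veto-if-op-attr-not-available name="Internet EMail Address"/>
    </actions>
  </rule>
</policy>
```

Because the first missing attribute ends the policy, the driver trace shows only that attribute's veto, not a full list of what the add was missing.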