Adoption policies
During reconciliation, an adoption policy determines the owner of an account. An account without any owner is an orphan account.
An adoption policy can apply to more than one service of the same service type. An adoption policy applies only to service types that represent adapters and manual services, not service types that represent identity feeds.
An adoption policy matches the attributes for an account on a managed resource to the attributes for a Security Identity Manager user. An adoption policy applies to the following circumstances:
- To either the entire system, as a global adoption policy, or to a specific type of managed resource, as a service-specific adoption policy. The service-specific adoption policy takes precedence over the global adoption policy.
- To more than one service.
- Only to service types that represent adapters and manual services, not service types that represent identity feeds.
You cannot define service instances of different types on the same adoption policy. Account ownership assigned by adoption policies is always of the INDIVIDUAL account ownership type.
Adoption policies are defined in JavaScript. A policy can use all standard JavaScript functions and programming constructs, such as loops and conditional branches, and also functions that are designed specifically for creating adoption policies. Specific JavaScript functions that return a person can retrieve personal attribute values that are used to evaluate account owners.
Global adoption policies are defined for a service type or all service types. Global adoption policies apply to all service instances if no adoption policy is defined for the specific service. The default global adoption policy assigns an account to a user if the account user ID attribute matches the ISIM user UID attribute.
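The following added example models how reconciliation applies the rules above; it is not ISIM code and does not use the product's adoption-policy script API. The users, accounts and the `hr-db` service type are constructed sample data, and a policy that matches several users is treated here as no match, so the account stays an orphan rather than being assigned to the wrong person.

```javascript
// Constructed sample data: ISIM users and accounts returned by reconciliation.
const users = [
  { uid: "jdoe", sn: "Doe" },
  { uid: "asmith", sn: "Smith" },
  { uid: "bsmith", sn: "Smith" },
];
const sampleAccounts = [
  { eruid: "jdoe", serviceType: "ldap" },     // matches by user ID (global policy)
  { eruid: "root", serviceType: "ldap" },     // no user with this ID -> orphan
  { eruid: "doe_hr", serviceType: "hr-db" },  // matches by family name
  { eruid: "smith01", serviceType: "hr-db" }, // two Smiths -> ambiguous -> orphan
];

// Default global policy: account user ID equals the user's UID attribute.
function globalPolicy(account, people) {
  return people.filter((p) => p.uid === account.eruid);
}

// Service-specific policy (assumed for the constructed "hr-db" service type):
// the user's family name appears in the account user ID.
function familyNamePolicy(account, people) {
  const id = account.eruid.toLowerCase();
  return people.filter((p) => id.includes(p.sn.toLowerCase()));
}

const policies = { global: globalPolicy, "hr-db": familyNamePolicy };

// A service-specific policy takes precedence over the global policy.
function selectPolicy(serviceType) {
  return policies[serviceType] || policies.global;
}

// Returns the single matching user (INDIVIDUAL ownership) or null for an orphan.
// Zero or several candidates both leave the account unowned.
function adopt(account, people) {
  const matches = selectPolicy(account.serviceType)(account, people);
  return matches.length === 1 ? matches[0] : null;
}

// Reconciles every account and reports its owner, or null for orphans to review.
function reconcile(accounts, people) {
  return accounts.map((a) => {
    const owner = adopt(a, people);
    return { account: a.eruid, owner: owner ? owner.uid : null };
  });
}
```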
- Create an adoption policy
  An administrator can create an adoption policy to use when reconciling accounts for one or more services. For example, you might create a policy that determines account ownership by attempting to match the family name of a user with the account user ID.
- JavaScript examples for writing adoption policies
  An administrator of IBM Security Identity Manager can use JavaScript examples to write adoption policies.
- Change an adoption policy
  An administrator can change an adoption policy for specific services. For example, you might change an adoption policy to associate the policy with additional instances of a service type.
- Deleting an adoption policy
  An administrator can delete an adoption policy for specific services.
- Attribute matching
  An adoption policy matches the attributes for an account on a managed resource to the attributes for an IBM Security Identity Manager user. If the match occurs, the account is assigned to the user so that the user owns the account. For example, the user can change the password of the ISIM account. Otherwise, the account is identified as an orphan.
- Account reconciliation and orphan accounts
  Reconciliation uses an adoption policy to determine the owner of an account, or to identify the account as an orphan.