Service tagging

A service tag is used for grouping services. Security Identity Manager, starting with Version 6.0, provides an ertag attribute on service objects. With this attribute, we can group services of the same type by tagging them together. Because the ertag attribute is a multi-value attribute, a service can have one or more service tags. Services with the same service tag belong to the same group of services.

The provisioning policies are enhanced to support the service tag entitlement. A service tag entitlement is a service type entitlement with one or more tags. It applies to all services of the specified type with at least one matching tag. For example, a service tag entitlement might be defined for a Linux service type with the service tags mytag1 and mytag2. Only services of the Linux type that are tagged with either mytag1 or mytag2 are subject to the provisioning policy entitlement. Or, if two service tag entitlements are defined, one with mytag1 and one with mytag2, then a service with both tags is subject to both entitlements.

A service type entitlement differs from a service tag entitlement in that it applies to all services of the specified type. For example, when managing a provisioning policy, we might select POSIX AIX profile as the service type without adding any service tags. All AIX services that we create are governed by this provisioning policy, regardless of whether they have tags or not.

When the service tag attribute is modified, accounts can become noncompliant. We must use the Enforce policy on a service task to reevaluate all policies that govern the service. The policy enforcement gathers all policies that affect the selected service, reevaluates the existing accounts, and provisions new accounts.

It is important to understand that the Change service operation does not automatically start policy enforcement. We must manually enforce policies on the service.
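The matching rules above can be modelled to see which policies start or stop governing a service when its ertag values change. This is an added example, not Security Identity Manager code: the `Entitlement` class, the function names, the policy names, and the exact-string tag comparison are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entitlement:
    """Hypothetical model of one provisioning policy entitlement target."""
    policy: str                      # constructed policy name
    service_type: str                # e.g. "Linux", "POSIX AIX"
    tags: frozenset = frozenset()    # empty set = service type entitlement

    def applies_to(self, service_type, ertag):
        if service_type != self.service_type:
            return False
        # Service type entitlement: every service of the type, tagged or not.
        if not self.tags:
            return True
        # Service tag entitlement: at least one matching tag is enough.
        # Assumption: tags are compared as exact strings.
        return bool(self.tags & set(ertag))


def governing(entitlements, service_type, ertag):
    """Return the set of policy names that govern a service."""
    return {e.policy for e in entitlements if e.applies_to(service_type, ertag)}


def tag_change_impact(entitlements, service_type, old_ertag, new_ertag):
    """Compare governing policies before and after an ertag modification."""
    before = governing(entitlements, service_type, old_ertag)
    after = governing(entitlements, service_type, new_ertag)
    return {
        "gained": sorted(after - before),  # policies that now also apply
        "lost": sorted(before - after),    # existing accounts may be noncompliant
        "scope_changed": before != after,
    }


# Constructed sample entitlements using the tag names from the text.
ENTITLEMENTS = [
    Entitlement("linux-tag1", "Linux", frozenset({"mytag1"})),
    Entitlement("linux-tag2", "Linux", frozenset({"mytag2"})),
    Entitlement("linux-tag1-or-2", "Linux", frozenset({"mytag1", "mytag2"})),
    Entitlement("aix-all", "POSIX AIX"),
]

if __name__ == "__main__":
    print(governing(ENTITLEMENTS, "Linux", ["mytag1", "mytag2"]))
    print(tag_change_impact(ENTITLEMENTS, "Linux", ["mytag1"], ["mytag2"]))
```

A service listed with a non-empty `gained` or `lost` set is one whose accounts are evaluated against a different set of policies only after policy enforcement is run on that service.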
