JavaScript examples for writing adoption policies
An administrator of IBM Security Identity Manager can use the following JavaScript examples to write adoption policies.
Example 1
The following example shows a simple script that matches the account user ID to the alias field of the person.
var ps = new PersonSearch(); return ps.searchByFilter("","(eraliases="+subject.eruid[0]+")",2);
Example 2
This example is a more complicated sample you can use for orphan adoption. This script uses the following three strategies to deduce an owner for an account:
- Locate a single person with an eraliases entry that matches the account eruid field.
- If this action yields multiple matches and the new entry has a cn field, check the matching list for one with a cn field that matches the account cn field.
- If no matches are obtained in the first step, check for a matching account (the same eruid) in the master service, such as a Windows Active Directory Service. If this account has an owner, use that person. If all three strategies fail, return null, which causes an orphan. Log messages are written to the message log with the script category.
var entryUid = subject.eruid[0]; Enrole.log("script", "Starting script for eruid=" + entryUid); /* change the following value to the name of the master service: */ /* var masterServiceName = "Master AD Service"; */ var masterServiceName = "NT4 (local)"; /* change the following value to the service profile name of the master service: This change is required only if the profile of master service and profile of the service for which the adoption policy is defined are different */ /* var serviceProfileNameOfMasterService = "ADProfile"; */ var scriptResult = null; var personsearch = new PersonSearch(); var filter = "(eraliases=" + entryUid + ")"; var psResult = personsearch.searchByFilter("", filter,2); if (psResult.length == 1) { /* found one person with matching alias */ Enrole.log("script", "single match for eraliases=" + entryUid); scriptResult = psResult; }else if (psResult.length > 1) { /* more than one person matched alias. * if the account has a "cn" attribute value, see if this matches the "cn" of one of them */ Enrole.log("script", "multiple matchs for eraliases=" + entryUid); var entryCn = subject.cn; if (typeof entryCn != "undefined") { Enrole.log("script", "checking cn=" + entryCn[0]); for (idx=0; idx<psResult.length; ++idx) { var cn1 = psResult[idx].getProperty("cn"); if (cn1.length != 0 && cn1[0] == entryCn[0]) { /* we found a match for the cn */ scriptResult = psResult[idx]; break; } } } else { Enrole.log("script", "cn field not defined for eruid=" + entryUid); }}else { /* no person matched specified alias. See if there is a matching account uid in the company Active Directory */ var acctSearch = new AccountSearch(); /* Method acctSearch.searchByUidAndService(entryUid, masterServiceName) is used if the profile of the master service is same as the profile of the service for which the adoption policy is defined. 
If the profile of master service and the profile of the service for which the adoption policy is defined are different then the profile name of the master service is passed to the searchByUidAndService() method as follows– var asResult = acctSearch.searchByUidAndService(entryUid, masterServiceName, serviceProfileNameOfMasterService); */ var asResult = acctSearch.searchByUidAndService(entryUid, masterServiceName); if (asResult != null && asResult.length == 1) { /* found a matching AD account -- use this accounts owner, if it is not an orphan */ var owner = asResult[0].getProperty("owner"); if (owner.length == 1) { var owner_dn = owner[0]; Enrole.log("script", "single match for service " + masterServiceName + " uid=" + entryUid + ", returning person with dn=" + owner_dn); scriptResult = new Person(owner_dn); } else { Enrole.log("script", "service " + masterServiceName + " uid=" + entryUid + " is an orphan"); } } else { Enrole.log("script", "No match or more than one match for uid=" + entryUid + " on master service " + masterServiceName); }}return scriptResult; /* end of script */
Example 3
The following example checks to see whether the name of a person, the gecos field in Linux , matches their full name in ISIM, , and ./* * OrphanAdoption JavaScript */ if (subject["gecos"] == null) { return null; } else { var buf = "(|"; for (i = 0; i < subject["gecos"].length; i++) { buf += "(cn=" + subject["gecos"][i] + ")"; } buf += ")"; var ps = new PersonSearch(); /* Have to use sub-tree search type (2) */ return ps.searchByFilter("Person", buf, 2); }
Example 4
This example uses the new JavaScript API ExtendedPerson to adopt a "root" account as a "System" account and adopt other accounts as "Individual" accounts./* * OrphanAdoption JavaScript */ if ((subject[ "eruid"]==null)){ return null; } else if (subject["eruid"]!=null){ var buff='(|'; for (i=0;i<subject["eruid"].length;i++){ buff+='(uid='+subject["eruid"][i]+')'; } buff+=')'; var ps = new PersonSearch(); var searchResult = ps.searchByFilter("",buff, 2); if (searchResult!=null && searchResult.length==1) { var person = searchResult[0]; // If it is a "root" account, adopt it as a "System" account; // otherwise, adopt it as an "Individual" account by default. if (subject.eruid[0] == "root") { return new ExtendedPerson(person, "System"); } else { return person; } } else if (searchResult!=null && searchResult.length>1) { return searchResult; } else { return null; }}Parent topic: Adoption policies