Policy join directives configuration
Provisioning policy join directives determine the provisioning parameter values that govern when multiple provisioning policies affect the same account. A join directive defines how to process an attribute when a conflict occurs between provisioning policies. Join directives applicable only to the selected attribute are displayed.
The entitlement target type also plays a role in how policy join directives resolve which entitlement is granted when conflicts arise between policies. When two or more policies grant similar entitlements, the more specific entitlement takes precedence. For example, one provisioning policy might include an entitlement defined to grant access to a type of service (that is, AIX named AIX105). The second policy might include an entitlement defined to grant access to a specific instance of that service (that is, AIX). In this case, the more specific entitlement takes precedence.

IBM Security Identity Manager provides several types of join directives. The following table lists and describes each type. The Union and Intersection types are defined only on multivalued attributes.
| Join Directive | Description |
| --- | --- |
| Union | Combines the attribute values and removes the redundancies. This join directive is the default parameter for multivalued attributes if no other join directive is specified. |
| Intersection | Uses only the parameter values common to all policies. |
| Append | Appends the textual attribute value defined in one policy to the attribute value defined in another policy. The APPEND join type was designed for single-valued text attributes such as comment on the winlocal service. When you join provisioning parameters using the APPEND join type, all individual values are concatenated into a single string value, with a user-defined delimiter between values. The delimiter can be defined (changed) in the enrolepolicies.properties file, where the current line reads: `provisioning.policy.join.Textual.AppendSeparator=<<<>>>` |
| And | Mathematical AND used on a boolean string that represents a boolean value. TRUE & TRUE = TRUE; TRUE & FALSE = FALSE; FALSE & FALSE = FALSE |
| Or | Specifies the mathematical OR used on a boolean string that represents a boolean value. TRUE \|\| TRUE = TRUE; TRUE \|\| FALSE = TRUE; FALSE \|\| FALSE = FALSE |
| Highest | Uses only the highest numeric attribute value from the conflicting policies. |
| Lowest | Uses only the lowest numeric attribute value from the conflicting policies. |
| Average | Averages the numeric attribute values from the conflicting policies and uses the average value. |
| Bitwise_Or | Mathematical Bitwise OR used on an attribute value that represents a bitstring. |
| Bitwise_And | Mathematical Bitwise AND used on an attribute value that represents a bitstring. |
| Precedence_Sequence | Uses a user-defined ordering precedence to determine which attribute value to use. |
| Priority | Uses the priority of the policy to determine which attribute value to use. If the conflicting policies have the same priority, then the order in which these conflicting policies are evaluated is random. The evaluation is based on which policy the system retrieves first. For example, two policies have the same priority and define the same attribute with different values. If the attribute uses the 'Priority' join directive type, the attribute value returned by the policy varies based on the system retrieval. |

Custom join directives can be defined by using Java™. Administrators can use custom join directives to change the built-in join logic completely.

The following table shows each type of service attribute, the corresponding join directive, and the default join directive.

| Service attribute type | Applicable join directive | Default join directive |
| --- | --- | --- |
| Multivalued string or number attribute | UNION, INTERSECTION, PRIORITY, CUSTOM | UNION |
| Single-valued string | PRECEDENCE_SEQUENCE, PRIORITY, AND, OR, APPEND, BITWISE_AND, BITWISE_OR, HIGHEST, LOWEST, AVERAGE, CUSTOM | PRIORITY |
| Single-valued boolean string | AND, OR, PRIORITY, CUSTOM | OR |
| Single-valued integer | HIGHEST, LOWEST, AVERAGE, PRIORITY, PRECEDENCE_SEQUENCE, CUSTOM | HIGHEST |
| Single-valued bitstring | BITWISE_AND, BITWISE_OR, PRIORITY, CUSTOM | BITWISE_OR |
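
The join semantics in the tables above, modelled in Python so the effect of each directive on an account's final attribute value can be checked before a policy change. This is an added illustration, not IBM Security Identity Manager code: the function names, the text representation of bitstrings, and the rule that a lower number means a higher priority are assumptions.

```python
from functools import reduce

# Separator value shown on the page for
# provisioning.policy.join.Textual.AppendSeparator
APPEND_SEPARATOR = "<<<>>>"

def _bits(values, op):
    # Bitstrings are modelled as text such as "0110" (assumed representation).
    width = max(len(v) for v in values)
    return format(reduce(op, (int(v, 2) for v in values)), f"0{width}b")

def _bool(values, fold):
    return "TRUE" if fold(v.upper() == "TRUE" for v in values) else "FALSE"

JOINS = {
    "UNION": lambda vs: sorted(set().union(*vs)),
    "INTERSECTION": lambda vs: sorted(set(vs[0]).intersection(*vs[1:])),
    "APPEND": lambda vs: APPEND_SEPARATOR.join(vs),
    "AND": lambda vs: _bool(vs, all),
    "OR": lambda vs: _bool(vs, any),
    "HIGHEST": max,
    "LOWEST": min,
    "AVERAGE": lambda vs: sum(vs) / len(vs),
    "BITWISE_OR": lambda vs: _bits(vs, lambda a, b: a | b),
    "BITWISE_AND": lambda vs: _bits(vs, lambda a, b: a & b),
}

def join(directive, values):
    """Resolve one attribute from the values set by each conflicting policy."""
    return JOINS[directive](values)

def priority_join(candidates):
    """candidates: (priority, value) pairs. Returns (value, ambiguous).
    Assumption: a lower number means a higher priority. A tie between
    different values is reported as (None, True), because the winner then
    depends on which policy the system retrieves first."""
    best = min(p for p, _ in candidates)
    winners = {v for p, v in candidates if p == best}
    return (None, True) if len(winners) > 1 else (winners.pop(), False)

if __name__ == "__main__":
    # Constructed sample: two policies set the same attributes on one account.
    groups = [["staff", "dba"], ["staff", "audit"]]
    print(join("UNION", groups))         # every group from either policy
    print(join("INTERSECTION", groups))  # only groups both policies grant
    print(join("OR", ["FALSE", "TRUE"]), join("AND", ["FALSE", "TRUE"]))
    print(priority_join([(1, "/bin/sh"), (1, "/bin/false")]))
```

The defaults for multivalued and boolean attributes (UNION, OR) resolve a conflict toward the broader grant, while INTERSECTION and AND resolve toward the narrower one. The ambiguous flag from `priority_join` marks attributes whose provisioned value is not deterministic.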
- Customize policy join behavior
  You can customize join directive behavior for your provisioning policies for each attribute based on service type.
- Account validation logic
  Account validation logic provides information about a collection of validation rules that affect a joined set of parameter values after the policy join rules are applied.
- Join directives examples
  This topic provides examples that show how to use provisioning policy join directives.
- Join logic examples
  This topic provides examples that show how to use provisioning policy join directives.