Customize policy join behavior

We can customize join directive behavior for your provisioning policies for each attribute based on service type.

IBM Security Identity Manager provides several types of join directives. We can extend existing join directive functions, or we can create our own.

We can define custom join directives by writing a custom Java™ class and adding it to the classpath of your application server. Provide the fully qualified Java class name in the policy configuration interface when you set a join directive for an attribute.

If we are extending or replacing one of the existing join directive classes in addition to the tasks above, we must add the custom property key and value to the enrolepolicies.properties file. For example, if you developed a new class such as com.abc.TextualEx to replace the existing class for textual joins, the registration line is similar to the following example.

provisioning.policy.join.Textual= com.abc.TextualEx

  1. From the navigation tree, select Configure System > Configure Policy Join Behaviors. The Policy Join Behavior table for configuring provisioning policy join directives is displayed as two panes in the window.

  2. In the Policy Join Behavior window, click Service Type to select from a list of available services, such as ITIM Service.

  3. Select one of the attributes for the type. The right pane displays the name, description, and applicable join directives of the selected attribute.

  4. Click Join Directive in the right pane to configure provisioning policy precedence by selecting one of the listed join directives. The following values can apply, depending on the attribute we select:

    Union
    Combines the attribute values and removes the redundancies. This join directive is the default if no other join directive is specified.

    Intersection
    Specifies only parameter values that are common to all policies.

    Priority
    Uses the priority of the policy to determine which attribute value to use. If the conflicting policies have the same priority, the first policy found by the system is used.

    OR
    Mathematical OR used on a boolean string that represents a boolean value.
    TRUE || TRUE = TRUE
    TRUE || FALSE = TRUE
    FALSE || FALSE = FALSE

    AND
    Mathematical AND used on a boolean string that represents a boolean value.
    TRUE & TRUE = TRUE
    TRUE & FALSE = FALSE
    FALSE & FALSE = FALSE

    Append
    Appends the textual attribute value defined in one policy to the attribute value defined in another policy.

    The APPEND join type is used on single-valued text attributes (such as comment on WinNT service). When joining provisioning parameters with the APPEND join type, all individual values are concatenated into a single string value with a user-defined delimiter between them. The delimiter can be defined (changed) in enrolepolicies.properties file, where the current line reads:

    provisioning.policy.join.Textual.AppendSeparator=<<<>>>

    Bitwise OR
    Mathematical Bitwise OR used on a bitstring.

    Bitwise AND
    Mathematical Bitwise AND used on a bitstring.

    Highest
    Uses the highest numeric attribute value from the conflicting policies.

    Lowest
    Uses the lowest numeric attribute value from the conflicting policies.

    Average
    Averages the numeric attribute values from the conflicting policies and uses the average value.

    Precedence sequence
    Uses a user-defined ordering precedence to determine which attribute value to use.

    Custom
    Defines a custom join directive with Java. Custom join directives provide administrators with the ability to completely change the built-in join logic. Enter the fully qualified Java class name of the custom join directive class we created for the attribute.

  5. Click Compliance Alert Rule to configure a compliance alert rule that specifies when compliance alerts are sent. To configure a compliance alert rule, select one of the following options:

    Numeric Order (higher value generates alert)
    Select this option to generate a compliance alert before sending a higher attribute value to the managed resource. Use this option if the attribute value was increased as a result of a provisioning policy evaluation. If the attribute value was decreased as a result of the evaluation, the attribute value is automatically sent to the managed resource. No alert is generated.

    Numeric Order (lower value generates alert)
    Select this option to generate a compliance alert before sending a lower attribute value to the managed resource. Use this option if the attribute value was decreased as a result of a provisioning policy evaluation. If the attribute value was increased as a result of the evaluation, the attribute value is automatically sent to the managed resource and no alert is generated.

    Never generate alert
    Select this option if we do not want to generate a compliance alert when a provisioning policy evaluation leads to a new value for an attribute. Because no compliance alert is generated, the new attribute value is automatically sent to the managed resource.

    Always generate alert
    Select this option to generate a compliance alert when a provisioning policy evaluation leads to a new value for an attribute. The participant must accept the new attribute value before it is sent to the managed resource. This value is the default for attributes that have a single value.

    Precedence sequence
    Select this option if we want higher values in the list to be considered more privileged than lower values. When a provisioning policy evaluation leads to assignment of a higher attribute value, the attribute value is sent to the managed resource. No compliance alert is generated. If the attribute value is decreased as a result of the evaluation, a compliance alert is generated. Then, the attribute value is sent to the managed resource. When we select this option, we can select Move Up, Move Down, Delete, or Add to organize your precedence sequence.

  6. Click Save to save the changes.
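
The join directives of step 4 and the compliance alert rules of step 5, simulated in Python as an added example (this is not IBM code and does not use the product's join directive API): join_values resolves one attribute across conflicting policies, and needs_compliance_alert decides whether the joined value is held for a participant's approval. It assumes that a lower priority number is the higher priority and that index 0 of a precedence list is the most privileged value; all sample values are constructed.

```python
import functools
import operator
from statistics import mean

# Default delimiter as shipped in enrolepolicies.properties:
# provisioning.policy.join.Textual.AppendSeparator=<<<>>>
APPEND_SEPARATOR = "<<<>>>"

def join_values(directive, policies, precedence=None):
    """Resolve one attribute across conflicting provisioning policies.
    policies: list of (priority, [values]) in the order the system found them.
    Assumption for "Priority": a lower number is the higher priority."""
    lists = [vals for _, vals in policies]
    flat = [v for vals in lists for v in vals]
    if directive == "Union":                 # every value once, first-seen order
        return list(dict.fromkeys(flat))
    if directive == "Intersection":          # only values present in all policies
        return [v for v in dict.fromkeys(flat) if all(v in vals for vals in lists)]
    if directive == "Priority":              # min() keeps the first policy on ties
        return min(policies, key=lambda p: p[0])[1]
    if directive in ("OR", "AND"):           # boolean strings: "TRUE" / "FALSE"
        flags = [v.upper() == "TRUE" for v in flat]
        return ["TRUE" if (any if directive == "OR" else all)(flags) else "FALSE"]
    if directive == "Append":                # single-valued text joined by the separator
        return [APPEND_SEPARATOR.join(flat)]
    if directive in ("Bitwise OR", "Bitwise AND"):  # bitstrings such as "0110"
        op = operator.or_ if directive == "Bitwise OR" else operator.and_
        bits = functools.reduce(op, (int(v, 2) for v in flat))
        return [format(bits, "0%db" % max(len(v) for v in flat))]
    if directive in ("Highest", "Lowest", "Average"):
        nums = [float(v) for v in flat]
        return [{"Highest": max, "Lowest": min, "Average": mean}[directive](nums)]
    if directive == "Precedence sequence":   # first entry of the admin-defined order wins
        return [next(v for v in precedence if v in flat)]
    raise ValueError("unknown join directive: %s" % directive)

def needs_compliance_alert(rule, old, new, precedence=None):
    """True when the joined value must wait for a participant's approval.
    Assumption: in `precedence`, index 0 is the most privileged value."""
    if old == new or rule == "Never generate alert":
        return False
    if rule == "Always generate alert":
        return True
    if rule == "Numeric Order (higher value generates alert)":
        return float(new) > float(old)
    if rule == "Numeric Order (lower value generates alert)":
        return float(new) < float(old)
    if rule == "Precedence sequence":        # alert only when the value is less privileged
        return precedence.index(new) > precedence.index(old)
    raise ValueError("unknown compliance alert rule: %s" % rule)
```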
