Policy enforcement extension
The policy enforcement extension assesses the accounts that are associated with a Person or BPPerson and enforces the policies in place for that person.
Overview
A policy enforcement extension is code that can be called directly from a workflow. Workflows that change a person object typically use this extension.
The extension is implemented in com.ibm.itim.workflowextensions.PersonExtensions.
The following extensions are provided.
- enforcePolicyForPerson(Person, skipNonEntitledAccountsEvaluation)
- enforcePolicyForPerson(BPPerson, skipNonEntitledAccountsEvaluation)
The extensions work identically on the specified Person or BPPerson.
skipNonEntitledAccountsEvaluation is a string, either true or false.
- If false, then all accounts applicable to the person are evaluated. All accounts that the person owns are considered when the extension enforces provisioning policies.
- If true, then policy enforcement proceeds as follows:
  1. Identify all services applicable for the person and store them in a collection.
  2. Check for removed roles in the change list of the specified person.
  3. Merge the list of services that are identified in step 1 and step 2. This process specifies that only accounts calculated from the person's role change are considered for policy enforcement. No other accounts are considered.
Therefore, some accounts are not considered: accounts where the person's role is removed, and accounts that are already provisioned for those roles.
For examples of how the extensions are used, see the Add, Modify, and Transfer operations in Operations management.