14.4.2 Creating Rules

To create IDA rules:

  1. In Identity Self Service, click the Compliance tab.

  2. Click the Identity Audit box, and select Rules. The Rules page is displayed.

  3. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Rule page is displayed.

  4. In the Name box, enter a name of the rule. This is a mandatory field.

  5. In the Description box, enter a description for the rule.

  6. Click the search icon adjacent to the Owner box, and search and select a user.

  7. Verify that Enabled is selected in the Status list so that the rule you create is in enabled state. By default, rules are in enabled state. To disable the rule, you can select Disabled from the Status list.

  8. In the Condition Builder section, click the icon to the right of the Condition field. The Condition Builder dialog box opens; it lets you search and navigate all available attributes and select the ones to include in your rule condition.

  9. Search for an entity type based on which you want to specify the condition, for example User.

  10. Click User. The user attributes are displayed.

  11. Search for the user attribute that you want to include in the rule condition, for example, Manager Display Name. Alternatively, you can navigate through the user attributes by clicking the page number icons, and then select the attribute.

    Click OK. The following expression is added in the Condition field:

    user.Manager Display Name
    
  12. From the list of operators, select an operator, such as EQUAL.

  13. In the right-hand field, enter the Manager Display Name, for example, Sony Palmentieri. Alternatively, click the icon adjacent to the field to open the Condition Builder dialog box and specify the Manager Display Name in one of the following ways:

    • Value: Selecting this option enables you to select a specific value for the attribute.


      Note:

      If you select Value, the values offered depend on the attribute selected on the left-hand side. Not every attribute has a list of values; for some attributes you must type the value.

    • Expression: Selecting this option enables you to specify an expression based on the selected attribute, for example $(user.Country).

    Search for and select the desired value, and click OK. The value is added to the right-hand field, and the first line of the rule condition is complete.


    Tip:

    You can enter an expression in the rule condition fields instead of searching and selecting the values.

  14. To add another line to the rule condition, click Add Condition.

    To remove a line from the rule condition, select the checkbox to the left of the line, and then click Remove. Select multiple checkboxes to remove several lines at once.

  15. From the operators list to the right of the first line, select AND. This specifies that both the first and second lines must be true.

  16. In the left-hand field, enter the expression, or search for and select the attribute. For this example, specify user.Job Title. Select the EQUAL operator, and in the right-hand field enter a value for the Job Title attribute, for example, Administrator.

  17. Add another line and specify the following:

    user.Organization Name EQUAL Avitek
    
  18. To group the first two lines together, select the checkboxes adjacent to the first two lines, and click Group.

    You can ungroup the lines by selecting the checkboxes adjacent to the lines and clicking Ungroup.


    Note:

    You can group only two conditions at a time; if you select more than two conditions, the Group button is disabled. Similarly, the Ungroup button is enabled only when you select a single grouped condition; it is disabled when you select more than one group.

  19. Add the fourth line, and click the icon to the right of the condition field to open the Condition Builder dialog box.

  20. To add an entitlement, make the following selections:

    1. Select Application. The application types are displayed.

    2. Then select the resource, for example, eBusiness Suite User, and click appinstance.

    3. Select Vision Purchasing as the application instance.

    4. Select account (because you are selecting an entitlement), and select the wildcard character * to specify all accounts.

      Click the arrow in the first row to go back, then select UD_EBS_RESP as the entitlement and select the wildcard character * to specify all responsibilities.


      Note:

      For application instances, there is no mechanism to filter the attributes: all attributes of the application instance are displayed in the Condition Builder, and a rule can be written against any of them.

      For roles, select the role name to display the list of attributes for the role entities. You can select the asterisk (*) wildcard character to display the list of attributes.


    5. Select Responsibility Name.

      Note that the selection is displayed at the top of the dialog box, as follows:

      Home > appType[eBusiness Suite User].appinstance[Vision Purchasing].account[*].UD_EBS_RESP[*].Responsibility Name
      
    6. Click OK. The expression is added in the condition field.

    7. Select EQUAL and specify a value for the Responsibility Name, such as 9~170~52448.

  21. Add another line, and add an expression for the entitlement of the AD User resource in the condition field. The expression can look similar to the following:

    appType[AD User].appinstance[VisionEmployeesDomain].account[*].UD_ADUSRC[*].catalog.Display Name
    
  22. Select EQUAL and specify a value for the Display Name, such as CN=Account Operators,CN=Builtin,DC=adlrg,DC=us,DC=mydomain,DC=com.

  23. Group the fourth and fifth lines and specify the OR operator between them. If you do not specify an operator, AND is used by default.

  24. Join the first and second groups with an AND operator.


    Note:

    A maximum of two conditions can be grouped together. Therefore, if you create a rule with four conditions that are all joined with the AND operator, the conditions are grouped into two sets. If one of the conditions is instead joined with the OR operator, the rule is updated correctly.

  25. Click Create. The rule is created and the Rules page is displayed. To display the rule you created in the search results of the Rules page, click Refresh.


    Note:

    When Risk attributes are used in the conditions of a rule, the Risk Aggregation Job scheduled job must be run before the request is made; otherwise the rule is not evaluated correctly.
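The following is an added worked model of the rule assembled in steps 11 through 24; it is illustration code, not Oracle Identity Governance code, and it does not call any OIG API. Each Condition Builder line becomes a predicate, and the predicates are nested in the same AND/OR groups the procedure builds with the Group button. Two things are assumed rather than stated on the page: the wildcard * on the account and entitlement segments (account[*].UD_EBS_RESP[*]) is treated as existential, so a line is true when any account in the named application instance holds any matching entitlement row; and catalog.Display Name is modelled as a Display Name key on the entitlement row. The identities and accounts are constructed sample data.

```python
"""Toy evaluator for the IDA rule built in the procedure above (illustration only)."""
from dataclasses import dataclass, field


@dataclass
class Account:
    app_type: str                       # appType[...]
    app_instance: str                   # appinstance[...]
    entitlements: dict = field(default_factory=dict)   # form name -> entitlement rows


@dataclass
class Identity:
    login: str
    attrs: dict                         # user.<attribute> values
    accounts: list = field(default_factory=list)


def user_equal(attr, value):
    """One line of the form: user.<attr> EQUAL <value>."""
    return lambda ident: ident.attrs.get(attr) == value


def entitlement_equal(app_type, app_instance, form, attr, value):
    """appType[app_type].appinstance[app_instance].account[*].<form>[*].<attr> EQUAL <value>.

    Assumption (not stated on the page): "*" is existential, so the line holds
    when ANY account in that instance has ANY row of <form> whose <attr> matches.
    """
    def cond(ident):
        return any(
            row.get(attr) == value
            for acct in ident.accounts
            if acct.app_type == app_type and acct.app_instance == app_instance
            for row in acct.entitlements.get(form, [])
        )
    return cond


def AND(left, right):
    """Group exactly two lines with AND (as the Group button does)."""
    return lambda ident: left(ident) and right(ident)


def OR(left, right):
    """Group exactly two lines with OR."""
    return lambda ident: left(ident) or right(ident)


AD_ACCOUNT_OPERATORS = ("CN=Account Operators,CN=Builtin,"
                        "DC=adlrg,DC=us,DC=mydomain,DC=com")

# (line1 AND line2) AND line3 AND (line4 OR line5), exactly as grouped in steps 18-24.
RULE = AND(
    AND(
        AND(user_equal("Manager Display Name", "Sony Palmentieri"),
            user_equal("Job Title", "Administrator")),
        user_equal("Organization Name", "Avitek"),
    ),
    OR(
        entitlement_equal("eBusiness Suite User", "Vision Purchasing",
                          "UD_EBS_RESP", "Responsibility Name", "9~170~52448"),
        entitlement_equal("AD User", "VisionEmployeesDomain",
                          "UD_ADUSRC", "Display Name", AD_ACCOUNT_OPERATORS),
    ),
)


def evaluate(rule, identities):
    """Return the logins the rule flags, in input order."""
    return [ident.login for ident in identities if rule(ident)]


# Constructed sample identities (not from the page).
BASE = {"Manager Display Name": "Sony Palmentieri",
        "Job Title": "Administrator",
        "Organization Name": "Avitek"}
AD_GROUP_ROW = {"UD_ADUSRC": [{"Display Name": AD_ACCOUNT_OPERATORS}]}

SAMPLE = [
    # User lines match and the EBS responsibility is held -> flagged.
    Identity("alice", dict(BASE), [
        Account("eBusiness Suite User", "Vision Purchasing",
                {"UD_EBS_RESP": [{"Responsibility Name": "9~170~52448"}]})]),
    # User lines match and the AD group is held -> flagged through the OR branch.
    Identity("bob", dict(BASE), [
        Account("AD User", "VisionEmployeesDomain", AD_GROUP_ROW)]),
    # Same AD group, but Job Title differs -> first group fails, not flagged.
    Identity("carol", {**BASE, "Job Title": "Analyst"}, [
        Account("AD User", "VisionEmployeesDomain", AD_GROUP_ROW)]),
    # User lines match, but the group is held in a different instance -> not flagged.
    Identity("dave", dict(BASE), [
        Account("AD User", "PartnerDomain", AD_GROUP_ROW)]),
]

if __name__ == "__main__":
    print(evaluate(RULE, SAMPLE))   # ['alice', 'bob']
```

The nested closures make the grouping explicit, which is the point of the Group button: the OR between the two entitlement lines only produces the intended result when those two lines are grouped before the group is joined to the user-attribute conditions with AND. Note also that the entitlement lines are scoped to a named application instance, so an identical group held through another instance (dave) is not matched by this rule.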