Object Lifecycle Policies
Definition
An Object Lifecycle Policy lets you configure rules, on all Object Types, that directly alter an Object attribute when certain lifecycle events occur.
This can be:
- when creating an Object
- when assigning Roles or Rights on Identities
- when deactivating an Object
- when updating the status of an Object
- when freezing a Role Assignment (a frozen Role Assignment cannot be changed by automatic processes: its end date is ignored, as are Role Assignment Policies that might remove it).

Those changes must be performed in the same operation as the one that triggered the lifecycle event.
Lifecycle control is split into stages, and Object Lifecycle Policies can introduce behavior between those stages.
These Lifecycle Policies are similar to Object Policies; however, their Groovy script can directly manipulate the Attributes of the Object.
Usage
We want to configure an Object Lifecycle Policy that freezes a Role Assignment by setting a freeze end date on it.
In this case, the Role Assignment is frozen when the security organization of the Identity is updated.
While the Role Assignment is frozen, it cannot be modified or deleted.
To unfreeze the Role Assignment, you must update the date of the frozen until Attribute (through the API or in the Groovy script).
Step | Description |
---|---|
1 | Configure an Object Lifecycle Policy that will freeze a Role Assignment. |
2 | Assign a Role to an Identity. |
3 | Update the security organization of the Identity. |
Configuration
You can access the Object Lifecycle Policy configuration:
- by clicking on "Policies" → "Object Lifecycle Policy"
- by clicking on "System" → "Configurations" → "Data Model" and performing an import/export.
Properties
Object Lifecycle Policy
Property name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
id | | YES | The unique identifier of the Object Lifecycle Policy. It is case sensitive and no special characters (except - or _) are allowed. | - |
name | | YES | The Object Lifecycle Policy name. The name may be different from the identifier. Specifying the name first defines the identifier automatically. | - |
active | | NO | Defines whether the Object Lifecycle Policy is activated or not. | ON, OFF |
description | | NO | Describes the purpose of the Object Lifecycle Policy. | - |
objectKind | | YES | Links the Object Lifecycle Policy to an Object kind. | Identity, Organization, Resource, Role, Role Publication |
objectTypes | | NO | Selects the Objects to which the Object Lifecycle Policy is applied. | List of created Object Types |
stage | | YES | Selects the stage, according to the configured Object kind. | Before common stage, After common stage, Before assignments stage, After assignments stage, Before authentication methods stage, After authentication methods stage, Before inheritance stage, After inheritance stage, Before finalize stage, After finalize stage |
rules | | YES | Configures the Transform rules, written as a Groovy script. | - |
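
A pre-import check for policy definitions, built from the constraints in the Properties table above. This is an added example, not the product's code: the dict layout, the names `lint_policy` and `lint_policies`, and the reading of "special characters" as anything outside ASCII letters and digits are assumptions. It also flags ids that differ only by case, which are distinct because identifiers are case sensitive but are easy to confuse in review.

```python
import re

# Allowed values copied from the Properties table on this page.
OBJECT_KINDS = ("Identity", "Organization", "Resource", "Role", "Role Publication")
# Stage names from both tables; per-kind restrictions are not on the page.
STAGES = [f"{when} {name} stage" for when in ("Before", "After")
          for name in ("common", "assignments", "authentication methods",
                       "inheritance", "finalize")] + ["Before refresh orders stage"]
MANDATORY = ("id", "name", "objectKind", "stage", "rules")
# Assumption: "no special characters" means ASCII letters and digits only.
ID_PATTERN = re.compile(r"[A-Za-z0-9_-]+")
# Constructed sample definitions; the dict layout is an assumption.
SAMPLE = [
    {"id": "freeze-on-org-change", "name": "Freeze on org change",
     "objectKind": "Identity", "stage": "Before assignments stage",
     "rules": "/* Groovy script */"},
    {"id": "Freeze-On-Org-Change", "name": "Copy", "objectKind": "Identity",
     "stage": "After finalise stage", "rules": ""},
]


def lint_policy(policy):
    """Return the problems found in one policy definition (a dict)."""
    problems = [f"missing mandatory property: {key}"
                for key in MANDATORY if not policy.get(key)]
    pid = policy.get("id")
    if pid and not (isinstance(pid, str) and ID_PATTERN.fullmatch(pid)):
        problems.append(f"invalid id: {pid!r}")
    for key, allowed in (("objectKind", OBJECT_KINDS), ("stage", STAGES)):
        if policy.get(key) and policy[key] not in allowed:
            problems.append(f"unknown {key}: {policy[key]!r}")
    if "active" in policy and policy["active"] not in ("ON", "OFF"):
        problems.append(f"active must be ON or OFF: {policy['active']!r}")
    return problems


def lint_policies(policies):
    """Lint a batch; flag ids that repeat or differ only by case."""
    report, seen = {}, {}
    for index, policy in enumerate(policies):
        problems = lint_policy(policy)
        pid = policy.get("id")
        if isinstance(pid, str) and pid:
            first = seen.setdefault(pid.lower(), (index, pid))
            if first[0] != index:
                problems.append(f"id {pid!r} collides with {first[1]!r}")
        if problems:
            report[index] = problems
    return report
```

`lint_policies(SAMPLE)` reports only the second definition: its empty `rules`, its misspelled stage, and an id that collides with the first by case.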
Stage
Stage | Object kind | Description |
---|---|---|
Before common stage | | Manages the Object Lifecycle: |
Before assignments stage | | Manages the Roles and Rights hierarchy update: |
Before refresh orders stage | | Manages the generation of refresh orders for Roles and Role Assignment Policy changes, when necessary. |
Before inheritance stage | | Manages the mechanisms related to inheritance in Objects that are organized as a hierarchy: |
Before authentication methods stage | | Manages the mechanisms related to Authentication Methods: |
Before finalize stage | | Manages the last-minute operations. |