Object Matching Condition
Definition
An Object Matching Condition makes it possible to configure whether an object matches a condition or not, according to the object kind (IDENTITY), its type(s) ("employee"), and a matching strategy.
At most one matching strategy may be configured, among the two possible strategies. No strategy may be configured at all, but in that case at least one object type must be configured.
This is a "re-usable" generic condition that may be used in conjunction with other configuration elements.
Configuration
Properties
Property Name | Type | Mandatory | Description |
---|---|---|---|
objectKind | | YES | The IDM object kind it applies to (Identity, Organization, etc.). |
objectTypes | | NO | An optional list of object types, such as "employee", "partner", etc. If several types are configured they are "ORed" together: type = "employee" or type = "partner". This object type list, if not empty, is then "ANDed" with the configured strategy. For a "simple" strategy matching an email this would give: Configuring a strategy is optional; in some cases configuring object type(s) may be enough. If a strategy is |
simpleObjectMatchingStrategyDefinition | | NO | Object matching strategy based on attribute regex matching. Mutually exclusive with the other MatchingStrategyDefinition. |
customObjectMatchingStrategyDefinition | | NO | Object matching strategy based on the execution of a custom Groovy script that must return a Boolean value. Mutually exclusive with the other MatchingStrategyDefinition. |
rightMatchingCondition | | NO | Condition focused on the rights that an IDM Identity possesses. |
If several criteria are configured, an AND is applied between them. For example, the matching condition can be configured so that the object type must be "employee" or "partner", and the IDM object must have the right "XXX" on target "YYY".
simpleObjectMatchingStrategyDefinition properties
Object matching strategy based on regex matching: the value of an account attribute must match a configured regex.
Property Name | Type | Mandatory | Description |
---|---|---|---|
inputAttributeId | | YES | The input account attribute name (e.g. "uid" for an LDAP account) whose value must match a regex. If the attribute is multi-valued and any value matches the regex, then the Object Type is assigned. |
regex | | YES | The regex criterion. |
normalizeRule | | NO | An optional Normalize Rule used to transform the input value before testing it against the regex. |
customObjectMatchingStrategyDefinition properties
Object Type assignment strategy based on the execution of a custom Groovy script that must return a Boolean value.
Property Name | Type | Mandatory | Description |
---|---|---|---|
conditionRule | | YES | The Condition Rule returning a Boolean. |
rightMatchingCondition properties
Configure whether an object holding Right Grants matches a right condition or not. If any right condition among those configured below matches, then the object matches.
Property Name | Type | Mandatory | Description |
---|---|---|---|
rightNames | | NO | The condition matches if the object has a Right Grant whose name is among this list. |
rightTargets | | NO | The condition matches if the object has a Right Grant whose target is among this list. |
rightNameAndTargets | | NO | The condition matches if the object has a Right Grant whose name and target are among this list. |
names properties
Each name will have the following configuration:
Property Name | Type | Mandatory | Description |
---|---|---|---|
name | | NO | The right name. |
nameAndTargets properties
Each name and target pair will have the following configuration:
Property Name | Type | Mandatory | Description |
---|---|---|---|
name | | NO | The right name. |
target | | NO | The target name. |
Example
```xml
<objectMatchingCondition>
  <objectKind>IDENTITY</objectKind>
  <objectTypes>
    <objectType>internal</objectType>
    <objectType>contractor</objectType>
  </objectTypes>
  <rightMatchingCondition>
    <names>
      <name>right1</name>
      <name>right2</name>
    </names>
  </rightMatchingCondition>
</objectMatchingCondition>
```
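To make the combination rules concrete (object types ORed, then ANDed with the strategy and the right condition, right names ORed among themselves), here is an added evaluator written for this page, not code from the IDM product. It parses the example above, extended with an assumed simpleObjectMatchingStrategyDefinition on a constructed "mail" attribute (element names are assumed to follow the property names in the tables), and checks constructed identities against it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration: the page's example plus a simple strategy on
# the "mail" attribute (element names assumed to follow the property names above).
CONFIG_XML = r"""
<objectMatchingCondition>
  <objectKind>IDENTITY</objectKind>
  <objectTypes>
    <objectType>internal</objectType>
    <objectType>contractor</objectType>
  </objectTypes>
  <simpleObjectMatchingStrategyDefinition>
    <inputAttributeId>mail</inputAttributeId>
    <regex>[^@]+@example\.com</regex>
  </simpleObjectMatchingStrategyDefinition>
  <rightMatchingCondition>
    <names><name>right1</name><name>right2</name></names>
  </rightMatchingCondition>
</objectMatchingCondition>
"""

def matches(config_xml, obj):
    """obj: {"kind", "type", "attributes": {name: [values]}, "rights": [(name, target)]}.
    Configured criteria are ANDed; the values inside one criterion are ORed."""
    cond = ET.fromstring(config_xml.strip())
    if obj["kind"] != cond.findtext("objectKind"):
        return False
    types = [e.text for e in cond.findall("objectTypes/objectType")]
    if types and obj["type"] not in types:  # type = "internal" or type = "contractor"
        return False
    simple = cond.find("simpleObjectMatchingStrategyDefinition")
    if simple is not None:
        regex = re.compile(simple.findtext("regex"))
        values = obj["attributes"].get(simple.findtext("inputAttributeId"), [])
        # Multi-valued attribute: any value matching is enough (whole-value match assumed).
        if not any(regex.fullmatch(v) for v in values):
            return False
    names = [e.text for e in cond.findall("rightMatchingCondition/names/name")]
    # Right names are ORed: one Right Grant with a listed name is enough.
    if names and not any(name in names for name, _target in obj["rights"]):
        return False
    return True

def identity(kind, type_, mail, rights):
    """Build a constructed identity object for testing the condition."""
    return {"kind": kind, "type": type_, "attributes": {"mail": [mail]}, "rights": rights}

if __name__ == "__main__":
    print(matches(CONFIG_XML, identity("IDENTITY", "internal", "a@example.com", [("right2", "app")])))
```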