A dynamic role condition is defined as a valid Where clause for database queries and must relate to the selected object class.
You can enter the conditions directly as a SQL query or use the Where clause wizard. Alternatively, you can enter conditions for employee objects with the filter designer.
IMPORTANT: If the condition matches a large number of objects, calculating the memberships can place a heavy load on the DBQueue Processor and therefore on the database server.
NOTE: If you select the For the account with the target system type or For the entitlement with target system type condition type in the filter designer, only columns that are mapped in Unified Namespace and for which the Display in the filter designer column property is enabled can be selected.
NOTE: If you add comments to the condition with the comment characters --, // or %, the DBQueue Processor cannot calculate the dynamic role correctly and the calculation is aborted. Always enclose comments in /* ... */.
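As an added example (not taken from the One Identity Manager documentation), the following is a condition for the Person object class written as a WHERE clause with /* ... */ comments only. It assumes a SQL Server database and that the columns IsExternal, IsInActive, ExitDate and UID_Department exist on Person and UID_ParentDepartment on Department; the department key is a placeholder. Check every name against your own schema before saving the condition.

```sql
/* Dynamic role condition for the Person object class.
   Added example: column names are assumed, verify them against your Person
   and Department tables. The text is used as the WHERE clause of a query
   against Person, so it contains no SELECT, no ORDER BY and no trailing
   semicolon, and every comment is written as a block comment. */
IsExternal = 0                                       /* internal employees only */
AND IsInActive = 0
AND (ExitDate IS NULL OR ExitDate > GETUTCDATE())    /* SQL Server syntax assumed */
/* Employees of one department and of the departments directly below it.
   'CCC-DEPT-PLACEHOLDER' stands in for the real UID_Department. */
AND UID_Department IN (
    SELECT d.UID_Department
    FROM Department d
    WHERE d.UID_Department = 'CCC-DEPT-PLACEHOLDER'
       OR d.UID_ParentDepartment = 'CCC-DEPT-PLACEHOLDER'
)
```

Writing the same remarks as `-- internal employees only` or `// SQL Server syntax assumed` would make the DBQueue Processor abort the calculation, so keep to block comments even for one-line notes. The subquery is what drives the load mentioned above: run the condition as a SELECT COUNT(*) against Person first to see how many objects it selects.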
You should test which objects fulfill the given condition before you save a dynamic role.
NOTE: This task is only visible when the dynamic role condition is displayed as an SQL query.
To test the SQL condition
- Select the role for which the dynamic role was created.
- Open the role's overview form.
- Select the form element "dynamic roles" and click on the dynamic role.
- Select the Change master data task.
- Click (Edit SQL) on the form.
This displays the condition as SQL query.
- Select the Test condition task.
On the master data form, in the Test result field, all objects determined by the condition are displayed.
Table 25: Configuration parameters for calculating dynamic roles

| Configuration parameter | Meaning |
|---|---|
| QER \| Structures \| DynamicGroupCheck | Controls the generation of calculation tasks for dynamic roles. If this configuration parameter is not set, the subparameters do not apply. |
| QER \| Structures \| DynamicGroupCheck \| CalculateImmediatelyPerson | If the parameter is set, a calculation task for modifications to employees or employee level objects is queued immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks are queued the next time the schedule runs. |
| QER \| Structures \| DynamicGroupCheck \| CalculateImmediatelyHardware | If the parameter is set, a calculation task for modifications to hardware or hardware level objects is queued immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks are queued the next time the schedule runs. |
| QER \| Structures \| DynamicGroupCheck \| CalculateImmediatelyWorkdesk | If the parameter is set, a calculation task for modifications to workdesks or workdesk level objects is queued immediately in the DBQueue Processor. If the parameter is not set, the calculation tasks are queued the next time the schedule runs. |
To calculate role memberships, One Identity Manager checks every dynamic role for two cases:
- There is at least one object that satisfies the condition but is not assigned to the role.
- There is at least one object that does not satisfy the condition but is assigned to the role.
If either case applies, a request to add or delete the affected memberships is sent to the DBQueue Processor. During this check, employee objects that are marked for deletion are:
- Not added to roles through dynamic roles, even if they fulfill the condition.
- Removed from the role, even if they still fulfill the condition.
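The two checks above, written as a query you can run against the database to preview what a recalculation would add and remove before the schedule or an immediate calculation fires. This is an added example, not the product's own DBQueue Processor logic. It assumes a SQL Server database, that the dynamic role belongs to a business role (Org) identified by @UID_Org, that memberships are rows in PersonInOrg with the columns UID_Person and UID_Org, that Person carries the columns XMarkedForDeletion, IsExternal, IsInActive and CentralAccount, and that the condition shown in the CTE is the dynamic role's WHERE clause; the key value is a placeholder.

```sql
/* Added example: preview the add/remove set of one dynamic role.
   Assumptions (verify against your schema): role memberships live in
   PersonInOrg(UID_Person, UID_Org); Person.XMarkedForDeletion is non-zero
   for employees marked for deletion; the WHERE clause inside the CTE is the
   dynamic role condition, pasted in unchanged. T-SQL syntax. */
DECLARE @UID_Org VARCHAR(38) = 'CCC-ORG-PLACEHOLDER';   /* placeholder key */

WITH Matching AS (
    /* Objects that currently satisfy the condition. Employees marked for
       deletion are excluded here, so they are never added and, if they are
       still members, show up in the 'remove' result below. */
    SELECT UID_Person
    FROM Person
    WHERE XMarkedForDeletion = 0
      AND ( IsExternal = 0 AND IsInActive = 0 )       /* dynamic role condition */
)
/* Case 1: satisfies the condition but is not assigned -> would be added */
SELECT 'add' AS Action, p.UID_Person, p.CentralAccount
FROM Matching x
JOIN Person p ON p.UID_Person = x.UID_Person
WHERE NOT EXISTS (
    SELECT 1 FROM PersonInOrg m
    WHERE m.UID_Person = p.UID_Person AND m.UID_Org = @UID_Org
)
UNION ALL
/* Case 2: assigned but does not (or no longer) satisfy the condition,
   or is marked for deletion -> would be removed */
SELECT 'remove' AS Action, p.UID_Person, p.CentralAccount
FROM PersonInOrg m
JOIN Person p ON p.UID_Person = m.UID_Person
WHERE m.UID_Org = @UID_Org
  AND NOT EXISTS (
    SELECT 1 FROM Matching x WHERE x.UID_Person = p.UID_Person
  )
ORDER BY Action, p.CentralAccount;
```

An empty result means the role is consistent and the check would queue nothing. The number of rows Matching returns is the size of the set a recalculation has to evaluate, which is the figure to look at before saving a broad condition. The preview does not distinguish memberships that were assigned directly from those created by the dynamic role, so a directly assigned member who no longer matches appears under 'remove' even though only the dynamic assignment is affected.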
Tasks for recalculating memberships are set up depending on the configuration parameter settings by:
- Cyclical checking using a schedule
In the standard installation of One Identity Manager, the schedule Dynamic roles check is already defined. All dynamic role memberships are checked using this schedule and recalculation requests are sent to the DBQueue Processor if necessary. Checks are made at predefined intervals. Use the Designer to customize schedules or set up new ones to meet your requirements. For more detailed information, see the One Identity Manager Operational Guide.
- Immediately when an object changes
When object properties change, the DBQueue Processor checks the memberships immediately and changes them if necessary. To use this function, set the QER | Structures | DynamicGroupCheck | CalculateImmediatelyPerson, QER | Structures | DynamicGroupCheck | CalculateImmediatelyHardware, and QER | Structures | DynamicGroupCheck | CalculateImmediatelyWorkdesk configuration parameters in the Designer.
After you have entered the master data, you can run the following tasks.