Rule checking rule modifications
A processing task for rule checking is generated the moment an active rule is modified or deleted. All identities are checked to see if they fulfill the affected rule.
When specific changes are made to entitlements, you can immediately queue or schedule the calculation tasks to check the rules. Specify the desired behavior in the QER | ComplianceCheck | CalculateImmediately configuration parameter. If the parameter is set, the processing task for recalculating rule violations for an identity is immediately queued. If the parameter is not set, the calculation task is started the next time the schedule is planned to run.
To trigger rule checks immediately after relevant changes have been made
- In the Designer, set the QER | ComplianceCheck | CalculateImmediately configuration parameter.
  The processing task for recalculating rule violations for an identity is immediately started when relevant changes occur.
NOTE: This configuration parameter only applies if data changes are relevant. These include:
- Changes to identity main data
- Changes to identity assignments (for example, the PersonHasQERResource table)
- Changes to identities' role memberships
- Changes to membership in system entitlements (for example, the ADSAccountInADSGroup table)
- Changes to SAP function matches (the SAPUserInSAPFunction table)
Ad-hoc rule checking
There are several tasks available for a rule that immediately perform a rule check.
Table 23: Additional tasks for rules
Recalculate rule | All identities are checked to see if they comply with the current rule.
Recalculate for current user | All identities are checked to see if they comply with all rules.
Recalculate all | All identities are checked to see if they comply with all rules.
Speeding up rule checking
Scheduled rule checking can take a long time under certain circumstances. For example, this may happen if a lot of rules exist in which the identities affected are not limited ("This rule is broken by all identities"). One Identity Manager supplies two consistency checks for optimizing the performance of calculating affected identities. This reduces the amount of data in the auxiliary tables.
To optimize rule checking, start these consistency checks and repair the rules which are found.
To run a consistency check
- In the Manager, select the Database > Check data consistency menu item.
- Click in the Consistency Editor's toolbar.
- Click in the "Test options" dialog's toolbar.
- Set the Content > Compliance > ComplianceRule change IsPersonStoreInverted to 1 and Content > Compliance > ComplianceRule change IsPersonStoreInverted to 0 checks.
- Click OK.
- Run the consistency check for the Database object.
- Verify the analysis results.
TIP: For details about an error message
- Select the error message.
- Click in the toolbar.
To optimize the rule condition for an affected rule
- Select the error message.
- Click on Repair both for the original rule and the working copy.
For more information about consistency checking, see the One Identity Manager Operational Guide.
Rule check analysis
Each rule references its own object for rule violations (NonCompliance table). Identities that violate rules are assigned to this object (PersonInNonCompliance table). There are two forms available for rule checking that are supposed to answer the following questions: