Chat now with support
Chat with Support

Identity Manager 8.0 - Compliance Rules Administration Guide

Compliance Rules and Identity Audit
One Identity Manager Users for the Identity Audit Base Data for Setting up Rules Setting up a Rule Base Rule check Creating Custom Mail Templates for Notifications
Mitigating Controls Configuration Parameters for Identity Audit

Creating Rule Conditions

Creating Rule Conditions

Table 24: General Configuration Parameters for Rule Compliance
Configuration parameter Meaning if Set
QER\ComplianceCheck\SimpleMode Preprocessor relevant configuration parameter for controlling the definition of rule conditions for compliance rules. Changes to the parameter require recompiling the database.

If this parameter is set, you can set up rule conditions with a simplified definition.

In the rule condition, combine all the entitlements that lead to a rule violation. The affected employee group and entitlements are restricted separately in the rule condition. Employees and identities that the rule condition will be applied to, are determined by the employee group. The properties that result in a rule violation for the affected employees, are defined by the affected entitlements. The entitlements are determined through the object relations of the affected employees (table PersonHasObject).

NOTE: If the configuration parameter "QER\ComplianceCheck\SimpleMode\NonSimpleAllowed" is set, rule conditions can be created in advanced mode as well as in the simplified definition.

To use the simplified definition

  • Enable the option Rule for cyclical testing and risk analysis in IT Shop on the rule's master data form.

For more information, see Rule Conditions in Advanced Mode.

Basics for Using the Rule Editor

Basics for Using the Rule Editor

Table 25: Configuration Parameters for Entering Extended Rule Conditions
Configuration parameter Meaning if Set
QER\ComplianceCheck\SimpleMode\ShowDescriptions Displays additional input fields for describing the compliance rules in the Rule Editor.

The Rule Editor is there to help you formulate rule conditions. You can use predefined condition type and operator for this. The complete database query is composed internally. If the configuration parameter "QER\ComplianceCheck\SimpleMode\ShowDescriptions" is set, additional input fields are displayed in the simplified definition, providing a more detailed description of each rule block.

Figure 2: Rule Editor for Simple Definition of Rules

The Rule Editor control elements supply operators and properties that you need for formulating partial conditions. You can only select one entry from the drop-down menu. You can select more entries from extended drop-down menus, where the properties are displayed hierarchically and then added to the condition using an "or" operator. You may enter text directly into input fields. Pop-up menus and input fields are shown and hidden dynamically.

A rule condition is made up of several rule blocks. A rule violation is detected when an employee, with properties and assignments, can be matched to all the rule blocks.

There are two types of rule blocks:

  • Affected groups of employees

    Each rule must obtain exactly one rule block that specifies the employee group that the rule should be applied to. By default, all employees with all identities are taken into account. You can, however, restrict the employee groups more.

  • Entitlements affected

    You need to define at least one rule block that finds affected entitlements. The properties that result in a rule violation in the employee group affected are defined here. You can check the following entitlements in the rule block: roles, target system groups, system entitlements, system roles, applications, resources.

You can add any number of partial conditions within one rule block and link them with each other using the Rule Editor. Use the options All and At least one to specify whether one or all partial conditions in the block have to be fulfilled.

Table 26: Meaning of Icons in the Rule Editor
Icon Meaning
Add another partial condition or another rule block. A new line is displayed for entering the condition.
Delete the partial condition or rule block. The line is removed.
Opens the preview window. Affected objects are shown.
The list of affected objects is shown in the preview window.

To display a preview of affected objects

  1. Click the condition or partial condition in the Rule Editor.
  2. Click in the preview window to display the list of affected objects.

Specifying the Affected Employee Group

Specifying the Affected Employee Group

Each rule has to contain exactly one rule block which specifies the employee group.

Figure 3: Rule Block for the Employee Group Affected

Use the following to options to limit the affected employee groups.

  • From all employees

    All employees are taken into account.

  • Only from employees that fulfill all/at least one of the following conditions

    You can limit the employee group with a condition, for example, "All employees in group A" or "All external employees". To determine the affected employee group, formulate the appropriate partial conditions.

    You can specify a condition type in the first pop-up menu of the partial condition which restricts the affected employee group.

    Table 27: Permitted Condition Types in the Rule Editor
    Condition Type Meaning
    Property Employees' properties. The drop-down menu with permitted properties is already restricted to the most important employee properties.
    For the user account with the target system type User account properties of the employees with the selected target system type.
    SQL Query SQL query (WHERE clause) input.
  • A single identity
    Table 28: Results of the Rule Check
    The rule is ... Condition
    violated An employee's sub or main identity fulfills the rule condition.
    not violated The main identity only fulfills the rule condition due to its subidentity.
  • The combination of all identities

    The rule is violated:

    • if an employee's subidentity or the main identity fulfills the rule condition

      - OR -

    • the main identity only fulfills the rule condition due to its subidentity.
Related Topics

Specifying Affected Entitlements

Specifying Affected Entitlements

In order to take entitlements into account in the rule, you must define at least one rule block that determines the affected entitlements for employee groups. Each rule block can contain more than one partial condition. The partial conditions are linked through the options all or at least one.

Figure 4: Rule Block for Affected Entitlements

Use the following to options to limit the affected entitlements.

  • at least one entitlement

    Define one entitlement per rule block.

    Table 29: Specifying Affected Entitlements


    Partial condition


    <target system types>

    (System entitlements)



    System entitlement property from the selected target system, for example, "Distinguished name" or "Container".

    Permissions control

    Permissions element defined for this target system.

    NOTE: Permissions elements are only created for custom target systems.

    has extended property

    Extended property assigned to the system entitlements.

    has extended property in range

    Extended property assigned to the system entitlements with a defined range of values. The rule verifies the correct value.




    Properties of resources/application, such as "application name" or "resource type".


    Memberships of resources/applications in hierarchical roles and structuresIT Shop.

    Account definitions


    Properties of account definitions, such as "resource type".

    System roles


    Properties of system roles, such as "display name".


    Memberships of system roles in hierarchical roles and assignments to employee or workdesks.

    Rules can be created for all the system entitlements displayed in the Unified Namespace. The rule conditions access the Unified Namespace database layers to do this. You can select target system types as entitlement type.

  • At least one role or organization assignment

    Define one role class assignment per rule block (One Identity Manager application roles, departments, locations, cost centers, business roles).

    Table 30: Specifying affected Role Memberships


    Partial condition


    Application Roles



    Business roles

    Cost centers


    Properties of the role, such as "full name" or "parent role".

    Assignment in other objects

    Assignments of role to other objects, such as primary departments to different employees.


    Memberships of company resource in roles, such as DepartmentHasADSGroup.

  • at least on function

    Enter at least one SAP function to replace the rule.

    NOTE: This option can only be selected if the module SAP R/3 Compliance Add-on Module is installed.
  • Number of entitlements

    You specify how many entitlements the employee must have to violate the rule.

    By default, a rule violation is identified, if one of the employee of the employee group affected, is assigned an object that fulfills the condition of the rule block. You can increase this number. The value "0" is not valid.

Related Topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating