Working with rules

 

Updated: August 1, 2013

Applies To: Forefront Identity Manager

In the BHOLD Analytics module of Microsoft BHOLD Suite Service Pack 1 (SP1), a rule is the mechanism that allows you to test whether your BHOLD role model conforms to the policy and legal requirements of your business. For example, if your internal policy limits the number of permissions that a temporary employee can be assigned, you can craft a rule that identifies those temporary employees who have more permissions than are allowed. You can then use the BHOLD Core portal to correct the discrepancy.

You can define a global filter that affects the analysis of all rules in all rulesets. For more information, see Working with the global filter elsewhere in this guide.

A rule consists of seven parts:

  • Metadata that includes the rule’s title, owner, creator, category, description, and status.

  • The element that the rule analyzes, such as users, organizational units (orgunits), and accounts.

  • A subset filter that excludes one or more classes of the element from the analysis.

  • A set of policy rules that represent your organization’s requirements.

  • The format of the report that the rule will generate.

  • Selections to extend the report with additional information.

  • A selection to include in the report the causes for policy violations.

It is important to understand the difference between the subset filter and the policy rules. The subset filter uses expressions to exclude a set of role-model items from the analysis. For example, the filter expression EmployeeType = FTE would exclude all users who are not full-time employees. The policy rules, on the other hand, express the desired condition. For example, the policy-rule expression Number of Permissions < 15 would represent a policy that requires an element (such as a user or role) to be linked to fewer than 15 permissions. With this policy rule in place, when a report is generated by a rule, the report would show the number of users or roles that have fewer than 15 permissions and, more importantly, the specific users or roles that are noncompliant, that is, that have 15 or more permissions.

By default, multiple filters or policy rules are joined by an implicit logical AND operator. You can instead specify that they are joined by a logical OR operator when they are evaluated.

For each rule, you can specify the format of the report that the rule generates, either a text (CSV) file, or a Microsoft Excel file in .XLS format. Because the report format is specific to each rule, a batch report can produce a mixture of CSV and Excel reports. For information about batch reports, see Creating a batch report in Working with rulesets elsewhere in this guide.

Important

The column separator of the CSV format is a semicolon (;), not a comma (,). If a rule uses CSV format to generate its report, you must use the Region and Language dialog box in Control Panel to set the list separator character to a semicolon (;) if you want to use Excel to open the report file by clicking on the link in the BHOLD Analytics portal.
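The following added example (not BHOLD code and not part of the original guide) models how a subset filter, AND/OR-joined policy rules, and a semicolon-separated report fit together. It can be used to sanity-check what a rule should flag before building it in the portal. The user records, field names, and the `Roles < 5` policy are constructed assumptions; only `EmployeeType = FTE` and `Number of Permissions < 15` come from the text above.

```python
import csv
import io

# Constructed sample role-model data; the field names are assumptions.
USERS = [
    {"Name": "alice", "EmployeeType": "FTE", "Permissions": 9, "Roles": 2},
    {"Name": "bob", "EmployeeType": "FTE", "Permissions": 22, "Roles": 3},
    {"Name": "carol", "EmployeeType": "Temp", "Permissions": 31, "Roles": 1},
    {"Name": "dave", "EmployeeType": "FTE", "Permissions": 15, "Roles": 7},
]

# The first two expressions are the page's examples; the third is constructed.
is_fte = lambda u: u["EmployeeType"] == "FTE"
few_permissions = lambda u: u["Permissions"] < 15
few_roles = lambda u: u["Roles"] < 5

def join(expressions, item, use_or=False):
    """Join expressions with AND (the default) or OR; no expressions passes."""
    if not expressions:
        return True
    results = [expr(item) for expr in expressions]
    return any(results) if use_or else all(results)

def analyze(items, subset_filters, policy_rules, filters_or=False, rules_or=False):
    """Return (subset, compliant, noncompliant) for one modeled rule."""
    # The subset filter only decides which items are analyzed at all.
    subset = [i for i in items if join(subset_filters, i, filters_or)]
    # The policy rules state the desired condition; items failing it violate policy.
    compliant = [i for i in subset if join(policy_rules, i, rules_or)]
    noncompliant = [i for i in subset if i not in compliant]
    return subset, compliant, noncompliant

def to_report(rows):
    """Write rows as a text report with ';' as the column separator."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(USERS[0]), delimiter=";",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

def read_report(text):
    """Parse a ';'-separated report without changing regional settings."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

if __name__ == "__main__":
    subset, ok, bad = analyze(USERS, [is_fte], [few_permissions, few_roles])
    print(len(subset), len(ok), [u["Name"] for u in bad])
    print(to_report(bad))
```

Note that `dave` has exactly 15 permissions and is reported as noncompliant, matching the page's statement that 15 or more violates `Number of Permissions < 15`, while `carol` never appears because the subset filter removed her before the policy was evaluated.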

All of the procedures in this topic are performed by using the BHOLD Analytics portal. To open the BHOLD Analytics portal, log on to the computer where BHOLD Analytics is installed by using the root account or another account with the necessary BHOLD permissions, and then double-click the Microsoft BHOLD Suite—Analytics shortcut on the desktop. If the shortcut is not available, open a web browser and then type the following URL into the address bar:

http://<server>:<port>/BHOLD/Analytics

where <server> is the name or IP address of the server running BHOLD Core and BHOLD Analytics, and <port> is the port number that was specified when BHOLD Core was installed.

A rule is created in the context of a ruleset. Before creating a rule, you should create a ruleset to contain it. For more information about rulesets, see Working with rulesets elsewhere in this guide.

To create a rule

  1. In the BHOLD Analytics portal, under Current Ruleset:<ruleset>, click New Rule.

  2. In the Rule Properties dialog box, in Title, type a name for the rule.

  3. In Element, click the type of role-model object that you want the rule to evaluate.

  4. To create a subset filter, expand Subset, and then do the following as needed to add filter expressions to the subset filter:

    1. Click Add Filter.

    2. In the Filter Properties dialog box, in the Type list, click the expression type, select or type the parts of the filter expression, and then click Save.

      Note

      The parts of the filter expression vary depending on the expression type. Also, certain operators allow you to enter more than one value.

  5. To create one or more policy rules, expand Rules, and then do the following as needed to add policy rules:

    1. Click Add Filter.

    2. In the Filter Properties dialog box, in the Type list, click the expression type, select or type the parts of the policy rule expression, and then click Save.

  6. In the Report Generation Mode list, click the format you want the rule report to be saved in.

  7. To include additional information in the rule report, next to Extend Results With, select the check boxes of the elements that you want to include in the report.

  8. To include information about the reasons an element does not conform to the policy rules, select Show violation causes.

  9. To view a summary of the results of the evaluation of the rule, click Impact.

  10. Click Save.

You can view a rule’s impact (that is, the results of the analysis of the rule) without generating a rule report. The impact display contains the same information as the rule report, but the results are not saved to a file.

To view the impact of a rule

  1. In the BHOLD Analytics portal, point to the rule.

  2. When the buttons appear to the right of the rule, click Impact.

  3. To view a detailed listing of the resulting subset, compliant records, or noncompliant records, click Show.

You can edit a rule to change any of the parameters that you specified when you created the rule.

To edit a rule

  1. In the BHOLD Analytics portal, point to the rule.

  2. When the buttons appear to the right of the rule, click Edit.

  3. In the Rule Properties dialog box, make the desired changes, and then click Save.

You can copy an existing rule to use as a template that you can modify to create a new rule.

To copy a rule

  1. In the BHOLD Analytics portal, point to the rule.

  2. When the buttons appear to the right of the rule, click Copy.

The copy appears in the ruleset list as Copy of <rule>.

You can permanently remove a rule from a ruleset.

To delete a rule

  1. In the BHOLD Analytics portal, point to the rule.

  2. When the buttons appear to the right of the rule, click Delete, and then click OK.

You can produce a file that contains the results of the analysis of a rule.

To create a report for a rule

  1. In the BHOLD Analytics portal, point to the rule.

  2. When the buttons appear to the right of the rule, click Report.

After creating the report, you can open the report by clicking the link under the Report heading in the ruleset list. You can also open previously created reports.

In addition to creating a report for a single rule, you can create a batch report that contains the results of the analysis of more than one rule in a ruleset. For more information, see Creating a batch report in Working with rulesets elsewhere in this guide.
