When I originally wrote this article, IDM 3.5 was still in beta, and I did not know of a couple of extra features that would really help out in this case. If you want to see them in action and only have 3.01 IDM servers, you can still do it in Designer.
Setting the Version Value
With the latest Designer builds (2.0 series) there is a feature to set the version value on Identity Vault objects. To use this feature:
1. Right-click the Identity Vault object and choose Properties.
2. Choose item 3 (the server list) and select a server.
3. Click Edit.
The window that pops up has an Identity Manager Version box.
4. Click the Live icon on the right end of the line to do a live query of what the version is. Or, you can override it yourself.
5. Using a test project, select an Identity Vault and some other driver (like Notes) and don’t bother configuring them.
6. Click Finish.
7. Set the vault to be IDM 3.5. Now if you work on a policy in that vault, you will see the 3.5 policy builder.
There are two main constructs that will help our example: Map objects and the IF action.
IDM 3.5 adds a new action IF-THEN-ELSE. In 3.01 and below, you can set a condition (sort of implicitly an IF), but once you get into the Actions section you cannot do another IF. Typically you set a local variable and test it in a second rule if you need a second IF test.
With 3.5 you can directly perform an IF test, and of course an ELSE as well. (Alas, no CASE statement is in sight yet.)
For our example, you could test some value of a user object, like L (Location), or perhaps some custom attribute that stores a value you base your decisions on. Then you could do a test like this one: “IF the location is Bahamas, set the server to the appropriate server for the Bahamas, the correct certifier, the correct naming standard for ID files, and the correct naming for the Mailfile.”
Once you get beyond one or two of these options it will get quite cumbersome. In fact, the only reason to mention it is that prior to Map objects, we typically would have done the logic in a series of rules using the condition testing in each rule.
Now that we have Map objects, things get easier.
First, you need to create a Map object to store the two values. It is available once you set the Identity Vault to be IDM 3.5.
1. Right-click on any container in the policy set and select New, Mapping Table.
2. Create columns for the data and fill in data in the rows.
3. Use the Map verb inside a policy to map attributes when you need them.
In the case of multiple certifiers, you can easily list a series of locations and the correct string to use as a replacement for the Certifier name. Perhaps another column can be used for the mail server, and another for the directory on the mail server.
This moves the logic out of the rule set and into an eDirectory object. Next, you need to figure out whether the driver has to be restarted for a change to the Map object to take effect. If not, you have a very nice method of updating the rules when a new office or location is opened up.
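The following is an added example, not taken from the original article: a Mapping Table object and a DirXML Script rule that looks up the certifier and mail server from the user's L attribute, then uses the IF action to veto the add when the location has no row, so a user is never registered under the wrong certifier. The table name LocationMap, its relative path, the column names, the local variable names and the row data are all constructed for illustration, and the check assumes an unmapped value expands to an empty string.

```xml
<!-- Object 1: Mapping Table "LocationMap" (hypothetical name; rows are constructed sample data) -->
<mapping-table>
  <col-def name="Location" type="nocase"/>
  <col-def name="Certifier" type="nocase"/>
  <col-def name="MailServer" type="nocase"/>
  <row><col>Bahamas</col><col>/BAH/ACME</col><col>CN=MAIL-BAH/O=ACME</col></row>
  <row><col>Toronto</col><col>/TOR/ACME</col><col>CN=MAIL-TOR/O=ACME</col></row>
</mapping-table>
<!-- Object 2: policy rule; one lookup per column replaces a chain of per-location IF tests -->
<policy>
  <rule>
    <description>Select certifier and mail server by location</description>
    <conditions>
      <and>
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="lv-certifier" scope="policy">
        <arg-string>
          <token-map dest="Certifier" src="Location" table="..\LocationMap">
            <token-op-attr name="L"/>
          </token-map>
        </arg-string>
      </do-set-local-variable>
      <do-set-local-variable name="lv-mailserver" scope="policy">
        <arg-string>
          <token-map dest="MailServer" src="Location" table="..\LocationMap">
            <token-op-attr name="L"/>
          </token-map>
        </arg-string>
      </do-set-local-variable>
      <!-- Fail closed: veto when either lookup came back empty (assumed result for an unmapped L) -->
      <do-if>
        <arg-conditions>
          <or>
            <if-local-variable name="lv-certifier" op="equal"/>
            <if-local-variable name="lv-mailserver" op="equal"/>
          </or>
        </arg-conditions>
        <arg-actions>
          <do-veto/>
        </arg-actions>
        <arg-actions/>
      </do-if>
    </actions>
  </rule>
</policy>
```

Later rules in the same policy can read lv-certifier and lv-mailserver when they build the values the driver needs. Opening a new office then means adding one row to the table instead of editing the rule.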
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.