2.6 Validating Provisioning Objects

The Validation feature allows you to validate provisioning objects on the local file system before you deploy. The validation runs Designer’s project checker and displays the results in the Project Checker view.

You can validate provisioning objects individually, by node (such as the directory abstraction layer, a provisioning team, or a separation of duty constraint), or at the User Application driver level. Each node (individual, container-level, or driver-level) has a right-click menu item called Validate. In addition, when you open an object in the editor, you can access the Validate option for that item from Designer’s main menu and toolbar. For example, if you have a provisioning request definition open in the editor, the main menu and toolbar provide a PRD > Validate menu option.

NOTE: Validation does not check the Identity Vault for the existence of any object.

Each object type has its own validation rules, which are described in the following sections:

2.6.1 Directory Abstraction Layer Objects

Designer does the following:

  • Verifies that the XML is well-formed and complies with the schema that defines the elements needed for entities, attributes, lists, relationships, and so on.

  • Checks every entity to ensure that references to other entities and global lists are valid.

    For example, when validating an entity and its attributes, the validator checks that the entities referred to through Edit Entity, DNLookup, and Detail Entity references exist.

  • Ensures that every entity has at least one attribute defined.

  • Ensures that every local and global list contains at least one item.

2.6.2 Provisioning Request Definitions

Designer does the following:

  • Validates that every Provisioning Request Definition has at least one request form and one approval form.

  • Ensures that the Condition Activity has both an outbound true flow path and an outbound false flow path.

  • Ensures that the Entitlement Activity Data Item Mapping for DirXML-Entitlement-DN is valid.

  • Ensures that the Final Timeout Action property (for User Activities) has a matching flow path link leading from the activity. For example, if Final Timeout Action=denied, there must be a denied link.

  • For Branch and Merge activities, ensures that a workflow has an equal number of Branch and Merge activities. It also ensures that all paths descending from a Branch activity merge into one Merge activity, that all Merge activities have a Branch activity, and that all Merge activities have a branch-activity-id attribute.

  • Ensures that static list keys contain the correct data for the decimal data type.
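
The following added example (not Designer's project checker code, and not part of the original documentation) applies the Condition, Final Timeout Action, and Branch/Merge rules above to a workflow held in a simple in-memory model. The dictionary layout, the activity ids, and the flow names forward and approved are assumptions made for the illustration; it does not read Designer's own file format.

```python
def validate_workflow(activities, links):
    """Return findings; activities is {id: {...}}, links is [(src, flow, dst)]."""
    findings, out = [], {}
    for src, flow, dst in links:
        out.setdefault(src, []).append((flow, dst))
    types = [a["type"] for a in activities.values()]
    if types.count("branch") != types.count("merge"):
        findings.append("workflow: Branch and Merge counts differ")
    merge_of = {}  # Branch id -> Merge whose branch-activity-id names it
    for aid, act in activities.items():
        flows = {flow for flow, _ in out.get(aid, [])}
        required = {"condition": ["true", "false"],
                    "user": [act.get("final_timeout_action")]}.get(act["type"], [])
        for flow in required:
            if flow and flow not in flows:
                findings.append(f"{aid}: no outbound {flow} flow path")
        if act["type"] == "merge":
            ref = act.get("branch_activity_id")
            if activities.get(ref, {}).get("type") != "branch":
                findings.append(f"{aid}: branch-activity-id missing or not a Branch")
            else:
                merge_of[ref] = aid
    # Every path leaving a Branch must pass through its Merge: with the Merge
    # removed from the graph, no dead end may be reachable from the Branch.
    for branch, merge in merge_of.items():
        seen, stack = set(), [branch]
        while stack:
            node = stack.pop()
            if node == merge or node in seen:
                continue
            seen.add(node)
            targets = [dst for _, dst in out.get(node, [])]
            if not targets:
                findings.append(f"{branch}: path ends at {node} before {merge}")
            stack.extend(targets)
    return findings

# Constructed sample (hypothetical ids and flow names) with three defects.
SAMPLE_ACTIVITIES = {
    "cond1": {"type": "condition"}, "branch1": {"type": "branch"},
    "approve1": {"type": "user", "final_timeout_action": "denied"},
    "log1": {"type": "log"}, "finish": {"type": "finish"},
    "merge1": {"type": "merge", "branch_activity_id": "branch1"},
}
SAMPLE_LINKS = [
    ("cond1", "true", "branch1"), ("branch1", "forward", "approve1"),
    ("branch1", "forward", "log1"), ("approve1", "approved", "merge1"),
    ("merge1", "forward", "finish"),
]
```

Calling validate_workflow(SAMPLE_ACTIVITIES, SAMPLE_LINKS) reports the missing false path on cond1, the missing denied link on approve1, and the branch arm that stops at log1 without reaching merge1.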

2.6.3 Provisioning Teams

Designer does the following:

  • Validates that managers and members have been defined for the team.

  • Validates that team requests are specified for the team.

  • If the request scope is Categories, it validates that the team request actually references a category.

2.6.4 Role Configuration Objects

Designer does the following:

  • Ensures that the Quorum value is a number between 0 and 100. Validation rules take into consideration that a percentage can be entered.

  • Ensures that the Removal Grace Period is a positive number.

  • Ensures that Display Names and Descriptions use supported locales.

  • Ensures that the Provisioning Request Definitions defined for the Role Approval and SoD Conflict Approvals are valid, are not templates, and have process types that match properly.

  • Ensures that Separation of Duties (SoD) approvers exist and are valid.

2.6.5 Roles

Before deployment, Designer validates that:

  • The category exists.

  • The description is provided for all supported languages.

  • The Quorum is a valid expression.

  • Approvers are present when the approval type is set to standard serial or parallel.

On deploy, Designer validates that the following objects exist in the Identity Vault:

  • The entitlement

  • The owner

  • The Role Trustees

  • The lower-level roles

  • Groups

  • Containers

  • Approvers

  • Provisioning request definition

2.6.6 Resources

Before deployment, Designer validates that:

  • The category exists.

  • The description is provided for all supported languages.

  • The Quorum is a valid expression.

  • Approvers are present when the approval type is set to standard serial or parallel.

On deploy, Designer validates that the following objects exist in the Identity Vault:

  • The owner

  • The Resource Trustees

  • Approvers

  • Provisioning request definition

2.6.7 User Application Driver Locales

For the User Application driver locales, Designer ensures that the locales contain descriptions and display names. You can turn off the validation of display names for each locale by setting a preference. For more information, see Section 2.3, Setting Provisioning View Preferences.