Differences in rule based and default (tier) logical applications

  • 7011072
  • 13-Feb-2012
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

In Access Governance Suite 5.2, the "Rule Based Logical" and "Default Logical" application types share many settings but also differ in significant ways that Access Governance Suite administrators must understand, especially in how application account links are detected.

The "Logical Account Rule" contains the script that builds the account links for the given identity. In addition to the standard rule arguments (log, context), the rule receives the "identity" and "application" objects. The rule returns null, a single link, or a list of links.
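The following is an added example of a Logical Account Rule body (BeanShell, Java syntax); it is not code from the article or the product. It assumes two placeholder underlying applications, "HR-Primary" and "AD-Secondary", and builds one logical link only when the identity holds an account on both; the method names used are assumed from the underlying IdentityIQ object model and should be checked against the Javadoc of the deployed version.

```java
// Logical Account Rule body (BeanShell). Rule arguments "log", "context",
// "identity" and "application" are supplied by Access Governance Suite.
// Assumed API: Identity.getLinks/getName/getDisplayName, Link.getApplication,
// Link.getNativeIdentity/setApplication/setIdentity/setNativeIdentity/
// setDisplayName/setAttribute, Application.getName (verify against Javadoc).
import java.util.List;
import java.util.Iterator;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.Application;

String PRIMARY_APP = "HR-Primary";     // placeholder tier-1 application name
String SECONDARY_APP = "AD-Secondary"; // placeholder tier-2 application name

// Return the identity's first link on the named application, or null if none.
Link findLink(Identity ident, String appName) {
    List links = ident.getLinks();
    if (links == null) return null;
    for (Iterator it = links.iterator(); it.hasNext();) {
        Link l = (Link) it.next();
        Application app = l.getApplication();
        if (app != null && appName.equals(app.getName())) return l;
    }
    return null;
}

Link primary = findLink(identity, PRIMARY_APP);
Link secondary = findLink(identity, SECONDARY_APP);

// Returning null means "no logical account for this identity"; a link created
// on an earlier run is then eligible for removal by the next aggregation/refresh.
if (primary == null || secondary == null) {
    log.debug("No logical account for " + identity.getName()
              + ": primary=" + (primary != null) + " secondary=" + (secondary != null));
    return null;
}

// Build the logical link on the logical application passed to the rule. The
// native identity is copied from the primary tier so the link is stable across runs.
Link logical = new Link();
logical.setApplication(application);
logical.setIdentity(identity);
logical.setNativeIdentity(primary.getNativeIdentity());
logical.setDisplayName(identity.getDisplayName());
// Record the underlying accounts so the link can be traced when reviewing it.
logical.setAttribute("primaryAccount", primary.getNativeIdentity());
logical.setAttribute("secondaryAccount", secondary.getNativeIdentity());

return logical;
```

A rule that returns a link too readily over-reports logical accounts in certifications, while one that misses a tier silently drops them, so the qualifying condition should be reviewed against the tier design before enabling "Refresh composite application links".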

The "Logical Provisioning Rule" contains the script that customizes a provisioning plan (if configured) for remediation and/or account creation. In addition to the standard rule arguments (log, context), the rule receives the "identity" and "plan" (provisioning plan) objects. The rule returns a provisioning plan object (e.g., the "plan" argument).

The "Identity Refresh" task offers the "Refresh composite application links" option. Enabling this option causes Access Governance Suite to run the "Logical Account Rule" of every logical application on each identity.

The "Account Aggregation" task reveals an important difference between "Rule Based Logical" and "Default Logical" applications. On "Default Logical" applications, Access Governance Suite uses the "Tier" settings to search for new, qualified identities. On "Rule Based Logical" applications, Access Governance Suite only examines identities that already have application links. An aggregation task handles both updating and deleting existing logical application links, but it does NOT create any new "Rule Based Logical" application links.