Environment
NetIQ Access Governance Suite
Situation
How to skip accounts in aggregation when application enables merge feature
Resolution
Define a "ResourceObjectCustomization" rule to return null when wanting to skip over an account during aggregation.
Additional Information
Background:
The application-defined "BuildMap" rule supports a behavior of returning NULL to get Access Governance Suite to skip further processing
of the current entry. This approach offers a way to implement rule-based filtering of application accounts.
However, this behavior fails if the application uses the merging option. The application-defined merge feature joins data from multiple entries in the resultset when iterating thru the application accounts.
The connector logic applies the "BuildMap" rule on each entry. With merging enabled, a NULL return value skips over that (partial) entry, yet Access Governance Suite processes any other entries for the account. Additionally, the "BuildMap" rule does not provide the fully populated map values. This invalidates the desired fitlering conditions, making compound, complex filtering unreliable.
After the "BuildMap" rule, the logic checks/runs the (cfg-ed) "MergeMaps" rule. This rule combines the new (buildmap-returned) map into the current (resource object) map. After the last "MergeMaps" rule runs, then the logic runs the "ResourceObjectCustomization" rule.
This rule provides a fully populated map of account values and follows the same "return NULL" behavior as the "BuildMap" rule.
The application-defined "BuildMap" rule supports a behavior of returning NULL to get Access Governance Suite to skip further processing
of the current entry. This approach offers a way to implement rule-based filtering of application accounts.
However, this behavior fails if the application uses the merging option. The application-defined merge feature joins data from multiple entries in the resultset when iterating thru the application accounts.
The connector logic applies the "BuildMap" rule on each entry. With merging enabled, a NULL return value skips over that (partial) entry, yet Access Governance Suite processes any other entries for the account. Additionally, the "BuildMap" rule does not provide the fully populated map values. This invalidates the desired fitlering conditions, making compound, complex filtering unreliable.
After the "BuildMap" rule, the logic checks/runs the (cfg-ed) "MergeMaps" rule. This rule combines the new (buildmap-returned) map into the current (resource object) map. After the last "MergeMaps" rule runs, then the logic runs the "ResourceObjectCustomization" rule.
This rule provides a fully populated map of account values and follows the same "return NULL" behavior as the "BuildMap" rule.