Previous Topic: Explicit Global User Attribute Rules

Next Topic: Provisioning Role Performance

Built-in Rule Functions

You may use built-in rule functions in your rule expressions to perform various transformations on the values. The general form of built-in rule function invocation is

%[*]$$function(arg[,…])[:offset,length]%

where the multivalued indicator asterisk (*) and the offset and length substring specifications are once again optional.

The recognized built-in functions are as follows:

Built-in Rule Function

Description

ALLOF

Merges all the parameters into a multivalued attribute. Order is preserved and duplicates are removed. For example, if user attributes are set to the following:

eTCustomField01: { A, B }
eTCustomField02: { A, C }

Then, the rule:

%*ALLOF(%*UCU01%,%*UCU02%)%

evaluates to three values { A, B, C }.

DATE

Evaluates to the current date in dd/mm/yyyy format. The rule expression %D% is equivalent to one of the following:

%$$DATE()%
%$$DATE%

FIRSTOF

Returns the first value of any of the parameters. Used to insert a default value if an attribute is not set:

%$$FIRSTOF(%UCU01%,'unknown')%
%$$FIRSTOF(%LN%,%UCU01%,%U%)%

If none of the values is set, the result is no values. To enter a constant string in an argument, enclose it in single quotes.

INDEX

Returns one value of a multivalued attribute. Index 1 is the first value. If the index is greater than the number of values, the result is the unset (empty) value. The following rules are equivalent to the following:

%$$INDEX(%*UCU01%,1)%

%$$FIRSTOF(%*UCU01%)%

NOTEMPTY

Returns the single value of its one argument, but reports a failure if this attribute value is not set.

Example 1:

Fail the account creation or update if the user does not have an assigned UID attribute:

%$$NOTEMPTY(%UID%)%

Example 2:

Use the first name, unless it is not set, in which case use the last name. If neither is set, fail the account creation or update.

%$$NOTEMPTY(

%$$FIRSTOF(

%UF%,

%UL%

)%

)%

PRIMARYEMAIL

Returns the primary email address extracted from the multiple email addresses. The expression %UE% is equivalent to the following:

%$$PRIMARYEMAIL(%UEP%)%

RDNVALUE

Treats the attribute value as an LDAP distinguished name and extracts the common name of the object from that DN:

%*$$RDNVALUE(%#eTRoleDN%)%

This returns the common names of all assigned provisioning roles. If the user belongs to two provisioning roles with the same common name, that role name is listed once.

TOLOWER

Converts uppercase text to lowercase:

%$$TOLOWER(%AC%)%

TOUPPER

Converts lowercase text to uppercase:

%$$TOUPPER(%U%)%

TRIM

Removes leading and trailing blank characters from an attribute value.

For example, “%UF %UL%” would generally create a value with a first and last name separated by a blank character. However, if the user had an empty first name attribute, this rule would generate a value ending with a trailing blank. However, using

“%$$TRIM(%UF% %UL%)%

ensures that no leading or trailing blank exists in the account attribute value even if one or the other of First Name and Last Name was unset.