Automation Rule
Automation rules make automatic decisions instead of the reviewer on assignments that still need to be reviewed after a given waiting period.
There are distinct types of automation rules:
- A composite role automation rule targets the assigned composite roles corresponding to a given composite role. CompositeRoleAutomationRule is equivalent to AutomationRule with its Type set to CompositeRole, and requires specifying the CompositeRole property;
- A single role automation rule targets the assigned single roles corresponding to a given single role. SingleRoleAutomationRule is equivalent to AutomationRule with its Type set to SingleRole, and requires specifying the SingleRole property;
- A resource type automation rule targets the assigned resource types corresponding to a given resource type. ResourceTypeAutomationRule is equivalent to AutomationRule with its Type set to ResourceType, and requires specifying the ResourceType property;
- A category automation rule targets the assigned roles and resource types corresponding to a given category and a given entity type. CategoryAutomationRule is equivalent to AutomationRule with its Type set to Category, and requires specifying the Category and EntityType properties;
- A policy automation rule targets the assigned roles and resource types corresponding to a given policy and a given entity type. PolicyAutomationRule is equivalent to AutomationRule with its Type set to Policy, and requires specifying the Policy and EntityType properties.
Remember, Netwrix recommends always using the typed syntax. For example, you should always use SingleRoleAutomationRule rather than AutomationRule with Type set to SingleRole.
All these rules target only the assignments that are in the workflow state specified in the rule. Automation rules can also specify dimensions to narrow the targeted assignments further.
One assignment should be involved in the decision of only one automation rule. However, one assignment can easily be targeted by several automation rules. In this case, the Provisioning Policy algorithm prioritizes the most specific rule.
For example, considering an assigned composite role, Identity Manager's algorithm prioritizes a composite role automation rule, before a category automation rule, before a policy automation rule.
After this prioritization, when an assignment is still targeted by several rules due to dimensions, then Identity Manager prioritizes a rule implying a decline decision.
Examples
In the following example, the first two rules are equivalent (except for the workflow state's value), but the second one shows the preferred syntax.
Code attributes enclosed with <> need to be replaced with a custom value before entering the script in the command line.
This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the first of two required approvals for more than one hour:
<AutomationRule Type="CompositeRole" CompositeRole="FCT0070" WorkflowState="PendingApproval1" HoursToWait="1" Decision="Approve"/>
This rule approves all the assignments of the "FCT0070" composite role, which are waiting for the second of two required approvals for more than one hour:
<CompositeRoleAutomationRule CompositeRole="FCT0070" WorkflowState="PendingApproval2" HoursToWait="1" Decision="Approve"/>
This rule approves all the assignments of the "BO028" single role, which are waiting for their required approval for more than one hour:
<SingleRoleAutomationRule SingleRole="BO028" WorkflowState="PendingApproval" HoursToWait="1" Decision="Approve"/>
This rule approves all the assignments of the "SAB_User_NominativeUser" resource type, which are waiting for their required approval for more than one hour:
<ResourceTypeAutomationRule ResourceType="SAB_User_NominativeUser" WorkflowState="PendingApproval" HoursToWait="1" Decision="Approve"/>
This rule declines all the assignments to the entity type "Directory_User" concerning the "IT Administration" category, which are waiting for the first of two required approvals for more than one hour:
<CategoryAutomationRule Category="IT Administration" WorkflowState="PendingApproval1" HoursToWait="1" Decision="Decline" EntityType="Directory_User"/>
This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, which are found during a synchronization without a linked automatic rule, for more than one hour:
<PolicyAutomationRule Policy="Default" WorkflowState="Found" HoursToWait="1" Decision="Decline" EntityType="Directory_User"/>
This rule declines all the assignments to the entity type "Directory_User" concerning the "Default" policy, which are found during the first synchronization without a linked automatic rule, for more than one hour:
<PolicyAutomationRule Policy="Default" WorkflowState="Historic" HoursToWait="1" Decision="Decline" EntityType="Directory_User"/>
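The following Python script is an added illustration (not Identity Manager's own code) of how the rules above are read and how the prioritization described earlier plays out: it parses typed and untyped rule syntax, enforces the required target property, and for a given assignment picks the most specific matching rule, falling back to a Decline rule when several rules of the same specificity still match because of dimensions. The assignment dictionaries, the D0 matching and the exact waiting-period boundary are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Specificity tiers from the page: a role/resource-type rule beats a category
# rule, which beats a policy rule (lower number = more specific).
SPECIFICITY = {"CompositeRole": 0, "SingleRole": 0, "ResourceType": 0,
               "Category": 1, "Policy": 2}

def parse_rules(xml_text):
    """Parse typed (<XAutomationRule>) or untyped (<AutomationRule Type=...>) rules."""
    rules = []
    for el in ET.fromstring("<Rules>" + xml_text + "</Rules>"):
        rule = dict(el.attrib)
        if el.tag != "AutomationRule" and el.tag.endswith("AutomationRule"):
            rule["Type"] = el.tag[:-len("AutomationRule")]   # typed syntax implies Type
        if rule.get("Type") not in SPECIFICITY:
            raise ValueError("rule %s has no valid Type" % el.attrib)
        if rule["Type"] not in rule:                          # e.g. CompositeRole="FCT0070"
            raise ValueError("rule lacks its required %s property" % rule["Type"])
        rule["HoursToWait"] = int(rule.get("HoursToWait", -1))  # documented default
        rule.setdefault("Decision", "Approve")                  # documented default (0)
        rules.append(rule)
    return rules

def matches(rule, assignment):
    """Does the rule target this assignment (state, target object, entity type, D0)?"""
    kind = rule["Type"]
    if rule.get("WorkflowState") != assignment["WorkflowState"]:
        return False
    if rule[kind] != assignment.get(kind):
        return False
    if kind in ("Category", "Policy") and rule.get("EntityType") != assignment.get("EntityType"):
        return False
    # Assumption: a rule carrying D0 only matches assignments with that dimension value.
    return "D0" not in rule or rule["D0"] == assignment.get("D0")

def decide(rules, assignment, hours_waited):
    """Return (decision, rule) for the single rule that decides, or None if none applies yet.
    Assumption: the waiting period is satisfied once hours_waited >= HoursToWait."""
    ready = [r for r in rules if matches(r, assignment) and hours_waited >= r["HoursToWait"]]
    if not ready:
        return None
    best = min(SPECIFICITY[r["Type"]] for r in ready)
    tier = [r for r in ready if SPECIFICITY[r["Type"]] == best]
    tier.sort(key=lambda r: r["Decision"] != "Decline")  # among equals, Decline wins
    return tier[0]["Decision"], tier[0]

# Constructed sample: the page's composite-role and category rules, plus a
# dimension-restricted Decline rule for the same composite role.
SAMPLE_RULES = parse_rules("""
<AutomationRule Type="CompositeRole" CompositeRole="FCT0070" WorkflowState="PendingApproval1" HoursToWait="1" Decision="Approve"/>
<CompositeRoleAutomationRule CompositeRole="FCT0070" WorkflowState="PendingApproval1" D0="CH" HoursToWait="1" Decision="Decline"/>
<CategoryAutomationRule Category="IT Administration" WorkflowState="PendingApproval1" HoursToWait="1" Decision="Decline" EntityType="Directory_User"/>
""")
```

With these rules, an FCT0070 assignment in IT Administration is approved by the composite role rule even though the broader category rule would decline it, while the same assignment carrying dimension CH is declined because the two composite role rules tie and the Decline rule is preferred.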
Properties
| Property | Type | Description |
|---|---|---|
| Category optional | Int64 | Identifier of the category targeted by the rule. |
| CompositeRole optional | Int64 | Identifier of the composite role targeted by the rule. |
| D0 optional | Int64 | Value of the dimension 0 (up to 127) that filters the assignments targeted by the rule. |
| Decision default value: 0 | AutomationRuleDecision | Decision to apply on the targeted assignments. 0 - Approve. 1 - Decline. |
| EntityType required | Int64 | Identifier of the entity type targeted by the rule. This property should not be specified when writing a composite role automation rule, a single role automation rule or a resource type automation rule: these rules imply the entity type. |
| HoursToWait default value: -1 | Int32 | Waiting period (in hours) from the most recent change in the workflow state of the assignments, before the decision can be applied. |
| L0 default value: false | Boolean | True to indicate that the rule targets the assignments with not only the dimension 0 (up to 127), but also this dimension's child elements. |
| Policy optional | Int64 | Identifier of the policy that the rule is part of. |
| ResourceType optional | Int64 | Identifier of the resource type targeted by the rule. |
| SingleRole optional | Int64 | Identifier of the single role targeted by the rule. |
| Type required | AutomationRuleType | Object type targeted by the rule. 0 - CompositeRole. 1 - SingleRole. 2 - ResourceType. 4 - Category. 5 - Policy. |
| WorkflowState default value: 0 | WorkflowState | Workflow state of the assignments targeted by the rule. 0 - None: used for Identity Manager's internal computation. 1 - Non-conforming: the assignment is not supported by a rule. 3 - Pre-existing: the assignment is not supported by a rule, and it existed before the production launch. 4 - Requested: the assignment is requested via a workflow, but not yet added. NOTE: Usually displayed in workflows' summaries. 5 - Calculated - Missing Parameters: the assignment was done by a rule which does not specify at least one required parameter for the role. 8 - Pending Approval: the assignment must be reviewed manually by a knowledgeable user. 9 - Pending Approval 1 of 2: the assignment is pending the first approval on a two-step workflow. 10 - Pending Approval 2 of 2: the assignment is pending the second approval on a two-step workflow. 11 - Pending Approval 1 of 3: the assignment is pending the first approval on a three-step workflow. 12 - Pending Approval 2 of 3: the assignment is pending the second approval on a three-step workflow. 13 - Pending Approval 3 of 3: the assignment is pending the third approval on a three-step workflow. 16 - Approved: the assignment has completed all approval steps. 17 - Declined: the assignment is explicitly declined during one of the approval steps. 18 - Calculated: the assignment is given by one of Identity Manager's rules. 19 - Inactive: the assignment has expired and is not yet removed. Does not appear in the UI. 20 - Cancellation: the assignment is inferred by a role that was declined. See the Reconcile a Property topic for additional information. 21 - Suggested: the assignment comes from a rule of type Suggested and appears among suggested permissions in the owner's permission basket. See the Single Role Rule topic for additional information. 22 - Suggested: the assignment comes from a rule of type Automatic but with Validation and appears among suggested permissions for a pre-existing user. See the Single Role Rule topic for additional information. Remember, the states 21 and 22 are both displayed in the UI as Suggested but they do not mean the exact same thing. 23 - Automatic but with Validation: the assignment comes from a rule of type Automatic but with Validation and appears in a new user's permission basket. See the Single Role Rule topic for additional information. 24 - Approved - Questioned: the assignment was approved manually, then a change has been made in the assignment's source data via one of Identity Manager's workflows that should change the assignment, but the manual approval is authoritative. See the Resource Type topic for additional information. 25 - Pending Approval - Risk: the assignment must be reviewed due to a risk. 26 - Blocked: the assignment is blocked due to a risk of type Blocking. Does not appear in the UI. 27 - Prolonged: the assignment has expired but it was set with a grace period. See the Single Role Rule topic for additional information. 116 - Approved - Risk: the assignment is approved despite a risk. 118 - Given by a Role: the assignment comes from the assignment of a role. For example, when a user is assigned a SAP entitlement without having a SAP account, the account is created automatically with this state. |