Creation Policy Set


The Creation Policy Set is applied to <add> events and serves to disallow (veto) the creation of a new object if an already existing object was not found using the Matching Policy. A Creation Policy Set exists within both the Subscriber Channel and the Publisher Channel, and each channel will usually have different Create Policies.

The Creation Policy Set is often used to examine the attributes available for the new object from the source event and may veto the creation of the new object if one or more required attributes are missing.

The Creation Policy Set may also be used to supply default values for attributes to be used in the creation of the new object.

The Creation Policy Set is executed, assuming no Matches were found, after the Matching Policy Set and before the Placement Policy Set.

Note that the Creation Policy Set will not be executed if the Matching Policy Set found a matching object in the channel destination.

The XDS Document only reaches the Creation Policy Set if the Engine has determined that the entry does NOT exist in eDirectory or the Connected Application. This implies that no matches were found and no Association exists.

The Creation Policy Set defines the conditions that must be met to create a new object. The absence of a Creation policy implies that the object can be created.

For example, you create a new user in the Identity Vault, but you give the new User object only a name and ID. This creation is mirrored in the eDirectory tree, but the addition is not immediately reflected in applications connected to the Identity Vault because you have a Creation Policy Set specifying that only User objects with a more complete definition are allowed.

A Creation Policy Set can be the same for both the Subscriber Channel and the Publisher Channel, or it can be different.

Template Objects can be specified for use in the creation process when the object is being created in eDirectory.

Creation Policy Sets are commonly used to:

  • Veto creation of objects that don’t qualify, possibly because of a missing attribute.
  • Provide default attribute values.
  • Provide a default password.
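
A Creation policy covering the three uses listed above, written in DirXML Script as an added example (it is not taken from the original page or from a shipped driver). The attribute names, the default description text and the password policy DN are assumptions or placeholders; the initial password is generated from a password policy rather than derived from user attributes, so it cannot be guessed from directory data.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Creation policy for User objects.
     Attribute names and values below are assumptions for illustration. -->
<policy>
  <rule>
    <description>Veto User creation when required attributes are missing</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <!-- Each action vetoes the add if the attribute is absent from the event -->
      <do-veto-if-op-attr-not-available name="Given Name"/>
      <do-veto-if-op-attr-not-available name="Surname"/>
    </actions>
  </rule>
  <rule>
    <description>Supply default attribute value and initial password</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <!-- Only applied when the add event carries no value for the attribute -->
      <do-set-default-attr-value name="Description" write-back="false">
        <arg-value type="string">
          <token-text xml:space="preserve">Provisioned by Identity Manager</token-text>
        </arg-value>
      </do-set-default-attr-value>
      <!-- Placeholder DN: point this at a real Password Policy object -->
      <do-set-dest-password>
        <arg-string>
          <token-generate-password policy-dn="PLACEHOLDER\Password Policies\Example Policy"/>
        </arg-string>
      </do-set-dest-password>
    </actions>
  </rule>
</policy>
```

The veto rule comes first, so an incomplete add is rejected before any defaults or password are applied to it.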
