HyperSync Panel uses powerful scoping filters to identify when rules should be evaluated. Scoping rules are centrally defined on the first tab of the HyperSync Panel settings interface, below the Hyperverse settings section.
Scoping rules must have a unique name and condition rule expression, and may optionally have a user-friendly description.
The rule expression for a scoping rule always applies to the entire join graph. This means that a filter applied to an export attribute flow for Azure AD may directly consider attribute data present on the HR silo.
Scope filters are powerful because they can be applied to rules in an additive fashion, meaning all the applied scopes must be active for the rule to execute. This allows each scope rule to focus on different characteristics, and the sync rule does not need to reproduce a complicated rule expression.
In the above example, AD - Detect Dormant will only be evaluated for join graphs that meet all of: Corporate People, Active People, and HV Populated.
In one sense, scoping rules may be considered a redundant feature, since all HyperSync Panel rules also have a Condition Rule expression, which can perform the same function of filtering whether a rule should be evaluated.
Scoping rules help by eliminating duplicated logic and by making it easy to glance at a rule and see what kinds of identities it applies to. In some cases, when criteria are unique to a certain rule within the context of certain account types, it makes sense to apply both scoping rules and a condition rule.
In the above example, we declare via the scoping rules that the Provision AD User rule is only considered for Active Corporate People, who have their Hyperverse entry populated.
The Condition Rule then further specifies that there must not already be an AD connector, and that the Hyperverse accountName and upnPrefix must have been generated.
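The following added example (not HyperSync Panel code or rule syntax) models in Python how additive scopes and a condition rule combine for the Provision AD User rule, and reports which check kept a rule from running. The scope definitions, the HR attribute names `employeeType` and `status`, and the sample join graphs are assumptions made for illustration.

```python
# Conceptual model only: plain Python predicates stand in for HyperSync Panel
# rule expressions, whose real syntax is not shown on this page.

# Each scope sees the whole join graph (a dict of silo name -> attributes),
# so a scope attached to an AD rule can still read HR data.
# The scope definitions below are assumed for illustration.
SCOPES = {
    "Corporate People": lambda g: g.get("HR", {}).get("employeeType") == "Corporate",
    "Active People": lambda g: g.get("HR", {}).get("status") == "Active",
    "HV Populated": lambda g: bool(g.get("Hyperverse")),
}

def provision_condition(g):
    """Condition Rule: no AD connector yet, and the Hyperverse names exist."""
    hv = g.get("Hyperverse", {})
    return "AD" not in g and bool(hv.get("accountName")) and bool(hv.get("upnPrefix"))

RULES = {
    "Provision AD User": {
        "scopes": ["Corporate People", "Active People", "HV Populated"],
        "condition": provision_condition,
    },
}

def evaluate(rule_name, graph):
    """Return (runs, reasons): reasons lists every failed scope or condition."""
    rule = RULES[rule_name]
    reasons = [f"scope not met: {s}" for s in rule["scopes"] if not SCOPES[s](graph)]
    # In this model the condition is only consulted once every scope is active.
    if not reasons and not rule["condition"](graph):
        reasons.append("condition rule not met")
    return (not reasons, reasons)

# Constructed sample join graphs.
NEW_HIRE = {"HR": {"employeeType": "Corporate", "status": "Active"},
            "Hyperverse": {"accountName": "jdoe", "upnPrefix": "jane.doe"}}
TERMINATED = {"HR": {"employeeType": "Corporate", "status": "Terminated"},
              "Hyperverse": {"accountName": "asmith", "upnPrefix": "al.smith"}}
EXISTING = dict(NEW_HIRE, AD={"sAMAccountName": "jdoe"})

if __name__ == "__main__":
    for name, graph in [("new hire", NEW_HIRE), ("terminated", TERMINATED),
                        ("already in AD", EXISTING)]:
        print(name, evaluate("Provision AD User", graph))
```

Listing the failed scopes by name mirrors the benefit described above: the reason an identity was excluded from provisioning is readable without unpacking one large condition expression.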