# Policy map

One major step in configuring provisioning is creating a policy map. Without a policy map, provisioning cannot occur because the system does not know which attributes to calculate and send to the connector. The policy map also defines how each attribute value is calculated.

A **policy map** is part of the **Managed System** configuration. It defines the list of attributes you want to manage in the target application. It also contains the rules used to calculate each value.

A policy map can be configured in several ways:

* from scratch;
* by cloning;
* from a connector.

Each approach is covered below. This example uses an **Active Directory** managed system.

## Configuring a policy map from scratch

Creating your own policy map lets you select the fields and attributes you need.

To create one, follow these steps:

{% stepper %}
{% step %}

### Open Managed System

In **Webconsole** → **Provisioning** → **Managed System**, select the required managed system. You can also create a new one if needed.
{% endstep %}

{% step %}

### Open Policy Map

In the left menu, select **Policy Map** and click *Add*. The *Policy map type* window opens.
{% endstep %}

{% step %}

### Select Policy Map type

Select the policy map type.

{% hint style="info" %}
The "Computer policy" map type is legacy and is no longer used.
{% endhint %}

OpenIAM can provision two object types: groups and users. That is why two policy map types are available.

{% hint style="info" %}
"Group" here refers to the group object itself. The relationship between a user and a group is provisioned from a "User" policy map type. Use the group provisioning type when you want to create a group in OpenIAM and provision it to a target system.
{% endhint %}

![Policy map type](/files/162564190f4e3ff33d8ca1e06dc7f77a6d18e2dc)
{% endstep %}

{% step %}

### Fill in policy map details

This example uses a **User policy map**.

Start filling in the fields in *Edit Policy Map for your Managed System*.

<figure><img src="/files/5fc2ea9c9429e700e6d5d259667f58f6a361f944" alt=""><figcaption></figcaption></figure>

Enter a name for your policy map. Then add the attributes you want to map between OpenIAM and the target system. Click *Add* — the blue plus icon in the *Actions* column — to add a new row. If the target system is **Active Directory**, you must include `PRINCIPAL` and `PASSWORD`. All other fields use the `USER` object type.

{% hint style="info" %}
The **Mark this policy map as primary** flag is legacy. In most cases, you only need one policy map of each type — one for users and one for groups — so this flag does not apply.
{% endhint %}
{% endstep %}

{% step %}

### Policy map fields

| Field           | Description                                                                                                                                                                                                                                                                                                                            |
| --------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Object type     | Use `PRINCIPAL` and `PASSWORD` where required, and `USER` for other attributes.                                                                                                                                                                                                                                                        |
| Attribute name  | Attribute name as in the target system.                                                                                                                                                                                                                                                                                                |
| Type            | The source from which OpenIAM reads the attribute. It can be a Groovy script, IDM value, or static value. If you select **Groovy script**, identify the Groovy script location in the **Attribute value** field for that system. **IDM value** copies a value from an OpenIAM attribute. **Static** requires a manually entered value. |
| Attribute Value | The value of the attribute that will be copied to the target system.                                                                                                                                                                                                                                                                   |
| Status          | Shows if the field is active or inactive in the policy map.                                                                                                                                                                                                                                                                            |
{% endstep %}

{% step %}

### Dynamic password generation

{% hint style="info" %}
If you need to copy a dynamically generated password to the target system, use a Groovy script. An example for random password generation is shown below.
{% endhint %}

{% code overflow="wrap" expandable="true" %}

```groovy
package org.openiam

import org.apache.commons.logging.Log
import org.apache.commons.logging.LogFactory
import org.openiam.api.connector.groovy.AbstractIPolicyMapGroovy
import org.openiam.api.connector.model.ConnectorAttribute
import org.openiam.api.connector.model.StringOperationalConnectorValue
import org.openiam.base.AttributeOperationEnum
import org.openiam.base.response.list.PolicyListResponse
import org.openiam.common.beans.mq.PolicyRabbitMQService
import org.openiam.idm.provisioning.diff.model.user.ProvisionUserObjectDiff
import org.openiam.idm.searchbeans.PolicySearchBean
import org.openiam.idm.srvc.pswd.service.PasswordGenerator
import org.springframework.beans.factory.annotation.Autowired

/**
 * Script generates a random password using the password policy identified by
 * DEFAULT_POLICY_ID. It runs only when the user is being created (ADD), so an
 * existing password is not overwritten on later modifications.
 */
class UserPassword extends AbstractIPolicyMapGroovy<ProvisionUserObjectDiff> {

    // ID of the password policy whose rules (length, character classes) drive generation
    private static final String DEFAULT_POLICY_ID = "4000"

    @Autowired
    private PolicyRabbitMQService policyRabbitMQService

    // Produce a value only for newly created users
    @Override
    boolean isPerform(ProvisionUserObjectDiff diffObject) {
        return AttributeOperationEnum.ADD.equals(diffObject.getStatus())
    }

    @Override
    void perform(ConnectorAttribute attribute, ProvisionUserObjectDiff diffObject) {
        // Look up the password policy by its ID
        PolicySearchBean psb = new PolicySearchBean()
        psb.addKey(DEFAULT_POLICY_ID)
        PolicyListResponse response = policyRabbitMQService.findBeans(psb, 0, 1)
        // Generate a password that satisfies that policy and attach it to the attribute
        String password = PasswordGenerator.generatePassword(response.getList().get(0))
        attribute.addValue(new StringOperationalConnectorValue(password, diffObject.getStatus()))
    }
}
```

{% endcode %}

If the attribute value is a user attribute, make sure the attribute is added as a custom field and included in a page template. You cannot add the attribute unless it exists in a page template as a custom field.
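A second script, added here as an illustration and not taken from the OpenIAM documentation or code base, shows the other common use of the **Groovy script** type: deriving an attribute from IDM data rather than generating it. It builds an Active Directory `sAMAccountName` from the user's login and normalises it to the constraints AD enforces (at most 20 characters, none of the characters AD rejects, no trailing period), so the connector never sends a value that makes the create request fail. The base class, the `isPerform`/`perform` signatures, `ConnectorAttribute` and `StringOperationalConnectorValue` are the same ones used by the password script above; the accessor used to read the login from the diff object (`diffObject.getLogin()`) is an assumption and must be checked against the `ProvisionUserObjectDiff` class in your OpenIAM version.

```groovy
package org.openiam

import org.openiam.api.connector.groovy.AbstractIPolicyMapGroovy
import org.openiam.api.connector.model.ConnectorAttribute
import org.openiam.api.connector.model.StringOperationalConnectorValue
import org.openiam.base.AttributeOperationEnum
import org.openiam.idm.provisioning.diff.model.user.ProvisionUserObjectDiff

/**
 * Added example (not shipped with OpenIAM): derives an Active Directory
 * sAMAccountName from the user's OpenIAM login and normalises it to the
 * constraints AD enforces, so the connector never receives a value AD rejects.
 */
class SamAccountName extends AbstractIPolicyMapGroovy<ProvisionUserObjectDiff> {

    // Whitespace plus the characters AD refuses in a sAMAccountName: " / \ [ ] : ; | = , + * ? < >
    private static final String FORBIDDEN = /[\s"\/\\\[\]:;|=,+*?<>]/
    // AD limits a user sAMAccountName to 20 characters
    private static final int MAX_LENGTH = 20

    // Only on creation: AD treats sAMAccountName as the account's identity,
    // so a later attribute update must not silently rename the account
    @Override
    boolean isPerform(ProvisionUserObjectDiff diffObject) {
        return AttributeOperationEnum.ADD.equals(diffObject.getStatus())
    }

    @Override
    void perform(ConnectorAttribute attribute, ProvisionUserObjectDiff diffObject) {
        String login = resolveLogin(diffObject)
        String value = toSamAccountName(login)
        if (value == null) {
            // Fail the provisioning request rather than send an empty name to AD
            throw new IllegalStateException("cannot derive sAMAccountName from login '${login}'")
        }
        attribute.addValue(new StringOperationalConnectorValue(value, diffObject.getStatus()))
    }

    // ASSUMPTION: how the login is read from the diff object. Check the
    // ProvisionUserObjectDiff class in your OpenIAM version and adjust.
    private static String resolveLogin(ProvisionUserObjectDiff diffObject) {
        return diffObject.getLogin()
    }

    // Pure transformation kept separate so it can be unit-tested without OpenIAM
    static String toSamAccountName(String login) {
        if (login == null) {
            return null
        }
        // Trim, fold to lower case, then drop whitespace and forbidden characters
        String cleaned = login.trim().toLowerCase().replaceAll(FORBIDDEN, '')
        if (cleaned.length() > MAX_LENGTH) {
            cleaned = cleaned.substring(0, MAX_LENGTH)
        }
        // A sAMAccountName may not end with a period
        cleaned = cleaned.replaceAll(/\.+$/, '')
        return cleaned.isEmpty() ? null : cleaned
    }
}
```

To use it, set the row's *Type* to **Groovy script** and enter the script's path in the *Attribute value* field, as for the password script. Keeping the normalisation in a static method means the rules can be checked with a plain Groovy unit test before the script is deployed, and throwing on an empty result surfaces a bad login as a provisioning error instead of an account created with a wrong name.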
{% endstep %}

{% step %}

### Save

Add as many attribute fields as needed and click **Save**. The policy map is now ready.
{% endstep %}
{% endstepper %}

## Cloning a policy map

Another way to create a policy map is to clone one from a default system. This is usually preferred over creating one from scratch because it includes the required target system attributes by default.

To clone a policy map:

{% stepper %}
{% step %}

### Open Managed System

Go to **Webconsole** → **Provisioning** → **Managed System** and find the managed system you want to create a policy map for. This example uses **AD PowerShell**. Click **Edit**.
{% endstep %}

{% step %}

### Clone Managed System

At the bottom of the window, click **Clone Managed System**.

<figure><img src="/files/d7218a73266ed3c7340c7fffba8868c278be5d08" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Select clone options

Select what you want to clone and enter a new name.

![](/files/63ac249d9b310899b96f752f6fc645aa0bef06d7)

This copies the default policy map from the **AD PowerShell** managed system.

When you open the cloned policy map, the *Type* field is set to **Groovy** by default. Adjust the cloned policy map as needed.
{% endstep %}
{% endstepper %}

## Creating a policy map from a connector policy template

This option is useful when you need to create many managed systems. Instead of creating a policy map for every new managed system, you can either clone managed systems, as described above, or create a policy map while configuring a connector. To create a template:

{% stepper %}
{% step %}

### Open connectors

Go to **Webconsole** → **Provisioning** → **Connectors** and find your connector.
{% endstep %}

{% step %}

### Edit connector

Click *Edit*.
{% endstep %}

{% step %}

### Select Policy Map Template

In the left menu, select *Policy Map Template*.
{% endstep %}

{% step %}

### Create template

Create a custom policy map as described above.

After the connector has a policy map template, every new managed system created from that connector gets a copy of the policy map automatically.
{% endstep %}
{% endstepper %}
