Rule Set Cookbook: A Collection of Examples

This document provides a collection of examples for creating rule sets.

Find All Users Restored in the Last 14 Days

This rule set identifies all users who have been restored from a deleted state within the last 14 days.

It works by verifying that the user has not been deleted and then searching the user's history for a "Recover" entry created within the last 14 days.

• [OBJECTHISTORIES; EntryType; EntryType; Recover]: This checks the user's history for an entry labeled "Recover".

• [OBJECTHISTORIES; Registered; EntryType; Recover]: This retrieves the registration date for the "Recover" entry.

Find Users Whose Permissions Will Expire in 10 Days

By default, we recommend a one-year duration for manually granted access. This rule set is useful for notifying relevant parties when this access is about to expire.

This rule can be used in a notification template to send an alert when a permission is 10 days away from its expiration date.

Find Employees Whose Contracts End Within the Next 14 Days

Determining an employee's last day of employment can be complicated, as it depends on company policies and the employee's contract type.

• Permanent employees typically have their end date recorded in the "End Date" field of their employment record.

• Temporary employees often have an end date specified for their position, either in the "Last Payroll Date" or "Position End Date" field.

To ensure that all cases are covered, the rule set must check all possible fields using the following logic:

• Is the employment end date within the next 14 days?

• Are all position end dates within the next 14 days, AND is at least one position end date after today?

• Is the last payroll date for all positions within the next 14 days, AND is the end date for at least one position later than today?

Find All Employees in a Department and Its Subdepartments

This rule set retrieves all users who have a position associated with a specific department, including all sub-departments within that department in the organizational hierarchy. This can be generated automatically using the rule set wizard.

Find users whose specific permission was revoked more than 30 days ago

This rule set retrieves all users who had a specific permission revoked more than 30 days ago. Replace “OldValue=12544” with the ID of the permission you want to report on.

Optional:

This additional line changes the ruleset to a message flow trigger.

Find All Employees with a Permission Assigned to a Deleted Department

This rule returns a list of usernames, permission names, the associated department name, and the date the department was deleted.

[FOREACH; ObjectPermission; ManagerOf#[REPLACE; [SELECTION; 51274; Id); ;, ; ObjectId, Object.Display

Find All Users Created in the Last 14 Days

This rule set identifies all user accounts created within the last 14 days.

Find All Employees in a Department, Including the Manager

Often, a department manager's organizational affiliation is at a level above the department they manage. To create a rule set that includes both the employees in a department and its manager, use the ManagerOf attribute.

The first rule identifies all employees in the specified departments. The second rule adds the managers of those departments to the selection.

Find All Department Managers

This rule set identifies all users who are designated as department managers in the organization. The ManagerOf The attribute contains a value if the user is a manager.

Find All Employees Who Are Not Managers

This rule set identifies all active employees who do not hold a managerial position.

Alternative: Invert an Existing Rule Set

Since you already have a rule set for "All Department Managers," you can reuse it to find everyone who is not a manager.

Find All Employees with a 0% Position

This rule set identifies all employees whose primary position has a position percentage of 0.

Alternative: Check All Positions

This rule identifies users for whom none of their assigned positions have a percentage other than 0.

Find All Elected Officials Who Do Not Hold Other Municipal Positions

This rule set identifies everyone whose primary position type is "Elected Official" and who does not hold another position in the municipality. The final line excludes the mayor from the results.

Event-Based Rules (Triggers)

Trigger When an Employee Changes Their Primary Position

This rule set is triggered when an existing user's Department Number the attribute is changed.

• Line 1 (Entry Type = Edit): Triggers only when an existing user is modified.

• Line 2 (AttributeName = Department Number): Triggers only if the change involves the department number.

• Line 3 ([LASTVALUE; ...] is not equal to [DepartmentNumber]): Ensures that the rule does not trigger if a department's name or number is updated without an actual change in the user's assignment.

• Line 4 ([LASTVALUE; ...] (has a value): Ensures that the user was previously assigned to a department.

Trigger for New Users Without a Registered Mobile Number

This rule is triggered when a new user is created without a value in the Mobile field. It can be used to notify a manager or HR that information is missing.

Trigger on Changes to Users with a Specific Permission

This rule is triggered when specified attributes are changed for any user who holds a particular role in an access management system. It can be used to notify a system administrator of changes affecting users with specific access rights.

• Line 1 (Entry Type = Edit): Identifies the event type as an edit.

• Line 2 (AttributeName Is one of...): Specifies which attribute changes will trigger the rule.

• Line 3 ([OBJECTPERMISSION.SYSTEMROLE; ...]): Identifies the specific permission (ID 8735, Name Time Bank) the user must have for the rule to trigger.

License Management Rules

Find Users with More Than One License in the Same Group

This rule is typically used to identify employees who have been assigned multiple licenses for the same product (e.g., Microsoft 365), whether assigned manually or automatically.