Start a WorkFlow to grant an Entitlement#

We often use a "Business Logic" (Loopback) driver to hold much of the organization-specific logic. Here that driver starts a workflow which places a request for a resource on behalf of a specific User entry. Going through the workflow lets us assign an entitlement to a User entry regardless of which driver actually executes that entitlement.

The workflow can be a no-approval workflow whose timeout action is Approve; we use that to make programmatic entitlement assignments based on the entry's position or perhaps jobCode.

A DirXML Script example using do-start-workflow (the $...$ references resolve to local variables or GCVs of those names; workflow-id is the DN of the provisioning request definition):

<!-- id and url identify the User Application and the account used to start the workflow -->
<do-start-workflow id="$idv.workflow.user$" url="$idv.workflow.user.userapp.url$" workflow-id="cn=AUTHAccount,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=DriverSet,ou=IDM,ou=Services,o=ANF">
	<!-- password of that account, kept as a named password on the driver, never in the policy -->
	<arg-password>
		<token-named-password name="idv.workflow.user.password"/>
	</arg-password>
	<!-- recipient of the request: the current User, converted to an LDAP-format DN -->
	<arg-dn>
		<token-parse-dn dest-dn-format="ldap">
			<token-src-dn/>
		</token-parse-dn>
	</arg-dn>
</do-start-workflow>

Executing Entitlements#

When an entitlement is granted or revoked on a User, the driver that owns that entitlement must "execute" it, that is, turn the change into the intended action in the connected system. For the driver to see the change at all, its filter must have DirXML-EntitlementRef set to Notify on the Subscriber channel for the User class; otherwise the modification never reaches the driver's policies.

In this particular case, group memberships are not synchronized to the vault, but some attributes of the groups are synchronized for reference purposes. The DN of each group in the destination (AD in this case) is kept in a custom attribute on the vault Group object, referred to here as willekeADValue.

The rule reads willekeADValue of each granted or revoked group and adds or removes the member value for the User carrying the DirXML-EntitlementRef in the destination group; the member value is the User's AD DN, taken from DirXML-ADContext.

So a rule like this works:

<actions>
	<!-- Revocations first: each node is a group DN (LDAP format) revoked in this operation -->
	<do-for-each>
		<arg-node-set>
			<token-removed-entitlement name="willekeADGroups"/>
		</arg-node-set>
		<arg-actions>
			<!-- dest-dn of the AD group comes from the vault group's willekeADValue;
			     the value removed is the User's AD DN, read from DirXML-ADContext via the association -->
			<do-remove-dest-attr-value class-name="Group" name="member" when="after">
				<arg-dn>
					<token-src-attr class-name="Group" name="willekeADValue">
						<arg-dn>
							<token-parse-dn dest-dn-format="src-dn" src-dn-format="ldap">
								<token-local-variable name="current-node"/>
							</token-parse-dn>
						</arg-dn>
					</token-src-attr>
				</arg-dn>
				<arg-value>
					<token-src-attr name="DirXML-ADContext">
						<arg-association>
							<token-association/>
						</arg-association>
					</token-src-attr>
				</arg-value>
			</do-remove-dest-attr-value>
			<!-- Disabled: would stamp the generated value with the User's association -->
			<do-set-xml-attr disabled="true" expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
				<arg-string>
					<token-association/>
				</arg-string>
			</do-set-xml-attr>
		</arg-actions>
	</do-for-each>
	<!-- Then grants: same lookups, adding the User's AD DN to the destination group -->
	<do-for-each>
		<arg-node-set>
			<token-added-entitlement name="willekeADGroups"/>
		</arg-node-set>
		<arg-actions>
			<do-add-dest-attr-value class-name="Group" name="member" when="after">
				<arg-dn>
					<token-src-attr class-name="Group" name="willekeADValue">
						<arg-dn>
							<token-parse-dn dest-dn-format="src-dn" src-dn-format="ldap">
								<token-local-variable name="current-node"/>
							</token-parse-dn>
						</arg-dn>
					</token-src-attr>
				</arg-dn>
				<arg-value>
					<token-src-attr name="DirXML-ADContext">
						<arg-association>
							<token-association/>
						</arg-association>
					</token-src-attr>
				</arg-value>
			</do-add-dest-attr-value>
			<!-- Disabled: would stamp the generated value with the User's association -->
			<do-set-xml-attr disabled="true" expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
				<arg-string>
					<token-association/>
				</arg-string>
			</do-set-xml-attr>
		</arg-actions>
	</do-for-each>
</actions>
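To make the behaviour of that rule concrete outside the engine, here is an added example (it is not code from this page or from the product): a small Python model that parses a constructed DirXML-EntitlementRef modify event for a User, works out what the Removed Entitlement and Added Entitlement tokens would return for the willekeADGroups entitlement, resolves willekeADValue and DirXML-ADContext from constructed vault data, and builds the member modifications the rule would send to AD. The vault data, the association value, the entitlement DN (the "volume" component) and the state handling (nameSpace 1 for granted, 0 for revoked, with a revoke showing up as a removed state-1 value and/or an added state-0 value) are all assumptions made for the example.

```python
"""Added example: model of the willekeADGroups entitlement-execution rule."""
import xml.etree.ElementTree as ET

# Constructed vault data: group DN in the vault -> willekeADValue (AD DN of the group).
VAULT_GROUPS = {
    "cn=Sales,ou=Groups,o=ANF": "CN=Sales,OU=Groups,DC=anf,DC=example",
    "cn=Finance,ou=Groups,o=ANF": "CN=Finance,OU=Groups,DC=anf,DC=example",
}
# Constructed: association of the User -> DirXML-ADContext (AD DN of the user).
USER_AD_CONTEXT = {"constructed-guid-jdoe": "CN=John Doe,OU=Users,DC=anf,DC=example"}
# Assumed DNs of the entitlement objects (the "volume" component of the ref value).
ENTITLEMENT_DN = r"\ANF-TREE\ANF\Services\IDM\DriverSet\ADDriver\willekeADGroups"
OTHER_DN = r"\ANF-TREE\ANF\Services\IDM\DriverSet\ADDriver\UserAccount"

# Constructed event: Sales granted; Finance revoked (state-1 value removed and a
# state-0 value added); plus a value of another entitlement that must be ignored.
SAMPLE_EVENT = rf"""<nds dtdversion="4.0"><input>
<modify class-name="User" src-dn="\ANF-TREE\ANF\Users\jdoe">
  <association>constructed-guid-jdoe</association>
  <modify-attr attr-name="DirXML-EntitlementRef">
    <add-value><value type="structured">
      <component name="nameSpace">1</component>
      <component name="volume">{ENTITLEMENT_DN}</component>
      <component name="path"><ref><src>UA</src><id>101</id><param>cn=Sales,ou=Groups,o=ANF</param></ref></component>
    </value></add-value>
    <remove-value><value type="structured">
      <component name="nameSpace">1</component>
      <component name="volume">{ENTITLEMENT_DN}</component>
      <component name="path">&lt;ref&gt;&lt;src&gt;UA&lt;/src&gt;&lt;id&gt;87&lt;/id&gt;&lt;param&gt;cn=Finance,ou=Groups,o=ANF&lt;/param&gt;&lt;/ref&gt;</component>
    </value></remove-value>
    <add-value><value type="structured">
      <component name="nameSpace">0</component>
      <component name="volume">{ENTITLEMENT_DN}</component>
      <component name="path"><ref><src>UA</src><id>87</id><param>cn=Finance,ou=Groups,o=ANF</param></ref></component>
    </value></add-value>
    <add-value><value type="structured">
      <component name="nameSpace">1</component>
      <component name="volume">{OTHER_DN}</component>
      <component name="path"><ref><src>UA</src><id>5</id><param/></ref></component>
    </value></add-value>
  </modify-attr>
</modify></input></nds>"""


def parse_entitlement_ref(value):
    """Decode one structured DirXML-EntitlementRef value into (state, volume, param).

    The path component is accepted either as nested <ref> elements or as escaped
    XML text. Returns None for anything malformed or without a param."""
    comps = {c.get("name"): c for c in value.findall("component")}
    if not {"nameSpace", "volume", "path"} <= set(comps):
        return None
    path = comps["path"]
    ref = path.find("ref")
    if ref is None:
        try:
            ref = ET.fromstring((path.text or "").strip())
        except ET.ParseError:
            return None
    param = (ref.findtext("param") or "").strip() if ref.tag == "ref" else ""
    if not param:
        return None
    state = int((comps["nameSpace"].text or "0").strip())
    return state, (comps["volume"].text or "").strip(), param


def entitlement_changes(event_xml, entitlement_dn):
    """What Added Entitlement / Removed Entitlement would return for one entitlement.

    Assumed semantics: an added state-1 value is a grant; an added state-0 value or a
    removed state-1 value is a revoke. Sets dedupe the two shapes of one revoke."""
    granted, revoked = set(), set()
    for attr in ET.fromstring(event_xml).iter("modify-attr"):
        if attr.get("attr-name") != "DirXML-EntitlementRef":
            continue
        for change in attr:
            for value in change.findall("value"):
                parsed = parse_entitlement_ref(value)
                if parsed is None or parsed[1] != entitlement_dn:
                    continue
                state, _, param = parsed
                if change.tag == "add-value" and state == 1:
                    granted.add(param)
                elif (change.tag, state) in (("add-value", 0), ("remove-value", 1)):
                    revoked.add(param)
    return granted, revoked


def build_group_modifies(event_xml, entitlement_dn=ENTITLEMENT_DN):
    """Mirror the rule: revokes first, then grants, as (change, ad_group_dn, member)."""
    association = (ET.fromstring(event_xml).findtext(".//modify/association") or "").strip()
    member = USER_AD_CONTEXT.get(association)
    if member is None:
        # The rule would otherwise emit a modify with an empty member value; fail loudly.
        raise LookupError("user has no DirXML-ADContext; AD object not yet associated?")
    granted, revoked = entitlement_changes(event_xml, entitlement_dn)
    ops = []
    for change, groups in (("remove-value", revoked), ("add-value", granted)):
        for group_dn in sorted(groups):
            ad_group = VAULT_GROUPS.get(group_dn)
            if ad_group is None:
                continue  # no willekeADValue on the vault group: nothing to target
            ops.append((change, ad_group, member))
    return ops


def render_group_modifies(ops):
    """Serialize the operations as the <modify> commands handed to the AD driver shim."""
    return "\n".join(
        f'<modify class-name="Group" dest-dn="{group_dn}"><modify-attr attr-name="member">'
        f"<{change}><value>{member}</value></{change}></modify-attr></modify>"
        for change, group_dn, member in ops)


if __name__ == "__main__":
    print(render_group_modifies(build_group_modifies(SAMPLE_EVENT)))
```

Two checks in the model are worth carrying over to the real rule: a User whose DirXML-ADContext is still empty (not yet associated in AD) must not produce a group modify with an empty member value, and a vault group without willekeADValue must be skipped or reported rather than silently turned into a modify with an empty dest-dn.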

« This page (revision-6) was last changed on 31-Jul-2014 12:36 by jim