Overview #

We had a project where the client wanted all granted entitlements revoked whenever a user's sectionCode or jobCode changed, or the user was no longer in the targeted IDM deployment group of users.

We provide an overview of the DirXML Entitlements framework, along with some DirXML examples and XPATH examples of how to work with DirXML Entitlements.

The DirXML-EntitlementRef is, loosely speaking, a structured attribute whose last component contains XML data. Reaching the individual parts of that XML data inside the component proved to be a challenge. The XPATH that worked was:

<token-xpath expression="$current-node/component[@name='path.xml']/ref/param/text()"/>

Novell strongly discourages modifying DirXML-EntitlementRef directly, so instead we started workflows (with no approval steps) from a driver. Here is the code we used:

<rule>
	<description>Remove from All Groups</description>
	<comment xml:space="preserve">When the user is no longer a target user, or there is a change in jobCode or willekesectionCode revoke all group entitlements</comment>
	<comment name="author" xml:space="preserve">jim@willeke.com</comment>
	<comment name="version" xml:space="preserve">16</comment>
	<comment name="lastchanged" xml:space="preserve">2009-12-16</comment>
	<conditions>
		<or>
			<if-op-attr mode="nocase" name="willekeTargetIDMUser" op="changing-to">FALSE</if-op-attr>
			<if-op-attr name="jobCode" op="changing"/>
			<if-op-attr name="willekeSectionCode" op="changing"/>
		</or>
		<or>
			<if-attr name="DirXML-EntitlementRef" op="available"/>
		</or>
	</conditions>
	<actions>
		<do-set-local-variable name="lv-ldap-userDN" scope="policy">
			<arg-string>
				<token-parse-dn dest-dn-format="ldap">
					<token-xpath expression="@qualified-src-dn"/>
				</token-parse-dn>
			</arg-string>
		</do-set-local-variable>
		<do-for-each>
			<arg-node-set>
				<token-src-attr name="DirXML-EntitlementRef"/>
			</arg-node-set>
			<arg-actions>
				<do-set-local-variable name="lv-nameSpace" scope="policy">
					<arg-string>
						<token-xpath expression="$current-node/component[@name='nameSpace']"/>
					</arg-string>
				</do-set-local-variable>
				<do-set-local-variable name="lv-volume" scope="policy">
					<arg-string>
						<token-xpath expression="$current-node/component[@name='volume']"/>
					</arg-string>
				</do-set-local-variable>
				<do-set-local-variable name="lv-param" scope="policy">
					<arg-string>
						<token-xpath expression="$current-node/component[@name='path.xml']/ref/param/text()"/>
					</arg-string>
				</do-set-local-variable>
				<do-if>
					<arg-conditions>
						<and>
							<if-local-variable mode="nocase" name="lv-nameSpace" op="equal">1</if-local-variable>
							<if-local-variable mode="nocase" name="lv-volume" op="equal">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\ADwilleke\willekeADGroups</if-local-variable>
						</and>
					</arg-conditions>
					<arg-actions>
						<do-start-workflow id="CN=admin,OU=services,dc=willeke,dc=com" url="$idv.workflow.url$" workflow-id="CN=RevokeADGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com">
							<arg-password>
								<token-named-password name="UAdminPW"/>
							</arg-password>
							<arg-dn>
								<token-local-variable name="lv-ldap-userDN"/>
							</arg-dn>
							<arg-string name="GroupResourceDN">
								<token-local-variable name="lv-param"/>
							</arg-string>
						</do-start-workflow>
					</arg-actions>
					<arg-actions/>
				</do-if>
				<do-if>
					<arg-conditions>
						<and>
							<if-local-variable mode="nocase" name="lv-nameSpace" op="equal">1</if-local-variable>
							<if-local-variable mode="nocase" name="lv-volume" op="equal">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\RACF\willekeRACFGroup</if-local-variable>
						</and>
					</arg-conditions>
					<arg-actions>
						<do-start-workflow id="CN=admin,OU=services,dc=willeke,dc=com" url="$idv.workflow.url$" workflow-id="CN=RevokeRACFGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com">
							<arg-password>
								<token-named-password name="UAdminPW"/>
							</arg-password>
							<arg-dn>
								<token-local-variable name="lv-ldap-userDN"/>
							</arg-dn>
							<arg-string name="GroupResourceDN">
								<token-local-variable name="lv-param"/>
							</arg-string>
						</do-start-workflow>
					</arg-actions>
					<arg-actions/>
				</do-if>
			</arg-actions>
		</do-for-each>
	</actions>
</rule>
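To make the loop in the rule above concrete, here is an added Python walk-through (not part of the original page and not DirXML policy) that applies the same three XPATH lookups to constructed XDS-style DirXML-EntitlementRef values and computes which revoke workflow the rule would start for each one. The entitlement DNs and workflow ids are the ones from the rule; the sample values and the user DN are constructed, and, as in the rule, nameSpace 1 is treated as a granted entitlement.

```python
import xml.etree.ElementTree as ET
# Entitlement DN (the 'volume' component) -> revoke workflow; both pairs come from the rule above.
REVOKE_WORKFLOWS = {
    r"\willekeIDV-LAB\com\willeke\services\idm\DriverSet\ADwilleke\willekeADGroups":
        "CN=RevokeADGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com",
    r"\willekeIDV-LAB\com\willeke\services\idm\DriverSet\RACF\willekeRACFGroup":
        "CN=RevokeRACFGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com",
}
# Constructed XDS fragment with four DirXML-EntitlementRef values (not captured from a live tree).
SAMPLE_XDS = r"""<attr attr-name="DirXML-EntitlementRef">
 <value type="structured">
  <component name="nameSpace">1</component>
  <component name="volume">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\ADwilleke\willekeADGroups</component>
  <component name="path.xml"><ref><param>CN=Finance,OU=Groups,DC=example,DC=com</param></ref></component>
 </value>
 <value type="structured">
  <component name="nameSpace">0</component>
  <component name="volume">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\RACF\willekeRACFGroup</component>
  <component name="path.xml"><ref><param>OLDGRP</param></ref></component>
 </value>
 <value type="structured">
  <component name="nameSpace">1</component>
  <component name="volume">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\RACF\willekeRACFGroup</component>
  <component name="path.xml"><ref><param>PAYROLL</param></ref></component>
 </value>
 <value type="structured">
  <component name="nameSpace">1</component>
  <component name="volume">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\Other\someEntitlement</component>
  <component name="path.xml"><ref></ref></component>
 </value>
</attr>"""

def entitlement_parts(value):
    """Same three lookups as the rule's XPATH tokens, on one structured <value> element."""
    name_space = (value.findtext("component[@name='nameSpace']") or "").strip()
    volume = (value.findtext("component[@name='volume']") or "").strip()
    param = (value.findtext("component[@name='path.xml']/ref/param") or "").strip()
    return name_space, volume, param

def plan_revocations(xds_attr, user_dn):
    """Return (workflow-id, user DN, GroupResourceDN) for each value the rule would act on."""
    planned = []
    for value in ET.fromstring(xds_attr).findall("value"):
        name_space, volume, param = entitlement_parts(value)
        if name_space != "1" or not param:   # nameSpace 1 = granted; no <param> = nothing to revoke
            continue
        workflow = REVOKE_WORKFLOWS.get(volume)   # unrecognised entitlement DN: leave it alone
        if workflow:
            planned.append((workflow, user_dn, param))
    return planned
```

Only the granted AD and RACF values produce a workflow start; the revoked RACF value and the value with no `<param>` are skipped, which is the behaviour the rule's two `do-if` blocks give.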

This page (revision-7) was last changed on 19-Aug-2014 11:03 by jim