This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
We had a project where, whenever a user's sectionCode or jobCode changed, or the user was no longer in the targeted IDM deployment group, the client wanted all of that user's granted entitlements removed.
We provide an overview of the [DirXML Entitlements] framework and some [DirXML Examples] and [XPATH Examples] of how to work with [DirXML Entitlements].
The [DirXML-EntitlementRef] is sort of a structured attribute with some XML data in its last component. There were some challenges in accessing the various parts of that XML data within the component. The XPATH that worked was:
{{{
<token-xpath expression="$current-node/component[@name='path.xml']/ref/param/text()"/>
}}}
Novell strongly discourages modifying the [DirXML-EntitlementRef] attribute directly, so instead we started workflows (with no approvals) from the driver. Here is the code we used:
{{{
<rule>
<description>Remove from All Groups</description>
<comment xml:space="preserve">When the user is no longer a target user, or there is a change in jobCode or willekeSectionCode, revoke all group entitlements</comment>
<comment name="author" xml:space="preserve">jim@willeke.com</comment>
<comment name="version" xml:space="preserve">16</comment>
<comment name="lastchanged" xml:space="preserve">2009-12-16</comment>
<conditions>
<or>
<if-op-attr mode="nocase" name="willekeTargetIDMUser" op="changing-to">FALSE</if-op-attr>
<if-op-attr name="jobCode" op="changing"/>
<if-op-attr name="willekeSectionCode" op="changing"/>
</or>
<or>
<if-attr name="DirXML-EntitlementRef" op="available"/>
</or>
</conditions>
<actions>
<do-set-local-variable name="lv-ldap-userDN" scope="policy">
<arg-string>
<token-parse-dn dest-dn-format="ldap">
<token-xpath expression="@qualified-src-dn"/>
</token-parse-dn>
</arg-string>
</do-set-local-variable>
<do-for-each>
<arg-node-set>
<token-src-attr name="DirXML-EntitlementRef"/>
</arg-node-set>
<arg-actions>
<do-set-local-variable name="lv-nameSpace" scope="policy">
<arg-string>
<token-xpath expression="$current-node/component[@name='nameSpace']"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="lv-volume" scope="policy">
<arg-string>
<token-xpath expression="$current-node/component[@name='volume']"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="lv-param" scope="policy">
<arg-string>
<token-xpath expression="$current-node/component[@name='path.xml']/ref/param/text()"/>
</arg-string>
</do-set-local-variable>
<do-if>
<arg-conditions>
<and>
<if-local-variable mode="nocase" name="lv-nameSpace" op="equal">1</if-local-variable>
<if-local-variable mode="nocase" name="lv-volume" op="equal">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\ADwilleke\willekeADGroups</if-local-variable>
</and>
</arg-conditions>
<arg-actions>
<do-start-workflow id="CN=admin,OU=services,dc=willeke,dc=com" url="$idv.workflow.url$" workflow-id="CN=RevokeADGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com">
<arg-password>
<token-named-password name="UAdminPW"/>
</arg-password>
<arg-dn>
<token-local-variable name="lv-ldap-userDN"/>
</arg-dn>
<arg-string name="GroupResourceDN">
<token-local-variable name="lv-param"/>
</arg-string>
</do-start-workflow>
</arg-actions>
<arg-actions/>
</do-if>
<do-if>
<arg-conditions>
<and>
<if-local-variable mode="nocase" name="lv-nameSpace" op="equal">1</if-local-variable>
<if-local-variable mode="nocase" name="lv-volume" op="equal">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\RACF\willekeRACFGroup</if-local-variable>
</and>
</arg-conditions>
<arg-actions>
<do-start-workflow id="CN=admin,OU=services,dc=willeke,dc=com" url="$idv.workflow.url$" workflow-id="CN=RevokeRACFGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com">
<arg-password>
<token-named-password name="UAdminPW"/>
</arg-password>
<arg-dn>
<token-local-variable name="lv-ldap-userDN"/>
</arg-dn>
<arg-string name="GroupResourceDN">
<token-local-variable name="lv-param"/>
</arg-string>
</do-start-workflow>
</arg-actions>
<arg-actions/>
</do-if>
</arg-actions>
</do-for-each>
</actions>
</rule>
}}}
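As an added example (not code from this page, and not Novell's), the same three component extractions and the rule's nameSpace/volume tests carried out in Python over a constructed XDS fragment, so the matching logic can be checked outside a driver. The entitlement values, group names and the mixed-case volume are made up; the workflow DNs are the ones used in the rule above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of how DirXML-EntitlementRef values appear to a driver policy:
# two granted (nameSpace 1) group entitlements and one already revoked (nameSpace 0).
SAMPLE_XDS = r"""<attr attr-name="DirXML-EntitlementRef">
 <value type="structured">
  <component name="nameSpace">1</component>
  <component name="volume">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\ADwilleke\willekeADGroups</component>
  <component name="path.xml"><ref><src>UA</src><id>1</id><param>cn=Sales,ou=groups,dc=willeke,dc=com</param></ref></component>
 </value>
 <value type="structured">
  <component name="nameSpace">1</component>
  <component name="volume">\WILLEKEIDV-LAB\com\willeke\services\idm\DriverSet\RACF\willekeRACFGroup</component>
  <component name="path.xml"><ref><src>UA</src><id>2</id><param>SALESGRP</param></ref></component>
 </value>
 <value type="structured">
  <component name="nameSpace">0</component>
  <component name="volume">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\ADwilleke\willekeADGroups</component>
  <component name="path.xml"><ref><src>UA</src><id>3</id><param>cn=Finance,ou=groups,dc=willeke,dc=com</param></ref></component>
 </value>
</attr>"""

# Entitlement object DN -> revocation workflow, as wired in the rule above.
# Keys are casefolded so the lookup behaves like the rule's mode="nocase" compare.
REVOKE_WORKFLOWS = {
    r"\willekeIDV-LAB\com\willeke\services\idm\DriverSet\ADwilleke\willekeADGroups".casefold():
        "CN=RevokeADGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com",
    r"\willekeIDV-LAB\com\willeke\services\idm\DriverSet\RACF\willekeRACFGroup".casefold():
        "CN=RevokeRACFGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com",
}

def parse_entitlement_refs(xds_xml):
    """One dict per structured value; same paths as the policy's XPath, text() becoming findtext."""
    refs = []
    for value in ET.fromstring(xds_xml).findall("value"):
        refs.append({
            "nameSpace": (value.findtext("component[@name='nameSpace']") or "").strip(),
            "volume": (value.findtext("component[@name='volume']") or "").strip(),
            "param": (value.findtext("component[@name='path.xml']/ref/param") or "").strip(),
        })
    return refs

def plan_revocations(xds_xml):
    """(workflow-id, GroupResourceDN) pairs the rule would start: granted refs on a known volume only."""
    plan = []
    for ref in parse_entitlement_refs(xds_xml):
        workflow = REVOKE_WORKFLOWS.get(ref["volume"].casefold())
        if ref["nameSpace"] == "1" and workflow and ref["param"]:
            plan.append((workflow, ref["param"]))
    return plan
```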