We provide an overview of the DirXML Entitlements framework, along with some DirXML Examples and XPATH Examples of how to work with DirXML Entitlements.
The DirXML-EntitlementRef is a sort of structured attribute with some XML data in the last component. There were some challenges in accessing the various parts of the XML data within that component. The XPATH that worked was:
<token-xpath expression="$current-node/component[@name='path.xml']/ref/param/text()"/>
Novell strongly discourages modifying the DirXML-EntitlementRef directly, so instead we started workflows with no approvals from a driver. Here is the code we used:
<rule>
  <description>Remove from All Groups</description>
  <comment xml:space="preserve">When the user is no longer a target user, or there is a change in jobCode or willekeSectionCode, revoke all group entitlements</comment>
  <comment name="author" xml:space="preserve">jim@willeke.com</comment>
  <comment name="version" xml:space="preserve">16</comment>
  <comment name="lastchanged" xml:space="preserve">2009-12-16</comment>
  <conditions>
    <or>
      <if-op-attr mode="nocase" name="willekeTargetIDMUser" op="changing-to">FALSE</if-op-attr>
      <if-op-attr name="jobCode" op="changing"/>
      <if-op-attr name="willekeSectionCode" op="changing"/>
    </or>
    <or>
      <if-attr name="DirXML-EntitlementRef" op="available"/>
    </or>
  </conditions>
  <actions>
    <do-set-local-variable name="lv-ldap-userDN" scope="policy">
      <arg-string>
        <token-parse-dn dest-dn-format="ldap">
          <token-xpath expression="@qualified-src-dn"/>
        </token-parse-dn>
      </arg-string>
    </do-set-local-variable>
    <do-for-each>
      <arg-node-set>
        <token-src-attr name="DirXML-EntitlementRef"/>
      </arg-node-set>
      <arg-actions>
        <do-set-local-variable name="lv-nameSpace" scope="policy">
          <arg-string>
            <token-xpath expression="$current-node/component[@name='nameSpace']"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lv-volume" scope="policy">
          <arg-string>
            <token-xpath expression="$current-node/component[@name='volume']"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="lv-param" scope="policy">
          <arg-string>
            <token-xpath expression="$current-node/component[@name='path.xml']/ref/param/text()"/>
          </arg-string>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="nocase" name="lv-nameSpace" op="equal">1</if-local-variable>
              <if-local-variable mode="nocase" name="lv-volume" op="equal">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\ADwilleke\willekeADGroups</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-start-workflow id="CN=admin,OU=services,dc=willeke,dc=com" url="$idv.workflow.url$" workflow-id="CN=RevokeADGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com">
              <arg-password>
                <token-named-password name="UAdminPW"/>
              </arg-password>
              <arg-dn>
                <token-local-variable name="lv-ldap-userDN"/>
              </arg-dn>
              <arg-string name="GroupResourceDN">
                <token-local-variable name="lv-param"/>
              </arg-string>
            </do-start-workflow>
          </arg-actions>
          <arg-actions/>
        </do-if>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="nocase" name="lv-nameSpace" op="equal">1</if-local-variable>
              <if-local-variable mode="nocase" name="lv-volume" op="equal">\willekeIDV-LAB\com\willeke\services\idm\DriverSet\RACF\willekeRACFGroup</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-start-workflow id="CN=admin,OU=services,dc=willeke,dc=com" url="$idv.workflow.url$" workflow-id="CN=RevokeRACFGroup,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,OU=idm,OU=services,dc=willeke,dc=com">
              <arg-password>
                <token-named-password name="UAdminPW"/>
              </arg-password>
              <arg-dn>
                <token-local-variable name="lv-ldap-userDN"/>
              </arg-dn>
              <arg-string name="GroupResourceDN">
                <token-local-variable name="lv-param"/>
              </arg-string>
            </do-start-workflow>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
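To check which DirXML-EntitlementRef values a rule like this would act on, the same component lookups can be replayed offline. The following is an added example, not code from the original page: it assumes the values are available as structured `<value>`/`<component>` elements, and the sample data, DNs and the volume-to-workflow mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one user's DirXML-EntitlementRef values as structured
# <value> elements (assumed layout). DNs and group names are made up.
SAMPLE = r"""
<attr attr-name="DirXML-EntitlementRef">
  <value type="structured">
    <component name="nameSpace">1</component>
    <component name="volume">\LAB\com\example\DriverSet\AD\ADGroups</component>
    <component name="path.xml"><ref><param>CN=Staff,OU=Groups,DC=example,DC=com</param></ref></component>
  </value>
  <value type="structured">
    <component name="nameSpace">0</component>
    <component name="volume">\LAB\com\example\DriverSet\AD\ADGroups</component>
    <component name="path.xml"><ref><param>CN=Old,OU=Groups,DC=example,DC=com</param></ref></component>
  </value>
  <value type="structured">
    <component name="nameSpace">1</component>
    <component name="volume">\lab\com\example\DriverSet\RACF\RACFGroup</component>
    <component name="path.xml"><ref><param>PAYROLL</param></ref></component>
  </value>
</attr>
"""

# Hypothetical mapping: lower-cased entitlement DN (volume) -> revoke workflow.
WORKFLOWS = {
    r"\lab\com\example\driverset\ad\adgroups": "RevokeADGroup",
    r"\lab\com\example\driverset\racf\racfgroup": "RevokeRACFGroup",
}

def component(value, name, path=""):
    """Equivalent of $current-node/component[@name='...'] for one <value>."""
    return (value.findtext(f"component[@name='{name}']{path}") or "").strip()

def revocations(attr_xml):
    """Return (workflow, param) for each value the rule would act on."""
    out = []
    for value in ET.fromstring(attr_xml).iter("value"):
        if component(value, "nameSpace") != "1":
            continue  # the rule only matches nameSpace equal to 1
        # mode="nocase" in the rule: compare the volume case-insensitively
        workflow = WORKFLOWS.get(component(value, "volume").lower())
        if workflow:
            out.append((workflow, component(value, "path.xml", "/ref/param")))
    return out

if __name__ == "__main__":
    for workflow, param in revocations(SAMPLE):
        print(workflow, param)
```

Values whose volume matches no known entitlement are skipped silently, just as in the rule, so any entitlement added later needs its own branch or it will never be revoked by this policy.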