In addition to the regions, they also based some of the deployment on a classification of users.
Our desire was to create a methodology where they could expand their scope without requiring a lot of code changes.
We came up with this idea, which seems to work pretty well.
As these comparisons are performed with XPath, the values are case sensitive. We insist that the Global Configuration Variable values be lower case when entered, but we do not enforce it.
We force the values from the user to lowercase before we compare.
<definition critical-change="true" display-name="Roles In Scope" item-separator="|" name="idv.dit.data.inscope.roles" type="list">
  <description>Only willekeRoleValues with the listed values are considered in scope. WARNING - Case Sensitive. Must be lower case here!</description>
  <value>
    <item>dentist</item>
    <item>dentistaa</item>
    <item>gfr</item>
    <item>contractordentist</item>
  </value>
</definition>
<definition critical-change="true" display-name="Current In-Scope Regions" item-separator="|" name="idv.dit.data.inscope.regions" type="list">
  <description>Only the regions which are shown are In Scope. These must be listed as the names are utilized within the IDV. WARNING - Must be lower case here!</description>
  <value>
    <item>virginia beach</item>
  </value>
</definition>
<rule>
  <description>Update willekeRoleValue when Available</description>
  <comment xml:space="preserve">if the lv-roleValue is not empty set the willekeRoleValue in IDV. Check and see if the lv-roleValue is gfr, dentistAA or Contractordentist and if true - set the willekeTargetIDMUser=True - break - Nothing more to do on this entry in this policy. Check the willekeRegionCode to determine if the user is within the current target OU. If Yes - set the willekeTargetIDMUser=True - break - Nothing more to do on this entry in this policy. else - set the willekeTargetIDMUser=False </comment>
  <comment name="author" xml:space="preserve">jim@willeke.com</comment>
  <comment name="version" xml:space="preserve">17</comment>
  <comment name="lastchanged" xml:space="preserve">2009-12-21</comment>
  <conditions>
    <and>
      <if-local-variable name="lv-roleValue" op="available"/>
      <if-local-variable mode="nocase" name="lv-roleValue" op="not-equal"/>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="lv-istargetuser" scope="policy">
      <arg-string>
        <token-text xml:space="preserve">FALSE</token-text>
      </arg-string>
    </do-set-local-variable>
    <do-set-dest-attr-value name="willekeRoleValue">
      <arg-value>
        <token-local-variable name="lv-roleValue"/>
      </arg-value>
    </do-set-dest-attr-value>
    <do-if>
      <arg-conditions>
        <and>
          <if-xpath op="true">$lv-roleValue=$idv.dit.data.inscope.roles</if-xpath>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message color="brblue">
          <arg-string>
            <token-text xml:space="preserve">Target Role</token-text>
            <token-text xml:space="preserve"> : </token-text>
            <token-local-variable name="lv-roleValue"/>
            <token-text xml:space="preserve"> Matched!</token-text>
          </arg-string>
        </do-trace-message>
        <do-set-local-variable name="lv-istargetuser" scope="policy">
          <arg-string>
            <token-text xml:space="preserve">TRUE</token-text>
          </arg-string>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <or>
              <if-local-variable mode="nocase" name="lv-roleValue" op="equal">gfr</if-local-variable>
              <if-local-variable mode="nocase" name="lv-roleValue" op="equal">contractordentist</if-local-variable>
            </or>
          </arg-conditions>
          <arg-actions>
            <do-set-dest-attr-value name="willekeTargetIDMUser">
              <arg-value>
                <token-local-variable name="lv-istargetuser"/>
              </arg-value>
            </do-set-dest-attr-value>
            <do-break/>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
      <arg-actions>
        <do-trace-message color="brblue">
          <arg-string>
            <token-text xml:space="preserve">Target Role</token-text>
            <token-text xml:space="preserve"> : </token-text>
            <token-local-variable name="lv-roleValue"/>
            <token-text xml:space="preserve"> FAILED!!!!!!!!!!!!</token-text>
          </arg-string>
        </do-trace-message>
        <do-set-local-variable name="lv-istargetuser" scope="policy">
          <arg-string>
            <token-text xml:space="preserve">FALSE</token-text>
          </arg-string>
        </do-set-local-variable>
        <do-set-dest-attr-value name="willekeTargetIDMUser">
          <arg-value>
            <token-text xml:space="preserve">FALSE</token-text>
          </arg-value>
        </do-set-dest-attr-value>
        <do-break/>
      </arg-actions>
    </do-if>
    <do-set-local-variable name="lv-regionvalueonthisone" scope="policy">
      <arg-string>
        <token-lower-case>
          <token-attr name="willekeRegionCode"/>
        </token-lower-case>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-xpath op="true">$lv-regionvalueonthisone=$idv.dit.data.inscope.regions</if-xpath>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message color="brblue">
          <arg-string>
            <token-text xml:space="preserve">Target Region</token-text>
            <token-text xml:space="preserve"> : </token-text>
            <token-local-variable name="lv-regionvalueonthisone"/>
            <token-text xml:space="preserve"> Matched!</token-text>
          </arg-string>
        </do-trace-message>
        <do-set-local-variable name="lv-istargetuser" scope="policy">
          <arg-string>
            <token-text xml:space="preserve">TRUE</token-text>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions>
        <do-trace-message color="brblue">
          <arg-string>
            <token-text xml:space="preserve">Target Region</token-text>
            <token-text xml:space="preserve"> : </token-text>
            <token-local-variable name="lv-regionvalueonthisone"/>
            <token-text xml:space="preserve"> FAILED!!!!!!!!!!!!</token-text>
          </arg-string>
        </do-trace-message>
        <do-set-local-variable name="lv-istargetuser" scope="policy">
          <arg-string>
            <token-text xml:space="preserve">FALSE</token-text>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
    </do-if>
    <do-set-dest-attr-value name="willekeTargetIDMUser">
      <arg-value>
        <token-local-variable name="lv-istargetuser"/>
      </arg-value>
    </do-set-dest-attr-value>
  </actions>
</rule>
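The in-scope decision above, as an added example in Python (not the author's policy code): it lints list GCVs for items that are not lower case, which the page says is asked for but not enforced, and emulates the rule's two XPath comparisons. The `<gcv-sample>` wrapper, the mis-cased `Norfolk` item and all function names are constructed for illustration; it assumes a list GCV reaches XPath as a node-set of its items, which is what the rule's comparison relies on.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's two list GCVs inside an assumed wrapper element,
# plus one deliberately mis-cased region item ("Norfolk") for the lint to catch.
GCV_XML = """<gcv-sample>
<definition name="idv.dit.data.inscope.roles" type="list" item-separator="|">
 <value><item>dentist</item><item>dentistaa</item><item>gfr</item>
  <item>contractordentist</item></value>
</definition>
<definition name="idv.dit.data.inscope.regions" type="list" item-separator="|">
 <value><item>virginia beach</item><item>Norfolk</item></value>
</definition>
</gcv-sample>"""

ROLES = "idv.dit.data.inscope.roles"
REGIONS = "idv.dit.data.inscope.regions"
ALWAYS_TARGET = {"gfr", "contractordentist"}  # roles the rule accepts in any region

def load_lists(xml_text):
    """Return {GCV name: [item, ...]} for every list-type definition."""
    root = ET.fromstring(xml_text)
    return {d.get("name"): [i.text or "" for i in d.iter("item")]
            for d in root.iter("definition") if d.get("type") == "list"}

def lint(lists):
    """Items that lower-cased user values can never equal."""
    return [(name, item) for name, items in lists.items() for item in items
            if item != item.lower() or item != item.strip()]

def xpath_equals(value, items):
    """XPath 1.0 string = node-set: true when any item matches exactly (case-sensitive)."""
    return any(value == item for item in items)

def is_target_user(role, region, lists):
    """Emulate the rule; role is assumed already lower-cased before it reaches the rule."""
    if not xpath_equals(role, lists[ROLES]):
        return False                      # role out of scope: FALSE, break
    if role.lower() in ALWAYS_TARGET:     # the rule's mode="nocase" comparison
        return True                       # TRUE, break
    return xpath_equals(region.lower(), lists[REGIONS])  # token-lower-case, then XPath

if __name__ == "__main__":
    gcvs = load_lists(GCV_XML)
    for name, item in lint(gcvs):
        print(f"{name}: item {item!r} is not lower case and will never match")
    print(is_target_user("dentist", "Virginia Beach", gcvs))
```

Run the lint against an export of the GCV definitions before deployment: a mis-cased item does not raise an error in the policy, it silently leaves those users out of scope.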