Automatic creation of resources from AD Groups

Hi

Is there any way of creating "Resources" in UserApp/resource catalog from a corresponding AD group automatically, and assigning the Entitlement Value?

/Michael
  • Hi

    We have upgraded from 4.6 (PCRS) to 4.7 (CPRS). It won't create the resource automatically in 4.7. We have manually created a dynamic resource for the group. CPRS gives you two options first compute
  • iampranavpg;2497998 wrote:
    Hi

    We have upgraded from 4.6 (PCRS) to 4.7 (CPRS). It won't create the resource automatically in 4.7. We have manually created a dynamic resource for the group. CPRS gives you two options first compute
  • Here is a rule that creates a Resource with Entitlement:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer47\plugins\com.novell.idm.policybuilder_4.0.0.201812171538\DTD\dirxmlscript4.7.2.dtd">
    <policy>
      <rule>
        <description>test rule</description>
        <!-- Test trigger: fires when the Description attribute changes to "testres" -->
        <conditions>
          <and>
            <if-op-attr mode="nocase" name="Description" op="changing-to">testres</if-op-attr>
          </and>
        </conditions>
        <actions>
          <!-- id is the User Application account used for the call; url comes from the UAProvURL GCV -->
          <do-create-resource id="cn=uaadmin,ou=users,o=data" resource-name="group5idm5" time-out="0" url="~UAProvURL~">
            <!-- Password for the id above, stored in clear text in the policy; a Named Password keeps it out of the policy XML -->
            <arg-password>
              <token-text xml:space="preserve">novell</token-text>
            </arg-password>
            <arg-string name="description">
              <token-text xml:space="preserve">testgroupeb</token-text>
            </arg-string>
            <arg-string name="display-name">
              <token-text xml:space="preserve">testgroupeB</token-text>
            </arg-string>
            <arg-string name="entitlement-dn">
              <token-text xml:space="preserve">cn=Group,cn=Active Directory Driver,cn=driverset,ou=services,o=system</token-text>
            </arg-string>
            <!-- Hard-coded entitlement value for one group: ID and ID2 (the group's DN) -->
            <arg-string name="entitlement-value">
              <token-text xml:space="preserve">{"ID":"94ce357c931caa4eb47de7aa7081adef","ID2":"CN=group5idm5,OU=groups,OU=test,DC=demo,DC=com"}</token-text>
            </arg-string>
          </do-create-resource>
        </actions>
      </rule>
    </policy>

    You can set this rule in the publisher channel of your AD driver and get the entitlement value from the AD group.

    I already tested this rule successfully.

    Hope this will help.

    Sylvain
  • Here is the full rule that creates the resource when an AD group is created (in Input Transformation):

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer47\plugins\com.novell.idm.policybuilder_4.0.0.201812171538\DTD\dirxmlscript4.7.2.dtd">
    <policy>
      <rule>
        <description>Create resource when new group is ADDED - xxxx </description>
        <!-- Fires on add events for Group objects under the container named by the drv.group.container GCV -->
        <conditions>
          <and>
            <if-operation mode="nocase" op="equal">add</if-operation>
            <if-class-name mode="nocase" op="equal">Group</if-class-name>
            <if-src-dn op="in-container">~drv.group.container~</if-src-dn>
          </and>
        </conditions>
        <actions>
          <!-- Association value of the group, used as "ID" in the entitlement value -->
          <do-set-local-variable name="groupGUID" scope="policy">
            <arg-string>
              <token-association/>
            </arg-string>
          </do-set-local-variable>
          <do-set-local-variable name="groupName" scope="policy">
            <arg-string>
              <token-src-name/>
            </arg-string>
          </do-set-local-variable>
          <do-set-local-variable name="resourceName" scope="policy">
            <arg-string>
              <token-text xml:space="preserve">AD_Group_Resource_</token-text>
              <token-local-variable name="groupName"/>
            </arg-string>
          </do-set-local-variable>
          <do-create-resource id="cn=uaadmin,ou=users,o=data" resource-name="$resourceName$" time-out="0" url="~UAProvURL~">
            <!-- Password for the id above, stored in clear text in the policy; a Named Password keeps it out of the policy XML -->
            <arg-password>
              <token-text xml:space="preserve">novell</token-text>
            </arg-password>
            <arg-string name="description">
              <token-text xml:space="preserve">AD_Group_Resource_</token-text>
              <token-local-variable name="groupName"/>
            </arg-string>
            <arg-string name="display-name">
              <token-text xml:space="preserve">AD_Group_Resource_</token-text>
              <token-local-variable name="groupName"/>
            </arg-string>
            <arg-string name="entitlement-dn">
              <token-text xml:space="preserve">cn=Group,cn=Active Directory Driver,cn=driverset,ou=services,o=system</token-text>
            </arg-string>
            <!-- Built by concatenation: groupName is inserted unescaped, and ID2 assumes the group sits directly in this OU -->
            <arg-string name="entitlement-value">
              <token-text xml:space="preserve">{"ID":"</token-text>
              <token-local-variable name="groupGUID"/>
              <token-text xml:space="preserve">","ID2":"CN=</token-text>
              <token-local-variable name="groupName"/>
              <token-text xml:space="preserve">,OU=groups,OU=xxxx,DC=demoxxxx,DC=com"}</token-text>
            </arg-string>
          </do-create-resource>
        </actions>
      </rule>
    </policy>
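
The rule above assembles the entitlement value by concatenating the group name into a JSON string. As an added example (not part of the original posts, and going beyond them), this Python sketch builds the same `{"ID":…,"ID2":…}` value with DN and JSON escaping and checks a concatenated value before it is used. The function names are hypothetical, and the 32-hex-character ID format is an assumption taken from the sample value in the first rule.

```python
import json
import re

# Assumption: the association is 32 hex characters, as in the sample value on this page.
HEX_GUID = re.compile(r"[0-9a-fA-F]{32}")

def escape_rdn_value(value):
    """Escape a group name for use as an RDN value (RFC 4514 special characters)."""
    chars = ["\\" + c if c in '"+,;<>\\' else c for c in value]
    if chars and chars[0] in ("#", " "):
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)

def build_entitlement_value(assoc_guid, group_cn, container_dn):
    """Build {"ID":...,"ID2":...}: DN escaping first, then JSON escaping."""
    if not HEX_GUID.fullmatch(assoc_guid):
        raise ValueError("association is not 32 hex characters")
    dn = "CN=" + escape_rdn_value(group_cn) + "," + container_dn
    return json.dumps({"ID": assoc_guid, "ID2": dn}, separators=(",", ":"))

def naive_entitlement_value(assoc_guid, group_cn, container_dn):
    """Plain concatenation, mirroring the token-text pieces in the rule above."""
    return '{"ID":"' + assoc_guid + '","ID2":"CN=' + group_cn + "," + container_dn + '"}'

def check_entitlement_value(value):
    """Return a list of problems; an empty list means the value is well-formed."""
    try:
        obj = json.loads(value)
    except ValueError:
        return ["not valid JSON"]
    if not isinstance(obj, dict) or set(obj) != {"ID", "ID2"}:
        return ["expected exactly the keys ID and ID2"]
    problems = []
    if not (isinstance(obj["ID"], str) and HEX_GUID.fullmatch(obj["ID"])):
        problems.append("ID is not 32 hex characters")
    if not (isinstance(obj["ID2"], str) and obj["ID2"].upper().startswith("CN=")):
        problems.append("ID2 does not start with CN=")
    return problems

if __name__ == "__main__":
    guid = "94ce357c931caa4eb47de7aa7081adef"   # sample value from the first rule
    base = "OU=groups,OU=test,DC=demo,DC=com"    # container from the first rule
    for cn in ["group5idm5", 'Sales "EMEA"', "Ops, EU"]:  # last two are constructed
        naive = naive_entitlement_value(guid, cn, base)
        print(cn, "| naive:", check_entitlement_value(naive) or "ok",
              "| built:", build_entitlement_value(guid, cn, base))
```

For a plain name such as `group5idm5` both functions give the value shown in the first rule; they differ only when the group name contains characters that are special in a DN or in JSON.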