Capturing the removed roles from users does not work properly

Hi,

We are using the loopback driver for capturing the removed roles from users by using the below rule.

It does not work properly, as we have found that it sometimes captures the assigned role as well. Please help.


<rule>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<!-- true for any modification of the attribute, whether values are added or removed -->
<if-op-attr name="nrfAssignedRoles" op="changing"/>
</and>
</conditions>

<actions>
<do-trace-message>
<arg-string>
<token-text xml:space="preserve">Removed Values</token-text>
<token-removed-attr name="nrfAssignedRoles"/>
</arg-string>
</do-trace-message>
<do-set-local-variable name="lvUserCn" scope="policy">
<arg-string>
<token-src-dn/>
</arg-string>
</do-set-local-variable>
<do-trace-message>
<arg-string>
<token-text xml:space="preserve">User DN</token-text>
<token-local-variable name="lvUserCn"/>
</arg-string>
</do-trace-message>
<!-- iterate over the remove-value elements of the current event -->
<do-for-each>
<arg-node-set>
<token-removed-attr name="nrfAssignedRoles"/>
</arg-node-set>
<arg-actions>
<do-set-local-variable name="lvRoleEntry" scope="policy">
<arg-string>
<token-xpath expression="$current-node"/>
</arg-string>
</do-set-local-variable>
</arg-actions>
</do-for-each>
</actions>
</rule>


Thanks,

Sathish

  • Hey,

    have you got an example xds for this?

    Regards

  • Hey, try the below:

    <rule>
    <conditions>
    <and>
    <if-class-name op="equal">User</if-class-name>
    <if-operation mode="nocase" op="equal">modify</if-operation>
    <if-op-attr name="nrfAssignedRoles" op="changing"/>
    <!-- only proceed when the modify carries at least one remove-value for the attribute -->
    <if-xpath op="true">(modify-attr[@attr-name="nrfAssignedRoles"]/remove-value/value)</if-xpath>
    </and>
    </conditions>
    <actions>
    <!-- collect the removed values as a node set, then visit each one -->
    <do-set-local-variable name="lvRolesRemoving" scope="policy">
    <arg-node-set>
    <token-xpath expression='modify-attr[@attr-name="nrfAssignedRoles"]/remove-value/value'/>
    </arg-node-set>
    </do-set-local-variable>
    <do-for-each>
    <arg-node-set>
    <token-local-variable name="lvRolesRemoving"/>
    </arg-node-set>
    <arg-actions>
    <do-set-local-variable name="lvcurrentnode" scope="policy">
    <arg-string>
    <token-local-variable name="current-node"/>
    </arg-string>
    </do-set-local-variable>
    </arg-actions>
    </do-for-each>
    </actions>
    </rule>


    Let me know if it works.

  • Regarding this unwieldy condition:

    <if-xpath op="true">(modify-attr[@attr-name="nrfAssignedRoles"]/remove-value/value)</if-xpath>

    You can and should use the if-operation-attr token for this type of thing instead (as the original poster tried to do).

    This token has a "changing from" option. This looks at remove-value elements.
    Combine this with a regex match of "." and you get the same effect in a far more human-readable (and manageable) manner.
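    Putting the last reply's suggestion together with the original poster's loop, as an added example (this is not code posted by anyone in the thread): a rule whose condition uses if-op-attr with op="changing-from" and mode="regex", so it is true only when the modify event carries at least one remove-value for nrfAssignedRoles, and which then traces each removed value. The expression ".+" is used instead of the suggested "." so that multi-character values match whether or not the engine anchors the regex to the whole value; the variable name lvUserDn and the trace wording are assumptions.

```xml
<rule>
  <description>Trace each role removed from a user (added example)</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation mode="nocase" op="equal">modify</if-operation>
      <!-- changing-from looks only at remove-value elements; ".+" matches any non-empty value,
           so an add-only change to nrfAssignedRoles does not satisfy this condition -->
      <if-op-attr mode="regex" name="nrfAssignedRoles" op="changing-from">.+</if-op-attr>
    </and>
  </conditions>
  <actions>
    <!-- lvUserDn is an assumed variable name holding the source DN of the user -->
    <do-set-local-variable name="lvUserDn" scope="policy">
      <arg-string>
        <token-src-dn/>
      </arg-string>
    </do-set-local-variable>
    <!-- one trace line per removed value; $current-node is the value element being visited -->
    <do-for-each>
      <arg-node-set>
        <token-removed-attr name="nrfAssignedRoles"/>
      </arg-node-set>
      <arg-actions>
        <do-trace-message>
          <arg-string>
            <token-text xml:space="preserve">Role removed from </token-text>
            <token-local-variable name="lvUserDn"/>
            <token-text xml:space="preserve">: </token-text>
            <token-xpath expression="$current-node"/>
          </arg-string>
        </do-trace-message>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
```

    The difference from the original rule is the condition: op="changing" is true for any modification of the attribute, including one that only adds values, whereas op="changing-from" is true only when a remove-value is present and matches the given expression, which is the case the thread is trying to isolate.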