Manipulating DirXML-EntitlementRef in code

I've run into a situation that I've found can be avoided if I manually
change the value of a DirXML-EntitlementRef attribute value directly on
a user object in an LDAP browser from

cn=NOVLGGLEUSER-Account,cn=Google Apps
Driver,cn=IDM-Driverset,o=services#1# <etc..>

to

cn=NOVLGGLEUSER-Account,cn=Google Apps
Driver,cn=IDM-Driverset,o=services#0# <etc..>

Note the change from #1# to #0#.
I want to do this on hundreds of users so looking for a way to automate
it using driver code or any other means.

Any help much appreciated.
  • On 9/8/2017 4:19 PM, de Groot, David wrote:
    > I've run into a situation that I've found can be avoided if I manually
    > change the value of a DirXML-EntitlementRef attribute value directly on
    > a user object in an LDAP browser from
    >
    > cn=NOVLGGLEUSER-Account,cn=Google Apps
    > Driver,cn=IDM-Driverset,o=services#1# <etc..>
    >
    > to
    >
    > cn=NOVLGGLEUSER-Account,cn=Google Apps
    > Driver,cn=IDM-Driverset,o=services#0# <etc..>
    >
    > Note the change from #1# to #0#.
    > I want to do this on hundreds of users so looking for a way to automate
    > it using driver code or any other means.
    >
    > Any help much appreciated.


    I wrote an article on the topic but cannot recall the URL offhand.
    The key is to treat the path.xml node as a nodeset, and read/write it that
    way.

    Remove a structured attribute, with three components and then add it
    back where the values of the volume and path.xml components are XPATH
    selecting those values.

  • Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
    >
    >
    > I wrote an article on the topic but cannot recall the URL offhand.
    > The key is to treat the path.xml node as a nodeset, and read/write it that
    > way.
    >
    > Remove a structured attribute, with three components and then add it
    > back where the values of the volume and path.xml components are XPATH
    > selecting those values.
    >


    Essentially,

    1. read out dirXML entitlement values for current user. Into a variable of
    type nodeset.
    2. For each over just those values where an xpath value test for volume
    component matches your desired Entitlement DN (remember it isn't going to
    be Alfaro style DN here in policy)
    3.a In policy remove attribute value - structured with namespace of 1,
    volume of your desired Entitlement DN
    3b clone by xpath $current-node/component[@name='path.xml'] to
    .../modify[last()]/modify-attr[last()]/value[last()]

    Or something like that.

    4a In policy add attribute value - structured with namespace of 0, volume
    of your desired Entitlement DN
    4b clone by xpath $current-node/component[@name='path.xml'] to
    .../modify[last()]/modify-attr[last()]/value[last()]

    Or something like that.



    set the first two values via policy and the third one use clone by xpath to
    clone from
  • Lothar Haeger wrote:

    > Alex McHugh wrote:
    >
    > > I seem to recall Shon saying it wasn't pure-text, that you had to use clone
    > > as it is a separate embedded XML document.
    > >
    > > That was distinction between path and path.xml as component name.

    >
    > That would make sense and explain the ".xml" suffix. It seems both ways work,
    > either XML text with a "path" component or XML nodes as children of a
    > "path.xml" component.
    >
    > Here's what I could dig up for reference:

    ...snip..

    >
    > And in 2009:
    >
    > > > Use path instead of path.xml and you can put it in as string using
    > > > token-text. If you value is dynamic (i.e. coming from an existing
    > > > value), you can use token-xml-serialize to get the string form.

    > >


    This is what I meant, when you read it back, you get it as "path.xml", but if
    you want to set it as serialized text, you need to use "path"

    I guess removing can be either/or but you introduce more risk of some sort of
    "normalization" if you try and use serialized XML (ie "path") here - especially
    as you already have the entire document blob as path.xml
    It seems that Geoffrey and I prefer the clone approach, it may be that one has
    to create the empty component first as Shon mentioned.
    Was just trying to avoid another unnecessary step with the cloning a subset of

    Shon wrote in 2011 "It will not be escaped that way once it gets into
    eDirectory, and when pulled back out of eDirectory as XDS by a driver it will
    revert back to path.xml with the XML parsed back out into a DOM node"

    and

    "path.xml is just a special case of path that contains the parsed XML as DOM
    nodes instead of as a string. If you want to write XML to it just serialize the
    XML (if needed) and write it as path rather than path.xml. The other way to
    think about doing it is to clone xpath to the component element after creating
    it with an empty value."

    Back to the original poster, can you please post level traces of my, Lothar or
    Geoffrey's code suggestions not working, only then can we help further. Until
    that point it is just rampant speculation.

    Looking back at my code, I notice it fails if there is nothing to remove,
    attached is a fixed version. Also have attached Geoffrey and Lothar's versions
    (at least my interpretation of what I think they meant!).
    Please try them all and report back, though - be sure to enable only one of the
    different approaches at a time.


    <policy>
    <rule>
    <description>Common Setup</description>
    <conditions>
    <and/>
    </conditions>
    <actions>
    <do-set-local-variable name="nsCurrentEntitlements" notrace="true"
    scope="policy">
    <arg-node-set>
    <token-src-attr name="DirXML-EntitlementRef" notrace="true"/>
    </arg-node-set>
    </do-set-local-variable>
    <do-set-local-variable name="strTargetEntitlement" scope="policy">
    <arg-string>
    <token-text xml:space="preserve">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</token-text>
    </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="nsEntitlementsToRemove" scope="policy">
    <arg-node-set>
    <token-xpath expression="$nsCurrentEntitlements[component[@name='volume'] = $strTargetEntitlement][component[@name='nameSpace'] = '0']"/>
    </arg-node-set>
    </do-set-local-variable>
    </actions>
    </rule>
    <rule>
    <description>Remove Already Revoked Entitlements Alex's approach</description>
    <conditions/>
    <actions>
    <do-if>
    <arg-conditions>
    <and>
    <if-xpath op="true">count ($nsEntitlementsToRemove) > 0</if-xpath>
    </and>
    </arg-conditions>
    <arg-actions>
    <do-remove-src-attr-value name="DirXML-EntitlementRef">
    <arg-value type="string">
    <token-text xml:space="preserve">dummy</token-text>
    </arg-value>
    </do-remove-src-attr-value>
    <!-- Clone the matching structured values into the remove-value just created, then strip the dummy placeholder -->
    <do-clone-xpath dest-expression="../modify[last()]/modify-attr[@attr-name='DirXML-EntitlementRef'][last()]/remove-value[last()]" src-expression="$nsEntitlementsToRemove"/>
    <do-strip-xpath expression="../modify[last()]/modify-attr[@attr-name='DirXML-EntitlementRef'][last()]/remove-value[last()]/value[.='dummy']"/>
    </arg-actions>
    <arg-actions>
    <do-trace-message>
    <arg-string>
    <token-text xml:space="preserve">Nothing to remove!</token-text>
    </arg-string>
    </do-trace-message>
    </arg-actions>
    </do-if>
    </actions>
    </rule>
    <rule disabled="true">
    <description>Remove Already Revoked Entitlements - Geoffrey's approach</description>
    <conditions/>
    <actions>
    <do-for-each>
    <arg-node-set>
    <token-local-variable name="nsEntitlementsToRemove"/>
    </arg-node-set>
    <arg-actions>
    <do-remove-src-attr-value name="DirXML-EntitlementRef">
    <arg-value type="structured">
    <arg-component name="nameSpace">
    <token-xpath expression="$current-node/component[@name='nameSpace']"/>
    </arg-component>
    <arg-component name="volume">
    <token-xpath expression="$current-node/component[@name='volume']"/>
    </arg-component>
    </arg-value>
    </do-remove-src-attr-value>
    <!-- Clone the parsed path.xml component into the value that the remove action above created -->
    <do-clone-xpath dest-expression="../modify[last()]/modify-attr[@attr-name='DirXML-EntitlementRef'][last()]/remove-value[last()]/value[last()]" src-expression="$current-node/component[@name='path.xml']"/>
    </arg-actions>
    </do-for-each>
    </actions>
    </rule>
    <rule disabled="true">
    <description>Remove Already Revoked Entitlements - Lothar's approach</description>
    <conditions/>
    <actions>
    <do-for-each>
    <arg-node-set>
    <token-local-variable name="nsEntitlementsToRemove"/>
    </arg-node-set>
    <arg-actions>
    <do-remove-src-attr-value name="DirXML-EntitlementRef">
    <arg-value type="structured">
    <arg-component name="nameSpace">
    <token-xpath expression="$current-node/component[@name='nameSpace']"/>
    </arg-component>
    <arg-component name="volume">
    <token-xpath expression="$current-node/component[@name='volume']"/>
    </arg-component>
    <arg-component name="path">
    <token-xml-serialize>
    <token-xpath expression="$current-node//component[@name='path.xml']"/>
    </token-xml-serialize>
    </arg-component>
    </arg-value>
    </do-remove-src-attr-value>
    </arg-actions>
    </do-for-each>
    </actions>
    </rule>
    </policy>



    Alex

    --
    If you find this post helpful, and are viewing this using the web, please show
    your appreciation by clicking on the star below
  • kristoffer wrote:

    >
    > kristoffer;2466089 Wrote:
    > >
    > > Any ideas ?
    > >

    >
    > Ok, this seems to work. Went for a pure ldap read/delete operation as
    > the value seemed hard to read/write with std. policies.


    Thanks for reporting back, creative solution you ended up with.

    I just posted some standard policies that should also work! Just for
    reference/comparison.


  • On 9/20/2017 5:04 AM, kristoffer wrote:
    >
    > kristoffer;2466089 Wrote:
    >>
    >> Any ideas ?
    >>

    >
    > Ok, this seems to work. Went for a pure ldap read/delete operation as
    > the value seemed hard to read/write with std. policies.
    >
    >
    > Code:
    > --------------------
    > <do-set-local-variable name="Entsldap" scope="policy">
    > <arg-node-set>
    > <token-xpath expression="es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"/>
    > </arg-node-set>
    > </do-set-local-variable>
    > <do-for-each>
    > <arg-node-set>
    > <token-xpath expression="$Entsldap//attr/value"/>
    > </arg-node-set>
    > <arg-actions>
    > <do-trace-message>
    > <arg-string>
    > <token-local-variable name="current-node"/>
    > </arg-string>
    > </do-trace-message>
    > <do-if>
    > <arg-conditions>
    > <and>
    > <if-local-variable mode="regex" name="current-node" op="equal">cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#.*</if-local-variable>
    > </and>
    > </arg-conditions>
    > <arg-actions>
    > <do-trace-message>
    > <arg-string>
    > <token-text xml:space="preserve">REMOVE Ent.</token-text>
    > </arg-string>
    > </do-trace-message>
    > <do-set-local-variable name="Entsldapdeletevalue" scope="policy">
    > <arg-node-set>
    > <token-xpath expression="es:ldapDelete($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'DirXML-EntitlementRef', $current-node)"/>
    > </arg-node-set>
    > </do-set-local-variable>
    > </arg-actions>
    > <arg-actions/>
    > </do-if>
    > </arg-actions>
    > </do-for-each>
    > --------------------


    Why are you doing your search and deletes via LDAP?

    Use the built-in tokens; they are much better options. I concede that
    the LDAP Search is super useful when doing searches the Query token does
    not support. (Value=*, (!(value=*)), Timestamp < and > and so on).


  • alexmchugh;2466524 wrote:


    I just posted some standard policies that should also work! Just for
    reference/comparison.


    Will test later. Not sure if they will work because of the <?xml version="1.0" encoding="UTF-8"?> part of the path/path.xml component.
    That part will not be read out by the std. policies. (at least i have never seen it in the trace, so i think it is somehow filtered out by the engine)

    /Kristoffer
  • The value I have to remove is not getting read out properly. Only got it to work with ldap.
    Will try some more with the new suggestions from Alex.

    This is the entitlement value. I think the <?xml version="1.0" encoding="UTF-8"?> part is the problem.

    cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>

    /Kristoffer
  • kristoffer <kristoffer@no-mx.forums.microfocus.com> wrote:
    > alexmchugh;2466524 Wrote:
    >> I just posted some standard policies that should also work! Just for
    >> reference/comparison.
    >
    > Will test later. Not sure if they will work because of the <?xml
    > version="1.0" encoding="UTF-8"?> part of the path/path.xml component.
    > That part will not be read out by the std. policies. (at least i have
    > never seen it in the trace, so i think it is somehow filtered out by the
    > engine)


    It isn't present because in the engine it is represented as a separate
    document (the path vs path.xml thing). The ldap representation is the same
    as the path representation. The engine uses path.xml.

    If you can show a trace where this is actually relevant (that it won't
    remove because that is missing) then I might be convinced.


  • Just tested the new policies you provided with no luck. The first two provide the same output seen below.

    This event won't remove the entitlement:

    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.1.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="\FELLES\BSK\InActiveUsers\GITLAT" dest-entry-id="210371" event-id="extest0010#20170920115025#99#1:d769465a-5929-4f35-a591-5a4669d72959">
    <modify-attr attr-name="DirXML-EntitlementRef">
    <remove-value>
    <value timestamp="1484228759#111" type="structured">
    <component name="nameSpace">0</component>
    <component name="volume">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</component>
    <component name="path.xml">
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    </component>
    </value>
    </remove-value>
    </modify-attr>
    </modify>
    </input>
    </nds>


    The LDAP way which removes the entitlement.

    [09/20/17 14:07:36.390]:PrepareDriverRemoval ST:      Action: do-set-local-variable("Entsldap",scope="policy",arg-node-set(token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"))).
    [09/20/17 14:07:36.390]:PrepareDriverRemoval ST: arg-node-set(token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"))
    [09/20/17 14:07:36.390]:PrepareDriverRemoval ST: token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')")
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: Token Value: {<instance> @src-dn = "cn=GITLAT,ou=InActiveUsers,o=BSK"}.
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: Arg Value: {<instance> @src-dn = "cn=GITLAT,ou=InActiveUsers,o=BSK"}.
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: Action: do-for-each(arg-node-set(token-xpath("$Entsldap//attr/value"))).
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: arg-node-set(token-xpath("$Entsldap//attr/value"))
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: token-xpath("$Entsldap//attr/value")
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Token Value: {<value>,<value>,<value>}.
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Arg Value: {<value>,<value>,<value>}.
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Performing actions for local-variable(current-node) = <value>.
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Action: do-trace-message(token-local-variable("current-node")).
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: arg-string(token-local-variable("current-node"))
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: token-local-variable("current-node")
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Token Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Arg Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST:cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>

    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Action: do-if().
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Evaluating conditions.
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: (if-local-variable 'current-node' match "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#.*") = TRUE.
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Performing if actions.
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Action: do-trace-message("REMOVE Ent.").
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: arg-string("REMOVE Ent.")
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: token-text("REMOVE Ent.")
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Arg Value: "REMOVE Ent.".
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST:REMOVE Ent.
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Action: do-set-local-variable("Entsldapdeletevalue",scope="policy",arg-node-set(token-xpath("es:ldapDelete($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'DirXML-EntitlementRef', $current-node)"))).
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: arg-node-set(token-xpath("es:ldapDelete($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'DirXML-EntitlementRef', $current-node)"))
    [09/20/17 14:07:36.452]:PrepareDriverRemoval ST: token-xpath("es:ldapDelete($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'DirXML-EntitlementRef', $current-node)")
    [09/20/17 14:07:36.512]:PrepareDriverRemoval ST: Token Value: {}.
    [09/20/17 14:07:36.512]:PrepareDriverRemoval ST: Arg Value: {}.


    Might conduct one more test where i take the input from LDAP, and try to remove it with std. policy.

    /Kristoffer
  • kristoffer;2466539 wrote:


    Might conduct one more test where i take the input from LDAP, and try to remove it with std. policy.

    /Kristoffer


    Final test that also works.
    I can read the values with ldap and remove them with std. policies. Notice the <?xml version="1.0" encoding="UTF-8"?> part which disappears when read with std. policy.

    /Kristoffer

    [09/20/17 14:23:02.648]:PrepareDriverRemoval ST:      Action: do-set-local-variable("Entsldap",scope="policy",arg-node-set(token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"))).
    [09/20/17 14:23:02.648]:PrepareDriverRemoval ST: arg-node-set(token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"))
    [09/20/17 14:23:02.648]:PrepareDriverRemoval ST: token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')")
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Token Value: {<instance> @src-dn = "cn=GITTTR,ou=InActiveUsers,o=BSK"}.
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Arg Value: {<instance> @src-dn = "cn=GITTTR,ou=InActiveUsers,o=BSK"}.
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Action: do-for-each(arg-node-set(token-xpath("$Entsldap//attr/value"))).
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: arg-node-set(token-xpath("$Entsldap//attr/value"))
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: token-xpath("$Entsldap//attr/value")
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Token Value: {<value>}.
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Arg Value: {<value>}.
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Performing actions for local-variable(current-node) = <value>.
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Action: do-trace-message(token-local-variable("current-node")).
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: arg-string(token-local-variable("current-node"))
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: token-local-variable("current-node")
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Token Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Arg Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST:cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>

    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Action: do-if().
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Evaluating conditions.
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: (if-local-variable 'current-node' match "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#.*") = TRUE.
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Performing if actions.
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Action: do-trace-message("REMOVE Ent.").
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: arg-string("REMOVE Ent.")
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: token-text("REMOVE Ent.")
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Arg Value: "REMOVE Ent.".
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST:REMOVE Ent.
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Action: do-set-local-variable("Test",scope="policy",arg-node-set(token-split("#",token-local-variable("current-node")))).
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: arg-node-set(token-split("#",token-local-variable("current-node")))
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: token-split("#",token-local-variable("current-node"))
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: token-split("#",token-local-variable("current-node"))
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: token-local-variable("current-node")
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Token Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Arg Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:23:02.710]:PrepareDriverRemoval ST: Token Value: {"cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM...","0","<?xml version="1.0" encoding=
  • kristoffer wrote:

    >
    > kristoffer;2466539 Wrote:
    >
    > Final test that also works.


    Odd.

    What about Lothar's version? That should have offered the option to solve this
    also.

    > I can read the values with ldap and remove them with std. policies.
    > Notice the <?xml version="1.0" encoding="UTF-8"?> part which disappears
    > when read with std. policy.
    >


    Can you post the error you got when trying to detect and remove using native
    code, specifically the version that lacked <?xml version="1.0"
    encoding="UTF-8"?>

  • Alex McHugh wrote:

    > kristoffer wrote:
    >
    > >
    > > kristoffer;2466539 Wrote:
    > >
    > > Final test that also works.

    >
    > Odd.
    >
    > What about Lothar's version? That should have offered the option to solve this
    > also.
    >


    Try this one - uses Lothar's technique, but blindly appends your problematic
    <?xml version="1.0" encoding="UTF-8"?> blob first.

    Keen to see actual errors, also what agent granted these back in the day?
    Pretty sure I've removed UA and maybe RBE via pure DirXML-Script in the past.


    <policy>
    <rule>
    <description>Common Setup</description>
    <conditions>
    <and/>
    </conditions>
    <actions>
    <do-set-local-variable name="nsCurrentEntitlements" notrace="true"
    scope="policy">
    <arg-node-set>
    <token-src-attr name="DirXML-EntitlementRef" notrace="true"/>
    </arg-node-set>
    </do-set-local-variable>
    <do-set-local-variable name="strTargetEntitlement" scope="policy">
    <arg-string>
    <token-text xml:space="preserve">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</token-text>
    </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="nsEntitlementsToRemove" scope="policy">
    <arg-node-set>
    <token-xpath expression="$nsCurrentEntitlements[component[@name='volume'] = $strTargetEntitlement][component[@name='nameSpace'] = '0']"/>
    </arg-node-set>
    </do-set-local-variable>
    </actions>
    </rule>
    <rule>
    <description>Remove Already Revoked Entitlements - Lothar's way v2</description>
    <conditions/>
    <actions>
    <do-for-each>
    <arg-node-set>
    <token-local-variable name="nsEntitlementsToRemove"/>
    </arg-node-set>
    <arg-actions>
    <do-remove-src-attr-value name="DirXML-EntitlementRef">
    <arg-value type="structured">
    <arg-component name="nameSpace">
    <token-xpath expression="$current-node/component[@name='nameSpace']"/>
    </arg-component>
    <arg-component name="volume">
    <token-xpath expression="$current-node/component[@name='volume']"/>
    </arg-component>
    <arg-component name="path">
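    <!-- The XML declaration is literal text, so its angle brackets must be escaped inside the policy -->
    <token-text xml:space="preserve">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</token-text>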
    <token-xml-serialize>
    <token-xml-parse>
    <token-xpath expression="$current-node//component[@name='path.xml']"/>
    </token-xml-parse>
    </token-xml-serialize>
    </arg-component>
    </arg-value>
    </do-remove-src-attr-value>
    </arg-actions>
    </do-for-each>
    </actions>
    </rule>
    </policy>




  • alexmchugh;2466554 wrote:


    Try this one - uses Lothar's technique, but blindly appends your problematic
    <?xml version="1.0" encoding="UTF-8"?> blob first.


    YES. This works. Had to fine-tune it a little bit. (added /ref two linefeeds)
    I think i stick with this method to keep the code in std. policies and avoid doing the ldap query.


    <do-remove-src-attr-value name="DirXML-EntitlementRef">
    <arg-value type="structured">
    <arg-component name="nameSpace">
    <token-xpath expression="$current-node/component[@name='nameSpace']"/>
    </arg-component>
    <arg-component name="volume">
    <token-xpath expression="$current-node/component[@name='volume']"/>
    </arg-component>
    <arg-component name="path">
    <token-text xml:space="preserve">&lt;?xml version="1.0" encoding="UTF-8"?&gt;
    </token-text>
    <token-xml-serialize>
    <token-xpath expression="$current-node//component[@name='path.xml']/ref"/>
    </token-xml-serialize>
    <token-text xml:space="preserve">
    </token-text>
    </arg-component>
    </arg-value>
    </do-remove-src-attr-value>


    alexmchugh;2466554 wrote:

    Keen to see actual errors, also what agent granted these back in the day?
    Pretty sure I've removed UA and maybe RBE via pure DirXML-Script in the past.


    Never received any errors. Whatever i put in the path component i just received a Success when removing the value. (see one of my previous postings with a trace example)
    The entitlement is granted by a role resource using RoleResource driver. All our entitlements have this extra XML header.


    /Kristoffer
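
An added example, not code from any poster in this thread: a Python sketch that splits the LDAP string form of a DirXML-EntitlementRef value (DN#state#XML), shows why a value rebuilt from the engine's path.xml fragment only equals the stored one once the XML declaration and the linefeeds reported above are added, and emits an LDIF modify for the #1# to #0# change from the original question. The sample value, the user DN and all helper names are constructed, and exact string comparison standing in for the directory's value matching is an assumption.

```python
import base64
import re

ATTR = "DirXML-EntitlementRef"
XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>'

# Constructed sample shaped like the value in the traces above: the LDAP view
# carries an XML declaration before <ref> and a linefeed after </ref>.
STORED = (
    "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#"
    + XML_DECL + "\n"
    + "<ref>\n<src>UA</src>\n<id/>\n<param/>\n</ref>\n"
)

# Constructed: what a policy gets from the path.xml component, i.e. only the
# parsed <ref> element, without the declaration or the final linefeed.
ENGINE_FRAGMENT = "<ref>\n<src>UA</src>\n<id/>\n<param/>\n</ref>"

_REF = re.compile(r"(?P<dn>.*?)#(?P<state>\d+)#(?P<path>.*)", re.DOTALL)


def parse_entitlement_ref(value):
    """Split 'DN#state#path' into (dn, state, path); path keeps every byte."""
    m = _REF.fullmatch(value)
    if m is None:
        raise ValueError("value is not in DN#state#path form")
    return m.group("dn"), int(m.group("state")), m.group("path")


def build_entitlement_ref(dn, state, path):
    """Inverse of parse_entitlement_ref."""
    return f"{dn}#{state}#{path}"


def path_from_fragment(fragment):
    """Rebuild the 'path' text from a serialized <ref> element by adding the
    declaration, a linefeed after it and a linefeed after </ref>."""
    return f"{XML_DECL}\n{fragment}\n"


def _ldif_attr(name, value):
    """Base64-encode the value (it contains linefeeds) and fold at 76 columns."""
    line = f"{name}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    parts, rest = [line[:76]], line[76:]
    while rest:
        parts.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(parts)


def ldif_flip_state(user_dn, stored_value, new_state):
    """Return an LDIF modify that deletes the exact stored value and adds the
    same value with a new state, or None if the state already matches.
    Assumes user_dn is plain ASCII (no base64 needed on the dn line)."""
    dn, state, path = parse_entitlement_ref(stored_value)
    if state == new_state:
        return None
    new_value = build_entitlement_ref(dn, new_state, path)
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        f"delete: {ATTR}",
        _ldif_attr(ATTR, stored_value),
        "-",
        f"add: {ATTR}",
        _ldif_attr(ATTR, new_value),
        "-",
        "",
    ])


if __name__ == "__main__":
    dn, state, path = parse_entitlement_ref(STORED)
    naive = build_entitlement_ref(dn, state, ENGINE_FRAGMENT)
    fixed = build_entitlement_ref(dn, state, path_from_fragment(ENGINE_FRAGMENT))
    print("fragment only matches stored value:", naive == STORED)
    print("declaration + linefeeds matches:   ", fixed == STORED)
    granted = build_entitlement_ref(dn, 1, path)
    # Constructed user DN; review the LDIF before importing it anywhere.
    print(ldif_flip_state("cn=jdoe,ou=users,o=example", granted, 0))
```
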
  • kristoffer wrote:

    >
    > alexmchugh;2466554 Wrote:
    > >
    > >
    > > Try this one - uses Lothar's technique, but blindly appends your
    > > problematic
    > > <?xml version="1.0" encoding="UTF-8"?> blob first.

    >
    > YES. This works. Had to fine-tune it a little bit. (added /ref two
    > linefeeds)
    > I think i stick with this method to keep the code in std. policies and
    > avoid doing the ldap query.


    Thanks for the update, glad it finally worked! Odd that it was so tricky (as I
    said I have done similar in the past, with entitlements granted by workflow and
    ESD, the code was far simpler!)
