manipulating dirxml-entitlementref in code

I've run into a situation that I've found can be avoided if I manually
change the value of a DirXML-EntitlementRef attribute value directly on
a user object in an LDAP browser from

cn=NOVLGGLEUSER-Account,cn=Google Apps Driver,cn=IDM-Driverset,o=services#1# <etc..>

to

cn=NOVLGGLEUSER-Account,cn=Google Apps Driver,cn=IDM-Driverset,o=services#0# <etc..>

Note the change from #1# to #0#.
I want to do this on hundreds of users, so I am looking for a way to automate
it using driver code or any other means.

Any help much appreciated.
  • On 9/8/2017 4:19 PM, de Groot, David wrote:
    > I've run into a situation that I've found can be avoided if I manually
    > change the value of a DirXML-EntitlementRef attribute value directly on
    > a user object in an LDAP browser from
    >
    > cn=NOVLGGLEUSER-Account,cn=Google Apps Driver,cn=IDM-Driverset,o=services#1# <etc..>
    >
    > to
    >
    > cn=NOVLGGLEUSER-Account,cn=Google Apps Driver,cn=IDM-Driverset,o=services#0# <etc..>
    >
    > Note the change from #1# to #0#.
    > I want to do this on hundreds of users, so I am looking for a way to automate
    > it using driver code or any other means.
    >
    > Any help much appreciated.


    I wrote an article on the topic but cannot recall the URL offhand.
    The key is to treat the path.xml node as a nodeset, and read/write it that
    way.

    Remove a structured attribute, with three components and then add it
    back where the values of the volume and path.xml components are XPATH
    selecting those values.

  • Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
    >
    >
    > I wrote an article on the topic but cannot recall the URL offhand.
    > The key is to treat the path.xml node as a nodeset, and read/write it that
    > way.
    >
    > Remove a structured attribute, with three components and then add it
    > back where the values of the volume and path.xml components are XPATH
    > selecting those values.
    >


    Essentially,

    1. Read out the DirXML entitlement values for the current user into a
    variable of type nodeset.
    2. For each over just those values where an XPath value test for the volume
    component matches your desired Entitlement DN (remember it isn't going to
    be Alfaro style DN here in policy).
    3a. In policy, remove attribute value - structured with namespace of 1,
    volume of your desired Entitlement DN.
    3b. Clone by XPath $current-node/component[@name='path.xml'] to
    .../modify[last()]/modify-attr[last()]/value[last()]

    Or something like that.

    4a. In policy, add attribute value - structured with namespace of 0, volume
    of your desired Entitlement DN.
    4b. Clone by XPath $current-node/component[@name='path.xml'] to
    .../modify[last()]/modify-attr[last()]/value[last()]

    Or something like that.



    set the first two values via policy and the third one use clone by xpath to
    clone from
  • kristoffer wrote:

    >
    > kristoffer;2466089 Wrote:
    > >
    > > Any ideas ?
    > >

    >
    > Ok, this seems to work. Went for a pure LDAP read/delete operation as
    > the value seemed hard to read/write with std. policies.


    Thanks for reporting back, creative solution you ended up with.

    I just posted some standard policies that should also work! Just for
    reference/comparison.


    --
    If you find this post helpful, and are viewing this using the web, please show
    your appreciation by clicking on the star below
  • On 9/20/2017 5:04 AM, kristoffer wrote:
    >
    > kristoffer;2466089 Wrote:
    >>
    >> Any ideas ?
    >>

    >
    > Ok, this seems to work. Went for a pure LDAP read/delete operation as
    > the value seemed hard to read/write with std. policies.
    >
    >
    > Code:
    > --------------------
    > <do-set-local-variable name="Entsldap" scope="policy">
    > <arg-node-set>
    > <token-xpath expression="es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"/>
    > </arg-node-set>
    > </do-set-local-variable>
    > <do-for-each>
    > <arg-node-set>
    > <token-xpath expression="$Entsldap//attr/value"/>
    > </arg-node-set>
    > <arg-actions>
    > <do-trace-message>
    > <arg-string>
    > <token-local-variable name="current-node"/>
    > </arg-string>
    > </do-trace-message>
    > <do-if>
    > <arg-conditions>
    > <and>
    > <if-local-variable mode="regex" name="current-node" op="equal">cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#.*</if-local-variable>
    > </and>
    > </arg-conditions>
    > <arg-actions>
    > <do-trace-message>
    > <arg-string>
    > <token-text xml:space="preserve">REMOVE Ent.</token-text>
    > </arg-string>
    > </do-trace-message>
    > <do-set-local-variable name="Entsldapdeletevalue" scope="policy">
    > <arg-node-set>
    > <token-xpath expression="es:ldapDelete($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'DirXML-EntitlementRef', $current-node)"/>
    > </arg-node-set>
    > </do-set-local-variable>
    > </arg-actions>
    > <arg-actions/>
    > </do-if>
    > </arg-actions>
    > </do-for-each>
    > --------------------


    Why are you doing your search and deletes via LDAP?

    Use the built-in tokens; they are much better options. I concede that
    the LDAP Search is super useful when doing searches the Query token does
    not support (Value=*, (!(value=*)), Timestamp < and > and so on).


  • alexmchugh;2466524 wrote:


    I just posted some standard policies that should also work! Just for
    reference/comparison.


    Will test later. Not sure if they will work because of the <?xml version="1.0" encoding="UTF-8"?> part of the path/path.xml component.
    That part will not be read out by the std. policies (at least I have never seen it in the trace, so I think it is somehow filtered out by the engine).

    /Kristoffer
  • The value I have to remove is not getting read out properly. Only got it to work with LDAP.
    Will try some more with the new suggestions from Alex.

    This is the entitlement value. I think the <?xml version="1.0" encoding="UTF-8"?> part is the problem.

    cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>

    /Kristoffer
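The LDAP string form of the value in the post above, split into the three parts that policy sees as the volume, nameSpace and path components, with an LDIF modify record for the #1# to #0# change asked about at the top of the thread. This is an added example, not code from any poster: the user DN `cn=jdoe,ou=users,o=example` and all function names are assumptions, and the sample value is constructed from the one posted here with the state set to 1.

```python
import base64
import re
from typing import NamedTuple

ATTR = "DirXML-EntitlementRef"
# LDAP string form quoted in the thread: <entitlement DN>#<state>#<payload>
REF_RE = re.compile(r"^(?P<dn>.*?)#(?P<state>[01])#(?P<payload>.*)$", re.DOTALL)

# Constructed sample: the value posted in the thread, with the state set to 1.
PAYLOAD = ('<?xml version="1.0" encoding="UTF-8"?>\n'
           "<ref>\n<src>UA</src>\n<id/>\n<param/>\n</ref>\n")
SAMPLE = "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#1#" + PAYLOAD


class EntitlementRef(NamedTuple):
    dn: str       # engine component "volume" (slash-form DN there)
    state: str    # engine component "nameSpace"; the thread flips 1 to 0
    payload: str  # engine component "path", kept character for character

    def to_ldap(self) -> str:
        return f"{self.dn}#{self.state}#{self.payload}"

    @property
    def has_xml_declaration(self) -> bool:
        # Present in the LDAP view, absent from path.xml in the engine trace.
        return self.payload.lstrip().startswith("<?xml")


def parse_ref(raw: str) -> EntitlementRef:
    """Split at the first '#<0|1>#' only: the payload may contain '#' itself.
    Assumes the entitlement DN contains no '#'."""
    m = REF_RE.match(raw)
    if m is None:
        raise ValueError("value is not in DN#state#payload form")
    return EntitlementRef(m["dn"], m["state"], m["payload"])


def ldif_value(attr: str, value: str) -> list:
    """Base64 form is required (the payload holds newlines); fold at 76 columns."""
    line = f"{attr}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    folded, rest = [line[:76]], line[76:]
    while rest:
        folded.append(" " + rest[:75])
        rest = rest[75:]
    return folded


def flip_to_ldif(user_dn: str, raw_values: list, entitlement_dn: str) -> str:
    """Build one LDIF modify record that moves entitlement_dn from state 1 to 0.

    raw_values are the user's current attribute values as read over LDAP.
    Returns "" when nothing matches. Assumes user_dn is plain ASCII."""
    changes = []
    for raw in raw_values:
        ref = parse_ref(raw)
        if ref.dn.lower() != entitlement_dn.lower() or ref.state != "1":
            continue
        # Delete by exact value: in the thread the removal only took effect
        # once the XML declaration and linefeeds matched the stored value.
        changes += [f"delete: {ATTR}", *ldif_value(ATTR, raw), "-"]
        flipped = ref._replace(state="0").to_ldap()
        if flipped not in raw_values:  # adding a value that exists would fail
            changes += [f"add: {ATTR}", *ldif_value(ATTR, flipped), "-"]
    if not changes:
        return ""
    return "\n".join([f"dn: {user_dn}", "changetype: modify", *changes, ""]) + "\n"


if __name__ == "__main__":
    print(flip_to_ldif("cn=jdoe,ou=users,o=example", [SAMPLE], parse_ref(SAMPLE).dn))
```
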
  • kristoffer <kristoffer@no-mx.forums.microfocus.com> wrote:
    >
    > alexmchugh;2466524 Wrote:
    >>
    >> I just posted some standard policies that should also work! Just for
    >> reference/comparison.
    >>
    >
    > Will test later. Not sure if they will work because of the <?xml
    > version="1.0" encoding="UTF-8"?> part of the path/path.xml component.
    > That part will not be read out by the std. policies (at least I have
    > never seen it in the trace, so I think it is somehow filtered out by the
    > engine).
    >

    It isn't present because in the engine it is represented as a separate
    document (the path vs path.xml thing). The LDAP representation is the same
    as the path representation. The engine uses path.xml.

    If you can show a trace where this is actually relevant (that it won't
    remove because that is missing) then I might be convinced.


  • Just tested the new policies you provided with no luck. The first two provide the same output seen below.

    This event won't remove the entitlement:

    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.6.1.0">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify class-name="User" dest-dn="\FELLES\BSK\InActiveUsers\GITLAT" dest-entry-id="210371" event-id="extest0010#20170920115025#99#1:d769465a-5929-4f35-a591-5a4669d72959">
    <modify-attr attr-name="DirXML-EntitlementRef">
    <remove-value>
    <value timestamp="1484228759#111" type="structured">
    <component name="nameSpace">0</component>
    <component name="volume">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</component>
    <component name="path.xml">
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    </component>
    </value>
    </remove-value>
    </modify-attr>
    </modify>
    </input>
    </nds>


    The LDAP way which removes the entitlement.

    [09/20/17 14:07:36.390]:PrepareDriverRemoval ST:      Action: do-set-local-variable("Entsldap",scope="policy",arg-node-set(token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"))).
    [09/20/17 14:07:36.390]:PrepareDriverRemoval ST: arg-node-set(token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"))
    [09/20/17 14:07:36.390]:PrepareDriverRemoval ST: token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')")
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: Token Value: {<instance> @src-dn = "cn=GITLAT,ou=InActiveUsers,o=BSK"}.
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: Arg Value: {<instance> @src-dn = "cn=GITLAT,ou=InActiveUsers,o=BSK"}.
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: Action: do-for-each(arg-node-set(token-xpath("$Entsldap//attr/value"))).
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: arg-node-set(token-xpath("$Entsldap//attr/value"))
    [09/20/17 14:07:36.449]:PrepareDriverRemoval ST: token-xpath("$Entsldap//attr/value")
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Token Value: {<value>,<value>,<value>}.
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Arg Value: {<value>,<value>,<value>}.
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Performing actions for local-variable(current-node) = <value>.
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Action: do-trace-message(token-local-variable("current-node")).
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: arg-string(token-local-variable("current-node"))
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: token-local-variable("current-node")
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Token Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:07:36.450]:PrepareDriverRemoval ST: Arg Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST:cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>

    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Action: do-if().
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Evaluating conditions.
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: (if-local-variable 'current-node' match "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#.*") = TRUE.
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Performing if actions.
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Action: do-trace-message("REMOVE Ent.").
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: arg-string("REMOVE Ent.")
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: token-text("REMOVE Ent.")
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Arg Value: "REMOVE Ent.".
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST:REMOVE Ent.
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: Action: do-set-local-variable("Entsldapdeletevalue",scope="policy",arg-node-set(token-xpath("es:ldapDelete($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'DirXML-EntitlementRef', $current-node)"))).
    [09/20/17 14:07:36.451]:PrepareDriverRemoval ST: arg-node-set(token-xpath("es:ldapDelete($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'DirXML-EntitlementRef', $current-node)"))
    [09/20/17 14:07:36.452]:PrepareDriverRemoval ST: token-xpath("es:ldapDelete($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'DirXML-EntitlementRef', $current-node)")
    [09/20/17 14:07:36.512]:PrepareDriverRemoval ST: Token Value: {}.
    [09/20/17 14:07:36.512]:PrepareDriverRemoval ST: Arg Value: {}.


    Might conduct one more test where I take the input from LDAP, and try to remove it with std. policy.

    /Kristoffer
  • kristoffer;2466539 wrote:


    Might conduct one more test where I take the input from LDAP, and try to remove it with std. policy.

    /Kristoffer


    Final test that also works.
    I can read the values with LDAP and remove them with std. policies. Notice the <?xml version="1.0" encoding="UTF-8"?> part which disappears when read with std. policy.

    /Kristoffer

    [09/20/17 14:23:02.648]:PrepareDriverRemoval ST:      Action: do-set-local-variable("Entsldap",scope="policy",arg-node-set(token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"))).
    [09/20/17 14:23:02.648]:PrepareDriverRemoval ST: arg-node-set(token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')"))
    [09/20/17 14:23:02.648]:PrepareDriverRemoval ST: token-xpath("es:ldapSearch($lLdapConnect, $lLdapPort, $lLdapUseTls, $lLdapTlsKeystore, $lLdapTlsStorepass , $lLdapLogin, $lLdapPassword, $srcDNldap, 'base', '', 'DirXML-EntitlementRef', '0')")
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Token Value: {<instance> @src-dn = "cn=GITTTR,ou=InActiveUsers,o=BSK"}.
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Arg Value: {<instance> @src-dn = "cn=GITTTR,ou=InActiveUsers,o=BSK"}.
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Action: do-for-each(arg-node-set(token-xpath("$Entsldap//attr/value"))).
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: arg-node-set(token-xpath("$Entsldap//attr/value"))
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: token-xpath("$Entsldap//attr/value")
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Token Value: {<value>}.
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Arg Value: {<value>}.
    [09/20/17 14:23:02.707]:PrepareDriverRemoval ST: Performing actions for local-variable(current-node) = <value>.
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Action: do-trace-message(token-local-variable("current-node")).
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: arg-string(token-local-variable("current-node"))
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: token-local-variable("current-node")
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Token Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Arg Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST:cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>

    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Action: do-if().
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Evaluating conditions.
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: (if-local-variable 'current-node' match "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#.*") = TRUE.
    [09/20/17 14:23:02.708]:PrepareDriverRemoval ST: Performing if actions.
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Action: do-trace-message("REMOVE Ent.").
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: arg-string("REMOVE Ent.")
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: token-text("REMOVE Ent.")
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Arg Value: "REMOVE Ent.".
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST:REMOVE Ent.
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Action: do-set-local-variable("Test",scope="policy",arg-node-set(token-split("#",token-local-variable("current-node")))).
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: arg-node-set(token-split("#",token-local-variable("current-node")))
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: token-split("#",token-local-variable("current-node"))
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: token-split("#",token-local-variable("current-node"))
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: token-local-variable("current-node")
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Token Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:23:02.709]:PrepareDriverRemoval ST: Arg Value: "cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM,o=System#0#<?xml version="1.0" encoding="UTF-8"?>
    <ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>
    ".
    [09/20/17 14:23:02.710]:PrepareDriverRemoval ST: Token Value: {"cn=EMS_Nurse,cn=EMS,cn=MediumDriverSet,ou=IDM...","0","<?xml version="1.0" encoding=
  • kristoffer wrote:

    >
    > kristoffer;2466539 Wrote:
    >
    > Final test that also works.


    Odd.

    What about Lothar's version? That should have offered the option to solve this
    also.

    > I can read the values with LDAP and remove them with std. policies.
    > Notice the <?xml version="1.0" encoding="UTF-8"?> part which disappears
    > when read with std. policy.
    >


    Can you post the error you got when trying to detect and remove using native
    code, specifically the version that lacked <?xml version="1.0"
    encoding="UTF-8"?>

  • Alex McHugh wrote:

    > kristoffer wrote:
    >
    > >
    > > kristoffer;2466539 Wrote:
    > >
    > > Final test that also works.

    >
    > Odd.
    >
    > What about Lothar's version? That should have offered the option to solve this
    > also.
    >


    Try this one - uses Lothar's technique, but blindly appends your problematic
    <?xml version="1.0" encoding="UTF-8"?> blob first.

    Keen to see actual errors, also what agent granted these back in the day?
    Pretty sure I've removed UA and maybe RBE via pure DirXML-Script in the past.


    <policy>
      <rule>
        <description>Common Setup</description>
        <conditions>
          <and/>
        </conditions>
        <actions>
          <!-- Read every DirXML-EntitlementRef value of the current object as a node set -->
          <do-set-local-variable name="nsCurrentEntitlements" notrace="true" scope="policy">
            <arg-node-set>
              <token-src-attr name="DirXML-EntitlementRef" notrace="true"/>
            </arg-node-set>
          </do-set-local-variable>
          <do-set-local-variable name="strTargetEntitlement" scope="policy">
            <arg-string>
              <token-text xml:space="preserve">\FELLES\System\IDM\MediumDriverSet\EMS\EMS_Nurse</token-text>
            </arg-string>
          </do-set-local-variable>
          <!-- Keep only values for the target entitlement whose nameSpace is 0 -->
          <do-set-local-variable name="nsEntitlementsToRemove" scope="policy">
            <arg-node-set>
              <token-xpath expression="$nsCurrentEntitlements[component[@name='volume'] = $strTargetEntitlement][component[@name='nameSpace'] = '0']"/>
            </arg-node-set>
          </do-set-local-variable>
        </actions>
      </rule>
      <rule>
        <description>Remove Already Revoked Entitlements - Lothar's way v2</description>
        <conditions/>
        <actions>
          <do-for-each>
            <arg-node-set>
              <token-local-variable name="nsEntitlementsToRemove"/>
            </arg-node-set>
            <arg-actions>
              <do-remove-src-attr-value name="DirXML-EntitlementRef">
                <arg-value type="structured">
                  <arg-component name="nameSpace">
                    <token-xpath expression="$current-node/component[@name='nameSpace']"/>
                  </arg-component>
                  <arg-component name="volume">
                    <token-xpath expression="$current-node/component[@name='volume']"/>
                  </arg-component>
                  <!-- path: the XML declaration (escaped as text) followed by the serialized path.xml -->
                  <arg-component name="path">
                    <token-text xml:space="preserve">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</token-text>
                    <token-xml-serialize>
                      <token-xml-parse>
                        <token-xpath expression="$current-node//component[@name='path.xml']"/>
                      </token-xml-parse>
                    </token-xml-serialize>
                  </arg-component>
                </arg-value>
              </do-remove-src-attr-value>
            </arg-actions>
          </do-for-each>
        </actions>
      </rule>
    </policy>




  • alexmchugh;2466554 wrote:


    Try this one - uses Lothar's technique, but blindly appends your problematic
    <?xml version="1.0" encoding="UTF-8"?> blob first.


    YES. This works. Had to fine-tune it a little bit. (added /ref two linefeeds)
    I think I'll stick with this method to keep the code in std. policies and avoid doing the LDAP query.


    <do-remove-src-attr-value name="DirXML-EntitlementRef">
    <arg-value type="structured">
    <arg-component name="nameSpace">
    <token-xpath expression="$current-node/component[@name='nameSpace']"/>
    </arg-component>
    <arg-component name="volume">
    <token-xpath expression="$current-node/component[@name='volume']"/>
    </arg-component>
    <arg-component name="path">
    <token-text xml:space="preserve">&lt;?xml version="1.0" encoding="UTF-8"?&gt;
    </token-text>
    <token-xml-serialize>
    <token-xpath expression="$current-node//component[@name='path.xml']/ref"/>
    </token-xml-serialize>
    <token-text xml:space="preserve">
    </token-text>
    </arg-component>
    </arg-value>
    </do-remove-src-attr-value>


    alexmchugh;2466554 wrote:

    Keen to see actual errors, also what agent granted these back in the day?
    Pretty sure I've removed UA and maybe RBE via pure DirXML-Script in the past.


    Never received any errors. Whatever I put in the path component, I just received a Success when removing the value. (see one of my previous postings with a trace example)
    The entitlement is granted by a role resource using RoleResource driver. All our entitlements have this extra XML header.


    /Kristoffer
  • kristoffer wrote:

    >
    > alexmchugh;2466554 Wrote:
    > >
    > >
    > > Try this one - uses Lothar's technique, but blindly appends your
    > > problematic
    > > <?xml version="1.0" encoding="UTF-8"?> blob first.

    >
    > YES. This works. Had to fine-tune it a little bit. (added /ref two
    > linefeeds)
    > I think I'll stick with this method to keep the code in std. policies and
    > avoid doing the LDAP query.


    Thanks for the update, glad it finally worked! Odd that it was so tricky (as I
    said I have done similar in the past, with entitlements granted by workflow and
    ESD, the code was far simpler!)
