Group membership depending on Attribute


Hello,

IDM 3.6.1, I have a very simple driver that looks at an oracle database
and sets some attributes for users. Dependent on these attributes I
would like to add them to different groups in the IDM tree as these are
then sync'd to AD and eDir, but for some reason the users are not being
added to the groups. I would also like to remove them from the group
when the attribute says x - when I was testing this I ended up deleting
a few users...

Here is the snippet of code I am trying; it's running under Publisher
Command.

<rule>
  <description>Add to Group</description>
  <conditions>
    <and>
      <if-op-attr mode="regex" name="costCenter" op="changing-to">ADD</if-op-attr>
      <if-class-name op="equal">user</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-dest-attr-value name="Group Membership">
      <arg-value type="string">
        <token-attr name="CN"/>
        <token-text xml:space="preserve">idm-tree\groups\groupname</token-text>
      </arg-value>
    </do-set-dest-attr-value>
    <do-clone-op-attr dest-name="Security Equals" src-name="Group Membership"/>
  </actions>
</rule>
<rule>
  <description>Remove From Group</description>
  <conditions>
    <and>
      <if-op-attr mode="regex" name="costCenter" op="changing-to">x</if-op-attr>
      <if-class-name op="equal">user</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-remove-dest-attr-value name="Group Membership">
      <arg-value type="string">
        <token-attr name="CN"/>
        <token-text xml:space="preserve">idm-tree\groups\groupname</token-text>
      </arg-value>
    </do-remove-dest-attr-value>
    <do-clone-op-attr dest-name="Security Equals" src-name="Group Membership"/>
  </actions>
</rule>

I have used a few attributes that are not needed, hence costCenter. I
have looked everywhere and no matter what I try it doesn't seem to
work... any help gratefully appreciated.

Thanks

Jeff


--
Stonej
------------------------------------------------------------------------
Stonej's Profile: https://forums.netiq.com/member.php?userid=4156
View this thread: https://forums.netiq.com/showthread.php?t=51732

  • Stonej wrote:

    >
    > Hello,
    >
    > IDM 3.6.1, I have a very simple driver that looks at an oracle database
    > and sets some attributes for users. Dependent on these attributes I
    > would like to add them to different groups in the IDM tree as these are
    > then sync'd to AD and eDir, but for some reason the users are not being
    > added to the groups. I would also like to remove them from the group
    > when the attribute says x - when I was testing this I ended up deleting
    > a few users...
    >
    > Here is the snippet of code I am trying; it's running under Publisher
    > Command.
    >
    > <rule>
    >   <description>Add to Group</description>
    >   <conditions>
    >     <and>
    >       <if-op-attr mode="regex" name="costCenter" op="changing-to">ADD</if-op-attr>
    >       <if-class-name op="equal">user</if-class-name>
    >     </and>
    >   </conditions>
    >   <actions>
    >     <do-set-dest-attr-value name="Group Membership">
    >       <arg-value type="string">
    >         <token-attr name="CN"/>
    >         <token-text xml:space="preserve">idm-tree\groups\groupname</token-text>
    >       </arg-value>
    >     </do-set-dest-attr-value>
    >     <do-clone-op-attr dest-name="Security Equals" src-name="Group Membership"/>
    >   </actions>
    > </rule>
    > <rule>
    >   <description>Remove From Group</description>
    >   <conditions>
    >     <and>
    >       <if-op-attr mode="regex" name="costCenter" op="changing-to">x</if-op-attr>
    >       <if-class-name op="equal">user</if-class-name>
    >     </and>
    >   </conditions>
    >   <actions>
    >     <do-remove-dest-attr-value name="Group Membership">
    >       <arg-value type="string">
    >         <token-attr name="CN"/>
    >         <token-text xml:space="preserve">idm-tree\groups\groupname</token-text>
    >       </arg-value>
    >     </do-remove-dest-attr-value>
    >     <do-clone-op-attr dest-name="Security Equals" src-name="Group Membership"/>
    >   </actions>
    > </rule>
    >
    > I have used a few attributes that are not needed, hence costCenter. I
    > have looked everywhere and no matter what I try it doesn't seem to
    > work... any help gratefully appreciated.


    Comments

    #1 you use regex mode in the if-op-attr statements but the matches are not regular expressions. Is there a reason for this?
    #2 group membership is a DN syntax attribute not string
    #3 you need to switch the <token-attr name="CN"/> so that it is after the token-text

    <arg-value type="dn">
    <token-text xml:space="preserve">idm-tree\groups\groupname\</token-text>
    <token-attr name="CN"/>
    </arg-value>


    #4 I'd generally sync the relevant data to some attributes in the IDVault and then put this group logic in a null driver. Makes things cleaner and easier to test/debug.
    #5 It's generally best practice to use <token-src-name/> instead of <token-attr name="CN"/> where this makes sense. In this case, I would recommend this.



    --
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • If you are still testing, why not use the role-based entitlement driver
    for automatic group membership handling?


    --
    vivekbm
    ------------------------------------------------------------------------
    vivekbm's Profile: https://forums.netiq.com/member.php?userid=528
    View this thread: https://forums.netiq.com/showthread.php?t=51732

  • vivekbm wrote:

    >
    > If you are still testing, why not use the role-based entitlement driver
    > for automatic group membership handling?


    We've done this in many environments, but I got the impression that the RBE driver didn't have much of a future (it can't fully support the IDM4 style entitlements for example).


  • alexmchugh;248648 Wrote:
    > vivekbm wrote:
    >
    > >
    > > If you are still testing, why not use the role-based entitlement driver
    > > for automatic group membership handling?

    >
    > We've done this in many environments, but I got the impression that the
    > RBE driver didn't have much of a future (it can't fully support the IDM4
    > style entitlements for example).


    With all your help I have managed to get this working, in a fashion. For
    some reason whenever I add a user to a group in the IDVault it deletes
    everyone else in the group!

    We are hoping to upgrade to IDM4 in the next couple of months, from the
    sounds of it, this will fix many of these little issues that I have....

    Jeff



  • On Fri, 19 Sep 2014 10:39:50 +0000, Stonej wrote:

    > alexmchugh;248648 Wrote:
    >> vivekbm wrote:
    >>
    >>
    >> > If you are still testing, why not use the role-based entitlement driver
    >> > for automatic group membership handling?

    >>
    >> We've done this in many environments, but I got the impression that the
    >> RBE driver didn't have much of a future (it can't fully support the
    >> IDM4 style entitlements for example).

    >
    > With all your help I have managed to get this working, in a fashion. For
    > some reason whenever I add a user to a group in the IDVault it deletes
    > everyone else in the group!


    That may be a feature. Post a level 3 trace of this, so we can see what's
    happening.


    > We are hoping to upgrade to IDM4 in the next couple of months, from the
    > sounds of it, this will fix many of these little issues that I have....


    Upgrade from what version?


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.netiq.com

    Please post questions in the forums. No support provided via email.
    If you find this post helpful, please click on the star below.

  • Upgrade from version 3.6.1 to 4...

    Here is a trace :

    http://pastebin.com/L2BnxZFf

    too long to paste here...

    Thanks


    --
    Stonej

  • Stonej wrote:

    >
    > Upgrade from version 3.6.1 to 4...
    >
    > Here is a trace :
    >
    > http://pastebin.com/L2BnxZFf
    >
    > too long to paste here...
    >
    > Thanks


    change do-set-dest-attr-value to do-add-dest-attr-value and you should be OK

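The two rules from the question, rewritten with the corrections that came out of this thread: alexmchugh's comments #1 to #3 (literal compare instead of regex mode, DN syntax instead of string, token order) and his final advice to use do-add-dest-attr-value rather than do-set-dest-attr-value. This is an added example, not code from the original post or from NetIQ. It assumes a placeholder group at \IDM-TREE\groups\groupname (slash-format DN with the leading backslash), that costCenter really is the trigger attribute with the literal values ADD and x as in the post, that the policy sits in Publisher Command Transformation so that "dest" is the Identity Vault, and that the back-link attributes on the group object (Member, Equivalent To Me) have to be written by the policy itself; that last point is an assumption about this environment, and if the vault already maintains those back-links the four group-side actions can be dropped. The value written is the group's own DN with nothing appended, because Group Membership holds the DN of the group; if the group name really does vary per user, put <token-src-name/> after the path as the reply suggests.

```xml
<!-- Added example, not the original post's code. Assumptions: group DN
     \IDM-TREE\groups\groupname is a placeholder; costCenter is the trigger;
     this runs in Publisher Command Transformation, so "dest" is the vault. -->
<policy>
  <rule>
    <description>Add to Group</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <!-- mode="case" is a literal compare; the post used mode="regex"
             with a plain string, which comment #1 was about -->
        <if-op-attr name="costCenter" op="changing-to" mode="case">ADD</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- do-add, not do-set: do-set replaces every value of a multi-valued
           attribute, which is how the other members of the group were lost -->
      <do-add-dest-attr-value name="Group Membership">
        <!-- type="dn": Group Membership and Security Equals are DN syntax -->
        <arg-value type="dn">
          <token-text xml:space="preserve">\IDM-TREE\groups\groupname</token-text>
        </arg-value>
      </do-add-dest-attr-value>
      <do-add-dest-attr-value name="Security Equals">
        <arg-value type="dn">
          <token-text xml:space="preserve">\IDM-TREE\groups\groupname</token-text>
        </arg-value>
      </do-add-dest-attr-value>
      <!-- Assumption: the matching values on the group object are written by
           this policy, as a separate command after the user modify.
           token-dest-dn is the vault DN of the user being processed. -->
      <do-add-dest-attr-value class-name="Group" name="Member" when="after">
        <arg-dn>
          <token-text xml:space="preserve">\IDM-TREE\groups\groupname</token-text>
        </arg-dn>
        <arg-value type="dn">
          <token-dest-dn/>
        </arg-value>
      </do-add-dest-attr-value>
      <do-add-dest-attr-value class-name="Group" name="Equivalent To Me" when="after">
        <arg-dn>
          <token-text xml:space="preserve">\IDM-TREE\groups\groupname</token-text>
        </arg-dn>
        <arg-value type="dn">
          <token-dest-dn/>
        </arg-value>
      </do-add-dest-attr-value>
    </actions>
  </rule>
  <rule>
    <description>Remove From Group</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="costCenter" op="changing-to" mode="case">x</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- remove only this one DN from each attribute; the user object itself
           is never deleted or replaced -->
      <do-remove-dest-attr-value name="Group Membership">
        <arg-value type="dn">
          <token-text xml:space="preserve">\IDM-TREE\groups\groupname</token-text>
        </arg-value>
      </do-remove-dest-attr-value>
      <do-remove-dest-attr-value name="Security Equals">
        <arg-value type="dn">
          <token-text xml:space="preserve">\IDM-TREE\groups\groupname</token-text>
        </arg-value>
      </do-remove-dest-attr-value>
      <do-remove-dest-attr-value class-name="Group" name="Member" when="after">
        <arg-dn>
          <token-text xml:space="preserve">\IDM-TREE\groups\groupname</token-text>
        </arg-dn>
        <arg-value type="dn">
          <token-dest-dn/>
        </arg-value>
      </do-remove-dest-attr-value>
      <do-remove-dest-attr-value class-name="Group" name="Equivalent To Me" when="after">
        <arg-dn>
          <token-text xml:space="preserve">\IDM-TREE\groups\groupname</token-text>
        </arg-dn>
        <arg-value type="dn">
          <token-dest-dn/>
        </arg-value>
      </do-remove-dest-attr-value>
    </actions>
  </rule>
</policy>
```

The security-relevant line is the do-add/do-remove pair: a set on a multi-valued DN attribute silently rewrites the whole membership of a group that other people also depend on, and the same mistake on Security Equals changes what every member is allowed to do. Run this against one test user with a level 3 trace, as suggested above, and check both the user's Group Membership and the group's Member list before letting it near production groups.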