Group Memberships - How to copy all groups from user to another?


Hi there,

Do you know how to copy/duplicate all group memberships from one user to another?

Comment List
Anonymous
  • - as indicates, you need to get the group membership values from user 1 into a node-set variable and then add those values to user 2.

    Where you are in your driver channel/policy set/policy/rules will also impact exactly how you approach this desire. Updating this information in a connected application vs within the Vault will also impact the selection of steps required to get your desired results.

    Assuming that you are working in a loopback driver subscriber channel, for an add event of a new user (user 2) the following sample code could be helpful. There should be additional error checking, and possibly checking for duplicates of Group Membership values if there is something in the DOM document being processed. If this were a Modify event, the example would need to be adapted for that operation instead of an add. The example uses a hard-coded reference to query the source user in this example.

    <rule>
      <description>Copy Group Membership from Source User</description>
      <conditions>
        <and>
          <if-operation mode="nocase" op="equal">add</if-operation>
          <if-class-name mode="nocase" op="equal">User</if-class-name>
        </and>
      </conditions>
      <actions>
        <do-set-local-variable name="lv-SrcGroupMembers" scope="policy">
          <arg-node-set>
            <token-src-attr class-name="User" name="Group Membership">
              <arg-dn>
                <token-text xml:space="preserve">Vault\Users\Staff\mySrcUser</token-text>
              </arg-dn>
            </token-src-attr>
          </arg-node-set>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <and>
              <if-op-attr name="Group Membership" op="not-available"/>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-append-xml-element expression="." name="add-attr"/>
            <do-set-xml-attr expression="./add-attr[last()]" name="attr-name">
              <arg-string>
                <token-text xml:space="preserve">Group Membership</token-text>
              </arg-string>
            </do-set-xml-attr>
          </arg-actions>
          <arg-actions/>
        </do-if>
        <do-clone-xpath dest-expression='./add-attr[@attr-name="Group Membership"][last()]' src-expression="$lv-SrcGroupMembers"/>
      </actions>
    </rule>

    For those new to working with DirXML Script the following explanations may be helpful.

    Start by scoping the Rule so only Add operations for a User are processed by using the two conditions.

    <conditions>
      <and>
        <if-operation mode="nocase" op="equal">add</if-operation>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
    </conditions>

    Query the source attribute Group Membership on the source user (user 1) to get the current values of that attribute and store them in a node-set local variable (lv-SrcGroupMembers).

    <do-set-local-variable name="lv-SrcGroupMembers" scope="policy">
      <arg-node-set>
        <token-src-attr class-name="User" name="Group Membership">
          <arg-dn>
            <token-text xml:space="preserve">Vault\Users\Staff\mySrcUser</token-text>
          </arg-dn>
        </token-src-attr>
      </arg-node-set>
    </do-set-local-variable>

    Now check to see if the current operation (for user 2) has the operation attribute of Group Membership in the DOM document and if it is not, add it using the append XML and set XML attribute actions.

    <do-if>
      <arg-conditions>
        <and>
          <if-op-attr name="Group Membership" op="not-available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-append-xml-element expression="." name="add-attr"/>
        <do-set-xml-attr expression="./add-attr[last()]" name="attr-name">
          <arg-string>
            <token-text xml:space="preserve">Group Membership</token-text>
          </arg-string>
        </do-set-xml-attr>
      </arg-actions>
      <arg-actions/>
    </do-if>

    Finally, add the Group Membership node-set of values from local variable node-set to the operational attribute in the DOM document for the target user (user 2) using the clone by XPath expression.

    <do-clone-xpath dest-expression='./add-attr[@attr-name="Group Membership"][last()]' src-expression="$lv-SrcGroupMembers"/>

    Keep in mind this example is for a specific case and you will need to adapt it to your needs.

    Hopefully the above addresses your question.

    Cheers,

    D

  • In a driver?

    You add all group memberships of user 1 to a nodeset variable and then add those to group member of user 2.

    I think you can add the nodeset directly; if not, you need to do a for-each loop over the nodeset.
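
The for-each approach mentioned in the reply above, combined with the duplicate check the first answer says should be added, written out as an added example that is not part of either post. It assumes the same subscriber-channel add event and the same hard-coded source DN as the first answer, and adds each source value only when the add operation does not already carry it.

```xml
<rule>
  <description>Copy Group Membership from Source User, skipping duplicates</description>
  <conditions>
    <and>
      <if-operation mode="nocase" op="equal">add</if-operation>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <!-- Query the source user's Group Membership values (DN taken from the answer above) -->
    <do-set-local-variable name="lv-SrcGroupMembers" scope="policy">
      <arg-node-set>
        <token-src-attr class-name="User" name="Group Membership">
          <arg-dn>
            <token-text xml:space="preserve">Vault\Users\Staff\mySrcUser</token-text>
          </arg-dn>
        </token-src-attr>
      </arg-node-set>
    </do-set-local-variable>
    <!-- An empty query result means the loop body never runs, so nothing is added -->
    <do-for-each>
      <arg-node-set>
        <token-local-variable name="lv-SrcGroupMembers"/>
      </arg-node-set>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <!-- True when no Group Membership value in the operation matches this group DN -->
              <if-op-attr mode="nocase" name="Group Membership" op="not-equal">$current-node$</if-op-attr>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-add-dest-attr-value name="Group Membership">
              <arg-value type="dn">
                <token-local-variable name="current-node"/>
              </arg-value>
            </do-add-dest-attr-value>
          </arg-actions>
          <arg-actions/>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
```

Because the add-destination-attribute-value action creates the add-attr element when it is missing, this variant does not need the separate not-available check from the first answer.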
