How can I query an attribute value from a policy (Text Driver) to validate a parent and child relationship?

I need to validate that an object (parent) exists in eDir before creating a new child object.

Example:

I create the parent, manually from Identity Console / Object Management.

Parent Object:

CN: 00001

Name: unit 1

ParentID: 0000

The next objects will be created using a Text Driver.

But if, in the text file, the user copies a ParentID that does not exist in eDir, I need to validate it and abort the operation.

Child Object

CN: 000010

Name: unit 10

ParentID: 0001

Process OK

Child Object

CN: 000010

Name: unit 10

ParentID: 9999

Process abort

I tried using a "find matching" in a match policy but it doesn't work.

Where CustIDPresidenciaJefa is a parent and must exist to create the CustIDUnidadLaboral.

I tried using "destination attribute" but it doesn't work.

Is there any way to do this?

Best,

Cesar.

  • Verified Answer

    +1  

    So you know, Find Matching Object is only useful in the Matching policies.  When it is done it sets the operation destination target.  I.e. There is no association, this is an add event, and you set the @dest-dn value with this token.  So will not help in your case.

    What you would do is something like:

    <rule>
    	<description>Check for object before creating</description>
    	<comment name="author" xml:space="preserve">Geoffrey Carman</comment>
    	<comment name="version" xml:space="preserve">1</comment>
    	<comment name="lastchanged" xml:space="preserve">Sept 30, 2024</comment>
    	<conditions>
    		<and/>
    	</conditions>
    	<actions>
    		<do-set-local-variable name="Object1" scope="policy">
    			<arg-string>
    				<token-text xml:space="preserve">Some Value1</token-text>
    			</arg-string>
    		</do-set-local-variable>
    		<do-set-local-variable name="Search-For-Object1" scope="policy">
    			<arg-node-set>
    				<token-query>
    					<arg-match-attr name="CN">
    						<arg-value type="string">
    							<token-local-variable name="Object1"/>
    						</arg-value>
    					</arg-match-attr>
    				</token-query>
    			</arg-node-set>
    		</do-set-local-variable>
    		<do-if>
    			<arg-conditions>
    				<and>
    					<if-xpath op="true">$Search-For-Object1/@src-dn</if-xpath>
    				</and>
    			</arg-conditions>
    			<arg-actions>
    				<do-set-local-variable name="Object1-DN" scope="policy">
    					<arg-string>
    						<token-xpath expression="$Search-For-Object1/@src-dn"/>
    					</arg-string>
    				</do-set-local-variable>
    			</arg-actions>
    			<arg-actions/>
    		</do-if>
    	</actions>
    </rule>

    Couple of points.  The Variable Search-For-Object1 has to be a nodeset variable, that will store the XML nodesets result of the Query token.  (Also the Query token is searching the destination, switch to source if you needed that, it is looking for CN=Object1 variable value, change that as needed).   Then you can use XPATH on the variable.

    I am assuming you only ever find 1 value. So if there is ANY value, then it must be the one.  If you could have more than one, and need to know, you can use an If XPATH test of count($Search-For-Object1)>1 and you know you have more than one.  And you can do something else with it.

  • 0 in reply to   

    Hi Geoffrey.

    Do I need to put this rule in the Creation Policy or the Match Policy?

    Sorry, but I don't have experience working with policies.

    Best,

    Cesar.

  • 0   in reply to 

    I did not quite understand your exact problem case from the way you described it.  The rule I gave is not complete, it just does one thing, look for an object with a specified CN and return the DN.  You need to flesh out the rest of the logic.

    I assume you would do this in a Placement policy.  I.e. You need to create Object2 and a child of Object1.  Or something like that.

    But maybe you have multiple Object2 named objects, in which case, you need to only check under the proper Object1 container?  Then you might use this approach as well in the Matching policy. 

    You can do the query in the matching policy, get the proper DN, and when complete use the Find Matching object, but tell it to look for a complete DN, which you provide.  (Or you could simply use the Set Operation Destination DN token with the value you found). 

  • 0 in reply to   

    Hi Geoffrey.

    Look at another example.

    You have a class to save Positions for Users or Job Code

    Example:

    Class: CustJobCode

    Attr: JobCode and JobName

    You have a Text Driver to publish new users to eDir

    In the txt file you have CN user, Given Name, Surname and jobCode

    When you run the driver to create new users, you need to validate that the jobCode of the new user exists in the CustJobCode class.

    If the jobCode does not exist, the user cannot be created.

    How do you do a query to return whether the jobCode in the txt file exists in class CustJobCode?

    Best.

     

  • 0   in reply to 

    So somewhere in the tree, you have a container full of CustJobCode objects?  Ok.

    So Pub-Create, you use the value of the op-attr JobCode, and query like in my example for an object whose JobCode value = op-attr JobCode (which by the way is the default value in Match attributes, where you specify JobCode on the left and the right side stays as "User Values from Current object", as long as the attribute names are the same).

    So as in my code example, set a local variable as a nodeset (this part is critical that it be a nodeset variable) and then in the Argument builder screen you use the Query, pretty much as I set it in my example, though I think you will have to add an Object Class because you do not want to find users with the Job Code, only CustJobCode objects.  Of course if they are in a specific DN, I would make a GCV with the DN and use the GCV (or literal path, but I hate hard coding paths).

    You now have a nodeset variable which is either:

    • Empty
    • Has one value
    • Has many values.

    So my variable was Search-For-Object1 I think, so you can do if XPATH is true $Search-For-Object1/@src-dn because inside the nodeset will be 0, 1, or many <instance> nodes, and those will all have a src-dn XML attribute.

    This will tell you that there is at least 1 object found, which really is all you care about.  And in that case, let the create process.

    If the answer is false, then you can decide what to do.

    Now if your question was, can I query back into the file which maybe has two object classes in it?  One for users, one for CustJobClass and see if maybe there is one coming?  The NetIQ shipping driver cannot do that.

    However, a great contributor on this forum, Stefaan Van Cauwberge (Who I ALWAYS spell incorrectly) has a number of drivers and plugins (Some he sells) but the Generic File Driver is free and awesome!

    http://vancauwenberge.info/

    My favorite part is that it includes metadata on every event that tells you this is event #12 of 400 lines in the file.

    But it also allows to query back to source and it will search the text file to see if something is in it. Which is very cool.

    Hope that helps.
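
The JobCode check described in the answer above, written out as a complete Publisher Creation rule (an added example, not code posted by anyone in this thread). It assumes the attribute is named JobCode on both sides of the schema mapping, that `custJobCodeContainer` is a hypothetical GCV holding the DN of the CustJobCode container, and that an add with no JobCode at all should also be rejected.

```xml
<!-- Added example: veto a user add when its JobCode has no matching CustJobCode object.
     Assumption: "custJobCodeContainer" is a hypothetical GCV holding the container DN. -->
<rule>
	<description>Veto user add if JobCode does not exist</description>
	<conditions>
		<and>
			<if-operation mode="case" op="equal">add</if-operation>
			<if-class-name mode="nocase" op="equal">User</if-class-name>
		</and>
	</conditions>
	<actions>
		<!-- Must be a nodeset variable so XPath can inspect the returned <instance> nodes -->
		<do-set-local-variable name="JobCodeMatches" scope="policy">
			<arg-node-set>
				<token-query class-name="CustJobCode" datastore="dest">
					<arg-dn>
						<token-global-variable name="custJobCodeContainer"/>
					</arg-dn>
					<arg-match-attr name="JobCode">
						<arg-value type="string">
							<token-op-attr name="JobCode"/>
						</arg-value>
					</arg-match-attr>
				</token-query>
			</arg-node-set>
		</do-set-local-variable>
		<do-if>
			<arg-conditions>
				<or>
					<!-- Fail closed: reject if the event carries no JobCode or the query found no <instance> -->
					<if-op-attr name="JobCode" op="not-available"/>
					<if-xpath op="not-true">$JobCodeMatches/@src-dn</if-xpath>
				</or>
			</arg-conditions>
			<arg-actions>
				<do-trace-message>
					<arg-string>
						<token-text xml:space="preserve">Vetoing add, no CustJobCode object for JobCode: </token-text>
						<token-op-attr name="JobCode"/>
					</arg-string>
				</do-trace-message>
				<do-veto/>
			</arg-actions>
			<arg-actions/>
		</do-if>
	</actions>
</rule>
```

Restricting the query to the CustJobCode class and to one container keeps a User object that happens to carry the same JobCode value from satisfying the check.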