How I can query attribute value from policy (Text Driver) to validate parent and child relationship

I need to validate that an object (parent) exist in the eDir before create a new  child object.

Example:

I create the parent, manually from Identity Console / Object Management.

Parent Object:

CN: 00001

Name: unit 1

ParentID: 0000

The next  objects will be create using a Text Driver

But, if in the text file the user copy a ParentID that not exits in the eDir,I need validate it and abort the operation.

Child Object

CN: 000010

Name: unit 10

ParentID: 0001

Process OK

Child Object

CN: 000010

Name: unit 10

ParentID: 9999

Process abort

I tried using a "find matchin" in a match policy but dont work.

Where CustIDPresidenciaJefa is a parten and must exists to create the CustIDUnidadLaboral

I tried using "destination atribute" but dont work.

Exists anyway to do its?

Best,

Cesar.

Parents
  • Verified Answer

    +1  

    So you know, Find Matching Object is only useful in the Matching policies.  When it is done it sets the operation destination target.  I.e. There is no association, this is an add event, and you set the @dest-dn value with this token.  So will not help in your case.

    What you would do is something like:

    <rule>
    	<description>Check for object before creating</description>
    	<comment name="author" xml:space="preserve">Geoffrey Carman</comment>
    	<comment name="version" xml:space="preserve">1</comment>
    	<comment name="lastchanged" xml:space="preserve">Sept 30, 2024</comment>
    	<conditions>
    		<and/>
    	</conditions>
    	<actions>
    		<do-set-local-variable name="Object1" scope="policy">
    			<arg-string>
    				<token-text xml:space="preserve">Some Value1</token-text>
    			</arg-string>
    		</do-set-local-variable>
    		<do-set-local-variable name="Search-For-Object1" scope="policy">
    			<arg-node-set>
    				<token-query>
    					<arg-match-attr name="CN">
    						<arg-value type="string">
    							<token-local-variable name="Object1"/>
    						</arg-value>
    					</arg-match-attr>
    				</token-query>
    			</arg-node-set>
    		</do-set-local-variable>
    		<do-if>
    			<arg-conditions>
    				<and>
    					<if-xpath op="true">$Search-For-Object1/@src-dn</if-xpath>
    				</and>
    			</arg-conditions>
    			<arg-actions>
    				<do-set-local-variable name="Object1-DN" scope="policy">
    					<arg-string>
    						<token-xpath expression="$Search-For-Object1/@src-dn"/>
    					</arg-string>
    				</do-set-local-variable>
    			</arg-actions>
    			<arg-actions/>
    		</do-if>
    	</actions>
    </rule>

    Couple of points.  The Variable Search-For-Object1 has to be a nodeset variable, that will store the XML nodesets result of the Query token.  (Also the Query token is searching the destination, switch to source if you needed that, it is looking for CN=Object1 variable value, change that as needed).   Then you can use XPATH on the variable.

    I am assuming you only ever find 1 value. So if there is ANY value, then must be the one.  If you could have more than one, and need to know you can use an If XPATH test of count($Search-for-Object1)>1 and you know you have more than one.  And you can do something else with it,

  • 0 in reply to   

    Hi Geoffrey.

    I need put its rule on Creation Policy or Match Policy?

    Sorry, but I dont have experience work with policies.

    Best,

    Cesar.

  • 0   in reply to 

    I did not quite understand your exact problem case from the way you described it.  The rule I gave is not complete, it just does one thing, look for an object with a specified CN and return the DN.  You need to flesh out the rest of the logic.

    I assume you would do this in a Placement policy.  I.e. You need to create Object2 and a child of Object1.  Or something like that.

    But maybe you have multiple Object2 named objects, in which case, you need to only check under the proper Object1 container?  Then you might use this approach as well in the Matching policy. 

    You can do the query in the matching policy, get the proper DN, and when complete use the Find Matching object, but tell it to look for a complete DN, which you provide.  (Or you could simply use the Set Operation Destination DN token with the value you found). 

  • 0 in reply to   

    Hi Geoffrey.

    Look other example.

    You have a class to save Positions for Users or Job Code

    Example:

    Class: CustJobCode

    Attr: JobCode and JobName

    You have a Text Driver to publish new users to eDir

    In the txt file you have CN user, Given Name, Surname and jobCode

    When you run the driver to create new users, you need validate that the jobCode the new user exists in the CustJobCode Class.

    If the jobCode not exits, the user can not create.

    How do you do a query for return if the jobCode in the txt file exists in class CustJobCode?

    Best.

     

  • 0   in reply to 

    So somewhere in the tree, you have a container full of CustJobCode objects?  Ok.

    So Pub-Create, you use the value of the op-attr JobCode, and query like in my example for an object whose JobCode value= op attr JobCode (Which by the way is what the default value in Match attributes where you Specify JobCode on the left, and teh right side stays as: User Values from Current object" as long as the attribute names are the same).

    So as in my code example, set a local variable as a nodeset (this part is critical that it be a nodeset variable) and then in the Argument builder screen you use the Query, pretty much as I set it in my example, though I think you will have to add an Object Class because you do not want to find users with the Job Code only CustJobCode objects.  Of course if they are in a specifc DN, I would make a GCV with the DN and use the GCV (Or literal path, but I hate hard coding paths).

    You now have a nodeset variable which is either:

    • Empty
    • Has one value
    • Has many values.

    So my variable was Search-For-Object1 I think, so you can do if XPATH is true $Search-For-Object/@src-dn because inside the nodeset will be 0, 1, or many <instance> nodes, and those will all have a src-dn XML attribute.

    This will tell you that there is at least 1 object found, which really is all you care about.  And in that case, let the create process.

    If the answer is false, then you can decide what to do.

    Now if your question was, can I query back into the file which maybe has two object classes in it?  One for users, one for CustJobClass and see if maybe there is one coming?  The NetIQ shipping driver cannot do that.

    However, a great contributor on this forum, Stefaan Van Cauwberge (Who I ALWAYS spell incorrectly) has a number of drivers and plugins (Some he sells) but the Generic File Driver is free and awesome!

    http://vancauwenberge.info/

    My favorite part is that it includes metadata on every event that tells you this is event #12 of 400 lines in the file.

    But it also allows to query back to source and it will search the text file to see if something is in it. Which is very cool.

    Hope that helps.

Reply
  • 0   in reply to 

    So somewhere in the tree, you have a container full of CustJobCode objects?  Ok.

    So Pub-Create, you use the value of the op-attr JobCode, and query like in my example for an object whose JobCode value= op attr JobCode (Which by the way is what the default value in Match attributes where you Specify JobCode on the left, and teh right side stays as: User Values from Current object" as long as the attribute names are the same).

    So as in my code example, set a local variable as a nodeset (this part is critical that it be a nodeset variable) and then in the Argument builder screen you use the Query, pretty much as I set it in my example, though I think you will have to add an Object Class because you do not want to find users with the Job Code only CustJobCode objects.  Of course if they are in a specifc DN, I would make a GCV with the DN and use the GCV (Or literal path, but I hate hard coding paths).

    You now have a nodeset variable which is either:

    • Empty
    • Has one value
    • Has many values.

    So my variable was Search-For-Object1 I think, so you can do if XPATH is true $Search-For-Object/@src-dn because inside the nodeset will be 0, 1, or many <instance> nodes, and those will all have a src-dn XML attribute.

    This will tell you that there is at least 1 object found, which really is all you care about.  And in that case, let the create process.

    If the answer is false, then you can decide what to do.

    Now if your question was, can I query back into the file which maybe has two object classes in it?  One for users, one for CustJobClass and see if maybe there is one coming?  The NetIQ shipping driver cannot do that.

    However, a great contributor on this forum, Stefaan Van Cauwberge (Who I ALWAYS spell incorrectly) has a number of drivers and plugins (Some he sells) but the Generic File Driver is free and awesome!

    http://vancauwenberge.info/

    My favorite part is that it includes metadata on every event that tells you this is event #12 of 400 lines in the file.

    But it also allows to query back to source and it will search the text file to see if something is in it. Which is very cool.

    Hope that helps.

Children
  • 0 in reply to   

    Hi Geoffrey.

    Now, look my code, using other example where I need to search into the same class.

    Class: CustOU

    Attrib: CustIDUnidadLaboral (Object ID)

               CustNombreUnidadLaboral (Description)

               CustIDPresidenciaJefa (owner or parent from CustIDUnidadLaboral)

    Then, I go to create a new CustIDUnidadLaboral, I need to validate that CustIDPresidenciaJefa exists as CustIDUnidadLaboral in CustOU

    Example:

    in CustOU class exists a object 

     CustIDUnidadLaboral = 001

     CustNombreUnidadLaboral = Chief Operating Officer 

     CustIDPresidenciaJefa = 000

    Now I need create a new object and validate that the CustIDPresidenciaJefa 001 exists

    New Object:

    CustIDUnidadLaboral = 002

     CustNombreUnidadLaboral = Operation Manager 

     CustIDPresidenciaJefa = 001

    Then, in the Pub-Create I have the follow code:

    In fact, I use a node set variable, and in the Query set the class name CustOU

    When I run the driver, the (if-xpath true "$Search-For-Object1/@src-dn") = FALSE. still the CustIDPresidenciaJefa exists as a CustIDUnidadLaboral  on CustOU class.

    Its is the log:

    [09/30/24 16:32:58.268]:MID-Text-SAP-OU PT:Applying policy: %+C%14CNOVLDTXTBASE-pub-cp%-C.
    [09/30/24 16:32:58.268]:MID-Text-SAP-OU PT:  Applying to add #1.
    [09/30/24 16:32:58.268]:MID-Text-SAP-OU PT:    Evaluating selection criteria for rule 'Required Attributes'.
    [09/30/24 16:32:58.268]:MID-Text-SAP-OU PT:      (if-class-name equal "CustOU") = TRUE.
    [09/30/24 16:32:58.268]:MID-Text-SAP-OU PT:    Rule selected.
    [09/30/24 16:32:58.268]:MID-Text-SAP-OU PT:    Applying rule 'Required Attributes'.
    [09/30/24 16:32:58.268]:MID-Text-SAP-OU PT:      Action: do-veto-if-op-attr-not-available("CustIDUnidadLaboral").
    [09/30/24 16:32:58.268]:MID-Text-SAP-OU PT:      Action: do-veto-if-op-attr-not-available("CustIDPresidenciaJefa").
    [09/30/24 16:32:58.269]:MID-Text-SAP-OU PT:      Action: do-veto-if-op-attr-not-available("CustEstatus").
    [09/30/24 16:32:58.269]:MID-Text-SAP-OU PT:    Evaluating selection criteria for rule 'Check for object before creating'.
    [09/30/24 16:32:58.269]:MID-Text-SAP-OU PT:      (if-class-name equal "CustOU") = TRUE.
    [09/30/24 16:32:58.269]:MID-Text-SAP-OU PT:    Rule selected.
    [09/30/24 16:32:58.269]:MID-Text-SAP-OU PT:    Applying rule 'Check for object before creating'.
    [09/30/24 16:32:58.269]:MID-Text-SAP-OU PT:      Action: do-set-local-variable("vIdPresidJefa",scope="policy",token-op-attr("CustIDPresidenciaJefa")).
    [09/30/24 16:32:58.269]:MID-Text-SAP-OU PT:        arg-string(token-op-attr("CustIDPresidenciaJefa"))
    [09/30/24 16:32:58.269]:MID-Text-SAP-OU PT:          token-op-attr("CustIDPresidenciaJefa")
    [09/30/24 16:32:58.269]:MID-Text-SAP-OU PT:            Token Value: "90000111".
    [09/30/24 16:32:58.270]:MID-Text-SAP-OU PT:          Arg Value: "90000111".
    [09/30/24 16:32:58.270]:MID-Text-SAP-OU PT:      Action: do-set-local-variable("Search-For-Object1",scope="policy",arg-node-set(token-query(class-name="CustOU",arg-match-attr("CustIDPresidenciaJefa"),token-local-variable("vIdPresidJefa")))).
    [09/30/24 16:32:58.270]:MID-Text-SAP-OU PT:        arg-node-set(token-query(class-name="CustOU",arg-match-attr("CustIDPresidenciaJefa"),token-local-variable("vIdPresidJefa")))
    [09/30/24 16:32:58.270]:MID-Text-SAP-OU PT:          token-query(class-name="CustOU",arg-match-attr("CustIDPresidenciaJefa"),token-local-variable("vIdPresidJefa"))
    [09/30/24 16:32:58.270]:MID-Text-SAP-OU PT:            arg-match-attr("CustIDPresidenciaJefa")
    [09/30/24 16:32:58.270]:MID-Text-SAP-OU PT:            arg-string(token-local-variable("vIdPresidJefa"))
    [09/30/24 16:32:58.271]:MID-Text-SAP-OU PT:              token-local-variable("vIdPresidJefa")
    [09/30/24 16:32:58.271]:MID-Text-SAP-OU PT:                Token Value: "90000111".
    [09/30/24 16:32:58.271]:MID-Text-SAP-OU PT:              Arg Value: "90000111".
    [09/30/24 16:32:58.271]:MID-Text-SAP-OU PT:            Query from policy
    [09/30/24 16:32:58.271]:MID-Text-SAP-OU PT:            
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.7.0000">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <input>
        <query class-name="CustOU" scope="subtree">
          <search-class class-name="CustOU"/>
          <search-attr attr-name="CustIDPresidenciaJefa">
            <value type="string">90000111</value>
          </search-attr>
          <read-attr attr-name="90000111"/>
        </query>
      </input>
    </nds>
    [09/30/24 16:32:58.271]:MID-Text-SAP-OU PT:            Pumping XDS to eDirectory.
    [09/30/24 16:32:58.272]:MID-Text-SAP-OU PT:            Performing operation query for .
    [09/30/24 16:32:58.272]:MID-Text-SAP-OU PT:            --JCLNT-- \MID-TELEFONICA-PROD-TREE\system\driverset1\MID-Text-SAP-OU - Publisher : Duplicating : context = 99811817, tempContext = 99811770
    [09/30/24 16:32:58.272]:MID-Text-SAP-OU PT:            --JCLNT-- \MID-TELEFONICA-PROD-TREE\system\driverset1\MID-Text-SAP-OU - Publisher : Calling free on tempContext = 99811770
    [09/30/24 16:32:58.273]:MID-Text-SAP-OU PT:            Query from policy result
    [09/30/24 16:32:58.273]:MID-Text-SAP-OU PT:            
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.7.0000">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <output>
        <status event-id="0" level="success"></status>
      </output>
    </nds>
    [09/30/24 16:32:58.273]:MID-Text-SAP-OU PT:          Token Value: {}.
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:          Arg Value: {}.
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:      Action: do-if().
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:        Evaluating conditions.
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:          (if-xpath true "$Search-For-Object1/@src-dn") = FALSE.
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:        Performing else actions.
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:          Action: do-veto().
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:Policy returned:
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:
    <nds dtdversion="1.1" ndsversion="8.6" xml:space="default">

    Now, When you said  "Of course if they are in a specifc DN, I would make a GCV with the DN and use the GCV" its because I must place a DN in the "Select Object" configuration option for the query?

    something like that:

    Best,

  • 0   in reply to 

    So two questions  here.  Second first.  The Specify DN, is nicer if you use a GCV instead of a path, since you can more easily change it in one place if you decide to move the container.  Or if you install in a second tree, and it is structured different.  But functionally no other difference.

    First question:  Why did the query and XPATH say none found?

    Snipping from your trace:

    [09/30/24 16:32:58.271]:MID-Text-SAP-OU PT:            
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.7.0000">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <input>
        <query class-name="CustOU" scope="subtree">
          <search-class class-name="CustOU"/>
          <search-attr attr-name="CustIDPresidenciaJefa">
            <value type="string">90000111</value>
          </search-attr>
          <read-attr attr-name="90000111"/>
        </query>
      </input>
    </nds>
    [09/30/24 16:32:58.271]:MID-Text-SAP-OU PT:            Pumping XDS to eDirectory.
    [09/30/24 16:32:58.272]:MID-Text-SAP-OU PT:            Performing operation query for .
    [09/30/24 16:32:58.272]:MID-Text-SAP-OU PT:            --JCLNT-- \MID-TELEFONICA-PROD-TREE\system\driverset1\MID-Text-SAP-OU - Publisher : Duplicating : context = 99811817, tempContext = 99811770
    [09/30/24 16:32:58.272]:MID-Text-SAP-OU PT:            --JCLNT-- \MID-TELEFONICA-PROD-TREE\system\driverset1\MID-Text-SAP-OU - Publisher : Calling free on tempContext = 99811770
    [09/30/24 16:32:58.273]:MID-Text-SAP-OU PT:            Query from policy result
    [09/30/24 16:32:58.273]:MID-Text-SAP-OU PT:            
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.7.0000">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <output>
        <status event-id="0" level="success"></status>
      </output>
    </nds>
    [09/30/24 16:32:58.273]:MID-Text-SAP-OU PT:          Token Value: {}.
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:          Arg Value: {}.
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:      Action: do-if().
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:        Evaluating conditions.
    [09/30/24 16:32:58.274]:MID-Text-SAP-OU PT:          (if-xpath true "$Search-For-Object1/@src-dn") = FALSE.

    First up, cosmetic...  You have as Read Attribute the local variable, lvdPresidjfa...  Here you are expected to but an actual attribute name. You search by this attr name=value.  See inside the Query XML that has a <search-attr> done correctly.  Just the attribute returned makes no sense as the attribute name is NOT 90000111.

    I do not think that is causing the issue. But maybe?  Fix that and try again.

    However, your trace shows a query, and an empty <status> document.  That means no such objects were found.  So what could be cause?

    1) Wrong OU for these objects?

    2) No permissions for driver?  Drivers get their permissions via Security Equals.  You could use iManager and the Rights task, and then look at the effective righst of the object the driver is missing and then see what effective rights the driver object itself has to the missed object.

    3) Wrong class? Wrong value?  Some other typo?

  • 0 in reply to   

    Hi Geoffrey,

    I change the Query. 

     Action: do-set-local-variable("Search-For-Object1",scope="policy",arg-node-set(token-query(class-name="CustOU",scope="subtree",arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\"),arg-match-attr("CustIDPresidenciaJefa"),"CustIDUnidadLaboral"))).
    Where:
    arg-match-attr("CustIDPresidenciaJefa") is the attribute from the txt file
    and 
    CustIDUnidadLaboral is the attribut in CustOU class to return.
    The select object is a DN and the Specify DN is the container \MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\
    but i have the same resut, the if-xpath is false
     
    [10/01/24 15:36:31.528]:MID-Text-SAP-OU PT:    Applying rule 'Check for object before creating'.
    [10/01/24 15:36:31.528]:MID-Text-SAP-OU PT:      Action: do-set-local-variable("vIdPresidJefa",scope="policy",token-op-attr("CustIDPresidenciaJefa")).
    [10/01/24 15:36:31.528]:MID-Text-SAP-OU PT:        arg-string(token-op-attr("CustIDPresidenciaJefa"))
    [10/01/24 15:36:31.528]:MID-Text-SAP-OU PT:          token-op-attr("CustIDPresidenciaJefa")
    [10/01/24 15:36:31.528]:MID-Text-SAP-OU PT:            Token Value: "90000111".
    [10/01/24 15:36:31.528]:MID-Text-SAP-OU PT:          Arg Value: "90000111".
    [10/01/24 15:36:31.529]:MID-Text-SAP-OU PT:      Action: do-set-local-variable("Search-For-Object1",scope="policy",arg-node-set(token-query(class-name="CustOU",scope="subtree",arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\"),arg-match-attr("CustIDPresidenciaJefa"),"CustIDUnidadLaboral"))).
    [10/01/24 15:36:31.529]:MID-Text-SAP-OU PT:        arg-node-set(token-query(class-name="CustOU",scope="subtree",arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\"),arg-match-attr("CustIDPresidenciaJefa"),"CustIDUnidadLaboral"))
    [10/01/24 15:36:31.529]:MID-Text-SAP-OU PT:          token-query(class-name="CustOU",scope="subtree",arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\"),arg-match-attr("CustIDPresidenciaJefa"),"CustIDUnidadLaboral")
    [10/01/24 15:36:31.529]:MID-Text-SAP-OU PT:            arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\")
    [10/01/24 15:36:31.530]:MID-Text-SAP-OU PT:              token-text("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\")
    [10/01/24 15:36:31.530]:MID-Text-SAP-OU PT:              Arg Value: "\MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\".
    [10/01/24 15:36:31.530]:MID-Text-SAP-OU PT:            arg-match-attr("CustIDPresidenciaJefa")
    [10/01/24 15:36:31.530]:MID-Text-SAP-OU PT:            arg-string("CustIDUnidadLaboral")
    [10/01/24 15:36:31.530]:MID-Text-SAP-OU PT:              token-text("CustIDUnidadLaboral")
    [10/01/24 15:36:31.530]:MID-Text-SAP-OU PT:              Arg Value: "CustIDUnidadLaboral".
    [10/01/24 15:36:31.530]:MID-Text-SAP-OU PT:            Query from policy
    [10/01/24 15:36:31.530]:MID-Text-SAP-OU PT:            
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.7.0000">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <input>
        <query class-name="CustOU" dest-dn="\MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\" scope="subtree">
          <search-class class-name="CustOU"/>
          <search-attr attr-name="CustIDPresidenciaJefa">
            <value type="string">90000111</value>
          </search-attr>
          <read-attr attr-name="CustIDUnidadLaboral"/>
        </query>
      </input>
    </nds>
    [10/01/24 15:36:31.531]:MID-Text-SAP-OU PT:            Pumping XDS to eDirectory.
    [10/01/24 15:36:31.531]:MID-Text-SAP-OU PT:            Performing operation query for \MID-TELEFONICA-PROD-TREE\data\telefonica\access\OrgUnits\.
    [10/01/24 15:36:31.531]:MID-Text-SAP-OU PT:            --JCLNT-- \MID-TELEFONICA-PROD-TREE\system\driverset1\MID-Text-SAP-OU - Publisher : Duplicating : context = 99811706, tempContext = 99811680
    [10/01/24 15:36:31.532]:MID-Text-SAP-OU PT:            --JCLNT-- \MID-TELEFONICA-PROD-TREE\system\driverset1\MID-Text-SAP-OU - Publisher : Calling free on tempContext = 99811680
    [10/01/24 15:36:31.532]:MID-Text-SAP-OU PT:            Query from policy result
    [10/01/24 15:36:31.532]:MID-Text-SAP-OU PT:            
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.7.0000">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <output>
        <status event-id="0" level="success"></status>
      </output>
    </nds>
    [10/01/24 15:36:31.533]:MID-Text-SAP-OU PT:          Token Value: {}.
    [10/01/24 15:36:31.533]:MID-Text-SAP-OU PT:          Arg Value: {}.
    [10/01/24 15:36:31.533]:MID-Text-SAP-OU PT:      Action: do-if().
    [10/01/24 15:36:31.533]:MID-Text-SAP-OU PT:        Evaluating conditions.
    [10/01/24 15:36:31.533]:MID-Text-SAP-OU PT:          (if-xpath true "$Search-For-Object1/@src-dn") = FALSE.
    [10/01/24 15:36:31.533]:MID-Text-SAP-OU PT:        Performing else actions.
    [10/01/24 15:36:31.533]:MID-Text-SAP-OU PT:          Action: do-veto().
    [10/01/24 15:36:31.533]:MID-Text-SAP-OU PT:Policy returned:
    How Can I debug the "$Search-For-Object1/@src-dn" value
    Best,
  • 0   in reply to 

    Side note:  Use the Insert submenu down below, and insert a code block and paste your trace into there.  Makes it easier to read, and easier to sort out your comments.

    So the query is not working.  Back to previous questions about permissions.

    As your usual user, can you do an LDAP query for something like:

    (&(objectClass=CustOU)(CustIDPresidenciaJefa=90000111))
    Returning the attribiute CustIDUnidadLaboral
    Start with base at the root of the tree I think.
    What comes back via LDAP?  I.e. You say the object is there, but is the object as you have defined it for IDM really there?  Maybe it needs to be addressed differently?  (An LDIF export of the Server object)
  • Suggested Answer

    0   in reply to 

    I know that in the driver filter, you should use only structural classes, it might be that this is turning out empty, if "CustOU" is an auxiliary class not structural.

    So I would try using the structural class of that object.

  • 0 in reply to   

    Hi Geoffre, 

    Good Work, the query is working.

    I did not understand the structure of the query very well, after several tests I understood that the Match Attributes had to assign the attribute and to the variable where it captured the text file value.

    Thanks,

    Great Job!!

    Its the result:

    When Match Object
    
    :MID-Text PT:Applying command transformation policies.
    :MID-Text PT:Applying policy: %+C%14CPub-CTP-01-ValObjects-Mov%-C.
    :MID-Text PT:  Applying to modify #1.
    :MID-Text PT:    Evaluating selection criteria for rule 'Validate Objects'.
    :MID-Text PT:      (if-class-name equal "User") = TRUE.
    :MID-Text PT:      (if-op-attr 'jobCode' available) = TRUE.
    :MID-Text PT:    Rule selected.
    :MID-Text PT:    Applying rule 'Validate Objects'.
    :MID-Text PT:      Action: do-set-local-variable("vJobCode",scope="policy",token-op-attr("jobCode")).
    :MID-Text PT:        arg-string(token-op-attr("jobCode"))
    :MID-Text PT:          token-op-attr("jobCode")
    :MID-Text PT:            Token Value: "90100036".
    :MID-Text PT:          Arg Value: "90100036".
    :MID-Text PT:      Action: do-set-local-variable("Search-For-Object1",scope="policy",arg-node-set(token-query(class-name="CustPosition",max-result-count="1",scope="subtree",arg-dnTREE\data\telefonica\access\Positions\"),arg-match-attr("CustIDCargo",token-local-variable("vJobCode")),"CustIDCargo"))).
    :MID-Text PT:        arg-node-set(token-query(class-name="CustPosition",max-result-count="1",scope="subtree",arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\"),arg-match-attrcal-variable("vJobCode")),"CustIDCargo"))
    :MID-Text PT:          token-query(class-name="CustPosition",max-result-count="1",scope="subtree",arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\"),arg-match-attr("CustIDCargo",JobCode")),"CustIDCargo")
    :MID-Text PT:            arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\")
    :MID-Text PT:              token-text("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\")
    :MID-Text PT:              Arg Value: "\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\".
    :MID-Text PT:            arg-match-attr("CustIDCargo",token-local-variable("vJobCode"))
    :MID-Text PT:              arg-string(token-local-variable("vJobCode"))
    :MID-Text PT:                token-local-variable("vJobCode")
    :MID-Text PT:                  Token Value: "90100036".
    :MID-Text PT:                Arg Value: "90100036".
    :MID-Text PT:            arg-string("CustIDCargo")
    :MID-Text PT:              token-text("CustIDCargo")
    :MID-Text PT:              Arg Value: "CustIDCargo".
    :MID-Text PT:            Query from policy
    :MID-Text PT:            
    
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.7.0000">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <input>
        <query-ex class-name="CustPosition" dest-dn="\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\" max-result-count="1" scope="subtree">
          <search-class class-name="CustPosition"/>
          <search-attr attr-name="CustIDCargo">
            <value type="string">90100036</value>
          </search-attr>
          <read-attr attr-name="CustIDCargo"/>
        </query-ex>
      </input>
    </nds>
    
    <nds dtdversion="4.0" ndsversion="8.x">
      <source>
        <product edition="Advanced" version="4.8.7.0000">DirXML</product>
        <contact>NetIQ Corporation</contact>
      </source>
      <output>
        <instance class-name="CustPosition" event-id="0" qualified-src-dn="O=data\OU=telefonica\OU=access\OU=Positions\CN=90100036" src-dn="\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\90100036" src-entry-id="36274">
          <attr attr-name="CustIDCargo">
            <value timestamp="1727720567#46" type="string">90100036</value>
          </attr>
        </instance>
        <query-token>rO0ABXNyACxjb20ubm92ZWxsLm5kcy5kaXJ4bWwuZW5naW5lLk5EU1JlYWRlciRUb2tlbuWeJE0ga5xBAgACSgAFc3RhbXBJAAlzdGF0ZUhhc2h4cAAAAZJZGxczT2hfdg==</query-token>
        <status event-id="0" level="success"></status>
      </output>
    </nds>
    
    :MID-Text PT:          Token Value: {<instance> @class-name = "CustPosition" @event-id = "0" @qualified-src-dn = "O=data\OU=telefonica\OU=access\OU=Positions\CN=90100036" @src-dn = "\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\90100036" @src-entry-id = "36274",<query-token> @datastore = "dest" @read-attr = "CustIDCargo"}.
    :MID-Text PT:          Arg Value: {<instance> @class-name = "CustPosition" @event-id = "0" @qualified-src-dn = "O=data\OU=telefonica\OU=access\OU=Positions\CN=90100036" @src-dn = "\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\90100036" @src-entry-id = "36274",<query-token> @datastore = "dest" @read-attr = "CustIDCargo"}.
    :MID-Text PT:      Action: do-if().
    :MID-Text PT:        Evaluating conditions.
    :MID-Text PT:          (if-local-variable 'Search-For-Object1' not-equal "") = TRUE.
    :MID-Text PT:        Performing if actions.
    :MID-Text PT:          Action: do-trace-message("Encontro ocurrencia").
    :MID-Text PT:            arg-string("Encontro ocurrencia")
    :MID-Text PT:              token-text("Encontro ocurrencia")
    :MID-Text PT:              Arg Value: "Encontro ocurrencia".
    :MID-Text PT:Encontro ocurrencia
    :MID-Text PT:      Action: do-trace-message(token-local-variable("vJobCode")).
    :MID-Text PT:        arg-string(token-local-variable("vJobCode"))
    :MID-Text PT:          token-local-variable("vJobCode")
    :MID-Text PT:            Token Value: "90100036".
    :MID-Text PT:          Arg Value: "90100036".
    :MID-Text PT:90100036
    :MID-Text PT:      Action: do-trace-message(token-local-variable("Search-For-Object1")).
    :MID-Text PT:        arg-string(token-local-variable("Search-For-Object1"))
    :MID-Text PT:          token-local-variable("Search-For-Object1")
    :MID-Text PT:            Token Value: "90100036".
    :MID-Text PT:          Arg Value: "90100036".
    :MID-Text PT:90100036
    :MID-Text PT:  Query from policy
    :MID-Text PT:  
    
    When NOT Match Object
    ______________________________________________________________________________________
    
    :MID-Text PT:Applying policy: %+C%14CPub-CTP-01-ValObjects-Mov%-C.
    :MID-Text PT:  Applying to modify #1.
    :MID-Text PT:    Evaluating selection criteria for rule 'Validate Objects'.
    :MID-Text PT:      (if-class-name equal "User") = TRUE.
    :MID-Text PT:      (if-op-attr 'jobCode' available) = TRUE.
    :MID-Text PT:    Rule selected.
    :MID-Text PT:    Applying rule 'Validate Objects'.
    :MID-Text PT:      Action: do-set-local-variable("vJobCode",scope="policy",token-op-attr("jobCode")).
    :MID-Text PT:        arg-string(token-op-attr("jobCode"))
    :MID-Text PT:          token-op-attr("jobCode")
    :MID-Text PT:            Token Value: "90122225111".
    :MID-Text PT:          Arg Value: "90122225111".
    :MID-Text PT:      Action: do-set-local-variable("Search-For-Object1",scope="policy",arg-node-set(token-query(class-name="CustPosition",max-result-count="1",scope="subtree",arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\"),arg-match-attr("CustIDCargo",token-local-variable("vJobCode")),"CustIDCargo"))).
    :MID-Text PT:        arg-node-set(token-query(class-name="CustPosition",max-result-count="1",scope="subtree",arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\"),arg-match-attr("CustIDCargo",token-local-variable("vJobCode")),"CustIDCargo"))
    :MID-Text PT:          token-query(class-name="CustPosition",max-result-count="1",scope="subtree",arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\"),arg-match-attr("CustIDCargo",token-local-variable("vJobCode")),"CustIDCargo")
    :MID-Text PT:            arg-dn("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\")
    :MID-Text PT:              token-text("\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\")
    :MID-Text PT:              Arg Value: "\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\".
    :MID-Text PT:            arg-match-attr("CustIDCargo",token-local-variable("vJobCode"))
    :MID-Text PT:              arg-string(token-local-variable("vJobCode"))
    :MID-Text PT:                token-local-variable("vJobCode")
    :MID-Text PT:                  Token Value: "90122225111".
    :MID-Text PT:                Arg Value: "90122225111".
    :MID-Text PT:            arg-string("CustIDCargo")
    :MID-Text PT:              token-text("CustIDCargo")
    :MID-Text PT:              Arg Value: "CustIDCargo".
    :MID-Text PT:            Query from policy
    
     <input>
        <query-ex class-name="CustPosition" dest-dn="\MID-TELEFONICA-PROD-TREE\data\telefonica\access\Positions\" max-result-count="1" scope="subtree">
          <search-class class-name="CustPosition"/>
          <search-attr attr-name="CustIDCargo">
            <value type="string">90122225111</value>
          </search-attr>
          <read-attr attr-name="CustIDCargo"/>
        </query-ex>
      </input>
    </nds>
    
    :MID-Text PT:          Token Value: {}.
    :MID-Text PT:          Arg Value: {}.
    :MID-Text PT:      Action: do-if().
    :MID-Text PT:        Evaluating conditions.
    :MID-Text PT:          (if-local-variable 'Search-For-Object1' not-equal "") = FALSE.
    :MID-Text PT:        Performing else actions.
    :MID-Text PT:          Action: do-trace-message("No existe el Cargo").
    :MID-Text PT:            arg-string("No existe el Cargo")
    :MID-Text PT:              token-text("No existe el Cargo")
    :MID-Text PT:              Arg Value: "No existe el Cargo".
    :MID-Text PT:No existe el Cargo
    :MID-Text PT:          Action: do-send-email-from-template(notification-dn="Security\Default Notification Collection",template-dn="security\Default Notification Collection\User Migrate","cmorrone@abc.com.ve","mrojas@abc.com.ve",token-op-attr("CN"),"Error: El cargo no existe","csar.morrone@abc.com").
    :MID-Text PT:            to("cmorrone@abc.com.ve")
    :MID-Text PT:              token-text("cmorrone@abc.com.ve")
    :MID-Text PT:              Arg Value: "cmorrone@abc.com.ve".
    :MID-Text PT:            cc("mrojas@abc.com.ve")
    :MID-Text PT:              token-text("mrojas@abc.com.ve")
    :MID-Text PT:              Arg Value: "mrojas@abc.com.ve".
    :MID-Text PT:            CN(token-op-attr("CN"))
    :MID-Text PT:              token-op-attr("CN")
    :MID-Text PT:                Token Value: "".
    :MID-Text PT:              Arg Value: "".
    :MID-Text PT:            FailureReason("Error: El cargo no existe")
    :MID-Text PT:              token-text("Error: El cargo no existe")
    :MID-Text PT:              Arg Value: "Error: El cargo no existe".
    :MID-Text PT:            cc("csar.morrone@abc.com")
    :MID-Text PT:              token-text("csar.morrone@abcl.com")
    :MID-Text PT:              Arg Value: "csar.morrone@abc.com".
    :MID-Text PT:          Action: do-veto().
    :MID-Text PT:Policy returned:
    :MID-Text PT:

  • 0 in reply to   

    Hi Geoffrey.

    After performing several tests, I got the query to work correctly.
    The problem was that in the Match Attribute I placed the attribute name 
    and left it with the value of the current object,
    when I assigned the name of the variable it started to work.

    Great Job, Thanks for you help.

    Best
    Cesar.
  • 0   in reply to 

    In Match attributes, the option for Use Value from Current operation requires that there be a value for that exact attribute name in the current op doc.  If its not there, or has  different name (Pre-schema map for example) then you have to do it the way you did and specify it somehow.