Managing GroupWise distribution lists via the GroupWise REST IDM driver without syncing groups between the IDVault and GroupWise

In a traditional implementation, both user and group objects are synchronized between the IDVault and the connected application. However, because the number of groups was large, one of our customers required the ability to manage GroupWise distribution list membership without enabling Group object synchronization in the IDM connector's filter.

Solution:

(Note: The customer's hierarchy, based on each employee's location, was very specific and quite complex, and is not generally relevant. The policy included below therefore omits the condition part, and only the rule actions are discussed. Anyone who wants to use this solution must add their own conditions to control when it is triggered.)

Logic:

Step 1: Determine the actual GroupWise group name to which the user needs to be added or from which the user needs to be removed. How this is determined depends on your business use case. (Our customer used a mapping table; in this solution we simply use the change to the "Group Membership" attribute on the user object, since Groups are disabled in the filter.)

Step 2: Send a query to the GroupWise system for a group whose CN matches. If a group is found, its association value can be read from the returned query output. The association value is essential for the group modify to succeed in the GroupWise system: without it, the shim will fail the group modify event.

Step 3: Prepare the group modify event: an update to the "Member To" attribute carrying the group's association value, the user's DN and the user's association as the value's association-ref.

Step 4: Do the same for all removed groups, except that the membership is removed in GroupWise.

Note: The policy where these actions are carried out is placed in the Output Transformation, because the filter would otherwise block the group modify XDS that the rule adds, since Groups are not synchronized in this implementation.
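The four steps above, modelled as an added Python example (this is not the article's policy or the driver's code; the helper names, the constructed sample event and the dictionary that stands in for the GroupWise query are assumptions). It builds the same Group modify XDS the policy produces and, in addition, skips any group the query does not resolve, since a modify without the group's association fails in the shim:

```python
"""Added example, not the article's policy: the four steps of the Logic
section modelled in Python so the generated XDS can be inspected offline.
Helper names, the sample event and the query stand-in are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample event, modelled on the article's trace (not a real capture).
USER_MODIFY = """<input>
<modify class-name="User" event-id="constructed-event-1" src-dn="\\IDM45SLES\\data\\users\\gwuser40">
<association state="associated">GW14LAB.gw14PO.gwuser40{106}{CONSTRUCTED-USER-GUID}</association>
<modify-attr attr-name="Group Membership">
<add-value><value type="dn">\\IDM45SLES\\data\\groups\\GWGrp2</value></add-value>
<add-value><value type="dn">\\IDM45SLES\\data\\groups\\NoSuchGroup</value></add-value>
<remove-value><value type="dn">\\IDM45SLES\\data\\groups\\GWGrp1</value></remove-value>
</modify-attr>
</modify>
</input>"""

# Stand-in for the GroupWise query result: group name (attribute 50073) ->
# (src-dn, association), as an <instance> would return them. Constructed values.
GW_GROUPS = {
    "GWGrp2": ("GW14LAB.gw14PO.GWGrp2", "GW14LAB.gw14PO.GWGrp2{110}{CONSTRUCTED-GUID-2}"),
    "GWGrp1": ("GW14LAB.gw14PO.GWGrp1", "GW14LAB.gw14PO.GWGrp1{110}{CONSTRUCTED-GUID-1}"),
}


def leaf_cn(backslash_dn):
    """Step 1: the policy's parse-dn to dot format followed by substring-before('.')
    reduces to taking the leaf component of the eDirectory DN."""
    return backslash_dn.rsplit("\\", 1)[-1]


def query_group(name):
    """Step 2: stand-in for <token-query class-name="Group"> matching attribute 50073.
    Returns (src-dn, association) or None when GroupWise knows no such group."""
    return GW_GROUPS.get(name)


def build_group_modifies(input_doc, query=query_group):
    """Steps 3 and 4: one Group modify per added or removed membership value.

    Returns (modifies, skipped): the <modify> elements that carry an association,
    and the group names the query did not resolve. The policy on the page would
    emit those too, with an empty association, and the shim would fail them."""
    user = ET.fromstring(input_doc).find("modify[@class-name='User']")
    user_dn = user.get("src-dn")
    user_assoc = user.findtext("association")
    event_id = user.get("event-id")
    modifies, skipped = [], []
    # Additions first, then removals, in the order the policy loops over them.
    for op in ("add-value", "remove-value"):
        for val in user.findall(f"modify-attr[@attr-name='Group Membership']/{op}/value"):
            name = leaf_cn(val.text)
            hit = query(name)
            if hit is None:
                skipped.append(name)
                continue
            grp_dn, grp_assoc = hit
            mod = ET.Element("modify", {"class-name": "Group", "dest-dn": grp_dn, "event-id": event_id})
            ET.SubElement(mod, "association").text = grp_assoc
            attr = ET.SubElement(mod, "modify-attr", {"attr-name": "Member To"})
            value = ET.SubElement(ET.SubElement(attr, op), "value",
                                  {"association-ref": user_assoc, "type": "dn"})
            value.text = user_dn
            modifies.append(mod)
    return modifies, skipped


def to_xds(modifies):
    """Serialise the generated Group modifies as they would appear inside <input>."""
    return "\n".join(ET.tostring(m, encoding="unicode") for m in modifies)


if __name__ == "__main__":
    mods, missing = build_group_modifies(USER_MODIFY)
    print(to_xds(mods))
    print("not found in GroupWise:", missing)
```

Running it prints the two Group modifies and reports NoSuchGroup as unresolved. In the real policy the equivalent guard would be an extra condition on the query result (for example count($qResult/association) = 1) before the do-add-dest-attr-value, so that a group missing from GroupWise is logged rather than sent as a modify that the shim rejects.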

Policy actions:

<!-- Rule actions only: the rule's own conditions go before this point (see the note above). -->
<!-- Step 1 (additions): collect every value added to the user's Group Membership attribute. -->
<do-set-local-variable name="addedGroupNS" scope="policy">
  <arg-node-set>
    <token-xpath expression="modify-attr[@attr-name='Group Membership']/add-value/value"/>
  </arg-node-set>
</do-set-local-variable>
<do-for-each>
  <arg-node-set>
    <token-local-variable name="addedGroupNS"/>
  </arg-node-set>
  <arg-actions>
    <do-set-local-variable name="currValue" scope="policy">
      <arg-string>
        <token-local-variable name="current-node"/>
      </arg-string>
    </do-set-local-variable>
    <!-- Convert the eDirectory DN to dot format and keep the leaf component: the GroupWise group name. -->
    <do-set-local-variable name="addedGroup" scope="policy">
      <arg-string>
        <token-parse-dn dest-dn-format="dot" length="-1" start="0">
          <token-local-variable name="currValue"/>
        </token-parse-dn>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="addedGroup" scope="policy">
      <arg-string>
        <token-xpath expression="substring-before($addedGroup,'.')"/>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-xpath op="true">string-length($addedGroup) > 0</if-xpath>
        </and>
      </arg-conditions>
      <arg-actions>
        <!-- Step 2: query GroupWise for a Group whose name (attribute 50073) matches. The
             returned instance carries the association and src-dn needed for the modify. -->
        <do-set-local-variable name="qResult" scope="policy">
          <arg-node-set>
            <token-query class-name="Group">
              <arg-match-attr name="50073">
                <arg-value type="string">
                  <token-local-variable name="addedGroup"/>
                </arg-value>
              </arg-match-attr>
              <arg-string>
                <token-text xml:space="preserve">50073</token-text>
              </arg-string>
            </token-query>
          </arg-node-set>
        </do-set-local-variable>
        <do-set-local-variable name="grpAssoc" scope="policy">
          <arg-string>
            <token-xpath expression="$qResult/association"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="grpSrcDN" scope="policy">
          <arg-string>
            <token-xpath expression="$qResult/@src-dn"/>
          </arg-string>
        </do-set-local-variable>
        <!-- Step 3: append a Group modify that adds the user's DN to "Member To", addressing
             the group by its association. If the query found no group, grpAssoc is empty and
             the shim fails the modify (see Step 2). -->
        <do-add-dest-attr-value class-name="Group" name="Member To">
          <arg-association>
            <token-local-variable name="grpAssoc"/>
          </arg-association>
          <arg-value type="dn">
            <token-xpath expression="@src-dn"/>
          </arg-value>
        </do-add-dest-attr-value>
        <!-- Stamp the value with the user's association and the modify with the group's GroupWise DN. -->
        <do-set-xml-attr expression="../modify[@class-name='Group'][last()]/modify-attr[@attr-name='Member To']/add-value/value" name="association-ref">
          <arg-string>
            <token-association/>
          </arg-string>
        </do-set-xml-attr>
        <do-set-xml-attr expression="../modify[@class-name='Group'][last()]" name="dest-dn">
          <arg-string>
            <token-local-variable name="grpSrcDN"/>
          </arg-string>
        </do-set-xml-attr>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </arg-actions>
</do-for-each>
<!-- Step 4: repeat for removed values, issuing a remove from "Member To" instead of an add. -->
<do-set-local-variable name="removedGroupNS" scope="policy">
  <arg-node-set>
    <token-xpath expression="modify-attr[@attr-name='Group Membership']/remove-value/value"/>
  </arg-node-set>
</do-set-local-variable>
<do-for-each>
  <arg-node-set>
    <token-local-variable name="removedGroupNS"/>
  </arg-node-set>
  <arg-actions>
    <do-set-local-variable name="currValue" scope="policy">
      <arg-string>
        <token-local-variable name="current-node"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="removedGroup" scope="policy">
      <arg-string>
        <token-parse-dn dest-dn-format="dot" length="-1" start="0">
          <token-local-variable name="currValue"/>
        </token-parse-dn>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="removedGroup" scope="policy">
      <arg-string>
        <token-xpath expression="substring-before($removedGroup,'.')"/>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-xpath op="true">string-length($removedGroup) > 0</if-xpath>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="qResult" scope="policy">
          <arg-node-set>
            <token-query class-name="Group">
              <arg-match-attr name="50073">
                <arg-value type="string">
                  <token-local-variable name="removedGroup"/>
                </arg-value>
              </arg-match-attr>
              <arg-string>
                <token-text xml:space="preserve">50073</token-text>
              </arg-string>
            </token-query>
          </arg-node-set>
        </do-set-local-variable>
        <do-set-local-variable name="grpAssoc" scope="policy">
          <arg-string>
            <token-xpath expression="$qResult/association"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="grpSrcDN" scope="policy">
          <arg-string>
            <token-xpath expression="$qResult/@src-dn"/>
          </arg-string>
        </do-set-local-variable>
        <!-- The removed value is the user's DN, so it is typed "dn" like the added value above;
             association-ref is only meaningful on a dn-typed value. -->
        <do-remove-dest-attr-value class-name="Group" name="Member To">
          <arg-association>
            <token-local-variable name="grpAssoc"/>
          </arg-association>
          <arg-value type="dn">
            <token-xpath expression="@src-dn"/>
          </arg-value>
        </do-remove-dest-attr-value>
        <do-set-xml-attr expression="../modify[@class-name='Group'][last()]/modify-attr[@attr-name='Member To']/remove-value/value" name="association-ref">
          <arg-string>
            <token-association/>
          </arg-string>
        </do-set-xml-attr>
        <do-set-xml-attr expression="../modify[@class-name='Group'][last()]" name="dest-dn">
          <arg-string>
            <token-local-variable name="grpSrcDN"/>
          </arg-string>
        </do-set-xml-attr>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </arg-actions>
</do-for-each>
<!-- Veto the original User modify so that only the appended Group modifies reach the shim. -->
<do-veto/>

Processing:

Policy triggering event
<input>
  <modify cached-time="20160217162441.885Z" class-name="User" event-id="idm45sles#20160217162441#1#1:0111bbbc-bd86-4f1c-8d89-bcbb110186bd" qualified-src-dn="O=data\OU=users\CN=gwuser40" src-dn="\IDM45SLES\data\users\gwuser40" src-entry-id="35997" timestamp="1455726281#2">
    <association state="associated">GW14LAB.gw14PO.gwuser40{106}{E2C68200-0DB2-0000-BC67-773135376134}3859B981-0737-0000-8EB4-DAE704F9F7C2</association>
    <modify-attr attr-name="Group Membership">
      <add-value>
        <value timestamp="1455726281#1" type="dn">\IDM45SLES\data\groups\GWGrp2</value>
      </add-value>
    </modify-attr>
    <operation-data AccountTracking-AppAccountStatus="-" AccountTracking-IdvAccountStatus="-" AccountTracking-Operation="modify"/>
  </modify>
</input>

Query being sent to the GroupWise system
<input>
  <query class-name="Group" scope="subtree">
    <search-class class-name="Group"/>
    <search-attr attr-name="50073">
      <value type="string">GWGrp2</value>
    </search-attr>
    <read-attr attr-name="50073"/>
  </query>
</input>

Query response from GroupWise
<output>
  <instance class-name="Group" event-id="0" src-dn="GW14LAB.gw14PO.GWGrp2">
    <association>GW14LAB.gw14PO.GWGrp2{110}{1B4C5480-0226-0000-BC67-773135376134}3859B981-0737-0000-8EB4-DAE704F9F7C2</association>
    <attr attr-name="50073">
      <value type="string">GWGrp2</value>
    </attr>
  </instance>
  <status event-id="0" level="success"/>
</output>

Modified XDS event with the Group update
<input>
  <modify class-name="Group" dest-dn="GW14LAB.gw14PO.GWGrp2" event-id="idm45sles#20160217162441#1#1:0111bbbc-bd86-4f1c-8d89-bcbb110186bd">
    <association>GW14LAB.gw14PO.GWGrp2{110}{1B4C5480-0226-0000-BC67-773135376134}3859B981-0737-0000-8EB4-DAE704F9F7C2</association>
    <modify-attr attr-name="Member To">
      <add-value>
        <value association-ref="GW14LAB.gw14PO.gwuser40{106}{E2C68200-0DB2-0000-BC67-773135376134}3859B981-0737-0000-8EB4-DAE704F9F7C2" type="dn">\IDM45SLES\data\users\gwuser40</value>
      </add-value>
    </modify-attr>
  </modify>
</input>

Operation result
<nds dtdversion="2.0" ndsversion="8.x">
  <source>
    <product build="20150211_0629" instance="GroupWise 2014 REST" version="4.0.0.1">DirXML Driver for GroupWise</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <output>
    <status event-id="idm45sles#20160217162441#1#1:0111bbbc-bd86-4f1c-8d89-bcbb110186bd" level="success"/>
  </output>
</nds>
