Related Tips & Info

Group Memberships - How to copy all groups from user to another?

iWill
0 Likes

Hi there,

Do you know how to copy/duplicate all group memberships from one user to another?

Comment List
Anonymous
Parents

  • - as indicates, you need to get the group membership values from user 1 into a node-set variable and then add those values to user 2.

    Where you are in your driver channel/policy set/policy/rules will also impact exactly how you approach this desire. Updating this information in a connected application vs within the Vault will also impact the selection of steps required to get your desired results.

    Assuming that you are working in a loopback driver subscriber channel, for an add event of a new user (user 2) the following sample code could be helpful. There should be additional error checking, and possibly checking for duplicates of Group Membership values if there is something in the DOM document being processed. If this were a Modify event, the example would need to be adapted for that operation instead of an add. The example uses a hard coded reference to query the source user in this example.

    <rule>
      <description>Copy Group Membership from Source User</description>
      <conditions>
        <and>
          <if-operation mode="nocase" op="equal">add</if-operation>
          <if-class-name mode="nocase" op="equal">User</if-class-name>
        </and>
      </conditions>
      <actions>
        <do-set-local-variable name="lv-SrcGroupMembers" scope="policy">
          <arg-node-set>
            <token-src-attr class-name="User" name="Group Membership">
              <arg-dn>
                <token-text xml:space="preserve">Vault\Users\Staff\mySrcUser</token-text>
              </arg-dn>
            </token-src-attr>
          </arg-node-set>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <and>
              <if-op-attr name="Group Membership" op="not-available"/>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-append-xml-element expression="." name="add-attr"/>
            <do-set-xml-attr expression="./add-attr[last()]" name="attr-name">
              <arg-string>
                <token-text xml:space="preserve">Group Membership</token-text>
              </arg-string>
            </do-set-xml-attr>
          </arg-actions>
          <arg-actions/>
        </do-if>
        <do-clone-xpath dest-expression='./add-attr[@attr-name="Group Membership"][last()]' src-expression="$lv-SrcGroupMembers"/>
      </actions>
    </rule>

    For those new to working with DirXML Script the following explanations may be helpful.

    Start by scoping the Rule so only Add operations for a User is processed by using the the two conditions.

    <conditions>
      <and>
        <if-operation mode="nocase" op="equal">add</if-operation>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
    </conditions>

    Query the source attribute Group Membership on the source user (user 1) to get the current values of that attribute and store them in a node-set local variable (lv-SrcGroupMembers)

    <do-set-local-variable name="lv-SrcGroupMembers" scope="policy">
      <arg-node-set>
        <token-src-attr class-name="User" name="Group Membership">
          <arg-dn>
            <token-text xml:space="preserve">Vault\Users\Staff\mySrcUser</token-text>
          </arg-dn>
        </token-src-attr>
      </arg-node-set>
    </do-set-local-variable>

    Now check to see if the current operation (for user 2) has the operation attribute of Group Membership in the DOM document and if it is not, add it using the append XML and set XML attribute actions.

    <do-if>
      <arg-conditions>
        <and>
          <if-op-attr name="Group Membership" op="not-available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-append-xml-element expression="." name="add-attr"/>
        <do-set-xml-attr expression="./add-attr[last()]" name="attr-name">
          <arg-string>
            <token-text xml:space="preserve">Group Membership</token-text>
          </arg-string>
        </do-set-xml-attr>
      </arg-actions>
      <arg-actions/>
    </do-if>

    Finally add the Group Membership node-set of values from local variable nodset to the operational attribute in the DOM document for the target user (user 2) using the clone by XPath expression.

    <do-clone-xpath dest-expression='./add-attr[@attr-name="Group Membership"][last()]' src-expression="$lv-SrcGroupMembers"/>

    Keep in mind this example is for a specific case and you will need to adapt it to your needs.

    Hopefully the above addresses your question.

    Cheers,

    D

Comment

  • - as indicates, you need to get the group membership values from user 1 into a node-set variable and then add those values to user 2.

    Where you are in your driver channel/policy set/policy/rules will also impact exactly how you approach this desire. Updating this information in a connected application vs within the Vault will also impact the selection of steps required to get your desired results.

    Assuming that you are working in a loopback driver subscriber channel, for an add event of a new user (user 2) the following sample code could be helpful. There should be additional error checking, and possibly checking for duplicates of Group Membership values if there is something in the DOM document being processed. If this were a Modify event, the example would need to be adapted for that operation instead of an add. The example uses a hard coded reference to query the source user in this example.

    <rule>
      <description>Copy Group Membership from Source User</description>
      <conditions>
        <and>
          <if-operation mode="nocase" op="equal">add</if-operation>
          <if-class-name mode="nocase" op="equal">User</if-class-name>
        </and>
      </conditions>
      <actions>
        <do-set-local-variable name="lv-SrcGroupMembers" scope="policy">
          <arg-node-set>
            <token-src-attr class-name="User" name="Group Membership">
              <arg-dn>
                <token-text xml:space="preserve">Vault\Users\Staff\mySrcUser</token-text>
              </arg-dn>
            </token-src-attr>
          </arg-node-set>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <and>
              <if-op-attr name="Group Membership" op="not-available"/>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-append-xml-element expression="." name="add-attr"/>
            <do-set-xml-attr expression="./add-attr[last()]" name="attr-name">
              <arg-string>
                <token-text xml:space="preserve">Group Membership</token-text>
              </arg-string>
            </do-set-xml-attr>
          </arg-actions>
          <arg-actions/>
        </do-if>
        <do-clone-xpath dest-expression='./add-attr[@attr-name="Group Membership"][last()]' src-expression="$lv-SrcGroupMembers"/>
      </actions>
    </rule>

    For those new to working with DirXML Script the following explanations may be helpful.

    Start by scoping the Rule so only Add operations for a User is processed by using the the two conditions.

    <conditions>
      <and>
        <if-operation mode="nocase" op="equal">add</if-operation>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
      </and>
    </conditions>

    Query the source attribute Group Membership on the source user (user 1) to get the current values of that attribute and store them in a node-set local variable (lv-SrcGroupMembers)

    <do-set-local-variable name="lv-SrcGroupMembers" scope="policy">
      <arg-node-set>
        <token-src-attr class-name="User" name="Group Membership">
          <arg-dn>
            <token-text xml:space="preserve">Vault\Users\Staff\mySrcUser</token-text>
          </arg-dn>
        </token-src-attr>
      </arg-node-set>
    </do-set-local-variable>

    Now check to see if the current operation (for user 2) has the operation attribute of Group Membership in the DOM document and if it is not, add it using the append XML and set XML attribute actions.

    <do-if>
      <arg-conditions>
        <and>
          <if-op-attr name="Group Membership" op="not-available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-append-xml-element expression="." name="add-attr"/>
        <do-set-xml-attr expression="./add-attr[last()]" name="attr-name">
          <arg-string>
            <token-text xml:space="preserve">Group Membership</token-text>
          </arg-string>
        </do-set-xml-attr>
      </arg-actions>
      <arg-actions/>
    </do-if>

    Finally add the Group Membership node-set of values from local variable nodset to the operational attribute in the DOM document for the target user (user 2) using the clone by XPath expression.

    <do-clone-xpath dest-expression='./add-attr[@attr-name="Group Membership"][last()]' src-expression="$lv-SrcGroupMembers"/>

    Keep in mind this example is for a specific case and you will need to adapt it to your needs.

    Hopefully the above addresses your question.

    Cheers,

    D

Children
No Data
Related Discussions
Recommended

Resources

Support
Documentation
Training
CyberRes Academy
Partner Portal
Contact us
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
How To Buy
Careers
Investor Relations
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.