
Add user to Group in Active Directory


Hi,

We are using NetIQ IDM 4.0.2. We use AD driver to sync only users from
IDM to Active Directory and not the Groups. Groups will be maintained by
AD team.

As per our requirement, the user will raise a request for share access
through a workflow and, if it gets approved, the user will be added to the
respective share group in AD.

Please help if this can be done with driver policy, and provide a sample
policy for that.

Thanks,
DK


--
dinatechmnovell
------------------------------------------------------------------------
dinatechmnovell's Profile: https://forums.netiq.com/member.php?userid=6777
View this thread: https://forums.netiq.com/showthread.php?t=50284


Re: Add user to Group in Active Directory

dinatechmnovell wrote:

>
> Hi,
>
> We are using NetIQ IDM 4.0.2. We use AD driver to sync only users from
> IDM to Active Directory and not the Groups. Groups will be maintained by
> AD team.
>
> As per our requirement, the user will raise a request for share access
> through a workflow and, if it gets approved, the user will be added to the
> respective share group in AD.
>
> Please help if this can be done with driver policy, and provide a sample
> policy for that.


There shouldn't need to be any major changes to driver policy for this.

I'd use the AD group entitlement object, link it to a resource with the set value at assignment, and do most of the heavy lifting in the userapp/workflow.


--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Add user to Group in Active Directory


Below is the code I am using, but it gives a src-dn missing error. Please
help me build the correct rule/policy.

<policy>
<rule>
<description>Group Provisioning</description>
<conditions>
<and>
<if-operation mode="case" op="equal">modify</if-operation>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-association op="associated"/>
<if-entitlement name="entADGroup" op="available"/>
</and>
</conditions>
<actions>
<do-add-dest-attr-value class-name="Group" name="Member">
<arg-dn>
<token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
</arg-dn>
<arg-value type="string">
<token-dest-dn/>
</arg-value>
</do-add-dest-attr-value>
</actions>
</rule>
</policy>



Re: Add user to Group in Active Directory

On 3/16/2014 6:35 AM, dinatechmnovell wrote:
>
> Below is the code I am using, but it gives a src-dn missing error. Please
> help me build the correct rule/policy.
>
> <policy>
> <rule>
> <description>Group Provisioning</description>
> <conditions>
> <and>
> <if-operation mode="case" op="equal">modify</if-operation>
> <if-class-name mode="nocase" op="equal">User</if-class-name>
> <if-association op="associated"/>
> <if-entitlement name="entADGroup" op="available"/>
> </and>
> </conditions>
> <actions>
> <do-add-dest-attr-value class-name="Group" name="Member">
> <arg-dn>
> <token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
> </arg-dn>
> <arg-value type="string">
> <token-dest-dn/>
> </arg-value>
> </do-add-dest-attr-value>
> </actions>
> </rule>
> </policy>


Modify events on an associated object do not have a dest DN in the
event. The token-dest-dn seems like it should magically figure that out
for you; alas, it is a simple alias for the XPath @dest-dn (discussed in
my book, in fact).

So you would need to use the Resolve token to resolve the association
value to the DN and use that value. So in your add-dest-attr, where you
specify the group DN explicitly, replace the value of token-dest-dn with
the local variable DEST-DN that you get in the previous action:

<do-set-local-variable name="DEST-DN" scope="policy">
<arg-string>
<token-resolve datastore="dest">
<arg-association>
<token-association/>
</arg-association>
</token-resolve>
</arg-string>
</do-set-local-variable>

My book on IDM tokens is available at:

http://www.ninja-tools.com/Definitive-Guide-to-NetIQ-IDM-Tokens-Soft-Copy-2001.htm



Re: Add user to Group in Active Directory

Geoffrey Carman wrote:

> Modify events on an associated object do not have a dest DN in the event. The token-dest-dn seems like it should magically figure that out for you; alas, it is a simple alias for the XPath @dest-dn (discussed in my book, in fact).
>
> So you would need to use the Resolve token to resolve the association value to the DN and use that value. So in your add-dest-attr, where you specify the group DN explicitly, replace the value of token-dest-dn with the local variable DEST-DN that you get in the previous action:
>
> <do-set-local-variable name="DEST-DN" scope="policy">
> <arg-string>
> <token-resolve datastore="dest">
> <arg-association>
> <token-association/>
> </arg-association>
> </token-resolve>
> </arg-string>
> </do-set-local-variable>


All true, but actually, in your scenario you don't even need to resolve the dest-dn of the user object. You can set the association-ref on the member attribute value and let the driver shim handle this for you. This is faster (as long as the current operation is already associated).
<do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
<arg-string>
<token-association/>
</arg-string>
</do-set-xml-attr>


The other problem with your code is the way you test for entitlements:

<if-entitlement name="entADGroup" op="available"/>

This means that this code will execute on each and every modify, which is inefficient and may cause warnings/errors to be reported from AD that the user is already a member of the group.

I would instead use the following code.

NOTE: wrapping the added/removed entitlement in a for-each is good practice even if the value is single-valued, as it implicitly calls <do-implement-entitlement>, which is a special action that ensures that entitlement activities are written to the DirXML-EntitlementResult attribute on the user.

<rule>
<description>Group Provisioning</description>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-operation mode="nocase" op="equal">modify</if-operation>
<if-association op="associated"/>
<if-entitlement name="entADGroup" op="changing"/>
</and>
</conditions>
<actions>
<do-for-each>
<arg-node-set>
<token-added-entitlement name="entADGroup"/>
</arg-node-set>
<arg-actions>
<do-add-dest-attr-value class-name="Group" name="Member">
<arg-dn>
<token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
</arg-dn>
<arg-value type="string">
<token-src-dn/>
</arg-value>
</do-add-dest-attr-value>
<do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
<arg-string>
<token-association/>
</arg-string>
</do-set-xml-attr>
<do-break/>
</arg-actions>
</do-for-each>
</actions>
</rule>



Re: Add user to Group in Active Directory

> All true, but actually, in your scenario you don't even need to resolve the dest-dn of the user object. You can set the association-ref on the member attribute value and let the driver shim handle this for you. This is faster (as long as the current operation is already associated).
> <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
> <arg-string>
> <token-association/>
> </arg-string>
> </do-set-xml-attr>


That is true as well. I suspect my approach might be simpler to digest,
but your way is more efficient.


> The other problem with your code is the way you test for entitlements:
>
> <if-entitlement name="entADGroup" op="available"/>
>
> This means that this code will execute on each and every modify, which is inefficient and may cause warnings/errors to be reported from AD that the user is already a member of the group.
>
> I would instead use the following code.
>
> NOTE: wrapping the added/removed entitlement in a for-each is good practice even if the value is single-valued, as it implicitly calls <do-implement-entitlement>, which is a special action that ensures that entitlement activities are written to the DirXML-EntitlementResult attribute on the user.
>
> <rule>
> <description>Group Provisioning</description>
> <conditions>
> <and>
> <if-class-name mode="nocase" op="equal">User</if-class-name>
> <if-operation mode="nocase" op="equal">modify</if-operation>
> <if-association op="associated"/>
> <if-entitlement name="entADGroup" op="changing"/>
> </and>
> </conditions>
> <actions>
> <do-for-each>
> <arg-node-set>
> <token-added-entitlement name="entADGroup"/>
> </arg-node-set>
> <arg-actions>
> <do-add-dest-attr-value class-name="Group" name="Member">
> <arg-dn>
> <token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
> </arg-dn>
> <arg-value type="string">
> <token-src-dn/>
> </arg-value>
> </do-add-dest-attr-value>
> <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
> <arg-string>
> <token-association/>
> </arg-string>
> </do-set-xml-attr>
> <do-break/>
> </arg-actions>
> </do-for-each>
> </actions>
> </rule>

Re: Add user to Group in Active Directory

On Fri, 14 Mar 2014 09:14:02 +0000, dinatechmnovell wrote:

> Hi,
>
> We are using NetIQ IDM 4.0.2. We use AD driver to sync only users from
> IDM to Active Directory and not the Groups. Groups will be maintained by
> AD team.


You may want to re-think this.


> As per our requirement, the user will raise a request for share access
> through a workflow and, if it gets approved, the user will be added to the
> respective share group in AD.


If you're intending to do group manipulations from within IDM, it's
somewhat easier to do if you sync the groups.


> Please help if this can be done with driver policy, and provide a sample
> policy for that.


You might find some ideas here:

http://www.novell.com/communities/node/6723/changing-users-primary-group-active-directory


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.