sathish10 Valued Contributor.

Capturing the removed roles from users does not work properly

Hi,

We are using the loopback driver for capturing the removed roles from users by using the below rule.

It does not work properly, as we have found that sometimes it captures the assigned role as well. Please help.

<conditions>
  <and>
    <if-class-name mode="nocase" op="equal">User</if-class-name>
    <if-op-attr name="nrfAssignedRoles" op="changing"/>
  </and>
</conditions>

<actions>
  <do-trace-message>
    <arg-string>
      <token-text xml:space="preserve">Removed Values</token-text>
      <token-removed-attr name="nrfAssignedRoles"/>
    </arg-string>
  </do-trace-message>
  <do-set-local-variable name="lvUserCn" scope="policy">
    <arg-string>
      <token-src-dn/>
    </arg-string>
  </do-set-local-variable>
  <do-trace-message>
    <arg-string>
      <token-text xml:space="preserve">User DN</token-text>
      <token-local-variable name="lvUserCn"/>
    </arg-string>
  </do-trace-message>
  <do-for-each>
    <arg-node-set>
      <token-removed-attr name="nrfAssignedRoles"/>
    </arg-node-set>
    <arg-actions>
      <do-set-local-variable name="lvRoleEntry" scope="policy">
        <arg-string>
          <token-xpath expression="$current-node"/>
        </arg-string>
      </do-set-local-variable>
      <!-- the rest of the rule was not included in the post -->
    </arg-actions>
  </do-for-each>
</actions>

Thanks,

Sathish

pdeneu Super Contributor.

Re: Capturing the removed roles from users does not work properly

Hey,

have you got an example xds for this?

Regards


--
https://www.lanworks.de
Satz Respected Contributor.

Re: Capturing the removed roles from users does not work properly

Hey, try the below.

<rule>
  <conditions>
    <and>
      <if-class-name op="equal">User</if-class-name>
      <if-operation mode="nocase" op="equal">modify</if-operation>
      <if-op-attr name="nrfAssignedRoles" op="changing"/>
      <if-xpath op="true">(modify-attr[@attr-name="nrfAssignedRoles"]/remove-value/value)</if-xpath>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="lvRolesRemoving" scope="policy">
      <arg-node-set>
        <token-xpath expression='modify-attr[@attr-name="nrfAssignedRoles"]/remove-value/value'/>
      </arg-node-set>
    </do-set-local-variable>
    <do-for-each>
      <arg-node-set>
        <token-local-variable name="lvRolesRemoving"/>
      </arg-node-set>
      <arg-actions>
        <do-set-local-variable name="lvcurrentnode" scope="policy">
          <arg-string>
            <token-local-variable name="current-node"/>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>

Let me know if it works.

Knowledge Partner

Re: Capturing the removed roles from users does not work properly

Regarding this unwieldy condition:

<if-xpath op="true">(modify-attr[@attr-name="nrfAssignedRoles"]/remove-value/value)</if-xpath>

You can and should use the if-operation-attr token for this type of thing instead (as the original poster tried to do).

This token has a "changing from" option. This looks at remove-value elements.
Combine this with a regex match of .+ and you get the same effect in a far more human-readable (and manageable) manner.
Alex McHugh - Knowledge Partner - Stavanger, Norway
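
The condition suggested in the last reply, written out as an added example (not code posted by anyone in the thread): `if-op-attr` with `op="changing-from"` and a regex of `.+` replaces both the plain `op="changing"` test and the `if-xpath` test, and the loop over removed values follows the original post. The rule description and trace text are made up for illustration.

```xml
<rule>
  <description>Trace roles removed from a User (illustrative)</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
      <if-operation mode="nocase" op="equal">modify</if-operation>
      <!-- op="changing" is true for any change to the attribute, additions included.
           op="changing-from" only considers remove-value elements; the regex .+
           makes it true as soon as at least one value is being removed. -->
      <if-op-attr mode="regex" name="nrfAssignedRoles" op="changing-from">.+</if-op-attr>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="lvUserCn" scope="policy">
      <arg-string>
        <token-src-dn/>
      </arg-string>
    </do-set-local-variable>
    <!-- token-removed-attr returns only the values under remove-value -->
    <do-for-each>
      <arg-node-set>
        <token-removed-attr name="nrfAssignedRoles"/>
      </arg-node-set>
      <arg-actions>
        <do-trace-message>
          <arg-string>
            <token-text xml:space="preserve">Role value removed from </token-text>
            <token-local-variable name="lvUserCn"/>
            <token-text xml:space="preserve">: </token-text>
            <token-local-variable name="current-node"/>
          </arg-string>
        </do-trace-message>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
```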