Commander

Google Apps Driver Placement Policies for Users

Hi,

I have already deployed the Google Apps driver successfully in NetIQ IDM 4.8.

When I create a user in the Identity Vault, the user is then created in the base container of the Google Apps (G Suite) directory.

Does anyone have an idea about placement policies that can transfer users to a particular OU?

I tried the policy shown in the snapshot below (1.JPG),

but it's still not working.

Can anyone help me with that?


I am facing the same issue.

Kindly suggest if you have any solution.

Regards,

Chirag

Knowledge Partner

Could you post a trace of the engine/shim processing this? I.e., show us this policy firing, then jump to when it is submitted to the shim and show us the trace of that happening and any error/success it generates, please.

 

Commander

Hi geoffc,

As you mentioned in your reply, I generated the log, but it shows success and the user is not placed into temp emp. It is still going into the base OU.


Hi.

I have not used Google Apps driver with 4.8, but in 4.7 you specify destination DN in a slash format (not LDAP), such as:

temp emp\username@yourdomain.com

Note that there is no leading backslash (\).

Best regards

Marcus

Commodore

I would not expect that the ou notation would be:

cn=... bla bla ...,orgunit="temp emp" but rather cn=... bla bla ...,orgunit=temp emp. That would be a normal LDAP notation.

Micro Focus Expert

@Dhaval Patel Hopefully you have found your solution by now.

In any case the following is likely more than you need and some of the other answers have already indicated that your target destination needs to be in slash format with no leading slash. Something like "GoogleOrg/SubOrg/UserName" is what you need for placement. (If you are moving a user that is a different question and would be a Modify process outside of the Placement Policy Set.)

From a working GoogleApps driver I have the following Placement policy that determines placement based on school location as well as the services the student is assigned to. The school has set up Google Organizations for each location and then sub-containers below that for each of the services groupings. There is a mix of Auxiliary Class Attributes customized for the customer that I have cleaned up to protect the innocent. With that in mind, the Policy looks like:

<rule>
  <description>Place all students in Google based on the 'PrimaryLoc' &amp; 'GAServices' values</description>
  <comment xml:space="preserve">If values for the PrimaryLoc and GAServices are present, use this to place user in the corresponding Organization location (PrimaryLoc/GAServices).
If the value for GAServices is not present set it to the No Services Sub Organization default value and use that value in setting the destination location.
If the value for PrimaryLocation matches the Inactive Location place the Student in the Retained Students Organization instead.</comment>
  <conditions>
    <and>
      <if-attr mode="nocase" name="UserRole" op="equal">student</if-attr>
    </and>
  </conditions>
  <actions>
    <do-if>
      <arg-conditions>
        <and>
          <if-attr name="GAServices" op="available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="lv.GAServices" scope="policy">
          <arg-string>
            <token-attr name="GAServices"/>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions>
        <do-set-local-variable name="lv.GAServices" scope="policy">
          <arg-string>
            <token-global-variable name="gapp.NoServicesSubOrg"/>
          </arg-string>
        </do-set-local-variable>
        <do-set-src-attr-value name="GAServices">
          <arg-value type="string">
            <token-local-variable name="lv.GAServices"/>
          </arg-value>
        </do-set-src-attr-value>
      </arg-actions>
    </do-if>
    <do-if>
      <arg-conditions>
        <and>
          <if-op-attr mode="case" name="PrimaryLoc" op="not-equal">$InactiveLocation$</if-op-attr>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="lv.StudentLocation" scope="policy">
          <arg-string>
            <token-attr name="PrimaryLoc"/>
            <token-text xml:space="preserve">/</token-text>
            <token-local-variable name="lv.GAServices"/>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions>
        <do-set-local-variable name="lv.StudentLocation" scope="policy">
          <arg-string>
            <token-global-variable name="$gapp.StudentRetainedOrg$"/>
            <token-text xml:space="preserve">/</token-text>
            <token-local-variable name="lv.GAServices"/>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
    </do-if>
    <do-trace-message level="1">
      <arg-string>
        <token-text xml:space="preserve">Student School Location is --> </token-text>
        <token-local-variable name="lv.StudentLocation"/>
      </arg-string>
    </do-trace-message>
    <do-set-op-dest-dn>
      <arg-dn>
        <token-local-variable name="lv.StudentLocation"/>
        <token-text xml:space="preserve">/</token-text>
        <token-attr name="CN"/>
      </arg-dn>
    </do-set-op-dest-dn>
    <do-trace-message level="1">
      <arg-string>
        <token-text xml:space="preserve">Goes Here --> </token-text>
        <token-dest-dn/>
      </arg-string>
    </do-trace-message>
    <do-break/>
  </actions>
</rule>

Hope you and others find this helpful.

Cheers,

D
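
A static check for the two destination-DN mistakes the replies above describe (LDAP-style notation and a leading slash), as an added example that is not part of the original thread or of the driver. The sample policies are constructed, and the rules encode only what the replies state, not the driver documentation.

```python
import re
import xml.etree.ElementTree as ET

# Typed LDAP components such as cn=... or orgunit=... in literal DN text.
LDAP_TYPED = re.compile(r"(?i)\b(cn|ou|orgunit|uid)\s*=")

def lint_placement(policy_xml):
    """Return (rule description, finding) pairs for every do-set-op-dest-dn."""
    findings = []
    for rule in ET.fromstring(policy_xml).iter("rule"):
        desc = (rule.findtext("description") or "(no description)").strip()
        for action in rule.iter("do-set-op-dest-dn"):
            arg_dn = action.find("arg-dn")
            tokens = list(arg_dn) if arg_dn is not None else []
            if not tokens:
                findings.append((desc, "empty arg-dn"))
                continue
            first = tokens[0]
            # The DN must not start with a literal "/" or "\".
            if first.tag == "token-text" and (first.text or "").lstrip()[:1] in ("/", "\\"):
                findings.append((desc, "leading separator"))
            # Only literal text is inspected; attribute and variable tokens are runtime values.
            literal = "".join(t.text or "" for t in tokens if t.tag == "token-text")
            if LDAP_TYPED.search(literal):
                findings.append((desc, "LDAP-style typed component"))
    return findings

# Constructed sample: the two notations the thread says do not work.
BAD_POLICY = """<policy>
  <rule><description>LDAP notation</description><actions><do-set-op-dest-dn><arg-dn>
    <token-text>cn=</token-text><token-attr name="CN"/>
    <token-text>,orgunit="temp emp"</token-text>
  </arg-dn></do-set-op-dest-dn></actions></rule>
  <rule><description>Leading slash</description><actions><do-set-op-dest-dn><arg-dn>
    <token-text>/temp emp/</token-text><token-attr name="CN"/>
  </arg-dn></do-set-op-dest-dn></actions></rule>
</policy>"""

# Constructed sample: slash format, no leading slash, as the replies recommend.
GOOD_POLICY = """<policy>
  <rule><description>Slash format</description><actions><do-set-op-dest-dn><arg-dn>
    <token-text>temp emp/</token-text><token-attr name="CN"/>
  </arg-dn></do-set-op-dest-dn></actions></rule>
</policy>"""

if __name__ == "__main__":
    for name, xml_text in (("bad", BAD_POLICY), ("good", GOOD_POLICY)):
        print(name, lint_placement(xml_text))
```

Because variable and attribute tokens are only resolved when the policy runs, a clean result here still needs confirming against the destination DN trace message at runtime.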

 

 
