
Group membership depending on Attribute


Hello,

IDM 3.6.1, I have a very simple driver that looks at an Oracle database
and sets some attributes for users. Dependent on these attributes I
would like to add them to different groups in the IDM tree as these are
then sync'd to AD and eDir, but for some reason the users are not being
added to the groups. I would also like to remove them from the group
when the attribute says x - when I was testing this I ended up deleting
a few users...

Here is the snippet of code I am trying, it's running under publisher
command.

<rule>
  <description>Add to Group</description>
  <conditions>
    <and>
      <if-op-attr mode="regex" name="costCenter" op="changing-to">ADD</if-op-attr>
      <if-class-name op="equal">user</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-set-dest-attr-value name="Group Membership">
      <arg-value type="string">
        <token-attr name="CN"/>
        <token-text xml:space="preserve">idm-tree\groups\groupname</token-text>
      </arg-value>
    </do-set-dest-attr-value>
    <do-clone-op-attr dest-name="Security Equals" src-name="Group Membership"/>
  </actions>
</rule>
<rule>
  <description>Remove From Group</description>
  <conditions>
    <and>
      <if-op-attr mode="regex" name="costCenter" op="changing-to">x</if-op-attr>
      <if-class-name op="equal">user</if-class-name>
    </and>
  </conditions>
  <actions>
    <do-remove-dest-attr-value name="Group Membership">
      <arg-value type="string">
        <token-attr name="CN"/>
        <token-text xml:space="preserve">idm-tree\groups\groupname</token-text>
      </arg-value>
    </do-remove-dest-attr-value>
    <do-clone-op-attr dest-name="Security Equals" src-name="Group Membership"/>
  </actions>
</rule>

I have used a few attributes that are not needed - hence costCenter. I
have looked everywhere and no matter which I try it doesn't seem to
work...any help gratefully appreciated

Thanks

Jeff


--
Stonej
------------------------------------------------------------------------
Stonej's Profile: https://forums.netiq.com/member.php?userid=4156
View this thread: https://forums.netiq.com/showthread.php?t=51732


Re: Group membership depending on Attribute

Stonej wrote:

>
> Hello,
>
> IDM 3.6.1, I have a very simple driver that looks at an oracle database
> and sets some attributes for users. Dependent on these attributes I
> would like to add them to different groups in the IDM tree as these are
> then sync'd to AD and eDir, but for some reason the users are not being
> added to the groups. I would also like to remove them from the group
> when the attribute says x - when I was testing this I ended up deleting
> a few users...
>
> Here is the snippet of code I am trying, it's running under publisher
> command.
>
> <rule>
>   <description>Add to Group</description>
>   <conditions>
>     <and>
>       <if-op-attr mode="regex" name="costCenter" op="changing-to">ADD</if-op-attr>
>       <if-class-name op="equal">user</if-class-name>
>     </and>
>   </conditions>
>   <actions>
>     <do-set-dest-attr-value name="Group Membership">
>       <arg-value type="string">
>         <token-attr name="CN"/>
>         <token-text xml:space="preserve">idm-tree\groups\groupname</token-text>
>       </arg-value>
>     </do-set-dest-attr-value>
>     <do-clone-op-attr dest-name="Security Equals" src-name="Group Membership"/>
>   </actions>
> </rule>
> <rule>
>   <description>Remove From Group</description>
>   <conditions>
>     <and>
>       <if-op-attr mode="regex" name="costCenter" op="changing-to">x</if-op-attr>
>       <if-class-name op="equal">user</if-class-name>
>     </and>
>   </conditions>
>   <actions>
>     <do-remove-dest-attr-value name="Group Membership">
>       <arg-value type="string">
>         <token-attr name="CN"/>
>         <token-text xml:space="preserve">idm-tree\groups\groupname</token-text>
>       </arg-value>
>     </do-remove-dest-attr-value>
>     <do-clone-op-attr dest-name="Security Equals" src-name="Group Membership"/>
>   </actions>
> </rule>
>
> I have used a few attributes that are not needed - hence costCenter. I
> have looked everywhere and no matter which I try it doesn't seem to
> work...any help gratefully appreciated


Comments

#1 you use regex mode in the if-op-attr statements but the matches are not regular expressions. Is there a reason for this?
#2 group membership is a DN syntax attribute not string
#3 you need to switch the <token-attr name="CN"/> so that it is after the token-text

<arg-value type="dn">
<token-text xml:space="preserve">idm-tree\groups\groupname\</token-text>
<token-attr name="CN"/>
</arg-value>


#4 I'd generally sync the relevant data to some attributes in the IDVault and then put this group logic in a null driver. Makes things cleaner and easier to test/debug.
#5 It's generally best practice to use <token-src-name/> instead of <token-attr name="CN"/> where this makes sense. In this case, I would recommend this.



--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Group membership depending on Attribute


If you are still testing .. why not use role based entitlement driver
for automatic group membership handling


--
vivekbm
------------------------------------------------------------------------
vivekbm's Profile: https://forums.netiq.com/member.php?userid=528
View this thread: https://forums.netiq.com/showthread.php?t=51732


Re: Group membership depending on Attribute

vivekbm wrote:

>
> If you are still testing .. why not use role based entitlement driver
> for automatic group membership handling


We've done this in many environments, but I got the impression that the RBE driver didn't have much of a future (it can't fully support the IDM4 style entitlements for example).

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Group membership depending on Attribute


alexmchugh;248648 Wrote:
> vivekbm wrote:
>
> >
> > If you are still testing .. why not use role based entitlement driver
> > for automatic group membership handling

>
> We've done this in many environments, but I got the impression that the
> RBE driver didn't have much of a future (it can't fully support the IDM4
> style entitlements for example).
>
> --
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


With all your help I have managed to get this working in a fashion. For
some reason whenever I add a user to a group in the IDVault it deletes
everyone else in the group!

We are hoping to upgrade to IDM4 in the next couple of months, from the
sounds of it, this will fix many of these little issues that I have....

Jeff


--
Stonej
------------------------------------------------------------------------
Stonej's Profile: https://forums.netiq.com/member.php?userid=4156
View this thread: https://forums.netiq.com/showthread.php?t=51732


Re: Group membership depending on Attribute

On Fri, 19 Sep 2014 10:39:50 +0000, Stonej wrote:

> alexmchugh;248648 Wrote:
>> vivekbm wrote:
>>
>>
>> > If you are still testing .. why not use role based entitlement driver
>> > for automatic group membership handling

>>
>> We've done this in many environments, but I got the impression that the
>> RBE driver didn't have much of a future (it can't fully support the
>> IDM4 style entitlements for example).
>>
>> --
>> If you find this post helpful and are logged into the web interface,
>> show your appreciation and click on the star below...

>
> With all your help I have managed to get this working in a fashion. For
> some reason whenever I add a user to a group in the IDVault it deletes
> everyone else in the group!


That may be a feature. Post a level 3 trace of this, so we can see what's
happening.


> We are hoping to upgrade to IDM4 in the next couple of months, from the
> sounds of it, this will fix many of these little issues that I have....


Upgrade from what version?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.

Re: Group membership depending on Attribute


Upgrade from version 3.6.1 to 4...

Here is a trace :

http://pastebin.com/L2BnxZFf

too long to paste here...

Thanks


--
Stonej
------------------------------------------------------------------------
Stonej's Profile: https://forums.netiq.com/member.php?userid=4156
View this thread: https://forums.netiq.com/showthread.php?t=51732


Re: Group membership depending on Attribute

Stonej wrote:

>
> Upgrade from version 3.6.1 to 4...
>
> Here is a trace :
>
> http://pastebin.com/L2BnxZFf
>
> too long to paste here...
>
> Thanks


change do-set-dest-attr-value to do-add-dest-attr-value and you should be OK

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
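
Added example, not code from any poster in this thread: a small Python check over policy XML that flags the two problems the replies point out, a do-set-dest-attr-value on a membership attribute (set replaces every existing value, add only appends) and an arg-value that is not type="dn". The function name `audit_rule` and the `DN_ATTRS` list are assumptions made for this sketch; the two sample rules are constructed from the snippets posted above.

```python
import xml.etree.ElementTree as ET

# DN-syntax, multi-valued membership attributes (list assumed for this check).
DN_ATTRS = {"Group Membership", "Security Equals", "Member", "Equivalent To Me"}

# Constructed sample: the posted "Add to Group" actions, conditions left out.
POSTED_RULE = r"""<rule>
  <description>Add to Group</description>
  <actions>
    <do-set-dest-attr-value name="Group Membership">
      <arg-value type="string">
        <token-attr name="CN"/>
        <token-text xml:space="preserve">idm-tree\groups\groupname</token-text>
      </arg-value>
    </do-set-dest-attr-value>
  </actions>
</rule>"""

# Constructed sample: the same actions with the changes from the replies applied.
FIXED_RULE = r"""<rule>
  <description>Add to Group</description>
  <actions>
    <do-add-dest-attr-value name="Group Membership">
      <arg-value type="dn">
        <token-text xml:space="preserve">idm-tree\groups\groupname\</token-text>
        <token-attr name="CN"/>
      </arg-value>
    </do-add-dest-attr-value>
  </actions>
</rule>"""


def audit_rule(policy_xml):
    """Return (rule description, finding) tuples for risky membership actions."""
    findings = []
    for rule in ET.fromstring(policy_xml).iter("rule"):
        desc = rule.findtext("description", default="(no description)")
        for action in rule.iter():
            attr = action.get("name")
            if not action.tag.endswith("-dest-attr-value") or attr not in DN_ATTRS:
                continue
            if action.tag == "do-set-dest-attr-value":
                findings.append((desc, f"set on '{attr}' replaces all existing values"))
            for arg in action.findall("arg-value"):
                if arg.get("type") != "dn":
                    findings.append((desc, f"'{attr}' value has type {arg.get('type')!r}, expected dn"))
    return findings
```

Running `audit_rule` over an exported policy before deployment catches membership-wiping actions without needing a level 3 trace from a live driver.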