tschloesser Super Contributor.

Problem converting operations

Hi,

I have the following challenge, and I am quite sure I solved it in the past - but now under IDM 4.7 things seem to be different.

The challenge sounds quite simple: I want to convert an add to a modify.

In a little more detail: I am working on a matching policy which should match a group against a resource. Due to this fact I am not able to use the do-find-matching-object action.

But running a query and analyzing the number of instances found is working as designed.

Now I set up a rule to fire when exactly one resource is found.
In this case I want to get rid of the add operation, but I want to modify the resource found.

In the past I did a do-strip-xpath(.) action followed by do-set-destination-attribute. But this is leading into a null pointer exception.
Without the do-strip-xpath(.) the policy is working and the resource is updated, but I can see errors since the add can not be done - for obvious reasons 😉

The only working solution I found is to choose to write the modify directly and then do a veto - but there should be a way to remove the add and replace it by a modify which runs through the later policies, is there not?

I hope that I am only too blind to see, and that someone has a clue what I am doing wrong! While testing I was using the following XPath expressions, which all lead to the same result:
do-strip-xpath expression="."
do-strip-xpath expression="add", do-strip-xpath expression=".../add", do-strip-xpath expression="self::add"

BTW: this is what the non-working policy looks like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "E:\NetIQ\Designer47\plugins\com.novell.idm.policybuilder_4.0.0.201804161219\DTD\dirxmlscript4.6.2.dtd">
<policy xmlns:es="http://www.novell.com/nxsl/ecmascript">
  <rule>
    <description>find matching resource</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">Group</if-class-name>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="lv.Results" scope="policy">
        <arg-node-set>
          <token-query class-name="nrfResource">
            <arg-dn>
              <token-global-variable name="gcv.resourceContextDN"/>
            </arg-dn>
            <arg-match-attr name="cn">
              <arg-value type="string">
                <token-op-property name="resourceName"/>
              </arg-value>
            </arg-match-attr>
          </token-query>
        </arg-node-set>
      </do-set-local-variable>
      <do-set-local-variable name="lv.ObjectsFound" scope="policy">
        <arg-string>
          <token-xpath expression="count($lv.Results)"/>
        </arg-string>
      </do-set-local-variable>
      <do-if>
        <arg-conditions>
          <and>
            <if-xpath op="true">$lv.ObjectsFound = 1</if-xpath>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-trace-message level="0">
            <arg-string>
              <token-text xml:space="preserve">Merging Objects</token-text>
            </arg-string>
          </do-trace-message>
          <do-strip-xpath expression="."/>
          <do-set-dest-attr-value class-name="nrfResource" name="nrfLocalizedDescrs" when="after">
            <arg-dn>
              <token-text xml:space="preserve">\IDM-DEV-TREE\</token-text>
              <token-global-variable name="gcv.resourceContextDN"/>
              <token-text xml:space="preserve">\</token-text>
              <token-op-property name="resourceName"/>
            </arg-dn>
            <arg-value type="string">
              <token-text xml:space="preserve">en~</token-text>
              <token-attr name="Description"/>
              <token-text xml:space="preserve">|</token-text>
              <token-text xml:space="preserve">de~</token-text>
              <token-attr name="Description"/>
            </arg-value>
          </do-set-dest-attr-value>
        </arg-actions>
        <arg-actions/>
      </do-if>
    </actions>
  </rule>
</policy>
7 Replies
tschloesser Super Contributor.

Re: Problem converting operations

Sorry, I was really too blind to see. Using //add as an expression in this case is working.

But I am pretty sure that strip XPath(.) was working before, so maybe there are some changes in the way the IDM engine is interpreting the XDS objects!
tschloesser Super Contributor.

Re: Problem converting operations

Hm, very strange in the simulation the //add expression to remove just the add is working - in the engine I am still facing the add followed by the modify.

Does anybody have an idea how to change this XDS
<nds dtdversion="2.2">
  <source>
    <product build="20171012_120000" instance="\IDM-DEV-TREE\IHK-BER\system\IDMDriverSet\Active Directory Driver" version="4.0.3.0">AD</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <input>
    <add class-name="Group" event-id="Active Directory Driver##163fd5c8d5d##0" src-dn="CN=vSphere User,OU=Administrative Gruppen,OU=Benutzergruppen,OU=Gruppenkonten,DC=ihkberlin,DC=intern">
      <association>12925a3195a559488150cd36d7bb07f6</association>
      <add-attr attr-name="CN">
        <value naming="true" type="string">vSphere User</value>
      </add-attr>
      <add-attr attr-name="Description">
        <value naming="true" type="string">vSphere Role: Virtual Machine User-testA</value>
      </add-attr>
      <add-attr attr-name="groupType">
        <value naming="true" type="int">-2147483644</value>
      </add-attr>
      <add-attr attr-name="GUID">
        <value naming="true" type="octet">EpJaMZWlWUiBUM0217sH9g==</value>
      </add-attr>
      <operation-data attempt-to-match="true" initialOperationType="modify" resourceName="mad-vSphere User"/>
    </add>
  </input>
</nds>

into just this:
<nds dtdversion="2.2">
  <source>
    <product build="20171012_120000" instance="\IDM-DEV-TREE\IHK-BER\system\IDMDriverSet\Active Directory Driver" version="4.0.3.0">AD</product>
    <contact>NetIQ Corporation</contact>
  </source>
  <input>
    <modify class-name="group" dest-dn="\IDM-DEV-TREE\IHK-BER\system\IDMDriverSet\UserApplication\AppConfig\RoleConfig\ResourceDefs\mad-vSphere User" event-id="Active Directory Driver##163fd5c8d5d##0">
      <modify-attr attr-name="Description">
        <remove-all-values/>
        <add-value>
          <value type="string">vSphere Role: Virtual Machine User-testA</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
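The rewrite asked for in the post above (drop the <add>, emit a <modify> on the matched resource) as a stand-alone Python script. This is an added example, not code from the thread and not how the IDM engine does it: the sample XDS is constructed from the post, the ResourceDefs container DN is assumed to be the poster's gcv.resourceContextDN, and the target class nrfResource is taken from the poster's do-set-dest-attr-value action.

```python
# Added example: convert an XDS <add> into a <modify> on the matched resource (not engine code).
import xml.etree.ElementTree as ET

# Constructed from the second post of the thread, trimmed to what the rewrite needs.
ADD_XDS = """<nds dtdversion="2.2">
<input>
<add class-name="Group" event-id="Active Directory Driver##163fd5c8d5d##0"
     src-dn="CN=vSphere User,OU=Gruppenkonten,DC=ihkberlin,DC=intern">
<association>12925a3195a559488150cd36d7bb07f6</association>
<add-attr attr-name="CN"><value naming="true" type="string">vSphere User</value></add-attr>
<add-attr attr-name="Description"><value type="string">vSphere Role: Virtual Machine User-testA</value></add-attr>
<operation-data attempt-to-match="true" initialOperationType="modify" resourceName="mad-vSphere User"/>
</add>
</input>
</nds>"""

# Assumed value of the poster's gcv.resourceContextDN (the dest-dn container shown in the post).
RESOURCE_DEFS_DN = r"\IDM-DEV-TREE\IHK-BER\system\IDMDriverSet\UserApplication\AppConfig\RoleConfig\ResourceDefs"


def add_to_modify(xds: str, attrs=("Description",)) -> ET.Element:
    """Return the parsed document with its <input>/<add> replaced by a <modify>
    on the matched nrfResource. Raises ValueError when no <add> is present or
    the add carries no operation-data/@resourceName to build the dest-dn from."""
    root = ET.fromstring(xds)
    inp = root.find("input")
    add = inp.find("add") if inp is not None else None
    if add is None:
        raise ValueError("document carries no <input>/<add>")
    opdata = add.find("operation-data")
    if opdata is None or not opdata.get("resourceName"):
        raise ValueError("<add> has no operation-data/@resourceName; cannot build dest-dn")
    modify = ET.Element("modify", {
        "class-name": "nrfResource",  # target class from the poster's do-set-dest-attr-value
        "dest-dn": RESOURCE_DEFS_DN + "\\" + opdata.get("resourceName"),
        "event-id": add.get("event-id", ""),  # keep the event-id so traces still correlate
    })
    for name in attrs:
        values = add.findall(f"add-attr[@attr-name='{name}']/value")
        if not values:
            continue  # attribute absent on the add: nothing to replace on the resource
        mattr = ET.SubElement(modify, "modify-attr", {"attr-name": name})
        ET.SubElement(mattr, "remove-all-values")  # replace semantics, as in the post's modify
        for v in values:
            new = ET.SubElement(ET.SubElement(mattr, "add-value"), "value", {"type": v.get("type", "string")})
            new.text = v.text
    inp.remove(add)    # the part do-strip-xpath "//add" did in the simulator
    inp.append(modify)
    return root
```

Serialise the result with `ET.tostring(add_to_modify(ADD_XDS), encoding="unicode")` to compare it against the second document in the post.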
Knowledge Partner

Re: Problem converting operations

On 6/14/2018 4:44 AM, tschloesser wrote:
>
> Hm, very strange in the simulation the //add expression to remove just
> the add is working - in the engine I am still facing the add followed by
> the modify.


How about using Set Dest Attr to get your new <modify> node added and then
simply vetoing the current <add> node?

Also, do-find-matching should have an option to look for all objects so
matching might work.


tschloesser Super Contributor.

Re: Problem converting operations

Thanks for your thoughts on my request 😉

> How about to Set Dest Attr to get your new <modify> node added and then
> simply veto the current <add> node?


This was one of my ideas, but the only thing working in this case is to configure the do-set-dest-attr action to write directly to the destination - otherwise the veto will affect the "synthetic" modify as well, no matter if it is set to be done before or after the current operation.
I am not quite sure this was the case in previous versions of IDM as well, but it is definitely in IDM 4.7.

> Also, do-find-matching should have an option to look for all objects so
> matching might work.


Unfortunately this is not the case - as long as the UI does not provide such an option and there is no reference to it in the DirXML Script DTD.
"It will have a class-name attribute and <search-class> based on the class-name attribute from the current object."

At the end, I found that the conversion of an add to something else cannot be done in any of the three policy sets (matching/creation/placement). Anytime the add is removed from the XDS the operation will be automatically vetoed by the engine, no matter if there is some other operation in the XDS.

So either this should be done in the ETP or later in the CTP. I decided to go with the CTP. If I recognize in the MP that I do not need the add, I add an operation-property like delete-add="true" and search for that in the CTP.

Kind regards,

Thorsten
Knowledge Partner

Re: Problem converting operations

On 6/19/2018 2:34 AM, tschloesser wrote:
>
> Thanks for your thoughts on my request 😉
>
> -How about to Set Dest Attr to get your new <modify> node added and
> then
> simply veto the current <add> node?-
>
> This was one of my ideas, but the only thing working in this case is to
> configure the do-set-dest-attr action to write directly to the
> destination - otherwise the veto will affect the "synthetic" modify as
> well no matter if it is set to be done before or after the current
> operation.
> I am not quite sure this was the case in previous versions of IDM as
> well, but it is definitely in IDM 4.7.
>
> -Also, do-find-matching should have an option to look for all objects
> so
> matching might work.-
>
> Unfortunately this is not the case - as long as the UI does not provide
> such an option and there is no reference to it in the DirXML Script
> DTD.


Maybe I am remembering the unique name token, yep that is it:

https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/dirxmlscript/token-unique-name.html


> "It will have a class-name attribute and <search-class> based on the
> class-name attribute from the current object."


So you know you can change the op class on the fly?

https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/dirxmlscript/do-set-op-class-name.html

So do-find-matching as user.

The do-set-op-class to whatever.

Do-find-matching again.

do-set-op-class again as needed...


> At the end, I found that the conversion of an add to something else
> cannot be done in any of the three policy sets
> (matching/creation/placement). Anytime the add is removed from the XDS
> the operation will be automatically vetoed by the engine, no matter if
> there is some other operation in the XDS.
>
> So either this should be done in the ETP or later in the CTP. I decided
> to go with the CTP. If I recognize in the MP that I do not need the add, I
> add an operation-property like delete-add="true" and search for that in
> the CTP.
>
> Kind regards,
>
> Thorsten
tschloesser Super Contributor.

Re: Problem converting operations

geoffc;2482714 wrote:
On 6/19/2018 2:34 AM, tschloesser wrote:
> "It will have a class-name attribute and <search-class> based on the
> class-name attribute from the current object."


So you know you can change the op class on the fly?

https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/dirxmlscript/do-set-op-class-name.html

So do-find-matching as user.

The do-set-op-class to whatever.

Do-find-matching again.

do-set-op-class again as needed...



Thanks for sharing this thought - I have to admit I never thought about that option!

Kind regards,

Thorsten
Knowledge Partner

Re: Problem converting operations

On 6/20/2018 2:04 AM, tschloesser wrote:
>
> geoffc;2482714 Wrote:
>> On 6/19/2018 2:34 AM, tschloesser wrote:
>>> "It will have a class-name attribute and <search-class> based on the
>>> class-name attribute from the current object."

>>
>> So you know you can change the op class on the fly?
>>
>> https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/dirxmlscript/do-set-op-class-name.html
>>
>> So do-find-matching as user.
>>
>> The do-set-op-class to whatever.
>>
>> Do-find-matching again.
>>
>> do-set-op-class again as needed...
>>
>>

> Thanks for sharing this thought - I have to admit I never thought about
> that option!


It is one of those tokens that you look at and think, really? When
would you use that?

Not the most efficient approach, since a single query minus the
class-name could do it more efficiently than 3 or 4 queries one per
class, but such is life.

