Anonymous_User Absent Member.

Understanding of HR driver updating field vs manual update.


I have a policy in the Subscriber Event Transformation Policy for when
the Surname in the IDV gets updated from our HR system, which is below.
The driver filter for the subscribe is set to Synchronize on Subscribe
and Ignore on Publish within the AD driver. However, if the Surname
gets updated in the IDV from the HR system, it does not trigger the
policy I have created. Though, if I manually change the Surname for the
user in the IDV it does change.

<rule>
  <description>surname is changing</description>
  <conditions>
    <and>
      <if-op-attr name="Surname" op="available"/>
      <if-op-attr name="Surname" op="changing"/>
      <if-class-name op="equal">User</if-class-name>
      <if-operation op="not-equal">add</if-operation>
    </and>
  </conditions>
  <actions>
    <do-clear-dest-attr-value class-name="User" disabled="true" name="Surname"/>
    <do-add-dest-attr-value class-name="User" disabled="true" name="Surname">
      <arg-value type="string">
        <token-src-attr name="Surname"/>
      </arg-value>
    </do-add-dest-attr-value>
    <do-set-dest-attr-value class-name="User" name="Surname">
      <arg-value type="string">
        <token-src-attr name="Surname"/>
      </arg-value>
    </do-set-dest-attr-value>
  </actions>
</rule>

I also posted a level 3 trace. Last name is Nemeth around 12/03/15
16:33:52.605 - it does not select the rule, at 12/03/15 16:38:08.978
this is when I manually changed the name and it went through fine.


+----------------------------------------------------------------------+
|Filename: ADExch_1.zip |
|Download: https://forums.netiq.com/attachment.php?attachmentid=383 |
+----------------------------------------------------------------------+

--
richreitenauer
------------------------------------------------------------------------
richreitenauer's Profile: https://forums.netiq.com/member.php?userid=7038
View this thread: https://forums.netiq.com/showthread.php?t=54792

Knowledge Partner

Re: Understanding of HR driver updating field vs manual update.

richreitenauer wrote:

>
> I have a policy in the Subscriber Event Transformation Policy for when
> the Surname in the IDV gets updated from our HR system, which is below.
> The driver filter for the subscribe is set to Synchronize on Subscribe
> and Ignore on Publish within the AD driver. However, if the Surname
> gets updated in the IDV from the HR system, it does not trigger the
> policy I have created. Though, if I manually change the Surname for the
> user in the IDV it does change.
>
> <rule>
> <description>surname is changing</description>
> <conditions>
> <and>
> <if-op-attr name="Surname" op="available"/>
> <if-op-attr name="Surname" op="changing"/>
> <if-class-name op="equal">User</if-class-name>
> <if-operation op="not-equal">add</if-operation>
> </and>
> </conditions>
> <actions>
> <do-clear-dest-attr-value class-name="User" disabled="true"
> name="Surname"/>
> <do-add-dest-attr-value class-name="User" disabled="true"
> name="Surname">
> <arg-value type="string">
> <token-src-attr name="Surname"/>
> </arg-value>
> </do-add-dest-attr-value>
> <do-set-dest-attr-value class-name="User" name="Surname">
> <arg-value type="string">
> <token-src-attr name="Surname"/>
> </arg-value>
> </do-set-dest-attr-value>
> </actions>
> </rule>
>
> I also posted a level 3 trace. Last name is Nemeth around 12/03/15
> 16:33:52.605 - it does not select the rule, at 12/03/15 16:38:08.978
> this is when I manually changed the name and it went through fine.
>
>
> +----------------------------------------------------------------------+
> |Filename: ADExch_1.zip |
> |Download: https://forums.netiq.com/attachment.php?attachmentid=383 |
> +----------------------------------------------------------------------+


It might have to do with the fact that your policy "Allow Future Users"
replaces the new name with the old name because of incorrect usage of
token-do-reformat-op-attr. There's no "Nemeth" anymore in the returned XDS doc:

[12/03/15 16:37:59.025]:ADExch-Alvernia ST:

[...]

<modify-attr attr-name="Surname">
<remove-value>
<value timestamp="1445454669#8" type="string">Nemeth</value>
</remove-value>
<add-value>
<value timestamp="1449178678#2" type="string">Anderson</value>
</add-value>
</modify-attr>

[...]

[12/03/15 16:37:59.041]:ADExch-Alvernia ST:Applying policy: %+C%14CauSet Full
Name%-C.

[...]

[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Applying rule 'Strip special
char out of Last name'.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Action:
do-reformat-op-attr("Surname",token-replace-all("[^\w.]+","",token-op-attr("Surname"))).
[12/03/15 16:37:59.057]:ADExch-Alvernia ST:
arg-string(token-replace-all("[^\w.]+","",token-op-attr("Surname")))
[12/03/15 16:37:59.057]:ADExch-Alvernia ST:
token-replace-all("[^\w.]+","",token-op-attr("Surname"))
[12/03/15 16:37:59.057]:ADExch-Alvernia ST:
token-replace-all("[^\w.]+","",token-op-attr("Surname"))
[12/03/15 16:37:59.057]:ADExch-Alvernia ST:
token-op-attr("Surname")
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Token Value:
"Anderson".
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Arg Value: "Anderson".
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Token Value: "Anderson".
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Arg Value: "Anderson".
[12/03/15 16:37:59.057]:ADExch-Alvernia ST:
arg-string(token-replace-all("[^\w.]+","",token-op-attr("Surname")))
[12/03/15 16:37:59.057]:ADExch-Alvernia ST:
token-replace-all("[^\w.]+","",token-op-attr("Surname"))
[12/03/15 16:37:59.057]:ADExch-Alvernia ST:
token-replace-all("[^\w.]+","",token-op-attr("Surname"))
[12/03/15 16:37:59.057]:ADExch-Alvernia ST:
token-op-attr("Surname")
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Token Value:
"Anderson".
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Arg Value: "Anderson".
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Token Value: "Anderson".
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Arg Value: "Anderson".
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Evaluating selection criteria
for rule 'Strip special char out of First name'.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: (if-class-name equal "User") =
TRUE.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: (if-op-attr 'Given Name'
available) = FALSE.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Rule rejected.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST:Policy returned:

[...]

<modify-attr attr-name="Surname">
<remove-value>
<value type="string">Anderson</value>
</remove-value>
<add-value>
<value type="string">Anderson</value>
</add-value>
</modify-attr>


Instead of


do-reformat-op-attr("Surname",token-replace-all("[^\w.]+","",token-op-attr("Surname"))).

you should use the local variable current-value:


do-reformat-op-attr("Surname",token-replace-all("[^\w.]+","","$current-value$")).

Nevertheless, your rule DOES get triggered:

[12/03/15 16:37:59.057]:ADExch-Alvernia ST:Applying policy: %+C%14CauName
Changes%-C.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Applying to modify #1.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Evaluating selection criteria
for rule 'givenName is changing'.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: (if-op-attr 'Given Name'
available) = FALSE.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Rule rejected.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Evaluating selection criteria
for rule 'surname is changing'.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: (if-op-attr 'Surname'
available) = TRUE.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: (if-op-attr 'Surname'
changing) = TRUE.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: (if-class-name equal "User") =
TRUE.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: (if-operation not-equal "add")
= TRUE.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Rule selected.
[12/03/15 16:37:59.057]:ADExch-Alvernia ST: Applying rule 'surname is
changing'.

Not sure if it WORKS the way you want it, though. Why do you put this rule in place
in the first place and not simply sync the attribute through unmodified?
______________________________________________
https://www.is4it.de/identity-access-management
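
The effect described in the reply above, as an added example that is not part of the original posts or of the poster's driver configuration: a simplified Python model of do-reformat-op-attr applied to the modify-attr from the trace. The names `op_attr` and `reformat_op_attr` are hypothetical, and the model assumes token-op-attr yields the value being added, as the trace shows ("Anderson").

```python
import re
import xml.etree.ElementTree as ET

# The <modify-attr> from the trace above (timestamps omitted).
MODIFY = """<modify-attr attr-name="Surname">
  <remove-value><value type="string">Nemeth</value></remove-value>
  <add-value><value type="string">Anderson</value></add-value>
</modify-attr>"""

# Regex used by the rule 'Strip special char out of Last name' in the trace.
STRIP = re.compile(r"[^\w.]+")


def op_attr(modify):
    """Model of token-op-attr (assumption): the value being added."""
    node = modify.find("./add-value/value")
    return node.text if node is not None else ""


def reformat_op_attr(xml_text, per_value):
    """Rewrite every <value> of the attribute in the operation.

    per_value=False models the rule in the trace: the replacement is computed
    once from token-op-attr, so remove-value and add-value both receive it.
    per_value=True models $current-value$: each value is cleaned on its own.
    """
    modify = ET.fromstring(xml_text)
    fixed = op_attr(modify)
    for value in modify.iter("value"):
        source = value.text if per_value else fixed
        value.text = STRIP.sub("", source or "")
    return {
        "remove": [v.text for v in modify.findall("./remove-value/value")],
        "add": [v.text for v in modify.findall("./add-value/value")],
    }


if __name__ == "__main__":
    # Matches "Policy returned" in the trace: the old value is lost.
    print("token-op-attr   :", reformat_op_attr(MODIFY, per_value=False))
    # The old value survives, so the remove-value still names "Nemeth".
    print("$current-value$ :", reformat_op_attr(MODIFY, per_value=True))
    # Constructed input with special characters on the removed value.
    sample = MODIFY.replace("Nemeth", "O'Brien-Nemeth")
    print("constructed     :", reformat_op_attr(sample, per_value=True))
```
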
Anonymous_User Absent Member.

Re: Understanding of HR driver updating field vs manual update.


Are you referring to the set full name? I saw that reformat option
there. The allow future users policy is below. I was not involved when
the set full name was implemented, but that would make sense as I could
pass that through. In regards to passing the Surname through
unmodified, I'm not exactly sure why the reasoning was there for so many
rules. I know I ran into an issue when trying that and got an LDAP value
exists error. However, instead of trying to reinvent the wheel, I
thought I would put the name change policy in there. The reference to
the rule getting triggered is due to me changing the name manually on
the user in the IDV.

I am going to update our HR system to get the Full Name there and sync
it that way, which should make things work easier. Before I started
working where I am at, the IDM system was for adds only (no
modifies/renames/moves were allowed).

Rule: Remove existing assn if no longer a future user

Conditions
(Enabled, Traced) if class name equal "User"
And (Enabled, Traced) if operation attribute 'dxFutureUser' changing to "N"
And (Enabled, Traced) if association associated

Actions
(Enabled, Traced) remove association (when="before", association (Association () ) )
(Enabled, Traced) remove association (association (Association () ) )


--
richreitenauer
------------------------------------------------------------------------
richreitenauer's Profile: https://forums.netiq.com/member.php?userid=7038
View this thread: https://forums.netiq.com/showthread.php?t=54792
