
Veto Users based on specific sAMAccountName


Hi Guys

I'm making use of IDM 4.0.2 with Active Directory as the Authoritative
Source.

When the organisation creates users they specify a Personnel
number as the sAMAccountName, i.e. P123456, which is then used as the CN in
the Identity Vault; however, they also use S123456 as the
sAMAccountName for Service Accounts.

I would like to VETO account creations starting with anything other than
a "P".

As an example the following accounts should be created from AD in the
Metadirectory
P123456
P123
P1234
P1234567

However, anything else should be blocked, i.e.
S123456
F123456
Z123456

etc etc.

What would be the best way to deal with this? Any help would be
appreciated.


--
Hendrik
------------------------------------------------------------------------
Hendrik's Profile: https://forums.netiq.com/member.php?userid=2773
View this thread: https://forums.netiq.com/showthread.php?t=48294


Re: Veto Users based on specific sAMAccountName

Since you want to block things from being created, go into the Creation
policyset, create a new rule as the first rule, and create a rule that
matches based on (probably) the "personnel number" that you referenced.
Add a rule stating something like (pseudocode alert) if not match
type=regex ^p.+ then veto. The ^p portion is looking for something that
starts (^) with a p, and vetoing if it does not match.

Good luck.

Re: Veto Users based on specific sAMAccountName

On 7/30/2013 11:40 AM, ab wrote:
> Since you want to block things from being created, go into the Creation
> policyset, create a new rule as the first rule, and create a rule that
> matches based on (probably) the "personnel number" that you referenced.
> Add a rule stating something like (pseudocode alert) if not match
> type=regex ^p.+ then veto. The ^p portion is looking for something that
> starts (^) with a p, and vetoing if it does not match.


And watch out for case, since the P is upper-case in their example. It is
best NOT to rely on the regex parser's case-insensitive mode. You can
control it with (?-i) I think. Or define a 'set' with {Pp} I think.

The options in Regex go on for a long while.

Also, Aaron notes, "if not match" which is how it will show in trace.

In Designer/iMan it will show as "if Not Equal", then on the next line,
change compare mode from Case Insensitive to Regular Expression.

If you want more info on how to use these tokens, you could always try a
copy of my book all about how this stuff works:

http://www.ninja-tools.com/definitive-guide-to-netiq-idm-tokens-hard-copy-p8.php





Re: Veto Users based on specific sAMAccountName

On Tue, 30 Jul 2013 15:14:02 +0000, Hendrik wrote:

> What would be the best way to deal with this please any help would be
> appreciated.


Publisher Create Rule is where I'd put this. Something like:

<rule>
  <description>Block Non Accounts</description>
  <conditions>
    <and>
      <if-attr mode="regex" name="sAMAccountName" op="not-equal">P.+</if-attr>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

Depending on the rest of your plans, you might want to check to see if
this is a User or some other kind of object.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.


Re: Veto Users based on specific sAMAccountName


Thanks for the help. At the moment I have added the following XML rule:

<rule>
  <description>Block Non P Number Accounts - NETCB</description>
  <conditions>
    <and>
      <if-attr mode="regex" name="sAMAccountName" op="not-equal">^P.+</if-attr>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

However, this seems to be vetoing all user creations.


--
Hendrik


Re: Veto Users based on specific sAMAccountName

On 7/31/2013 8:34 AM, Hendrik wrote:
>
> Thanks for the help. At the moment I have added the following XML rule:
>
> <rule>
> <description>Block Non P Number Accounts - NETCB</description>
> <conditions>
> <and>
> <if-attr mode="regex" name="sAMAccountName"
> op="not-equal">^P.+</if-attr>
> </and>
> </conditions>
> <actions>
> <do-veto/>
> </actions>
> </rule>
>
> However, this seems to be vetoing all user creations.


As always, show the trace of a failure case to see what data is coming
in, and why this is vetoing it.

Re: Veto Users based on specific sAMAccountName

Hendrik <Hendrik@no-mx.forums.netiq.com> wrote:
> Thanks for the help. At the moment I have added the following XML rule:
>
> <rule>
> <description>Block Non P Number Accounts - NETCB</description>
> <conditions>
> <and>
> <if-attr mode="regex" name="sAMAccountName"
> op="not-equal">^P.+</if-attr>
> </and>
> </conditions>
> <actions>
> <do-veto/>
> </actions>
> </rule>
>
> However, this seems to be vetoing all user creations.
>


1. Post a level 3 trace.

2. Try a case-insensitive regex.

3. IIRC, by the time the event gets to the Publisher Create rule,
sAMAccountName has been schema mapped to CN, so you should be using the
corresponding eDirectory attribute name in your condition:

<rule>
  <description>Block Non P Number Accounts - NETCB</description>
  <conditions>
    <and>
      <if-attr mode="regex" name="CN" op="not-equal">(?i)^P.+</if-attr>
    </and>
  </conditions>
  <actions>
    <do-veto/>
  </actions>
</rule>

--
NetIQ Knowledge Partner http://forums.netiq.com
Please post questions in the forums.
No support is provided via email.

Re: Veto Users based on specific sAMAccountName

Alex McHugh wrote:

> 3. IIRC, By the time the event gets to publisher create rule,
> sAMAccountName is schema mapped to CN, so you should be using the
> corresponding eDirectory attribute name in your condition.


Exactly. And I should read threads to the end before replying, I guess...
______________________________________________
https://www.is4it.de/identity-access-management

Re: Veto Users based on specific sAMAccountName

Hendrik wrote:

> Thanks for the help. At the moment I have added the following XML rule:
>
> <rule>
> <description>Block Non P Number Accounts - NETCB</description>
> <conditions>
> <and>
> <if-attr mode="regex" name="sAMAccountName"
> op="not-equal">^P.+</if-attr>
> </and>
> </conditions>
> <actions>
> <do-veto/>
> </actions>
> </rule>
>
> However, this seems to be vetoing all user creations.


Publisher Creation rules operate on IDV attribute names, not AD attribute names,
since Schema Mapping has already been performed. Depending on how you map
sAMAccountName, you have to use the appropriate eDirectory attribute in that rule.
______________________________________________
https://www.is4it.de/identity-access-management
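The behaviour Alex and Lothar describe above (the Publisher Creation rule sees vault attribute names, and a not-equal regex condition on an attribute that is no longer in the event is true for every object, so everything is vetoed), as an added worked example that is not part of the thread and not IDM policy code. It is a small Python model of the single if-attr/do-veto rule, run over constructed add events. Assumptions are labelled in the code: that sAMAccountName is mapped to CN, that DirXML regex mode must match the whole value, and that a missing attribute has no values. The tightened pattern ^P\d+$ at the end is a suggestion of mine, not something the thread proposed, and the User-only check follows David's remark about checking the object class.

```python
import re

# Constructed add events as they look AFTER Schema Mapping on the Publisher
# channel: the AD sAMAccountName has already been renamed to the vault's CN
# (assumption: the driver's default sAMAccountName -> CN mapping).
EVENTS = [
    {"class": "User",  "CN": ["P123456"]},
    {"class": "User",  "CN": ["P123"]},
    {"class": "User",  "CN": ["p123456"]},   # lower-case variant (case caveat)
    {"class": "User",  "CN": ["Pabc"]},      # starts with P but is not a number
    {"class": "User",  "CN": ["S123456"]},   # service account
    {"class": "User",  "CN": ["F123456"]},
    {"class": "Group", "CN": ["Z123456"]},   # not a User object
]


def if_attr_not_equal_regex(event, name, pattern):
    """Model of <if-attr mode="regex" name=NAME op="not-equal">PATTERN</if-attr>.

    Assumptions (from the DirXML policy documentation as I read it):
      * regex mode must match the entire value, hence re.fullmatch;
      * op="not-equal" is true when NO value of the attribute matches;
      * an attribute absent from the event has no values, so the
        condition is true and the rule fires.
    """
    values = event.get(name, [])
    return not any(re.fullmatch(pattern, v) for v in values)


def publisher_create(event, attr_name, pattern, user_only=False):
    """Return 'veto' or 'create' for one add event under the rule."""
    if user_only and event.get("class") != "User":
        return "create"            # rule scoped to Users; other classes pass
    if if_attr_not_equal_regex(event, attr_name, pattern):
        return "veto"              # <do-veto/>
    return "create"


def run(attr_name, pattern, user_only=False):
    """Apply the rule to every constructed event, keyed by its CN."""
    return {e["CN"][0]: publisher_create(e, attr_name, pattern, user_only)
            for e in EVENTS}


if __name__ == "__main__":
    # 1. Hendrik's rule: condition on sAMAccountName, which is no longer
    #    in the event -> every object is vetoed.
    print("sAMAccountName / ^P.+   :", run("sAMAccountName", "^P.+"))
    # 2. Same pattern on CN: P-numbers pass, but p123456 is still vetoed.
    print("CN / ^P.+               :", run("CN", "^P.+"))
    # 3. Alex's case-insensitive pattern: p123456 passes too.
    print("CN / (?i)^P.+           :", run("CN", "(?i)^P.+"))
    # 4. Tightened pattern (my suggestion): only P followed by digits.
    print("CN / ^P\\d+$             :", run("CN", r"^P\d+$"))
    # 5. Scoped to User objects, so the Group is not touched.
    print("CN / (?i)^P.+ Users only:", run("CN", "(?i)^P.+", user_only=True))
```

Running it reproduces the symptom in the thread: with name="sAMAccountName" every event is vetoed, and switching the condition to CN is what makes the P-numbers go through. Whether you want the (?i) is the case question Geoffrey raises; the model shows what each choice does to "p123456".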