
prevent remove-all-values in group membership


sitrep

2 ADs, IDM in the middle

We need to be able to sync groups across from one AD to another, but the destination AD may have different members of the same groups. Destination AD does not write back to the vault.

Tried to do this on the sub OTP for groups only

<actions>
	<do-strip-xpath expression="modify-attr[remove-all-values and not(add-value)]"/>
</actions>

but that didn't seem to work properly.

Basically, we need to remove the "remove-all-values" from the transactions so that only the members from the Vault get sync'd without overwriting the complete group membership in the destination AD.

Thanks in Advance!


Accepted Solutions

You can try this expression:
do-strip-xpath("modify-attr[@attr-name="memberOf"]/remove-all-values")

You can "adjust" the filter according to your attribute name (in this example I used the attribute "memberOf").


Example from Designer Simulator:
<?xml version="1.0" encoding="UTF-8"?><nds dtdversion="4.0" ndsversion="8.x">
<source>
<product version="4.8.0.1">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" qualified-src-dn="o=dirXML Test\ou=Users\cn=User1">
<association>o=dirXML Test\ou=Users\cn=User1</association>
<modify-attr attr-name="memberOf">
<remove-all-values/>
<add-value>
<value type="string">group1</value>
</add-value>
</modify-attr>
<modify-attr attr-name="Generational Qualifier">
<remove-all-values/>
<add-value>
<value type="string">Qu1</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
Generic Null :Applying policy: %+C%14Cgroup%-C.
Generic Null : Applying to modify #1.
Generic Null : Evaluating selection criteria for rule 'remove-all-group'.
Generic Null : Rule selected.
Generic Null : Applying rule 'remove-all-group'.
Generic Null : Action: do-strip-xpath("modify-attr[@attr-name="memberOf"]/remove-all-values").
Generic Null :Policy returned:
Generic Null :
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product version="4.8.0.1">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="User" qualified-src-dn="o=dirXML Test\ou=Users\cn=User1">
<association>o=dirXML Test\ou=Users\cn=User1</association>
<modify-attr attr-name="memberOf">
<add-value>
<value type="string">group1</value>
</add-value>
</modify-attr>
<modify-attr attr-name="Generational Qualifier">
<remove-all-values/>
<add-value>
<value type="string">Qu1</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
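
Added example, not part of the original posts: a Python emulation of the two XPath expressions that appear in this thread, run against a constructed group modify event, showing which node each one selects for stripping. The DNs, the "Description" attribute and the function names are assumptions made for illustration; "Member" is the attribute name used later in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed XDS modify event for a group, modelled on the Simulator input above.
SAMPLE = r"""<nds dtdversion="4.0"><input>
<modify class-name="Group" qualified-src-dn="o=dirXML Test\ou=Groups\cn=group1">
<modify-attr attr-name="Member">
<remove-all-values/>
<add-value><value type="string">cn=User1</value></add-value>
</modify-attr>
<modify-attr attr-name="Description">
<remove-all-values/>
</modify-attr>
</modify>
</input></nds>"""


def strip_child_only(xml_text, attr_name):
    """Emulates modify-attr[@attr-name="X"]/remove-all-values:
    the selected (and stripped) node is the remove-all-values child."""
    root = ET.fromstring(xml_text)
    for mod in root.iter("modify"):
        for ma in mod.findall("modify-attr"):
            if ma.get("attr-name") == attr_name:
                for rav in ma.findall("remove-all-values"):
                    ma.remove(rav)
    return root


def strip_whole_attr(xml_text):
    """Emulates modify-attr[remove-all-values and not(add-value)]:
    the selected node is the modify-attr element itself."""
    root = ET.fromstring(xml_text)
    for mod in root.iter("modify"):
        for ma in mod.findall("modify-attr"):
            has_rav = ma.find("remove-all-values") is not None
            if has_rav and ma.find("add-value") is None:
                mod.remove(ma)
    return root


def summary(root):
    """Map attr-name -> child element tags left in each modify-attr."""
    return {ma.get("attr-name"): [c.tag for c in ma] for ma in root.iter("modify-attr")}


if __name__ == "__main__":
    print("child-only :", summary(strip_child_only(SAMPLE, "Member")))
    print("whole-attr :", summary(strip_whole_attr(SAMPLE)))
```

With the predicate form, a modify-attr that carries both remove-all-values and add-value is not matched at all, so the destructive remove-all-values still reaches the destination; the path form removes only that child and leaves other attributes untouched.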


2 Replies

That's exactly what I needed, I modified it to this:

do-strip-xpath("modify-attr[@attr-name="Member"]/remove-all-values")

 

thanks for the assistance! 

 

 

 
