Anonymous_User

remove all roles from user

Looking for a little code help.

When a user's account in production gets disabled, a loopback in the vault
moves the account to an inactive OU. Looking to automatically remove
all roles assigned to that user at that time.

How should I tackle this?


thanks



afolli

Re: remove all roles from user


Hi Chad,
I'm doing something similar in this rule.

I hope this helps. Best regards,

Alessandro



Code:
--------------------

<rule>
  <description>User Account Entitlement change (Delete Option)</description>
  <comment xml:space="preserve">The User Account Entitlement grants the user an enabled account in SAP. Revoking the entitlement will disable or delete the account depending on the value you select for the 'Delete Account' option. This rule executes when the entitlement is changing and you have selected the disable option.</comment>
  <conditions>
    <and>
      <if-global-variable mode="nocase" name="drv.entitlement.UserAccount" op="equal">true</if-global-variable>
      <if-global-variable name="drv.entitlement.remove" op="equal">disable</if-global-variable>
      <if-class-name op="equal">User</if-class-name>
      <if-operation mode="regex" op="equal">add|modify</if-operation>
      <if-entitlement name="UserAccount" op="changing"/>
      <if-local-variable mode="nocase" name="sub.variable.flag.delete" op="equal">TRUE</if-local-variable>
    </and>
  </conditions>
  <actions>
    <do-trace-message level="3">
      <arg-string>
        <token-text xml:space="preserve">User Account Entitlement change (Delete Option)</token-text>
      </arg-string>
    </do-trace-message>
    <do-set-local-variable name="sub.variable.entitlement.removed" scope="policy">
      <arg-string>
        <token-text xml:space="preserve">FALSE</token-text>
      </arg-string>
    </do-set-local-variable>
    <do-for-each>
      <arg-node-set>
        <token-removed-entitlement name="UserAccount"/>
      </arg-node-set>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="nocase" name="sub.variable.entitlement.removed" op="equal">FALSE</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-trace-message level="3">
              <arg-string>
                <token-text xml:space="preserve">An entitlement will be removed.</token-text>
              </arg-string>
            </do-trace-message>
            <do-set-local-variable name="sub.variable.entitlement.removed" scope="policy">
              <arg-string>
                <token-text xml:space="preserve">TRUE</token-text>
              </arg-string>
            </do-set-local-variable>
            <do-delete-dest-object/>
            <do-remove-association when="after">
              <arg-association>
                <token-association/>
              </arg-association>
            </do-remove-association>
            <do-set-src-attr-value class-name="itrlSAPUser" name="itrlSAPUserDelete">
              <arg-value type="string">
                <token-text xml:space="preserve">FALSE</token-text>
              </arg-value>
            </do-set-src-attr-value>
            <do-clear-src-attr-value name="sapUsername"/>
            <do-clear-src-attr-value name="sapRoles"/>
            <do-clear-src-attr-value name="sapProfiles"/>
          </arg-actions>
          <arg-actions>
            <do-trace-message level="3">
              <arg-string>
                <token-text xml:space="preserve">Entitlement already removed.</token-text>
              </arg-string>
            </do-trace-message>
          </arg-actions>
        </do-if>
      </arg-actions>
    </do-for-each>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="nocase" name="sub.variable.entitlement.removed" op="equal">TRUE</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message level="3">
          <arg-string>
            <token-text xml:space="preserve">Ready to remove all roles.</token-text>
          </arg-string>
        </do-trace-message>
        <do-set-local-variable name="sub.variable.role.location" scope="policy">
          <arg-string>
            <token-lower-case>
              <token-parse-dn dest-dn-format="dot" src-dn-format="ldap">
                <token-global-variable name="idv.dit.data.roles.location"/>
              </token-parse-dn>
            </token-lower-case>
          </arg-string>
        </do-set-local-variable>
        <do-trace-message level="3">
          <arg-string>
            <token-text xml:space="preserve">SAP role location is </token-text>
            <token-local-variable name="sub.variable.role.location"/>
          </arg-string>
        </do-trace-message>
        <do-for-each>
          <arg-node-set>
            <token-src-attr name="nrfAssignedRoles"/>
          </arg-node-set>
          <arg-actions>
            <do-set-local-variable name="sub.variable.user.role" scope="policy">
              <arg-string>
                <token-lower-case>
                  <token-parse-dn dest-dn-format="dot" src-dn-format="slash" start="1">
                    <token-xpath expression="$current-node/component[@name='volume']"/>
                  </token-parse-dn>
                </token-lower-case>
              </arg-string>
            </do-set-local-variable>
            <do-trace-message level="3">
              <arg-string>
                <token-text xml:space="preserve">Found role </token-text>
                <token-local-variable name="sub.variable.user.role"/>
              </arg-string>
            </do-trace-message>
            <do-set-local-variable name="sub.variable.user.role.delete" scope="policy">
              <arg-string>
                <token-xpath expression="es:endsWith($sub.variable.user.role, $sub.variable.role.location)"/>
              </arg-string>
            </do-set-local-variable>
            <do-if>
              <arg-conditions>
                <and>
                  <if-local-variable mode="nocase" name="sub.variable.user.role.delete" op="equal">TRUE</if-local-variable>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-set-local-variable name="sub.variable.user.role.ldap" scope="policy">
                  <arg-string>
                    <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
                      <token-xpath expression="query:readObject($srcQueryProcessor, '',$current-node/component[@name='volume'],'','')/@qualified-src-dn"/>
                    </token-parse-dn>
                  </arg-string>
                </do-set-local-variable>
                <do-trace-message level="3">
                  <arg-string>
                    <token-text xml:space="preserve">Deleting role </token-text>
                    <token-local-variable name="sub.variable.user.role.ldap"/>
                  </arg-string>
                </do-trace-message>
                <do-remove-role id="$idv.workflow.user$" role-id="$sub.variable.user.role.ldap$" url="$idv.workflow.url$">
                  <arg-password>
                    <token-named-password name="administrator_password"/>
                  </arg-password>
                  <arg-string name="description">
                    <token-text xml:space="preserve">User removed from SAP.</token-text>
                  </arg-string>
                  <arg-string name="effective-time">
                    <token-time format="!CTIME" tz="UTC"/>
                  </arg-string>
                </do-remove-role>
                <do-if>
                  <arg-conditions>
                    <and>
                      <if-local-variable name="error.do-remove-role" op="available"/>
                      <if-local-variable mode="nocase" name="error.do-remove-role" op="not-equal"/>
                    </and>
                  </arg-conditions>
                  <arg-actions>
                    <do-send-email-from-template notification-dn="Security\Default Notification Collection" template-dn="Security\Default Notification Collection\SAP Driver Error">
                      <arg-string name="ASSOCIATION">
                        <token-src-dn/>
                      </arg-string>
                      <arg-string name="DRIVER">
                        <token-global-variable name="ConnectedSystemName"/>
                      </arg-string>
                      <arg-string name="DESCRIPTION">
                        <token-local-variable name="error.do-remove-role"/>
                      </arg-string>
                      <arg-string name="to">
                        <token-global-variable name="drv.param.notification.email"/>
                      </arg-string>
                    </do-send-email-from-template>
                    <do-break/>
                  </arg-actions>
                  <arg-actions>
                    <do-trace-message level="3">
                      <arg-string>
                        <token-text xml:space="preserve">Role removal completed without errors.</token-text>
                      </arg-string>
                    </do-trace-message>
                  </arg-actions>
                </do-if>
              </arg-actions>
              <arg-actions>
                <do-trace-message level="3">
                  <arg-string>
                    <token-text xml:space="preserve">Role will not be deleted.</token-text>
                  </arg-string>
                </do-trace-message>
              </arg-actions>
            </do-if>
          </arg-actions>
        </do-for-each>
        <do-trace-message level="3">
          <arg-string>
            <token-text xml:space="preserve">SAP Account completely removed.</token-text>
          </arg-string>
        </do-trace-message>
        <do-send-email-from-template notification-dn="Security\Default Notification Collection" template-dn="Security\Default Notification Collection\SAP User Removed">
          <arg-string name="to">
            <token-global-variable name="drv.param.notification.email"/>
          </arg-string>
          <arg-string name="DRIVER">
            <token-global-variable name="ConnectedSystemName"/>
          </arg-string>
          <arg-string name="NAME">
            <token-src-attr name="Given Name"/>
          </arg-string>
          <arg-string name="SURNAME">
            <token-src-attr name="Surname"/>
          </arg-string>
          <arg-string name="USERDN">
            <token-src-dn/>
          </arg-string>
        </do-send-email-from-template>
      </arg-actions>
      <arg-actions>
        <do-trace-message level="3">
          <arg-string>
            <token-text xml:space="preserve">Entitlement has not been removed.</token-text>
          </arg-string>
        </do-trace-message>
      </arg-actions>
    </do-if>
  </actions>
</rule>


--------------------


Chad;2191030 Wrote:
> Looking for a little code help.
>
> When a user's account in production gets disabled, a loopback in the
> vault
> moves the account to an inactive OU. Looking to automatically remove
> all roles assigned to that user at that time.
>
> How should I tackle this?
>
>
> thanks



--
afolli
------------------------------------------------------------------------
afolli's Profile: http://forums.novell.com/member.php?userid=6964
View this thread: http://forums.novell.com/showthread.php?t=454994

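Alessandro's rule is tied to the SAP driver's UserAccount entitlement and deletes the connected account as well as revoking roles. For Chad's case, where a loopback driver already handles the disable/move and only the role revocation is wanted, the following is an added example rule written for this thread (not code from the original posts or from the driver packages) that keeps just the role part. It assumes it is placed in the loopback driver's Subscriber Command Transformation, that the driver has GCVs `idv.workflow.user` and `idv.workflow.url` and a named password `administrator_password` as Alessandro's rule does (all assumptions; substitute whatever your driver defines), and it fires on `Login Disabled` changing to true rather than on the move event so that it does not depend on how your loopback shapes the move.

```xml
<!-- Added example for this thread, not from the original posts.
     Assumptions: lives in the loopback driver's Subscriber Command Transformation;
     GCVs idv.workflow.user / idv.workflow.url and the named password
     administrator_password exist, as in Alessandro's SAP rule. -->
<rule>
  <description>Revoke all directly assigned roles when the account is disabled</description>
  <conditions>
    <and>
      <if-class-name op="equal">User</if-class-name>
      <if-operation op="equal">modify</if-operation>
      <!-- changing-to fires once, on the transition to disabled, not on every later modify -->
      <if-op-attr mode="nocase" name="Login Disabled" op="changing-to">true</if-op-attr>
    </and>
  </conditions>
  <actions>
    <do-for-each>
      <arg-node-set>
        <!-- nrfAssignedRoles is a Path attribute; the role DN is its volume component -->
        <token-src-attr name="nrfAssignedRoles"/>
      </arg-node-set>
      <arg-actions>
        <!-- Read the role object to get a typed (qualified) DN, then convert it to
             LDAP form, which is what do-remove-role expects in role-id -->
        <do-set-local-variable name="lv.role.ldap" scope="policy">
          <arg-string>
            <token-parse-dn dest-dn-format="ldap" src-dn-format="qualified-slash">
              <token-xpath expression="query:readObject($srcQueryProcessor, '', $current-node/component[@name='volume'], '', '')/@qualified-src-dn"/>
            </token-parse-dn>
          </arg-string>
        </do-set-local-variable>
        <do-if>
          <arg-conditions>
            <and>
              <!-- skip stale values whose role object no longer exists -->
              <if-local-variable name="lv.role.ldap" op="not-equal"/>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-trace-message level="3">
              <arg-string>
                <token-text xml:space="preserve">Revoking role </token-text>
                <token-local-variable name="lv.role.ldap"/>
              </arg-string>
            </do-trace-message>
            <!-- The target user defaults to the current object; id/password are the
                 User Application account the driver authenticates as -->
            <do-remove-role id="$idv.workflow.user$" role-id="$lv.role.ldap$" url="$idv.workflow.url$">
              <arg-password>
                <token-named-password name="administrator_password"/>
              </arg-password>
              <arg-string name="description">
                <token-text xml:space="preserve">Account disabled: role revoked automatically.</token-text>
              </arg-string>
              <arg-string name="effective-time">
                <token-time format="!CTIME" tz="UTC"/>
              </arg-string>
            </do-remove-role>
            <!-- Same error check as Alessandro's rule: do not let a failed revocation pass silently -->
            <do-if>
              <arg-conditions>
                <and>
                  <if-local-variable name="error.do-remove-role" op="available"/>
                  <if-local-variable name="error.do-remove-role" op="not-equal"/>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-trace-message level="0">
                  <arg-string>
                    <token-text xml:space="preserve">Role revocation failed for </token-text>
                    <token-local-variable name="lv.role.ldap"/>
                    <token-text xml:space="preserve">: </token-text>
                    <token-local-variable name="error.do-remove-role"/>
                  </arg-string>
                </do-trace-message>
              </arg-actions>
            </do-if>
          </arg-actions>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
```

Two caveats worth checking before relying on this. First, `nrfAssignedRoles` only lists roles assigned directly to the user; roles the user holds through a group or container assignment are not on the user object and will not be touched, so if you use those you need to remove the group membership as well. Second, revoke through `do-remove-role` (which goes through the User Application) rather than clearing `nrfAssignedRoles` yourself, so that the Role and Resource Service driver processes the revocation and the downstream entitlements are actually revoked. If you would rather key off the move into the inactive OU than off `Login Disabled`, swap the two conditions for a `move` operation check on the destination container; the action part stays the same. Run it at trace level 3 first and confirm one "Revoking role" line per assignment before turning it loose.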
Anonymous_User

Re: remove all roles from user


Thanks
I'll give it a try

In article <afolli.5biqso@no-mx.forums.novell.com>, afolli@no-
mx.forums.novell.com says...
>
> Hi Chad,
> I'm doing something similar in this rule.
>
> I hope this helps. Best regards,
>
> Alessandro



mickelarsson1

Re: remove all roles from user


This is one approach as well:
'Important Notice'
(http://www.novell.com/communities/node/12912/revoking-roles-and-resources)


--
mickelarsson
------------------------------------------------------------------------
mickelarsson's Profile: http://forums.novell.com/member.php?userid=4659

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.