Anonymous_User Absent Member.

xpath to detect adjacent operation

The following document contains status and add-assoc operations

I'm operating on the status document but via an if/then/else I want to
branch my logic depending on if there is a sibling add-assoc operation.

However my if/then/else always evaluates as false for if sibling
operation is add-association.

I can think of other ways to achieve my goals, but this way I don't need
to repeat so much code.

Feel like a n00b as this seems so simple - but I can't make it work,
I've added/modified sibling operations via xpath before, but never
detected them with an if-xpath.

<rule>
  <description>Reset valid direct reports (active)</description>
  <comment xml:space="preserve">blah</comment>
  <conditions>
    <and>
      <if-operation mode="case" op="equal">status</if-operation>
      <if-xml-attr mode="nocase" name="level" op="equal">success</if-xml-attr>
      <if-op-property name="reset-direct-reports" op="available"/>
    </and>
  </conditions>
  <actions>
    <do-if>
      <arg-conditions>
        <and>
          <if-xpath op="true">boolean(../add-association)</if-xpath>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-set-local-variable name="varManagerAssoc" scope="policy">
          <arg-string>
            <token-xpath expression="./text()"/>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
      <arg-actions>
        <do-set-local-variable name="varManagerAssoc" scope="policy">
          <arg-string>
            <token-xpath
              expression="substring-after(self::*//operation-data/@reset-direct-reports,'|')"/>
          </arg-string>
        </do-set-local-variable>
      </arg-actions>
    </do-if>
    <do-set-local-variable disabled="true" name="varManagerADDN"
                           scope="policy">
      <arg-string>
        <token-resolve datastore="src">
          <arg-association>
            <token-local-variable name="varManagerAssoc"/>
          </arg-association>
        </token-resolve>
      </arg-string>
    </do-set-local-variable>
  </actions>
</rule>

<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20111208_120000"
instance="\IDVault\Corp\Services\IDM\DriverSet\AD-CORP"
version="3.5.16">AD</product>
<contact>Novell, Inc.</contact>
</source>
<output>
<add-association dest-dn="\IDVault\CORP\Loc1\People\u123456"
dest-entry-id="34866"
event-id="OSLWVIDM001T-NDS#20121116142610#2#5:fba187cc-5849-4c40-9f45-155ed8f19167">fb03bf7e3555e04e9b8eb71003e76346<operation-data
AccountTracking-AccountStatusChanged="true"
AccountTracking-AppAccountStatus="-"
AccountTracking-IdvAccountStatus="A"
AccountTracking-LDAPDN="CN=u123456,ou=Country,ou=Users,OU=Company,DC=lab,DC=com"
AccountTracking-ObjectDN="\IDVault\CORP\Loc1\People\u123456"
AccountTracking-Operation="add"
AccountTracking-association="fb03bf7e3555e04e9b8eb71003e76346Country__Users"
AccountTracking-sAMAccountName="u123456"
AccountTracking-userPrincipalName="u123456@lab.com"
accountAction="accountCreateByEntitlementGrant" association=""
attempt-to-match="true" check-default-group-membership="true"
guid="iuYzyXKzFEK+LqFAxNFVDA==" objectClass="User"
reset-direct-reports="\IDVault\CORP\Loc1\People\u123456|"
sourceDN="\IDVault\CORP\Loc1\People\u123456" unmatched-src-dn="CN=u123456">
<entitlement-impl
id="b06028aca23c4903bac5772f1be9b4dd:6ff60b2650024340ab4314b14da5a5d3"
name="EntAD" qualified-src-dn="O=CORP\OU=Loc1\OU=People\CN=u123456"
src="AF" src-dn="\IDVault\CORP\Loc1\People\u123456" src-entry-id="34866"
state="1">Country__Users</entitlement-impl>
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</add-association>
<status
event-id="OSLWVIDM001T-NDS#20121116142610#2#5:fba187cc-5849-4c40-9f45-155ed8f19167"
level="success">
<operation-data AccountTracking-AccountStatusChanged="true"
AccountTracking-AppAccountStatus="-"
AccountTracking-IdvAccountStatus="A"
AccountTracking-LDAPDN="CN=u123456,ou=Country,ou=Users,OU=Company,DC=lab,DC=com"
AccountTracking-ObjectDN="\IDVault\CORP\Loc1\People\u123456"
AccountTracking-Operation="add"
AccountTracking-association="fb03bf7e3555e04e9b8eb71003e76346Country__Users"
AccountTracking-sAMAccountName="u123456"
AccountTracking-userPrincipalName="u123456@lab.com"
accountAction="accountCreateByEntitlementGrant" association=""
attempt-to-match="true" check-default-group-membership="true"
guid="iuYzyXKzFEK+LqFAxNFVDA==" objectClass="User"
reset-direct-reports="\IDVault\CORP\Loc1\People\u123456|"
sourceDN="\IDVault\CORP\Loc1\People\u123456" unmatched-src-dn="CN=u123456">
<entitlement-impl
id="b06028aca23c4903bac5772f1be9b4dd:6ff60b2650024340ab4314b14da5a5d3"
name="EntAD" qualified-src-dn="O=CORP\OU=Loc1\OU=People\CN=u123456"
src="AF" src-dn="\IDVault\CORP\Loc1\People\u123456" src-entry-id="34866"
state="1">Country__Users</entitlement-impl>
<password-subscribe-status>
<association/>
</password-subscribe-status>
</operation-data>
</status>
</output>
</nds>

Anonymous_User Absent Member.

Re: xpath to detect adjacent operation


On 11/16/12 11:48 AM, Alex McHugh wrote:
> The following document contains status and add-assoc operations
>
> I'm operating on the status document but via an if/then/else I want to
> branch my logic depending on if there is a sibling add-assoc operation.
>
> However my if/then/else always evaluates as false for if sibling
> operation is add-association.
>
> I can think of other ways to achieve my goals, but this way I don't need
> to repeat so much code.
>
> Feel like a n00b as this seems so simple - but I can't make it work,
> I've added/modified sibling operations via xpath before, but never
> detected them with an if-xpath.
>


DirXML Script pulls each operation out of the document while it applies
policy to it, so you can't access siblings relative to the current
operation unless the sibling was added by the policy. You can reference
siblings by an absolute XPath i.e. starting at the root, e.g.
//add-association, but ...

Why not just trigger on the add-association operation in the first
place? It should have all the same operation data as the status.


--
Shon
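The two options from the reply above, written out as DirXML Script; this is an added example, not code from the thread, and it has not been run against an engine. The rule descriptions are made up, the absolute-path variant relies on the reply's statement that `//add-association` reaches the sibling, and the two rules are alternatives (use one or the other).

```xml
<!-- Added sketch; descriptions are made up, other names come from the thread. -->
<policy>
  <!-- Option 1: trigger on the add-association itself, so the
       association value is the current operation's own text node. -->
  <rule>
    <description>Reset direct reports (on add-association)</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">add-association</if-operation>
        <if-op-property name="reset-direct-reports" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-set-local-variable name="varManagerAssoc" scope="policy">
        <arg-string>
          <token-xpath expression="./text()"/>
        </arg-string>
      </do-set-local-variable>
    </actions>
  </rule>
  <!-- Option 2: stay on the status operation, but look for the
       add-association with an absolute path instead of "../". -->
  <rule>
    <description>Reset direct reports (on status)</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">status</if-operation>
        <if-xml-attr mode="nocase" name="level" op="equal">success</if-xml-attr>
        <if-op-property name="reset-direct-reports" op="available"/>
      </and>
    </conditions>
    <actions>
      <do-if>
        <arg-conditions>
          <and>
            <if-xpath op="true">//add-association</if-xpath>
          </and>
        </arg-conditions>
        <arg-actions>
          <do-set-local-variable name="varManagerAssoc" scope="policy">
            <arg-string>
              <token-xpath expression="//add-association/text()"/>
            </arg-string>
          </do-set-local-variable>
        </arg-actions>
        <arg-actions/>
      </do-if>
    </actions>
  </rule>
</policy>
```

An absolute path matches any add-association in the document, so Option 2 cannot tell which one belongs to the current status when a document carries several.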
Anonymous_User Absent Member.

Re: xpath to detect adjacent operation

On 16.11.2012 21:35, Shon Vella wrote:
>
> On 11/16/12 11:48 AM, Alex McHugh wrote:
> > I can't make it work,
> > I've added/modified sibling operations via xpath before, but never
> > detected them with an if-xpath.
> >

>
> DirXML Script pulls each operation out of the document while it applies
> policy to it, so you can't access siblings relative to the current
> operation unless the sibling was added by the policy. You can reference
> siblings by an absolute XPath i.e. starting at the root, e.g.
> //add-association, but ...
>
> Why not just trigger on the add-association operation in the first
> place? It should have all the same operation data as the status.


Thanks for the response. That makes sense. I've adjusted the logic to
use add-association operation as you suggested.

The issue was that I wanted to have the same code run for add-assoc and
after a successful merge.

In other cases I would write near identical code and place in sub-ctp
(to handle merge) and in itp (triggered by add-assoc).

However this approach wasn't working due to some messy (but necessary)
reformatting code in otp that interfered.