Respected Contributor.

Assign a Password Policy to user

Hi All,

Hope you all are doing good and safe :-).

I was actually looking for a solution to the following requirement:

Assign/Revoke a password policy to a user when a role is assigned/revoked to the user using Null Driver.

For this I need to set the nspmPasswordPolicyDN attribute of the user when the corresponding role is assigned to the user.

I tried to implement this by the following method:

In the Null driver, I created a policy which checks the nrfMemberOf attribute. And I am checking if the nrfMemberOf value is of the role which I am looking for by using the contains function in XPath, like (contains(localvariable,abc)), where the local variable holds the operation attribute value (i.e., the nrfMemberOf attribute which is being added) and abc is the role which I am looking for.

But the problem here is that the contains function always returns true, even though the source attribute nrfMemberOf does not contain the abc value.

This is where I am stuck now.

It will be great if anyone can help me in this.

Thanks.

7 Replies

Knowledge Partner

Do it from an entitlement implementation instead of trying to match role names.

Also set the corresponding attribute on the password policy to the DN of the User you're assigning it to.

Show us a trace, it's easier to see what you're doing that way.

Respected Contributor.

Actually, due to some restrictions, I cannot use entitlement assignment or cannot modify the roles.
That's why the requirement was to do it in the Null driver by capturing the change in the nrfMemberOf attribute and by checking the role CN name.
Unfortunately I cannot change this requirement.

Knowledge Partner

Post a level 3 trace of what you're trying, then. It's possible, just not the best way to implement it.

Respected Contributor.

Thanks for your reply.

Do you know if there is a way to check the role addition/revoke of a particular role using Null Driver?

I thought to check it by checking the change in the nrfMemberOf attribute and using the contains function in XPath.

Like when a role is added, the role name will be available both in the source attribute (IDV) and in the operation attribute.

But if the role is being revoked, then the role name will not be available in the source attribute (IDV) but will be available in the operation attribute.

I think using this way we can confirm it is a role addition/revoke.

Is my understanding correct?

Knowledge Partner

Watch for changes in nrfMemberOf attribute in your null driver.

For each removed op-attr nrfMemberOf

do something for a removal. It is simply a DN, so check if it is your role of interest.

For each op-attr nrfMemberOf

do something for a role grant.

nrfAssignedRoles changes when a user is directly assigned a role, but is Path syntax.

nrfGroupRoles changes when a Role is granted due to it being assigned to a Group.

nrfContainerRoles changes when a role is granted due to it being assigned to a Container.

nrfDynamicRoles (Or somesuch) for when you get it from a Dynamic Group being assigned a Role.
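
The grant/revoke check described in the reply above, sketched in Python as an added example (not code from any poster or from Identity Manager): it reads the add-value and remove-value entries of nrfMemberOf in an XDS modify event and matches the role by whole DN. The event XML is constructed, and the role, user and password policy DNs are hypothetical.

```python
import xml.etree.ElementTree as ET

ROLE_DN = r"\TREE\org\roles\abc"  # hypothetical role of interest
POLICY_DN = r"\TREE\Security\Password Policies\Strict"  # hypothetical policy


def make_event(kind, role_dn):
    """Build a constructed XDS modify event; kind is add-value or remove-value."""
    return (
        '<nds dtdversion="4.0"><input>'
        r'<modify class-name="User" src-dn="\TREE\org\users\jdoe">'
        '<modify-attr attr-name="nrfMemberOf">'
        f'<{kind}><value type="dn">{role_dn}</value></{kind}>'
        '</modify-attr></modify></input></nds>'
    )


def changed_values(modify, kind):
    """DNs listed under <add-value> or <remove-value> of nrfMemberOf."""
    path = f"modify-attr[@attr-name='nrfMemberOf']/{kind}/value"
    return [(v.text or "").strip() for v in modify.findall(path)]


def same_dn(a, b):
    # Compare whole DNs, case-insensitively; a substring test would also
    # match roles such as "abc-readonly" when looking for "abc".
    return a.casefold() == b.casefold()


def policy_action(event_xml, role_dn=ROLE_DN):
    """Return (user_dn, action, policy_dn); action is 'set', 'remove' or None."""
    modify = ET.fromstring(event_xml).find("input/modify")
    if modify is None:
        return None, None, None
    user = modify.get("src-dn")
    if any(same_dn(v, role_dn) for v in changed_values(modify, "add-value")):
        return user, "set", POLICY_DN  # role granted: write nspmPasswordPolicyDN
    if any(same_dn(v, role_dn) for v in changed_values(modify, "remove-value")):
        return user, "remove", POLICY_DN  # role revoked: clear nspmPasswordPolicyDN
    return user, None, None


if __name__ == "__main__":
    for kind, dn in [("add-value", ROLE_DN), ("remove-value", ROLE_DN),
                     ("remove-value", ROLE_DN + "-readonly")]:
        print(kind, dn, "->", policy_action(make_event(kind, dn)))
```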

 

Knowledge Partner

Just so you know, the forum you were looking for was the Identity Manager User Discussions, not Identity Tracking.

Not like we won't help, but it might help you find messages if you are looking in the more correct space.

Respected Contributor.

Thank you guys for your help.
I implemented the solution by checking the value of the operation attribute when nrfMemberOf is getting added or removed.
Thank you and take care 🙂