Assign a Password Policy to user
Hope you all are doing good and safe :-).
I was actually looking for a solution to the following requirement:
Assign/Revoke a password policy to a user when a role is assigned/revoked to the user using Null Driver.
For this I need to set the nspmPasswordPolicyDN attribute of the user when the corresponding role is assigned to the user.
I tried to implement this by the following method:
In the Null driver, I created a policy which checks the nrfMemberOf attribute. I am checking whether the nrfMemberOf value is the role I am looking for by using the contains function in XPath, like (contains(localvariable,abc)), where localvariable holds the operation attribute value (i.e., the nrfMemberOf attribute which is being added) and abc is the role which I am looking for.
But the problem here is that the contains function always returns true, even though the source attribute nrfMemberOf does not contain the abc value.
This is where I am stuck now.
It would be great if anyone could help me with this.
Do it from an entitlement implementation instead of trying to match role names.
Also set the corresponding attribute on the password policy to the DN of the User you're assigning it to.
Show us trace, it's easier to see what you're doing that way.
That's why the requirement was to do it in the Null driver by capturing the change in the nrfmemberof attribute and by checking the role cn name.
Unfortunately I cannot change this requirement.
Thanks for your reply.
Do you know if there is a way to check the role addition/revoke of a particular role using Null Driver?
I thought to check it by checking the change in the nrfmemberof attribute and using the contains function in XPath.
Like when a role is added, the role name will be available both in the source attribute (IDV) and in the operation attribute.
But if the role is being revoked, then the role name will not be available in the source attribute (IDV) but will be available in the operation attribute.
I think using this way we can confirm it is a role addition/revoke.
Is my understanding correct?
Watch for changes in nrfMemberOf attribute in your null driver.
For each removed op-attr nrfMemberOf
do something for a removal. It is simply a DN, so check if it is your role of interest.
For each op-attr nrfMemberof
do something for a role grant.
nrfAssignedRoles changes when a user is direct assigned a role, but is Path syntax.
nrfGroupRoles changes when a Role is granted due to it being assigned to a Group.
nrfContainerRoles changes when a role is granted due to it being assigned to a Container.
nrfDynamicRoles (Or somesuch) for when you get it from a Dynamic Group being assigned a Role.
Just so you know, the forum you were looking for was the Identity Manager User Discussions, not Identity Tracking.
Not like we won't help, but it might help you find messages if you are looking in the more correct space.
I implemented the solution by checking the value of the operation attribute when nrfMemberOf is getting added or removed.
Thank you and take care 🙂
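
The grant/revoke check discussed in this thread, sketched in Python as an added example (not code from any poster, and not DirXML Script): it reads a constructed XDS modify event and compares each added or removed nrfMemberOf value to the role DN as a whole value, so a role named abcd is not mistaken for abc. The role DN, user DN, sample event and function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder DN for the role of interest (not from the thread).
ROLE_DN = r"\TREE\system\roles\abc"

# Constructed XDS modify event, as a Null driver's Subscriber channel might see it.
SAMPLE_EVENT = r"""
<nds dtdversion="4.0"><input>
  <modify class-name="User" src-dn="\TREE\org\users\jdoe">
    <modify-attr attr-name="nrfMemberOf">
      <remove-value><value type="dn">\TREE\system\roles\abc</value></remove-value>
      <add-value><value type="dn">\TREE\system\roles\abcd</value></add-value>
    </modify-attr>
  </modify>
</input></nds>
"""

def same_dn(a, b):
    """Whole-value, case-insensitive DN comparison (no substring matching)."""
    return a.strip().casefold() == b.strip().casefold()

def role_changes(xds_text, role_dn=ROLE_DN):
    """Return a list of (user_dn, 'grant' | 'revoke' | 'recheck') for role_dn."""
    results = []
    root = ET.fromstring(xds_text)
    for modify in root.iter("modify"):
        user = modify.get("src-dn")
        for attr in modify.findall("modify-attr"):
            if (attr.get("attr-name") or "").casefold() != "nrfmemberof":
                continue
            # Walk children in document order so remove-then-add is preserved.
            for change in attr:
                if change.tag == "remove-all-values":
                    # Event does not say which roles were lost; re-read the user.
                    results.append((user, "recheck"))
                    continue
                action = {"add-value": "grant", "remove-value": "revoke"}.get(change.tag)
                if action is None:
                    continue
                for value in change.findall("value"):
                    if same_dn(value.text or "", role_dn):
                        results.append((user, action))
    return results

if __name__ == "__main__":
    for user, action in role_changes(SAMPLE_EVENT):
        print(f"{user}: {action} -> update nspmPasswordPolicyDN accordingly")
```

A "recheck" result means the event carried remove-all-values, so the policy decision has to be made from the user's current nrfMemberOf values rather than from the event.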