Problem
A Forum reader recently asked:
"I have two rules which read the value of a single-valued attribute, check to see if a group exists with the name of the value that was read, and create the group if necessary.
I need to do the same thing with multi-valued attributes. For example, I would read attribute "MultiValuedAttribute" which contains 3 values, "One", "Two" and "Three". Then I check to see if groups exist named "One", "Two" or "Three", and I create the groups if necessary."
And here's the response from IDM expert Father Ramon ...
Solution
This is how I would do it with a single rule rather than two:
<rule>
  <description>Create MultiValuedAttribute groups that don't exist</description>
  <conditions>
    <and>
      <if-op-attr name="MultiValuedAttribute" op="available"/>
    </and>
  </conditions>
  <actions>
    <!-- Loop over every value of MultiValuedAttribute in the current operation -->
    <do-for-each>
      <arg-node-set>
        <token-op-attr name="MultiValuedAttribute"/>
      </arg-node-set>
      <arg-actions>
        <!-- DN of the wanted group: the group-container global variable followed by the current value -->
        <do-set-local-variable name="desiredGroup" scope="policy">
          <arg-string>
            <token-global-variable name="group-container"/>
            <token-local-variable name="current-node"/>
          </arg-string>
        </do-set-local-variable>
        <!-- Read Object Class of that DN from the destination; the node set is empty if the object does not exist -->
        <do-set-local-variable name="desiredGroupObjectClass" scope="policy">
          <arg-node-set>
            <token-dest-attr name="Object Class">
              <arg-dn>
                <token-local-variable name="desiredGroup"/>
              </arg-dn>
            </token-dest-attr>
          </arg-node-set>
        </do-set-local-variable>
        <!-- Conditional idiom: the node set holds the current node only when no Object Class value is 'Group', so the add runs at most once per value -->
        <do-for-each>
          <arg-node-set>
            <token-xpath expression="$current-node[not($desiredGroupObjectClass = 'Group')]"/>
          </arg-node-set>
          <arg-actions>
            <do-add-dest-object class-name="Group">
              <arg-dn>
                <token-local-variable name="desiredGroup"/>
              </arg-dn>
            </do-add-dest-object>
          </arg-actions>
        </do-for-each>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
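The control flow of the rule above, modelled in Python as an added example (not part of the original article or of Father Ramon's policy). It shows why the inner loop runs zero or one times, and what happens when a value names a DN that is already held by a non-group object. The directory contents, the value of group-container and the outcome labels are assumptions constructed for the illustration.

```python
# Added illustration: a Python model of the rule's control flow, not DirXML-Script.
GROUP_CONTAINER = "data\\groups\\"  # assumed group-container value; the rule adds no separator
CREATED = "created"
REJECTED = "add rejected: DN already in use"


def dest_object_classes(directory, dn):
    """Model of token-dest-attr "Object Class": empty node set if dn does not exist."""
    return directory.get(dn, [])


def filter_current_node(current_node, class_values):
    """Model of $current-node[not($desiredGroupObjectClass = 'Group')].

    XPath '=' against a node set is true when ANY node matches, so the
    current node survives only if no Object Class value is 'Group'.
    """
    is_group = any(value == "Group" for value in class_values)
    return [] if is_group else [current_node]


def apply_rule(directory, attribute_values):
    """Run the rule over the values; return (dn, outcome) for each add attempted."""
    attempts = []
    for current_node in attribute_values:  # outer do-for-each
        desired_group = GROUP_CONTAINER + current_node  # arg-string concatenation
        classes = dest_object_classes(directory, desired_group)
        for _ in filter_current_node(current_node, classes):  # inner loop: 0 or 1 pass
            if desired_group in directory:
                # The DN exists but is not a Group, so the add cannot succeed.
                attempts.append((desired_group, REJECTED))
            else:
                # Simplification: the model applies the add immediately.
                directory[desired_group] = ["Group", "Top"]
                attempts.append((desired_group, CREATED))
    return attempts


def demo():
    # Constructed destination contents: DN -> Object Class values.
    directory = {
        "data\\groups\\One": ["Group", "Top"],
        "data\\groups\\Two": ["User", "Top"],  # name collision with a non-group
    }
    return apply_rule(directory, ["One", "Two", "Three"]), directory


if __name__ == "__main__":
    for dn, outcome in demo()[0]:
        print(dn, "->", outcome)
```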