
Vetoing Group-Modifies for Users without DirXML Associations

Novell Cool Solutions: Tip
By Perry Nuffer


Posted: 19 Jul 2006
 

Problem

A Forum reader asked the following question:

"I need to veto group-modifies for users who don't yet have a DirXML association. This stems from creating users in eDirectory with a template that contains group memberships. I need to get the users added and associated before I get them into the groups.

I am running IDM 3 with Lotus Notes as the connected system. How can I get this logic into Policy Builder?"

And here's a tip from Novell's Perry Nuffer ...

Solution

Try this sample in the Output Transformation Policy set. On Group modify events, it strips any Members values being added that do not have an association-ref attribute.

<rule>
  <description>Fix Unassociated Group Members 2</description>
  <conditions>
    <and>
      <if-class-name op="equal">Group</if-class-name>
      <if-xpath op="true">modify-attr[@attr-name="Members"]/add-value/value[not(@association-ref)]</if-xpath>
    </and>
  </conditions>
  <actions>
    <do-for-each>
      <arg-node-set>
        <token-text xml:space="preserve">modify-attr[@attr-name="Members"]/add-value/value[not(@association-ref)]</token-text>
      </arg-node-set>
      <arg-actions>
        <do-strip-xpath expression='modify-attr[@attr-name="Members"]/add-value/value[not(@association-ref)]'/>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
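
To check offline which member values the rule would remove, the following added example (not part of the original tip and not Novell code) applies the same selection in Python to a constructed XDS modify event. The DNs, association values and the function name strip_unassociated_members are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed XDS modify event; DNs and association values are made up.
SAMPLE_XDS = r"""
<nds dtdversion="3.5">
  <input>
    <modify class-name="Group" src-dn="\TREE\org\groups\Sales">
      <association>CN=Sales/O=Org</association>
      <modify-attr attr-name="Members">
        <add-value>
          <value association-ref="CN=Alice Adams/O=Org" type="dn">\TREE\org\users\aadams</value>
          <value type="dn">\TREE\org\users\bnew</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>
</nds>
""".strip()


def strip_unassociated_members(xds_text, attr_name="Members"):
    """Mimic the rule: drop added member values lacking association-ref.

    Returns (resulting XML, list of stripped DNs). Hypothetical helper.
    """
    root = ET.fromstring(xds_text)
    stripped = []
    for op in root.iter("modify"):
        if op.get("class-name") != "Group":      # if-class-name equal Group
            continue
        for mod_attr in op.findall("modify-attr"):
            if mod_attr.get("attr-name") != attr_name:
                continue
            for add_value in mod_attr.findall("add-value"):
                for value in list(add_value.findall("value")):
                    # not(@association-ref): the attribute is absent entirely
                    if value.get("association-ref") is None:
                        stripped.append(value.text)
                        add_value.remove(value)
    return ET.tostring(root, encoding="unicode"), stripped


if __name__ == "__main__":
    result, removed = strip_unassociated_members(SAMPLE_XDS)
    print("stripped:", removed)
    print(result)
```

As with the rule, only the value elements are removed, so an add-value whose members are all unassociated is left in place and empty.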

