Vetoing Group-Modifies for Users without DirXML Associations
Novell Cool Solutions: Tip
By Perry Nuffer
Posted: 19 Jul 2006
A Forum reader asked the following question:
"I need to veto group-modifies for users who don't yet have a DirXML association. This stems from creating users in eDirectory with a template that contains group memberships. I need to get the users added and associated before I get them into the groups.
I am running IDM 3 with Lotus Notes as the connected system. How can I get this logic into Policy Builder?"
And here's a tip from Novell's Perry Nuffer ...
Try this sample in the Output Transformation Policy set. It simply strips Group Members that do not have association-ref attributes.
<rule>
  <description>Fix Unassociated Group Members 2</description>
  <!-- Fire only for Group modifies that add at least one Members value with no association-ref -->
  <conditions>
    <and>
      <if-class-name op="equal">Group</if-class-name>
      <if-xpath op="true">modify-attr[@attr-name="Members"]/add-value/value[not(@association-ref)]</if-xpath>
    </and>
  </conditions>
  <actions>
    <do-for-each>
      <arg-node-set>
        <token-text xml:space="preserve">modify-attr[@attr-name="Members"]/add-value/value[not(@association-ref)]</token-text>
      </arg-node-set>
      <arg-actions>
        <!-- Strip the added Members values that carry no association-ref -->
        <do-strip-xpath expression='modify-attr[@attr-name="Members"]/add-value/value[not(@association-ref)]'/>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
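The following is an added example, not part of the original tip: a Python check that applies the same selection as the rule's XPath (added `Members` values with no `association-ref` on a Group modify) to a constructed XDS document, so you can see which members would be withheld from the connected system. The sample document, the DNs and the function name `strip_unassociated_members` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed XDS modify event (sample data, not from the original tip).
SAMPLE_XDS = """\
<input>
  <modify class-name="Group" src-dn="CN=Sales,OU=groups,O=org">
    <association>GROUP-ASSOC-1</association>
    <modify-attr attr-name="Members">
      <add-value>
        <value association-ref="USER-ASSOC-1">CN=alice,OU=users,O=org</value>
        <value>CN=newhire,OU=users,O=org</value>
      </add-value>
    </modify-attr>
    <modify-attr attr-name="Description">
      <add-value><value>Sales team</value></add-value>
    </modify-attr>
  </modify>
</input>
"""


def strip_unassociated_members(xds_text, attr_name="Members"):
    """Return (filtered XML, stripped values) for Group modify events.

    Mirrors modify-attr[@attr-name="Members"]/add-value/value[not(@association-ref)]:
    only added member values lacking an association-ref attribute are removed.
    """
    root = ET.fromstring(xds_text)
    stripped = []
    for modify in root.iter("modify"):
        if modify.get("class-name") != "Group":
            continue  # the rule's if-class-name condition
        path = f"modify-attr[@attr-name='{attr_name}']/add-value"
        for add_value in modify.findall(path):
            # Copy the list first: we remove children while walking them.
            for value in list(add_value.findall("value")):
                if value.get("association-ref") is None:
                    stripped.append((value.text or "").strip())
                    add_value.remove(value)
    return ET.tostring(root, encoding="unicode"), stripped


if __name__ == "__main__":
    filtered, removed = strip_unassociated_members(SAMPLE_XDS)
    print("Stripped members:", removed)
    print(filtered)
```

As in the rule, only `value` elements are removed, so an `add-value` whose members were all unassociated is left in place but empty.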