NetIQ Documentation: Identity Manager 3.6 DTD Reference

Remarks

The target Identity is specified by either <arg-dn> or <arg-association> if specified or by the current object otherwise. If specified by <arg-dn>, the DN must in LDAP format. The request is made to the RBPM enabled User Application server specified by url using credentials specified by id and <arg-password>. Additional optional arguments to the Role assignment request may be specified by the following named <arg-string>s.

Name	Description
description	A description of the reason for the request used for auditing and (if necessary) approval purposes. Default: Request generated by policy.
effective-time	The time (in CTIME format) the role assignment should become effective. Default: now

Name

Description

description

A description of the reason for the request used for auditing and (if necessary) approval purposes.

Default: Request generated by policy.

effective-time

The time (in CTIME format) the role assignment should become effective.

Default: now

If any type of error occurs while requestion the role assignment, the error string is available to the enclosing policy in the local variable named error.do-remove-role. Otherwise that local variable is not available.

Example

<do-remove-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv"
     role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,
     cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell">
   <arg-password>
      <token-named-password name="role-admin"/>
   </arg-password>
   <arg-string name="description">
      <token-text>Requested by policy because isContractor attribute set 
       to false</token-text>
   </arg-string>
</do-remove-role>

Allowed Content

Element	Description
arg-password	Password argument.
arg-dn	DN argument.
arg-association	Association argument.
arg-string	String argument.

Attributes

Attribute	Possible Values	Default Value
disabled	true \| false True if this element is disabled.	false
id	CDATA The LDAP format DN of a user authorized to make the request. Supports variable expansion.	#REQUIRED
notrace	true \| false True if this element should not be traced during execution of the policy.	false
role-id	CDATA The LDAP format DN of the Role to assign. Supports variable expansion.	#REQUIRED
url	CDATA The URL of the User Application server hosting the Roles Based Provisioning Module. Supports variable expansion.	#REQUIRED

Content Rule

( arg-password, (arg-dn | arg-association ) ? , arg-string * )

Parent Elements

Element	Description
actions	Actions that are performed by a <rule>.
arg-actions	Association argument.