Skip to main content

NetIQ IDM - Strip unwanted group member values from current operation


This code example shows how to remove unwanted group members from current operation based on some business logic.


Optimization group members add to avoid  "ALREADY_EXIST_VALUE" kind of errors. when IDM engine fails to do so.

Here I am doing look up in AD for members, and for each added member from IDM if user is already member of AD group, i am just striping out current member value from the current operaiton.


<do-set-local-variable name="group-dn" scope="policy"> <arg-string> <token-src-dn /> </arg-string> </do-set-local-variable> <do-set-local-variable name="group-members" scope="policy"> <arg-node-set> <token-dest-attr class-name="Group" name="Member" /> </arg-node-set> </do-set-local-variable> <do-trace-message> <arg-string> <token-text xml:space="preserve">NUMBER OF MEMBERS GROUP =&gt; </token-text> <token-xpath expression="count($group-members)" /> </arg-string> </do-trace-message> <do-for-each> <arg-node-set> <token-op-attr name="Member" /> </arg-node-set> <arg-actions> <do-set-local-variable name="current-member" scope="policy"> <arg-string> <token-local-variable name="current-node" /> </arg-string> </do-set-local-variable> <do-trace-message> <arg-string> <token-text xml:space="preserve">CURRENT MEMBER =&gt; </token-text> <token-local-variable name="current-node" /> </arg-string> </do-trace-message> <do-if> <arg-conditions> <and> <if-local-variable mode="src-dn" name="group-members" op="equal">$current-member$</if-local-variable> </and> </arg-conditions> <arg-actions> <do-strip-xpath expression="modify-attr[@attr-name=&quot;Member&quot;]/add-value/value[text()=$current-node]" /> </arg-actions> <arg-actions /> </do-if> </arg-actions> </do-for-each> <do-strip-xpath expression="modify-attr[@attr-name='Member']/add-value/value[not(text())]" />

Comments

Post a Comment

Popular posts from this blog

NetIQ IDM - Adding operation-data to subscriber command transformaiton custom commands

Recently i had to execute EOL cmdlets using psexecute though new NetIQ azure ad driver, since this operation is fire and forget in nature, i would like to track whole request and response for my own generated commands from subscriber command transofrmaiton policy, so i solved it by following policy: < do-set-dest-attr-value direct = "true" name = "psexecute" > < arg-association > < token-resolve datastore = "src" > < arg-dn > < token-text xml:space = "preserve" > {userref} </ token-text > </ arg-dn > </ token-resolve > </ arg-association > < arg-value type = "string" > < token-local-variable name = "cmdlet" /> </ arg-value > </ do-set-dest-attr-value > < do-append-xml-element expression = "../modify[@direct]" na
2 comments
Read more

NetIQ IDM - JDBC driver - SQL calls from driver (Publisher channel) using XSLT

Recently I was working on a task where we had to call some SQL statements from publisher channel on a JDBC driver to different tables than the ones driver was configured to sync. The official documentation suggest to achieve this using jdbc-statement but it only schedules them on the subscriber channel, best suited for calling some SQL for stored procedure. The way I solved it was using XSLT and enabling Subscriber channel. On the publisher  Command Transformation Channel , I have following XSLT: < xsl:stylesheet xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:jdbc = "urn:dirxml:jdbc" xmlns:query = "http://www.novell.com/nxsl/java/com.novell.nds.dirxml.driver.XdsQueryProcessor" version = "1.0" > < xsl:param name = "srcQueryProcessor" /> < xsl:param name = "destQueryProcessor" /> < xsl:template match = "node()|@*" > < xsl:copy > &
Post a Comment
Read more