Skip to main content

NetIQ IDM - Strip unwanted group member values from current operation


This code example shows how to remove unwanted group members from current operation based on some business logic.


Optimization group members add to avoid  "ALREADY_EXIST_VALUE" kind of errors. when IDM engine fails to do so.

Here I am doing look up in AD for members, and for each added member from IDM if user is already member of AD group, i am just striping out current member value from the current operaiton.


<do-set-local-variable name="group-dn" scope="policy"> <arg-string> <token-src-dn /> </arg-string> </do-set-local-variable> <do-set-local-variable name="group-members" scope="policy"> <arg-node-set> <token-dest-attr class-name="Group" name="Member" /> </arg-node-set> </do-set-local-variable> <do-trace-message> <arg-string> <token-text xml:space="preserve">NUMBER OF MEMBERS GROUP =&gt; </token-text> <token-xpath expression="count($group-members)" /> </arg-string> </do-trace-message> <do-for-each> <arg-node-set> <token-op-attr name="Member" /> </arg-node-set> <arg-actions> <do-set-local-variable name="current-member" scope="policy"> <arg-string> <token-local-variable name="current-node" /> </arg-string> </do-set-local-variable> <do-trace-message> <arg-string> <token-text xml:space="preserve">CURRENT MEMBER =&gt; </token-text> <token-local-variable name="current-node" /> </arg-string> </do-trace-message> <do-if> <arg-conditions> <and> <if-local-variable mode="src-dn" name="group-members" op="equal">$current-member$</if-local-variable> </and> </arg-conditions> <arg-actions> <do-strip-xpath expression="modify-attr[@attr-name=&quot;Member&quot;]/add-value/value[text()=$current-node]" /> </arg-actions> <arg-actions /> </do-if> </arg-actions> </do-for-each> <do-strip-xpath expression="modify-attr[@attr-name='Member']/add-value/value[not(text())]" />

Comments

Popular posts from this blog

Experience writing a Java based DirXML Driver

Based on the customer project, I wrote a DirXML driver which provision users through Novell Identity Manager 3.5.1 to their company intranet portal ( A Plone System). The portal exposed the RESTful API interfaces. So I started looking first at the Novell SOAP driver to see if it fit our needs. But while reading the driver documentation i felt it required too much XSLT knowledge + more customization and testing on the driver. And again it used the Apache HttpClient, Which is more a HttpClient rather then it targets to any specific protocol implementation. So If you could build SOAP messages at your own so it would help you in transporting these message back and forth between IDM and Application. The Novell SOAP driver comes up with two built in configurations "SPML and DSML", but in my case none of them were suitable. I had always wished to write my own DirXML driver at my own, so I thought why not just take this opportunity to fulfill my wish and at the same time get s...

NetIQ IDM - JDBC statemens using policy builder

Few examples of using JDBC statements using dirxml policies On the Output policy: Handling matching policies with operation-data support: < rule > < description > [DB] Convert Query to DDL doc </ description > < comment name = "author" xml:space = "preserve" > Maqsood Ali Bhatti </ comment > < comment name = "version" xml:space = "preserve" > 5 </ comment > < comment name = "lastchanged" xml:space = "preserve" > Dec 20, 2017 </ comment > < conditions > < and > < if-operation mode = "case" op = "equal" > query </ if-operation > </ and > </ conditions > < actions > < do-append-xml-element expression = ".." name = "jdbc:statement" /> < do-append-xml-element expression = "../jdbc:statement[las...

NetIQ IDM - How to read String type data from Query nodeset done from command transformation

Suppose  query nodeset: <do-set-local-variable name="local.sub.etp.q.User" scope="policy"> <arg-node-set> <token-query class-name="User" scope="entry"> <arg-match-attr name="CN"> <arg-value type="string"> <token-src-attr class-name="User" name="CN"/> </arg-value> </arg-match-attr> </token-query> </arg-node-set> </do-set-local-variable> Output: <nds dtdversion="3.0"> <source> <product build="20180222_0635" version="1.0.0.2">Identity Manager REST Driver</product> <contact>NetIQ Corporation.</contact> </source> <output> <status event-id="0" level="success" type="driver-general"> <operation-data prop.pub.itp.matac...