Creating New Multi-Valued Groups in IDM

By: coolguys_netiq

January 31, 2007 3:20 am

Problem

A Forum reader recently asked:

“I have two rules which read the value of a single-valued attribute, check to see if a group exists with the name of the value that was read, and create the group if necessary.

I need to do the same thing with multi-valued attributes. For example, I would read attribute “MultiValuedAttribute” which contains 3 values, “One” “Two” and “Three”. Then I check to see if groups exist named “One”, “Two” or “Three”, and I create the groups if necessary.”

And here’s the response from IDM expert Father Ramon …

Solution

This is how I would do it with a single rule rather than two:

  <rule>
   <description>Create MultiValuedAttribute groups that don't exist</description>
   <conditions>
    <and>
     <if-op-attr name="MultiValuedAttribute" op="available"/>
    </and>
   </conditions>
   <actions>
    <do-for-each>
     <arg-node-set>
      <token-op-attr name="MultiValuedAttribute"/>
     </arg-node-set>
     <arg-actions>
      <do-set-local-variable name="desiredGroup" scope="policy">
       <arg-string>
        <token-global-variable name="group-container"/>
        <token-local-variable name="current-node"/>
       </arg-string>
      </do-set-local-variable>
      <do-set-local-variable name="desiredGroupObjectClass" scope="policy">
       <arg-node-set>
        <token-dest-attr name="Object Class">
         <arg-dn>
          <token-local-variable name="desiredGroup"/>
         </arg-dn>
        </token-dest-attr>
       </arg-node-set>
      </do-set-local-variable>
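      <!-- Conditional via for-each: the XPath returns current-node only when the
           Object Class read from desiredGroup is not 'Group', so the add below
           runs at most once per value and is skipped when the group exists -->
      <do-for-each>
       <arg-node-set>
        <token-xpath expression="$current-node[not($desiredGroupObjectClass = 'Group')]"/>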
       </arg-node-set>
       <arg-actions>
        <do-add-dest-object class-name="Group">
         <arg-dn>
          <token-local-variable name="desiredGroup"/>
         </arg-dn>
        </do-add-dest-object>
       </arg-actions>
      </do-for-each>
     </arg-actions>
    </do-for-each>
   </actions>
  </rule>
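
The rule above builds the group DN directly from each attribute value, so every value present in the attribute becomes a group name. The following variant is an added example (not Father Ramon's or NetIQ's code) that checks each value against a naming pattern before creating anything and uses do-if in place of the XPath-filtered inner loop. The variable name groupName, the pattern and the trace text are assumptions, and it assumes an engine version that supports do-if.

```xml
<rule>
 <description>Create validated MultiValuedAttribute groups that don't exist</description>
 <conditions><and><if-op-attr name="MultiValuedAttribute" op="available"/></and></conditions>
 <actions>
  <do-for-each>
   <arg-node-set><token-op-attr name="MultiValuedAttribute"/></arg-node-set>
   <arg-actions>
    <!-- groupName (hypothetical name) holds the current value as a string -->
    <do-set-local-variable name="groupName" scope="policy">
     <arg-string><token-local-variable name="current-node"/></arg-string>
    </do-set-local-variable>
    <do-if>
     <arg-conditions><and>
      <!-- Assumed naming rule; the regex has to match the whole value -->
      <if-local-variable mode="regex" name="groupName" op="match">[A-Za-z0-9_-]{1,64}</if-local-variable>
     </and></arg-conditions>
     <arg-actions>
      <do-set-local-variable name="desiredGroup" scope="policy">
       <arg-string><token-global-variable name="group-container"/><token-local-variable name="groupName"/></arg-string>
      </do-set-local-variable>
      <do-set-local-variable name="desiredGroupObjectClass" scope="policy">
       <arg-node-set>
        <token-dest-attr name="Object Class">
         <arg-dn><token-local-variable name="desiredGroup"/></arg-dn>
        </token-dest-attr>
       </arg-node-set>
      </do-set-local-variable>
      <!-- Same existence test as the original XPath predicate, written as a condition -->
      <do-if>
       <arg-conditions><and>
        <if-xpath op="not-true">$desiredGroupObjectClass = 'Group'</if-xpath>
       </and></arg-conditions>
       <arg-actions>
        <do-add-dest-object class-name="Group">
         <arg-dn><token-local-variable name="desiredGroup"/></arg-dn>
        </do-add-dest-object>
       </arg-actions>
      </do-if>
     </arg-actions>
     <arg-actions>
      <!-- Else branch: record the rejected value in the trace, create nothing -->
      <do-trace-message level="0">
       <arg-string><token-text>Skipped invalid group name: </token-text><token-local-variable name="groupName"/></arg-string>
      </do-trace-message>
     </arg-actions>
    </do-if>
   </arg-actions>
  </do-for-each>
 </actions>
</rule>
```

Adjust the pattern to your own group naming standard before use; values that fail it appear only in the driver trace.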

Categories: Identity Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.