IDM 3.5 Work Order Driver Example: Inactivating and Deleting Users



By: fpatterson

May 9, 2007 7:37 am


This IDM 3.5 Work Order Driver example moves a user to an inactive container when the user is disabled, and deletes that same user x days later. The example also provides a template for an administrator to build a functional WorkOrder driver.

Please read the online documentation for the WorkOrder Driver before going through this example:
http://www.novell.com/documentation/idm35drivers/index.html

Policies

Subscriber Creation Policy

Leave the default policy in place.

Subscriber Placement Policy

Leave the default policy in place. Note that the placement is to the WorkOrder Driver object, not to a WorkOrder container.

Subscriber Command Transformation Policy

Conditions: Apply logic to look for user objects being set to disabled. Additional logic may be needed to test the source DN of the object, so that the policy is limited to users in a given container or subtree.

<conditions>
  <and>
    <if-class-name op="equal">User</if-class-name>
    <if-op-attr name="Login Disabled" op="changing-to">True</if-op-attr>
  </and>
</conditions>

Actions: Move the user to the inactive container and create the WorkOrder object.

<do-move-src-object>
  <arg-dn>
    <token-text xml:space="preserve">Meta\employees\inactive</token-text>
  </arg-dn>
</do-move-src-object>

The following local variable builds the context of the moved object, so that the WorkOrder object has a reference to know what object to delete:

<do-set-local-variable name="order-dest-dn">
  <arg-string>
    <token-text xml:space="preserve">\fpatterson1-tree\Meta\Employees\inactive\</token-text>
    <token-src-name/>
  </arg-string>
</do-set-local-variable>

The following local variable builds the work order object’s name. The key to remember is that the Driver object’s name is used to build the context, so you need to specify the driver object’s name, which is case-sensitive. Then specify additional items to help keep the name unique.

<do-set-local-variable name="wo-dest-dn" scope="policy">
  <arg-string>
    <token-text xml:space="preserve">\WorkOrder</token-text>
    <token-text xml:space="preserve">\Scheduled Delete - </token-text>
    <token-attr name="CN"/>
    <token-text xml:space="preserve"> - </token-text>
    <token-xpath expression="jformat:format(jformat:new('MM/dd/yyyy'),jdate:new())"/>
  </arg-string>
</do-set-local-variable>

The action creates the DirXML-WorkOrder object.

<do-add-dest-object class-name="DirXML-WorkOrder" when="after">
  <arg-dn>
    <token-local-variable name="wo-dest-dn"/>
  </arg-dn>
</do-add-dest-object>

The DirXML-nwoContent attribute contains the location of the object to be deleted.

<do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoContent" when="after">
  <arg-dn>
    <token-local-variable name="wo-dest-dn"/>
  </arg-dn>
  <arg-value type="string">
    <token-local-variable name="order-dest-dn"/>
  </arg-value>
</do-add-dest-attr-value>

The DueDate attribute determines when the deletion of the user is triggered. This example deletes the user after 60 seconds. After testing this, you will want to increase the number of seconds to push out the deletion as needed. A value of 7776000 seconds is the same as 90 days.

<do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-DueDate" when="after">
  <arg-dn>
    <token-local-variable name="wo-dest-dn"/>
  </arg-dn>
  <arg-value type="string">
    <token-xpath expression="round(jdate:getTime(jdate:new()) div 1000)+60"/>
  </arg-value>
</do-add-dest-attr-value>

When the Work Order Object is completed, it will change this value to the state of “configured”.

<do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoStatus" when="after">
  <arg-dn>
    <token-local-variable name="wo-dest-dn"/>
  </arg-dn>
  <arg-value type="string">
    <token-text xml:space="preserve">pending</token-text>
  </arg-value>
</do-add-dest-attr-value>

This is the amount of time to wait until the Work Order object is deleted:

<do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoDeleteDueDate" when="after">
  <arg-dn>
    <token-local-variable name="wo-dest-dn"/>
  </arg-dn>
  <arg-value type="string">
    <token-xpath expression="round(jdate:getTime(jdate:new()) div 1000)+1200"/>
  </arg-value>
</do-add-dest-attr-value>

The following attribute enables the events to be processed on the publisher channel at the time of the due date, if the nwoDoItNowFlag is set to false or is not available.

<do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoSendToPublisher" when="after">
  <arg-dn>
    <token-local-variable name="wo-dest-dn"/>
  </arg-dn>
  <arg-value type="string">
    <token-text xml:space="preserve">TRUE</token-text>
  </arg-value>
</do-add-dest-attr-value>

The following attribute helps force the event through, even though the due date has not been reached:

<do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoDoItNowFlag" when="after">
  <arg-dn>
    <token-local-variable name="wo-dest-dn"/>
  </arg-dn>
  <arg-value type="string">
    <token-text xml:space="preserve">FALSE</token-text>
  </arg-value>
</do-add-dest-attr-value>
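
The XPath expressions above only evaluate if the jformat and jdate prefixes are bound on the enclosing policy element. The following added example (not part of the original article) shows that wrapper together with a subtree-scoped condition and the actions that depend on those prefixes. The Meta\employees\active container and the rule description are assumptions; the DueDate offset is the 90-day value mentioned above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Each prefix used in token-xpath is bound to a Java class:
     http://www.novell.com/nxsl/java/ followed by the fully qualified class name. -->
<policy xmlns:jdate="http://www.novell.com/nxsl/java/java.util.Date"
        xmlns:jformat="http://www.novell.com/nxsl/java/java.text.SimpleDateFormat">
  <rule>
    <description>Schedule deletion of a disabled user (hypothetical name)</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-op-attr name="Login Disabled" op="changing-to">True</if-op-attr>
        <!-- Assumed container: keeps the rule away from admin and service
             accounts that live outside the employee subtree -->
        <if-src-dn op="in-subtree">Meta\employees\active</if-src-dn>
      </and>
    </conditions>
    <actions>
      <!-- The article's do-move-src-object and order-dest-dn actions go here unchanged -->
      <do-set-local-variable name="wo-dest-dn" scope="policy">
        <arg-string>
          <token-text xml:space="preserve">\WorkOrder</token-text>
          <token-text xml:space="preserve">\Scheduled Delete - </token-text>
          <token-attr name="CN"/>
          <token-text xml:space="preserve"> - </token-text>
          <!-- Needs the jformat and jdate bindings declared on <policy> -->
          <token-xpath expression="jformat:format(jformat:new('MM/dd/yyyy'),jdate:new())"/>
        </arg-string>
      </do-set-local-variable>
      <do-add-dest-object class-name="DirXML-WorkOrder" when="after">
        <arg-dn><token-local-variable name="wo-dest-dn"/></arg-dn>
      </do-add-dest-object>
      <!-- Due in 90 days: current time in seconds plus 7776000 -->
      <do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-DueDate" when="after">
        <arg-dn><token-local-variable name="wo-dest-dn"/></arg-dn>
        <arg-value type="string">
          <token-xpath expression="round(jdate:getTime(jdate:new()) div 1000)+7776000"/>
        </arg-value>
      </do-add-dest-attr-value>
      <!-- The remaining DirXML-nwo* attribute actions from the article follow unchanged -->
    </actions>
  </rule>
</policy>
```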

Publisher Placement Policy

Rule 1: Leave this default rule in place.

<conditions>
  <and>
    <if-class-name op="equal">DirXML-WorkOrder</if-class-name>
    <if-src-dn op="in-subtree" xml:space="preserve">\WorkOrder\</if-src-dn>
    <if-src-dn op="not-equal" xml:space="preserve">\WorkOrder\</if-src-dn>
  </and>
</conditions>
<actions>
  <do-set-op-dest-dn>
    <arg-dn>
      <token-text xml:space="preserve">meta\services\IDM\WorkOrder</token-text>
      <token-text xml:space="preserve">\</token-text>
      <token-src-name/>
    </arg-dn>
  </do-set-op-dest-dn>
  <do-break/>
</actions>

Rule 2: This rule looks for the WorkToDo that is generated from the WorkOrder driver when the due date is reached. This is a default rule. I recommend that it be disabled, as the logic in this example does not require the creation of the object.

<conditions>
  <and>
    <if-class-name op="equal">DirXML-WorkToDo</if-class-name>
    <if-src-dn op="in-subtree">\WorkOrder\</if-src-dn>
  </and>
</conditions>
<actions>
  <do-set-op-dest-dn>
    <arg-dn>
      <token-text xml:space="preserve">meta\services\IDM\WorkToDo</token-text>
      <token-text xml:space="preserve">\</token-text>
      <token-src-name/>
    </arg-dn>
  </do-set-op-dest-dn>
  <do-break/>
</actions>

Rule 3: This last rule is the one that deletes the scheduled inactive user. Note that the “in subtree” statement is again pointing to the WorkOrder driver object and not to a specific context to find the object. The rule then generates a delete operation for the object that is stored in the DirXML-nwoContent attribute.

<conditions>
  <and>
    <if-class-name op="equal">DirXML-WorkToDo</if-class-name>
    <if-src-dn op="in-subtree">\WorkOrder</if-src-dn>
  </and>
</conditions>
<actions>
  <do-delete-dest-object direct="true">
    <arg-dn>
      <token-op-attr name="DirXML-nwoContent"/>
    </arg-dn>
  </do-delete-dest-object>
  <do-veto/>
</actions>

Filter: Don’t forget to modify your filter to include the User class and the CN and “Login Disabled” attributes.

<filter-class class-name="User" publisher="ignore" publisher-create-homedir="true" publisher-track-template-member="false" subscriber="sync">
  <filter-attr attr-name="CN" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="notify"/>
  <filter-attr attr-name="Login Disabled" merge-authority="default" publisher="ignore" publisher-optimize-modify="true" subscriber="notify"/>
</filter-class>

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

2 Comments

  1. By:arbask

    I get this error when I try to test this driver:

    Message: Code(-9131) Error in vnd.nds.stream://IDV-TREE/myco/services/idm/myco-Driverset/WorkOrder/Subscriber/Command+Transformation+Policy#XmlData:27 : Error evaluating XPATH expression ‘token-xpath(“jformat:format(jformat:new(‘MM/dd/yyyy’),jdate:new())”)’ : com.novell.xml.xpath.XPathEvaluationException: function ‘jformat:new’ not found.

    Solution: In the policy, the XML namespace must be declared correctly for jformat and jdate.

  2. By:arbask

    I had to modify the rule which adds the destination attribute value DirXML-nwoContent. It was pointing to the context. After changing it to the DN of the deleting object, it worked.

    Thanks for sharing. It helped me understand the WorkOrder Driver.
