Provision and Deprovision Users with the WorkOrder Driver – Part 2



By: joakim_ganse

June 11, 2010 6:04 pm

This entry is part 2 of 2 in the series Provision and Deprovision Users with the WorkOrder Driver

In this Cool Solution series we will see how we can set up the workorder driver together with a loopback driver to activate and deactivate user accounts based on the starting date and end date of the user account.

In part 1 we went through the basic add event of a new user. In part 2 we will start with giving the new user a password and moving the user to the active users container.

We will then see how the deprovisioning workorder will work.

There are some good cool solutions written about the WorkOrder driver:

To set the new user up we will give the user a password, rename the user, move the user to the active users container and mail the information to the manager.

This will all go into the Subscriber Event Transform of the loopback driver.

	<rule>
		<description>Move new accounts</description>
		<conditions>
			<and>
				<if-src-dn op="in-container">Idv\Inactive\Newusers</if-src-dn>
				<if-class-name mode="nocase" op="equal">User</if-class-name>
				<if-operation mode="case" op="equal">modify</if-operation>
				<if-attr mode="nocase" name="Login Disabled" op="equal">False</if-attr>
			</and>
		</conditions>
		<actions>
			<do-set-local-variable name="name" scope="policy">
				<arg-string>
					<token-unique-name counter-digits="2" counter-pattern="first" counter-use="fallback" name="CN" on-unavailable="error" scope="subtree">
						<arg-string>
							<token-lower-case>
								<token-substring length="3">
									<token-attr name="Given Name"/>
								</token-substring>
								<token-substring length="3">
									<token-attr name="Surname"/>
								</token-substring>
							</token-lower-case>
						</arg-string>
					</token-unique-name>
				</arg-string>
			</do-set-local-variable>
			<do-rename-src-object>
				<arg-string>
					<token-local-variable name="name"/>
				</arg-string>
			</do-rename-src-object>
			<do-move-src-object>
				<arg-dn>
					<token-text xml:space="preserve">Corp\Active\Users</token-text>
				</arg-dn>
			</do-move-src-object>
		</actions>
	</rule>

That was the rename and move.

This is also the reason for doing this in a loopback driver instead of a null driver: the token-unique-name we use in the rename has to query the destination, not the source.
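To make the collision handling of that token-unique-name concrete, here is an added Python model of the naming rule (example code, not from the article or from Identity Manager); it assumes the counter starts at 1 and is zero-padded, and it stands a plain set of existing CNs in for the scope="subtree" query.

```python
# Added example, not part of the original article: a model of the
# token-unique-name in the "Move new accounts" rule.
# Assumed semantics: the base name is lower(substring(Given Name, 3) +
# substring(Surname, 3)); counter-use="fallback" means a counter is appended
# only when the plain name is already taken; counter-digits="2" zero-pads it;
# the counter starts at 1 (assumed IDM default); on-unavailable="error" means
# we fail instead of handing out a duplicate CN.

def base_name(given_name: str, surname: str) -> str:
    """lower(substring(Given Name, 3) + substring(Surname, 3)).
    token-substring simply returns fewer characters for short values."""
    return (given_name[:3] + surname[:3]).lower()


def unique_name(given_name: str, surname: str, existing_cns,
                counter_digits: int = 2) -> str:
    """Return the first CN not already present in existing_cns.

    existing_cns stands in for the scope="subtree" query against the tree;
    eDirectory CN matching is case-insensitive, so compare lowercased values.
    """
    base = base_name(given_name, surname)
    if not base:
        raise ValueError("Given Name and Surname are both empty; no CN possible")
    taken = {cn.lower() for cn in existing_cns}
    if base not in taken:                      # fallback: plain name first
        return base
    for n in range(1, 10 ** counter_digits):   # 01 .. 99 for counter-digits="2"
        candidate = f"{base}{n:0{counter_digits}d}"
        if candidate not in taken:
            return candidate
    # Every counter value is used up: this is the on-unavailable="error" path.
    raise ValueError(f"no unique CN available for {base!r}")


if __name__ == "__main__":
    # Constructed sample of CNs already present under the subtree.
    existing = ["annsve", "annsve01", "PerLin"]
    print(unique_name("Anna", "Svensson", existing))   # annsve02
    print(unique_name("Per", "Lindqvist", existing))   # perlin01
    print(unique_name("Bo", "Li", existing))           # boli
```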

Now on to the password. Setting a new password at the same time as moving an account is a bad idea: the account has to be fully functional before the password is set, so here we sleep before setting the password.

Just a little word of caution: that means the whole driver stops for that moment. In this case I don't create that many accounts per day, so it won't matter.

	<rule>
		<description>Set initial pwd and send credential notification</description>
		<conditions>
			<and>
				<if-src-dn op="in-container">Idv\Inactive\newusers</if-src-dn>
				<if-class-name mode="nocase" op="equal">User</if-class-name>
				<if-operation mode="case" op="equal">modify</if-operation>
				<if-attr mode="nocase" name="Login Disabled" op="equal">False</if-attr>
			</and>
		</conditions>
		<actions>
			<do-set-local-variable name="sleep-result" scope="policy">
				<arg-string>
					<token-xpath expression="java.lang.Thread:sleep(10000)"/>
				</arg-string>
			</do-set-local-variable>
			<do-set-local-variable name="pwd" scope="policy">
				<arg-string>
					<token-generate-password policy-dn="\[root]\Security\Password Policies\new-users"/>
				</arg-string>
			</do-set-local-variable>
			<do-set-src-password>
				<arg-dn>
					<token-text xml:space="preserve">Idv\Active\Users\</token-text>
					<token-local-variable name="name"/>
				</arg-dn>
				<arg-string>
					<token-local-variable name="pwd"/>
				</arg-string>
			</do-set-src-password>
			<do-set-local-variable name="manager-email" scope="policy">
				<arg-string>
					<token-src-attr name="Internet EMail Address">
						<arg-dn>
							<token-attr name="manager"/>
						</arg-dn>
					</token-src-attr>
				</arg-string>
			</do-set-local-variable>
			<do-set-local-variable name="manager-fullname" scope="policy">
				<arg-string>
					<token-src-attr name="Full Name">
						<arg-dn>
							<token-attr name="manager"/>
						</arg-dn>
					</token-src-attr>
				</arg-string>
			</do-set-local-variable>
			<do-send-email-from-template notification-dn="Security\Default Notification Collection" template-dn="Security\Default Notification Collection\NewUserCredentials">
				<arg-string name="to">
					<token-local-variable name="manager-email"/>
				</arg-string>
				<arg-string name="CurrentPassword">
					<token-local-variable name="pwd"/>
				</arg-string>
				<arg-string name="UserFullName">
					<token-attr name="Full Name"/>
				</arg-string>
				<arg-string name="UserLoginID">
					<token-local-variable name="name"/>
				</arg-string>
				<arg-string name="UserManager">
					<token-local-variable name="manager-fullname"/>
				</arg-string>
			</do-send-email-from-template>
		</actions>
	</rule>

To go with this we need a nice email template. I created one called Security\Default Notification Collection\NewUserCredentials that has the variables CurrentPassword, UserFullName, UserLoginID and UserManager.

I forgot to mention the Veto rule in the first part.

We want to veto everything but queries, since we use the loopback driver as a null driver, with the exception of the rename query, which has to go through.

This is the veto that we will add last in the event transform:

	<rule>
		<description>Veto all but query</description>
		<conditions>
			<and>
				<if-operation mode="case" op="not-equal">query</if-operation>
			</and>
		</conditions>
		<actions>
			<do-veto/>
		</actions>
	</rule>

Now we have ourselves a user.

In the next part we will handle the deprovisioning of the user with some more workorders.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

1 Comment

  1. By: mratcliffe

    This is a good series but whatever happened to Part 3 Deprovisioning the user, can’t find it anywhere on cool solutions site.