Scheduling an IDM Rename



By: bstumpp

January 9, 2008 2:11 pm


Problem

One problem that I have had with customers is how to do a rename of a user with Identity Manager. You do not want to just rename the account in the middle of the day, but that is exactly what can happen when the account name is based on the last name and HR is the one that does the update.

WorkOrder from IDM 3.5 was the answer I needed.

IDM 3.5 introduced WorkOrders, which allow you to schedule events to happen at a future time. The code example below intercepts a rename event and creates a WorkOrder that will trigger at midnight, 7 days in the future. It also sends an email message to the end user (using a mail template) saying that the rename will occur, so the user is alerted to the upcoming change.

Then you use the attached WorkOrder driver (RenameWorkOrder.txt) to actually perform the rename. The driver verifies that the rename still needs to be done (does the old account name still exist?). The driver also cleans up after itself: when the WorkToDo objects are deleted, the associated WorkOrder objects are deleted too.

The two attached files are:

1. RenameWorkOrder.txt is actually the RenameWorkOrder driver. Change the extension to .XML and import the driver.
2. GenerateRenameWorker.txt is the code snippet shown below.

Place the code below in your policy to capture the rename event and create the WorkOrder object. This code will create the WorkOrder object with a due date seven days in the future at midnight (change the time zone codes to your local time zone, or it will be midnight US Central Standard Time). The WorkOrder also has a delete date of 14 days in the future (also at midnight).

<rule>
  <description>Generate Rename Work Order</description>
  <comment xml:space="preserve">On a rename event, from the Source of Authority, build a rename workorder, also verify that the rename workorder does not already exist.</comment>
  <conditions>
    <and>
      <if-class-name op="equal">User</if-class-name>
      <if-operation mode="nocase" op="equal">rename</if-operation>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="lv-workorderdn" scope="policy">
      <arg-string>
        <token-text xml:space="preserve">IDV\Services\WorkOrders\WorkOrder-</token-text>
        <token-dest-attr name="workforceID"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lv-check" scope="policy">
      <arg-string>
        <token-dest-attr class-name="DirXML-WorkOrder" name="DirXML-nwoContent">
          <arg-dn>
            <token-local-variable name="lv-workorderdn"/>
          </arg-dn>
        </token-dest-attr>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lv-newname" scope="policy">
      <arg-string>
        <token-xpath expression="./new-name/text()"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lv-status" scope="policy">
      <arg-string>
        <token-dest-attr class-name="DirXML-WorkOrder" name="DirXML-nwoStatus">
          <arg-dn>
            <token-local-variable name="lv-workorderdn"/>
          </arg-dn>
        </token-dest-attr>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lv-oldname" scope="policy">
      <arg-string>
        <token-parse-dn length="1" start="-1">
          <token-xpath expression="@old-src-dn"/>
        </token-parse-dn>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lv-time" scope="policy">
      <arg-string>
        <token-time format="!CTIME" tz="SystemV/CST6CDT"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lv-time" scope="policy">
      <arg-string>
        <token-xpath expression="ceiling($lv-time div 86400) * 86400"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lv-due" scope="policy">
      <arg-string>
        <token-xpath expression="$lv-time+612000"/>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="lv-delete" scope="policy">
      <arg-string>
        <token-xpath expression="$lv-time+1224000"/>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <if-xpath op="true">$lv-check=$lv-newname</if-xpath>
          <if-local-variable mode="nocase" name="lv-status" op="equal">pending</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message level="0">
          <arg-string>
            <token-text xml:space="preserve">Work Order already exists for user rename. See </token-text>
            <token-local-variable name="lv-workorderdn"/>
            <token-text xml:space="preserve"> for more details.</token-text>
          </arg-string>
        </do-trace-message>
        <do-veto/>
      </arg-actions>
      <arg-actions/>
    </do-if>
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable mode="regex" name="lv-status" op="equal">.+</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message level="0">
          <arg-string>
            <token-text xml:space="preserve">Old Work Order already exists for user rename. Deleting </token-text>
            <token-local-variable name="lv-workorderdn"/>
            <token-text xml:space="preserve"> prior to creation of new Work Order.</token-text>
          </arg-string>
        </do-trace-message>
        <do-delete-dest-object direct="true">
          <arg-dn>
            <token-local-variable name="lv-workorderdn"/>
          </arg-dn>
        </do-delete-dest-object>
      </arg-actions>
    </do-if>
    <do-add-dest-object class-name="DirXML-WorkOrder" when="after">
      <arg-dn>
        <token-local-variable name="lv-workorderdn"/>
      </arg-dn>
    </do-add-dest-object>
    <do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoContent" when="after">
      <arg-dn>
        <token-local-variable name="lv-workorderdn"/>
      </arg-dn>
      <arg-value>
        <token-local-variable name="lv-newname"/>
      </arg-value>
    </do-add-dest-attr-value>
    <do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-Other1" when="after">
      <arg-dn>
        <token-local-variable name="lv-workorderdn"/>
      </arg-dn>
      <arg-value>
        <token-local-variable name="lv-oldname"/>
      </arg-value>
    </do-add-dest-attr-value>
    <do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-DueDate" when="after">
      <arg-dn>
        <token-local-variable name="lv-workorderdn"/>
      </arg-dn>
      <arg-value type="time">
        <token-local-variable name="lv-due"/>
      </arg-value>
    </do-add-dest-attr-value>
    <do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoDeleteDueDate" when="after">
      <arg-dn>
        <token-local-variable name="lv-workorderdn"/>
      </arg-dn>
      <arg-value type="time">
        <token-local-variable name="lv-delete"/>
      </arg-value>
    </do-add-dest-attr-value>
    <do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoStatus" when="after">
      <arg-dn>
        <token-local-variable name="lv-workorderdn"/>
      </arg-dn>
      <arg-value>
        <token-text xml:space="preserve">pending</token-text>
      </arg-value>
    </do-add-dest-attr-value>
    <do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoSendToPublisher" when="after">
      <arg-dn>
        <token-local-variable name="lv-workorderdn"/>
      </arg-dn>
      <arg-value>
        <token-text xml:space="preserve">false</token-text>
      </arg-value>
    </do-add-dest-attr-value>
    <do-add-dest-attr-value class-name="DirXML-WorkOrder" name="DirXML-nwoDeleteOnError" when="after">
      <arg-dn>
        <token-local-variable name="lv-workorderdn"/>
      </arg-dn>
      <arg-value>
        <token-text xml:space="preserve">true</token-text>
      </arg-value>
    </do-add-dest-attr-value>
    <do-send-email-from-template notification-dn="Security\Default Notification Collection" template-dn="Security\Default Notification Collection\RenameEmail">
      <arg-string name="to">
        <token-dest-attr name="Internet EMail Address"/>
      </arg-string>
      <arg-string name="oldname">
        <token-local-variable name="lv-oldname"/>
      </arg-string>
      <arg-string name="newname">
        <token-local-variable name="lv-newname"/>
      </arg-string>
      <arg-string name="timedue">
        <token-convert-time dest-format="!FULL.DATETIME" dest-tz="UTC" src-format="!CTIME" src-tz="CST6CDT">
          <token-local-variable name="lv-due"/>
        </token-convert-time>
      </arg-string>
    </do-send-email-from-template>
    <do-veto/>
  </actions>
</rule>
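Because the due and delete dates are built from plain second offsets on a !CTIME value, it is worth checking where they actually land in your time zone before deploying the policy. The following is an added model of the rule above, written for this article and not part of the driver or the original snippet: it replays the XPath arithmetic (ceiling to the next day, plus 612000 and 1224000 seconds) and the two guards (veto on an existing pending order for the same name, delete any other stale order first). The CST offset is a fixed -6 hours and the event time is constructed.

```python
# Added model of the "Generate Rename Work Order" rule's arithmetic and guards.
# It is not driver code; it lets the due/delete dates and the veto logic be
# checked outside the engine before the policy is deployed.
from datetime import datetime, timedelta, timezone
from math import ceil

DAY = 86400
DUE_OFFSET = 612000      # seconds the policy adds for DirXML-DueDate
DELETE_OFFSET = 1224000  # seconds the policy adds for DirXML-nwoDeleteDueDate
CST = timezone(timedelta(hours=-6), "CST")  # fixed offset; DST is not modelled


def rounded_midnight(ctime: int) -> int:
    """ceiling($lv-time div 86400) * 86400: !CTIME is seconds since the epoch,
    so this rounds up to the next midnight in UTC, whatever tz= says."""
    return ceil(ctime / DAY) * DAY


def workorder_times(ctime: int) -> tuple[int, int]:
    """Return (DirXML-DueDate, DirXML-nwoDeleteDueDate) as the rule computes them."""
    base = rounded_midnight(ctime)
    return base + DUE_OFFSET, base + DELETE_OFFSET


def decide(existing_status: str, existing_content: str, new_name: str) -> str:
    """The rule's two guards, evaluated in order.
    Guard 1: a pending order for the same new name -> veto the rename event.
    Guard 2: any other existing order (status matches .+) -> delete it, then create.
    """
    if existing_content == new_name and existing_status.lower() == "pending":
        return "veto"
    if existing_status:
        return "delete-then-create"
    return "create"


def describe(ctime: int) -> dict:
    """Render the computed dates in UTC and CST for a given event time."""
    due, delete = workorder_times(ctime)
    fmt = lambda t, tz: datetime.fromtimestamp(t, tz).strftime("%Y-%m-%d %H:%M %Z")
    return {"due_utc": fmt(due, timezone.utc), "due_cst": fmt(due, CST),
            "delete_utc": fmt(delete, timezone.utc), "delete_cst": fmt(delete, CST)}


if __name__ == "__main__":
    # Constructed event: a rename processed at 2008-01-09 14:11 CST (20:11 UTC).
    event = int(datetime(2008, 1, 9, 14, 11, tzinfo=CST).timestamp())
    for key, value in describe(event).items():
        print(key, value)
    print(decide("pending", "jsmith", "jsmith"))  # veto
    print(decide("error", "jsmith", "jdoe"))      # delete-then-create
```

Running it shows that the rounding step produces midnight UTC and that the offsets are 7 days plus 2 hours and 14 days plus 4 hours, so compare the printed CST times against the midnight you expect and adjust the expressions accordingly.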


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

1 Comment

  1. By: Gracal

    A very nice example of how to deal with an action with a timed component in IDM.
