6.10 Making Distinguished Name References Portable

When you use a DN in an expression in a provisioning request definition, the expression might fail if you deploy the provisioning request definition to an Identity Vault with a different structure. You typically specify DNs in:

  • Overview panel: Trustee specification.

  • User activity: Addressee and escalation addressee.

  • Entity activity: Entitlement reference and entity DN.

  • Many other expressions, for example, IDVault.get(dn, class, attribute).

Some expressions, such as recipient, are portable. The following expressions, which are used by default in the User activity, are also portable:


To ensure that your DN expressions are portable across Identity Vaults, you can use one of the following variables:

  • ROOT_CONTAINER: For example, ou=idm-prov,o=novell

  • PROVISIONING_DRIVER: For example, cn=UserApplication,cn=TestDrivers,o=novell

  • USER_CONTAINER: For example, ou=users,ou=idm-prov,o=novell

  • GROUP_CONTAINER: For example, ou=groups,ou=idm-prov,o=novell

These variables are defined during installation of the user application and are resolved at runtime by the ECMAScript engine. You can find them in the ECMA Expression Builder under the process node. Suppose you wanted to reference an entitlement at the following DN:


You could use the following expression to make the DN portable to any Identity Vault:

'cn=MyEntitlement,' + PROVISIONING_DRIVER

You can use this technique for users and groups also.

NOTE: Trustees are not expressions, so you cannot use this technique with Trustees.
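The following added example (not code from Designer or the user application) shows one way to find hard-coded DNs in expressions and rewrite them with the variables above before deploying to another Identity Vault. The helper names, the sample DNs and the 'user' and 'FirstName' arguments are constructed for illustration, and it assumes no RDN value contains an escaped comma.

```javascript
// Added example: not Designer or User Application code.
// Names and sample values are the ones listed in this section; real values
// are set when the user application is installed.
const VAULT_VARS = {
  ROOT_CONTAINER: 'ou=idm-prov,o=novell',
  PROVISIONING_DRIVER: 'cn=UserApplication,cn=TestDrivers,o=novell',
  USER_CONTAINER: 'ou=users,ou=idm-prov,o=novell',
  GROUP_CONTAINER: 'ou=groups,ou=idm-prov,o=novell',
};

// DN comparison ignores case and spaces around separators.
// Assumption: no RDN value contains an escaped comma.
function normalizeDn(dn) {
  return dn.split(',')
    .map(rdn => rdn.trim().replace(/\s*=\s*/, '=').toLowerCase())
    .join(',');
}

// Returns a portable expression for a hard-coded DN, or null if the DN
// does not sit under any of the known containers.
function toPortable(dn, quote = "'") {
  const rdns = dn.split(',').map(r => r.trim());
  // Longest suffix first: USER_CONTAINER itself ends with ROOT_CONTAINER.
  const candidates = Object.entries(VAULT_VARS)
    .map(([name, value]) => ({ name, parts: normalizeDn(value).split(',') }))
    .sort((a, b) => b.parts.length - a.parts.length);
  for (const { name, parts } of candidates) {
    if (rdns.length < parts.length) continue;
    const cut = rdns.length - parts.length;
    if (normalizeDn(rdns.slice(cut).join(',')) !== parts.join(',')) continue;
    const head = rdns.slice(0, cut).join(',');
    return head ? `${quote}${head},${quote} + ${name}` : name;
  }
  return null;
}

// Rewrites DN-looking string literals inside an expression; other literals
// and DNs outside the known containers are left untouched for manual review.
function rewriteExpression(expr) {
  return expr.replace(/(['"])((?:(?!\1)[^\\])*)\1/g, (lit, quote, body) =>
    /^[a-z]+\s*=/i.test(body) ? (toPortable(body, quote) || lit) : lit);
}

// Constructed sample input.
console.log(rewriteExpression(
  "IDVault.get('cn=jdoe,ou=users,ou=idm-prov,o=novell', 'user', 'FirstName')"));
```

Literals that come back unchanged but still look like DNs point at objects outside the four containers and need a manual decision before the definition is deployed elsewhere.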