Remove Role

Initiates a request to the Roles Based Provisioning Module (RBPM) to revoke the specified role (in the Role DN field) from the specified user (in the Authorized User DN field). This field is only available if the Identity Manager server version is set to 3.6 or later. If a policy containing this action encounters an error, Designer generates the error as the local variable error.do-remove-role. For more information about local error variables, see Local Variable Selector.

Fields

Role DN

Specify the name of the role to revoke, in LDAP format. Supports variable expansion. For more information, see Variable Selector.

User Application URL

Specify the URL of the User Application server hosting the Roles Based Provisioning module. Supports variable expansion. For more information, see Variable Selector.

Authorized User DN

Specify the name of the user authorized to request the role assignment, in LDAP format. Supports variable expansion. For more information, see Variable Selector.

Timeout Value

Specify the number of milliseconds you want Identity Manager to try to establish a connection to the User Application server before timing out. The default value is 0.

Password

Specify the authorized user password. You can enter a clear text password (not recommended) or use the Argument Builder to specify a Named Password.

Object

Select the target object type. This object can be the current object, or can be specified by a DN or an association.

DN or Association

Select the DN or association as the target object.

Strings

(Optional) Specify additional argument strings for the Role assignment request. You can enter the strings manually, or select the Edit the Strings icon Edit the Strings to open the Named String Builder and specify the strings. For more information about the Named String Builder, see Named String Builder.

The Remove Role action supports the following string arguments:

String Name

Description

role-assignment-type

The type of the role assignment. You can choose from the following options:

  • USER_TO_ROLE

  • GROUP_TO_ROLE

  • CONTAINER_TO_ROLE

  • ROLE_TO_ROLE

Default: USER_TO_ROLE.

description

A description of the reason for the request used for auditing and (if necessary) approval purposes.

Default: Request generated by the policy.

effective-time

The time (in CTIME format) the role assignment should become effective.

Default: now

CorrelationID

An identifier to correlate the role revocation process.

Default: Operation event Correlation ID

If no value is specified for the argument, it uses the default value.

NOTE:This string argument is not available in the Policy Builder user interface of this version.

Example

Add source attribute value