3. Content Rule
( arg-password , arg-string * )
The <do-create-resource> action sends a request to the Roles Based Provisioning Module (RBPM) to create the Resource specified by resource-name. If entitlement-dn is specified, the resource is created with that entitlement; otherwise it is created without an entitlement. The entitlement-dn must be in LDAP format. If static is set to true, a static resource is created with the value provided in entitlement-value. If static is set to false, a dynamic resource is created and entitlement-value is not needed. The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and <arg-password>. Additional optional arguments to the Resource creation request may be specified by named <arg-string> elements.
Name Description
description
A description of the Resource.
Default: Request generated by policy.
display-name
Display Name of the Resource.
Default: Resource Name.
entitlement-dn
The entitlement in LDAP format.
static
A boolean value of true if this is a static resource, otherwise false.
Default: true
entitlement-value
The value of the entitlement in JSON format.
Needed only if this is a static resource.
category-key
The Resource Category from one of system, default or both.
owner
The owner of the Resource in LDAP format.
Multiple owners are allowed.
May contain a semicolon (;) separated list of owners.
grant-approver
Resource assignment approver in LDAP format.
Multiple approvers are allowed.
May contain a semicolon (;) separated list of approvers, which forms a serial approval process.
grant-quorum
Grant Quorum is the minimum % of approvals required.
revoke-approver
Resource revocation approver in LDAP format. Leave this field empty if it is the same as the Grant approval.
Multiple approvers are allowed.
May contain a semicolon (;) separated list of approvers, which forms a serial approval process.
revoke-quorum
Revoke Quorum is the minimum % of approvals required for the revoke to happen.
allow-override
A boolean value of true if role approval overrides resource approval.
Default: false
multi-valued
A boolean value of true if this resource can have multiple entitlement values, otherwise false.
Default: false
prd-dn
DN of the Provisioning Request Definition in LDAP format.
There will be one of these two local variables available to the enclosing policy
depending on the success or failure of this request.
<do-create-resource id="CN=UAAdmin,OU=Sa,O=Data" url="http://localhost:8080/IDMProv" resource-name="Printer" time-out="30000">
  <!-- the password is taken from the named password "resource-admin", not written into the policy -->
  <arg-password>
    <token-named-password name="resource-admin"/>
  </arg-password>
  <arg-string name="description">
    <token-text>Requested by policy</token-text>
  </arg-string>
  <arg-string name="static">
    <token-text>true</token-text>
  </arg-string>
  <arg-string name="category-key">
    <token-text>system;default</token-text>
  </arg-string>
  <arg-string name="entitlement-dn">
    <token-text>cn=Group,cn=ldapdriver,cn=driverset1,o=system</token-text>
  </arg-string>
  <arg-string name="entitlement-value">
    <token-text>{"ID":"25713f856ecfb24986ebc35bcd581906","ID2":"CN=Administrators,CN=Builtin,DC=idmseup2,DC=org"}</token-text>
  </arg-string>
  <arg-string name="owner">
    <token-text xml:space="preserve">cn=admin,ou=sa,o=System;cn=uaadmin,ou=sa,o=data</token-text>
  </arg-string>
  <arg-string name="grant-approver">
    <token-text xml:space="preserve">cn=manager,ou=Users,o=Data;cn=Director,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="grant-quorum">
    <token-text>50</token-text>
  </arg-string>
  <arg-string name="revoke-approver">
    <token-text xml:space="preserve">cn=manager,ou=Users,o=Data;cn=Director,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="revoke-quorum">
    <token-text>40</token-text>
  </arg-string>
</do-create-resource>
- arg-password: password argument
- arg-string: string argument
Attribute (Value(s); Default Value)
disabled (true | false; false)
true if this element is disabled
id (CDATA; #REQUIRED)
the LDAP format DN of a user authorized to make the request
supports variable expansion
notrace (true | false; false)
resource-name (CDATA; #REQUIRED)
the Name of the Resource to create
supports variable expansion
time-out (CDATA; 0)
the number of milliseconds to wait to establish a connection to the User Application server before timing out.
supports variable expansion
url (CDATA; #REQUIRED)
the URL of the User Application server hosting RBPM
supports variable expansion
( arg-password , arg-string * )
- actions: actions that are performed by a <rule>
- arg-actions: actions argument
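A review-time check for <do-create-resource> actions, built from the attribute list, content rule and named arguments documented above. It is an added example, not product code; the https requirement and the rejection of a literal password are this example's own assumptions, and lint_create_resource and SAMPLE are hypothetical names.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQUIRED_ATTRS = ("id", "url", "resource-name")  # marked #REQUIRED on this page

def lint_create_resource(xml_text):
    """Return a list of findings for one <do-create-resource> element."""
    el = ET.fromstring(xml_text)  # policy files are assumed to be trusted input
    findings = [f"missing required attribute: {a}" for a in REQUIRED_ATTRS if not el.get(a)]
    # Assumption: id and the password are sent to this URL, so cleartext HTTP is flagged.
    if urlparse(el.get("url", "")).scheme != "https":
        findings.append("url is not https")
    children = list(el)  # content rule: ( arg-password , arg-string * )
    if not children or children[0].tag != "arg-password":
        findings.append("arg-password must be the first child")
    elif children[0].find("token-named-password") is None:
        # Assumption: a password written into the policy itself is a finding.
        findings.append("password is not a named password")
    if any(c.tag != "arg-string" for c in children[1:]):
        findings.append("only arg-string may follow arg-password")
    args = {c.get("name"): "".join(c.itertext()).strip()
            for c in children if c.tag == "arg-string"}
    static = args.get("static", "true").lower() == "true"  # page default: true
    if "entitlement-dn" in args and static:
        try:
            json.loads(args["entitlement-value"])
        except KeyError:
            findings.append("static resource needs entitlement-value")
        except ValueError:
            findings.append("entitlement-value is not valid JSON")
    for key in ("grant-quorum", "revoke-quorum"):  # documented as a percentage
        value = args.get(key)
        if value is not None and not (value.isdecimal() and int(value) <= 100):
            findings.append(f"{key} is not a percentage between 0 and 100")
    return findings

# Constructed sample, trimmed from the example on this page.
SAMPLE = """<do-create-resource id="CN=UAAdmin,OU=Sa,O=Data"
    url="http://localhost:8080/IDMProv" resource-name="Printer">
  <arg-password><token-named-password name="resource-admin"/></arg-password>
  <arg-string name="entitlement-dn"><token-text>cn=Group,cn=ldapdriver,cn=driverset1,o=system</token-text></arg-string>
  <arg-string name="entitlement-value"><token-text>{"ID":"25713f856ecfb24986ebc35bcd581906"}</token-text></arg-string>
  <arg-string name="grant-quorum"><token-text>50</token-text></arg-string>
</do-create-resource>"""

if __name__ == "__main__":
    for finding in lint_create_resource(SAMPLE):
        print(finding)
```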