do-create-resource

The <do-create-resource> action initiates a request to the Roles Based Provisioning Module (RBPM) to create the Resource named by resource-name. If entitlement-dn is specified, the resource is created with that entitlement; otherwise it is created without one. The entitlement-dn must be in LDAP format. If static is true, a static resource is created with the value supplied in entitlement-value; if static is false, a dynamic resource is created and entitlement-value is not needed. The request is sent to the RBPM-enabled User Application server specified by url, using the credentials specified by id and <arg-password>. Because the password in <arg-password> is sent to that server, url should be an https URL outside of local test setups. Additional optional arguments to the resource creation request may be specified by named <arg-string>s.

Name Description

description

A description of the Resource.
Default: Request generated by policy.

display-name

Display Name of the Resource.
Default: Resource Name.

entitlement-dn

The entitlement in LDAP format.

static

A boolean value of true if this is a static resource, otherwise false.
Default: true

entitlement-value

The value of the entitlement in JSON format.
Needed only if this is a static resource.

category-key

The Resource Category: system, default, or both (given as a semicolon (;) separated list, e.g. system;default).

owner

The owner of the Resource in LDAP format.
Multiple owners are allowed, as a semicolon (;) separated list of owners.

grant-approver

Resource assignment approver in LDAP format.
Multiple approvers are allowed, as a semicolon (;) separated list; the list forms a serial approval process.

grant-quorum

Grant quorum: the minimum percentage of approvals required for the grant.

revoke-approver

Resource revocation approver in LDAP format. Leave this empty if it is the same as the grant approver.
Multiple approvers are allowed, as a semicolon (;) separated list; the list forms a serial approval process.

revoke-quorum

Revoke quorum: the minimum percentage of approvals required for the revocation to happen.

allow-override

A boolean value of true if role approval overrides resource approval.
Default: false

multi-valued

A boolean value of true if this resource can have multiple entitlement values, otherwise false.
Default: false

prd-dn

DN of the Provisioning Request Definition in LDAP format.

One of two local variables is made available to the enclosing policy, depending on whether this request succeeds or fails.

Example

<do-create-resource
  id="CN=UAAdmin,OU=Sa,O=Data"
  url="http://localhost:8080/IDMProv"
  resource-name="Printer"
  time-out="30000">
  <!-- credentials: the DN in id, with the password taken from a named password -->
  <arg-password>
    <token-named-password name="resource-admin"/>
  </arg-password>
  <arg-string name="description">
    <token-text>Requested by policy</token-text>
  </arg-string>
  <!-- static resource: entitlement-dn plus a JSON entitlement-value -->
  <arg-string name="static">
    <token-text>true</token-text>
  </arg-string>
  <arg-string name="category-key">
    <token-text>system;default</token-text>
  </arg-string>
  <arg-string name="entitlement-dn">
    <token-text>cn=Group,cn=ldapdriver,cn=driverset1,o=system</token-text>
  </arg-string>
  <arg-string name="entitlement-value">
    <token-text>{"ID":"25713f856ecfb24986ebc35bcd581906","ID2":"CN=Administrators,CN=Builtin,DC=idmseup2,DC=org"}</token-text>
  </arg-string>
  <!-- semicolon-separated DN lists; approver lists form a serial approval process -->
  <arg-string name="owner">
    <token-text xml:space="preserve">cn=admin,ou=sa,o=System;cn=uaadmin,ou=sa,o=data</token-text>
  </arg-string>
  <arg-string name="grant-approver">
    <token-text xml:space="preserve">cn=manager,ou=Users,o=Data;cn=Director,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="grant-quorum">
    <token-text>50</token-text>
  </arg-string>
  <arg-string name="revoke-approver">
    <token-text xml:space="preserve">cn=manager,ou=Users,o=Data;cn=Director,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="revoke-quorum">
    <token-text>40</token-text>
  </arg-string>
</do-create-resource>
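A policy that creates resources carries an administrator DN, a password reference and approver lists, so it is worth linting before it is deployed. The following Python linter is an added example, not part of this DTD reference or of the Identity Manager product: it checks a <do-create-resource> element against what this page states (the content rule ( arg-password , arg-string * ), the #REQUIRED attributes, and the documented formats of the named arguments) and flags a plaintext http:// url because the password is sent there. The DN check is a loose syntactic one, and argument values are read only from <token-text> children; the two sample elements are constructed for the example.

```python
"""Lint a DirXML Script <do-create-resource> element before deployment.

Added example; not part of the DTD reference or the product. Only what the
reference states is checked. Arguments built from tokens other than a single
<token-text> are recorded but not value-checked.
"""
import json
import xml.etree.ElementTree as ET

REQUIRED_ATTRS = ("id", "resource-name", "url")
BOOL_ARGS = ("static", "allow-override", "multi-valued")
DN_LIST_ARGS = ("owner", "grant-approver", "revoke-approver")
QUORUM_ARGS = ("grant-quorum", "revoke-quorum")
CATEGORY_KEYS = {"system", "default"}


def _is_dn(value):
    """Loose LDAP DN check: comma-separated 'attr=value' RDNs, none empty."""
    parts = [r.split("=", 1) for r in value.split(",")]
    return all(len(p) == 2 and p[0].strip() and p[1].strip() for p in parts)


def _text_arg(arg):
    """Literal value of an <arg-string> made of one <token-text>, else None."""
    tokens = list(arg)
    if len(tokens) == 1 and tokens[0].tag == "token-text":
        return tokens[0].text or ""
    return None


def lint_create_resource(xml_text):
    """Return a list of problem strings; an empty list means the element passed."""
    el = ET.fromstring(xml_text)
    if el.tag != "do-create-resource":
        return ["root element is <%s>, expected <do-create-resource>" % el.tag]
    problems = []
    for name in REQUIRED_ATTRS:                      # all three are #REQUIRED
        if not el.get(name):
            problems.append("missing required attribute %s" % name)
    if el.get("id") and not _is_dn(el.get("id")):
        problems.append("id is not an LDAP-format DN: %r" % el.get("id"))
    if el.get("url", "").startswith("http://"):
        # <arg-password> is sent to this server; plaintext HTTP exposes it.
        problems.append("url uses plaintext http://; the password is sent to it")
    if el.get("time-out") and not el.get("time-out").isdigit():
        problems.append("time-out must be a number of milliseconds")

    children = list(el)                              # ( arg-password , arg-string * )
    if not children or children[0].tag != "arg-password":
        problems.append("first child must be <arg-password>")
    for child in children[1:]:
        if child.tag != "arg-string":
            problems.append("unexpected child <%s> after <arg-password>" % child.tag)

    args = {}
    for child in children:
        if child.tag == "arg-string":
            name = child.get("name")
            if not name:
                problems.append("<arg-string> without a name attribute")
            elif name in args:
                problems.append("duplicate <arg-string name=%r>" % name)
            else:
                args[name] = _text_arg(child)

    for name in BOOL_ARGS:
        if args.get(name) not in (None, "true", "false"):
            problems.append("%s must be true or false, got %r" % (name, args[name]))
    static = args.get("static", "true")              # Default: true
    if "entitlement-dn" in args:
        if args["entitlement-dn"] is not None and not _is_dn(args["entitlement-dn"]):
            problems.append("entitlement-dn is not an LDAP-format DN")
        if static == "true" and "entitlement-value" not in args:
            problems.append("static resource with entitlement-dn needs entitlement-value")
    elif "entitlement-value" in args:
        problems.append("entitlement-value given without entitlement-dn")
    if args.get("entitlement-value") is not None:
        try:
            json.loads(args["entitlement-value"])    # documented as JSON
        except ValueError:
            problems.append("entitlement-value is not valid JSON")
    for name in DN_LIST_ARGS:                        # semicolon-separated DN lists
        bad = [d for d in (args.get(name) or "").split(";") if d and not _is_dn(d)]
        if bad:
            problems.append("%s contains non-DN entries: %r" % (name, bad))
    for name in QUORUM_ARGS:                         # minimum % of approvals
        v = args.get(name)
        if v is not None and not (v.isdigit() and int(v) <= 100):
            problems.append("%s must be a percentage 0-100, got %r" % (name, v))
    if args.get("category-key") is not None:
        bad = [c for c in args["category-key"].split(";") if c not in CATEGORY_KEYS]
        if bad:
            problems.append("category-key has unknown values %r" % bad)
    return problems


# Constructed samples: a clean element, and one with a bare id, a plaintext
# URL, <arg-password> out of order, a missing entitlement-value and a bad quorum.
GOOD = """<do-create-resource id="CN=UAAdmin,OU=Sa,O=Data" resource-name="Printer"
    url="https://idm.example.test:8443/IDMProv" time-out="30000">
  <arg-password><token-named-password name="resource-admin"/></arg-password>
  <arg-string name="static"><token-text>true</token-text></arg-string>
  <arg-string name="entitlement-dn"><token-text>cn=Group,cn=ldapdriver,cn=driverset1,o=system</token-text></arg-string>
  <arg-string name="entitlement-value"><token-text>{"ID":"25713f856ecfb24986ebc35bcd581906"}</token-text></arg-string>
  <arg-string name="owner"><token-text>cn=admin,ou=sa,o=System;cn=uaadmin,ou=sa,o=data</token-text></arg-string>
  <arg-string name="grant-quorum"><token-text>50</token-text></arg-string>
</do-create-resource>"""
BAD = """<do-create-resource id="UAAdmin" url="http://localhost:8080/IDMProv" resource-name="Printer">
  <arg-string name="static"><token-text>true</token-text></arg-string>
  <arg-password><token-named-password name="resource-admin"/></arg-password>
  <arg-string name="entitlement-dn"><token-text>cn=Group,cn=ldapdriver,o=system</token-text></arg-string>
  <arg-string name="grant-quorum"><token-text>150</token-text></arg-string>
</do-create-resource>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, lint_create_resource(doc) or "ok")
```

Run it on a policy export and treat any non-empty list as a blocker; the http:// finding is deliberately an error rather than a warning, since the element's whole purpose is to send an administrator credential to url.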

1. Allowed Content

arg-password
password argument
arg-string
string argument

2. Attributes

Attribute, allowed value(s), description, and default value:

disabled
  Value(s): true | false
  true if this element is disabled
  Default: false

id
  Value(s): CDATA
  the LDAP format DN of a user authorized to make the request
  supports variable expansion
  Default: #REQUIRED

notrace
  Value(s): true | false
  Default: false

resource-name
  Value(s): CDATA
  the Name of the Resource to create
  supports variable expansion
  Default: #REQUIRED

time-out
  Value(s): CDATA
  the number of milliseconds to wait to establish a connection to the User Application server before timing out
  supports variable expansion
  Default: 0

url
  Value(s): CDATA
  the URL of the User Application server hosting RBPM
  supports variable expansion
  Default: #REQUIRED

3. Content Rule

( arg-password , arg-string * )

4. Parent Elements

actions
  actions that are performed by a <rule>
arg-actions
  actions argument



DirXMLScript DTD