3. Content Rule
( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
The <do-remove-role> action initiates a request to the Roles Based Provisioning Module (RBPM) to revoke the Role specified by role-id from an Identity. The target Identity is specified by either <arg-dn> or <arg-association> if one is present, or by the current object otherwise. If specified by <arg-dn>, the DN must be in LDAP format. If the target Identity is specified by either <arg-dn> or <arg-association>, then the role-assignment-type must be specified as one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. If the role-assignment-type is not specified, the assignment type defaults to USER_TO_ROLE. The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and <arg-password>. Additional optional arguments to the Role assignment request may be specified by named <arg-string> elements.
| Name | Description |
|---|---|
| role-assignment-type | The role assignment type, one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. Default: USER_TO_ROLE |
| description | A description of the reason for the request used for auditing purposes. Default: Request generated by policy. |
| effective-time | The time (in CTIME format) the role revocation should become effective. Default: now |
There will be one of these two local variables available to the enclosing policy
depending on the success or failure of this request.
<do-remove-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv" role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell" time-out="30000">
    <arg-password>
        <token-named-password name="role-admin"/>
    </arg-password>
    <arg-dn>
        <token-text xml:space="preserve">cn=Contractors,ou=Groups,o=Data</token-text>
    </arg-dn>
    <arg-string name="role-assignment-type">
        <token-text>GROUP_TO_ROLE</token-text>
    </arg-string>
    <arg-string name="description">
        <token-text>Requested by policy because isContractor set to false</token-text>
    </arg-string>
</do-remove-role>
- arg-password: password argument
- arg-dn: DN argument
- arg-association: association argument
- arg-string: string argument
| Attribute | Value(s) | Default Value |
|---|---|---|
| disabled | true \| false. true if this element is disabled | false |
| id | CDATA. The LDAP format DN of a user authorized to make the request. Supports variable expansion | #REQUIRED |
| notrace | true \| false | false |
| role-id | CDATA. The LDAP format DN of the Role to revoke. Supports variable expansion | #REQUIRED |
| time-out | CDATA. The number of milliseconds to wait to establish a connection to the User Application server before timing out. Supports variable expansion | 0 |
| url | CDATA. The URL of the User Application server hosting RBPM. Supports variable expansion | #REQUIRED |
( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
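A lint for policy XML that checks each <do-remove-role> against the content rule, required attributes and role-assignment-type values documented above. It is an added example, not part of the product documentation; the sample policy with its DNs and hostnames is constructed, and the two review checks (literal password text, plain http to a non-loopback host) are assumptions of this example rather than rules from the DTD.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
TYPES = {"USER_TO_ROLE", "GROUP_TO_ROLE", "CONTAINER_TO_ROLE", "ROLE_TO_ROLE"}

def lint_remove_role(action):
    """Return findings for one <do-remove-role> element."""
    out = [f"missing required attribute {a}" for a in ("id", "role-id", "url") if not action.get(a)]
    # Content rule: ( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
    tags = [child.tag for child in action]
    has_target = tags[1:2] in (["arg-dn"], ["arg-association"])
    if tags[:1] != ["arg-password"] or any(t != "arg-string" for t in tags[1 + has_target:]):
        out.append("children violate the content rule")
    # role-assignment-type: one of four values, silently defaulting to USER_TO_ROLE
    kinds = action.findall("arg-string[@name='role-assignment-type']")
    if has_target and not kinds:
        out.append("explicit target without role-assignment-type (defaults to USER_TO_ROLE)")
    for arg in kinds:
        literal = arg.findall("token-text")
        value = "".join(t.text or "" for t in literal).strip()
        if len(literal) == len(arg) and value not in TYPES:  # skip computed values
            out.append(f"unknown role-assignment-type {value!r}")
    # Review points added by this example, not rules from the DTD:
    if action.find("arg-password/token-text") is not None:
        out.append("password is literal text in the policy")
    url = urlsplit(action.get("url", ""))
    if url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1", "::1"):
        out.append("plain http url: id and password cross the network unencrypted")
    return out

def lint_policy(xml_text):  # maps each action's role-id to its findings
    return {a.get("role-id", "?"): lint_remove_role(a)
            for a in ET.fromstring(xml_text).iter("do-remove-role")}

# Constructed sample: the first action is well formed, the second is not.
SAMPLE = """<actions>
<do-remove-role id="cn=Admin,o=Ex" url="https://ua.example.com/IDMProv" role-id="cn=A,o=Ex">
  <arg-password><token-named-password name="role-admin"/></arg-password>
  <arg-dn><token-text>cn=Staff,o=Ex</token-text></arg-dn>
  <arg-string name="role-assignment-type"><token-text>GROUP_TO_ROLE</token-text></arg-string>
</do-remove-role>
<do-remove-role id="cn=Admin,o=Ex" url="http://ua.example.com/IDMProv" role-id="cn=B,o=Ex">
  <arg-password><token-text>constructed-secret</token-text></arg-password>
  <arg-string name="role-assignment-type"><token-text>GROUP</token-text></arg-string>
  <arg-dn><token-text>cn=Staff,o=Ex</token-text></arg-dn>
</do-remove-role>
</actions>"""

if __name__ == "__main__":
    print(lint_policy(SAMPLE))
```

The role-assignment-type check only inspects literal <token-text> values; a value built from other tokens is left for runtime.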
- actions: actions that are performed by a <rule>
- arg-actions: actions argument