do-add-role

The <do-add-role> action initiates a request to the Roles Based Provisioning Module (RBPM) to assign the Role specified by role-id to an Identity. The target Identity is specified by <arg-dn> or <arg-association> if one of them is present, and by the current object otherwise. If specified by <arg-dn>, the DN must be in LDAP format. If the target Identity is specified by <arg-dn> or <arg-association>, the role-assignment-type must be one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE; if it is not specified, the assignment type defaults to USER_TO_ROLE. The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and <arg-password>. Additional optional arguments to the Role assignment request may be specified by named <arg-string>s.

Name
  Description

role-assignment-type
  The role assignment type, one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE.
  Default: USER_TO_ROLE

description
  A description of the reason for the request, used for auditing and (if necessary) approval purposes.
  Default: Request generated by policy.

effective-time
  The time (in CTIME format) at which the role assignment should become effective.
  Default: now

expiration-time
  The time (in CTIME format) at which the role assignment will automatically expire.
  expiration-time is only supported for the role-assignment-type USER_TO_ROLE.
  Default: never

sod-justification
  A justification for requesting an exception for any Separation of Duty (SOD) violations this assignment would trigger.
  Default: No exception is requested, and the request fails if it would cause an SOD violation.

:CorrelationID
  An identifier used to correlate the role assignment request with related events.
  Default: The correlation id of the operation event is used if no value is specified.

originator
  Specifies the originator of the request.

There will be one of these two local variables available to the enclosing policy depending on the success or failure of this request.

Example

<do-add-role
    id="cn=RoleAdmin,o=People"
    url="http://localhost:8080/IDMProv"
    role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell"
    time-out="30000">
  <arg-password>
    <token-named-password name="role-admin"/>
  </arg-password>
  <arg-dn>
    <token-text xml:space="preserve">cn=Victor,ou=Users,o=Data</token-text>
  </arg-dn>
  <arg-string name="role-assignment-type">
    <token-text>USER_TO_ROLE</token-text>
  </arg-string>
  <arg-string name="description">
    <token-text>Requested by policy because isContractor attribute set to true</token-text>
  </arg-string>
  <arg-string name="effective-time">
    <token-src-attr name="Hire Date"/>
  </arg-string>
  <arg-string name="expiration-time">
    <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="6" offset-unit="month" src-format="!CTIME" src-tz="UTC">
      <token-src-attr name="Hire Date"/>
    </token-convert-time>
  </arg-string>
</do-add-role>

1. Allowed Content

arg-password
password argument
arg-dn
DN argument
arg-association
association argument
arg-string
string argument

2. Attributes

Attribute
  Value(s)
  Description
  Default Value

disabled
  true | false
  true if this element is disabled
  Default: false

id
  CDATA
  the LDAP format DN of a user authorized to make the request
  supports variable expansion
  #REQUIRED (no default)

notrace
  true | false
  Default: false

role-id
  CDATA
  the LDAP format DN of the Role to assign
  supports variable expansion
  #REQUIRED (no default)

time-out
  CDATA
  the number of milliseconds to wait to establish a connection to the User Application server before timing out
  supports variable expansion
  Default: 0

url
  CDATA
  the URL of the User Application server hosting RBPM; the id and <arg-password> credentials are sent to this server, so it should be an https URL
  supports variable expansion
  #REQUIRED (no default)

3. Content Rule

( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
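The content rule above, the #REQUIRED attributes and the named-argument table can be checked mechanically before a policy is deployed. The following linter is an added example and is not NetIQ code or part of the DirXML Script tooling; SAMPLE_POLICY is a constructed policy document (the first action mirrors the example on this page, the second deliberately breaks several rules), and the function names, severities and the two practitioner warnings (plain http url, literal password instead of <token-named-password>) are this example's own choices. The structural checks encode only what this page states: the child order, the allowed role-assignment-type values, and the restriction of expiration-time to USER_TO_ROLE.

```python
"""Added example (not NetIQ code): lint <do-add-role> actions in a DirXML Script policy."""
import xml.etree.ElementTree as ET

ASSIGNMENT_TYPES = {"USER_TO_ROLE", "GROUP_TO_ROLE", "CONTAINER_TO_ROLE", "ROLE_TO_ROLE"}
REQUIRED_ATTRS = ("id", "role-id", "url")
TARGET_ARGS = ("arg-dn", "arg-association")


def literal(arg):
    """Literal value of an argument built from a single <token-text>; None if it is computed at run time."""
    tokens = list(arg)
    if len(tokens) == 1 and tokens[0].tag == "token-text":
        return (tokens[0].text or "").strip()
    return None


def check_do_add_role(elem):
    """Return (severity, message) findings for one <do-add-role> element, in document order."""
    findings = []
    for attr in REQUIRED_ATTRS:
        if not elem.get(attr):
            findings.append(("error", f"missing #REQUIRED attribute {attr!r}"))
    if elem.get("url", "").lower().startswith("http://"):
        findings.append(("warn", "url is plain http: id and password are sent unencrypted to the User Application"))

    # Content rule: ( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
    children = list(elem)
    if children and children[0].tag == "arg-password":
        if children[0].find("token-named-password") is None:
            findings.append(("warn", "<arg-password> is not a <token-named-password>: do not embed literal credentials in policy"))
        rest = children[1:]
    else:
        findings.append(("error", "first child must be <arg-password>"))
        rest = children
    if rest and rest[0].tag in TARGET_ARGS:
        rest = rest[1:]

    strings = {}
    for child in rest:
        if child.tag != "arg-string":
            findings.append(("error", f"unexpected child <{child.tag}>: only <arg-string> may follow the target argument"))
            continue
        name = child.get("name")
        if not name:
            findings.append(("error", "<arg-string> without a name attribute"))
            continue
        strings[name] = literal(child)

    # Named arguments from the table on this page; a None value means it is computed (e.g. token-src-attr).
    rtype = strings.get("role-assignment-type", "USER_TO_ROLE")
    if rtype is not None and rtype not in ASSIGNMENT_TYPES:
        findings.append(("error", f"role-assignment-type {rtype!r} is not one of {sorted(ASSIGNMENT_TYPES)}"))
    if "expiration-time" in strings and rtype is not None and rtype != "USER_TO_ROLE":
        findings.append(("error", "expiration-time is only supported for role-assignment-type USER_TO_ROLE"))
    if "sod-justification" not in strings:
        findings.append(("note", "no sod-justification: the request fails if it would cause an SOD violation"))
    return findings


def lint_policy(xml_text):
    """Findings for every <do-add-role> in a policy document, one list per action in document order."""
    root = ET.fromstring(xml_text)
    return [check_do_add_role(e) for e in root.iter("do-add-role")]


# Constructed sample: the first action follows this page's example, the second breaks several rules.
SAMPLE_POLICY = """<policy>
  <rule>
    <description>contractor gets the Contractor role until the contract ends</description>
    <conditions><and><if-src-attr name="isContractor" op="equal">true</if-src-attr></and></conditions>
    <actions>
      <do-add-role id="cn=RoleAdmin,o=People" url="https://idm.example.test:8443/IDMProv"
          role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell"
          time-out="30000">
        <arg-password><token-named-password name="role-admin"/></arg-password>
        <arg-dn><token-text xml:space="preserve">cn=Victor,ou=Users,o=Data</token-text></arg-dn>
        <arg-string name="role-assignment-type"><token-text>USER_TO_ROLE</token-text></arg-string>
        <arg-string name="sod-justification"><token-text>Contractor role approved by HR</token-text></arg-string>
        <arg-string name="expiration-time"><token-src-attr name="Contract End"/></arg-string>
      </do-add-role>
    </actions>
  </rule>
  <rule>
    <description>literal password, plain http, expiry on a group assignment, misplaced arg-dn</description>
    <conditions><and><if-class-name op="equal">Group</if-class-name></and></conditions>
    <actions>
      <do-add-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv"
          role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell">
        <arg-password><token-text>Passw0rd</token-text></arg-password>
        <arg-association><token-association/></arg-association>
        <arg-string name="role-assignment-type"><token-text>GROUP_TO_ROLE</token-text></arg-string>
        <arg-string name="expiration-time"><token-text>20260101000000Z</token-text></arg-string>
        <arg-dn><token-text>cn=late,o=Data</token-text></arg-dn>
      </do-add-role>
    </actions>
  </rule>
</policy>"""

if __name__ == "__main__":
    for i, findings in enumerate(lint_policy(SAMPLE_POLICY)):
        for severity, message in findings:
            print(f"do-add-role #{i} {severity}: {message}")
```

Run against SAMPLE_POLICY, the first action produces no findings and the second produces two warnings (plain http, literal password), two errors (<arg-dn> after the <arg-string>s, expiration-time with GROUP_TO_ROLE) and a note about the missing sod-justification. Values built from tokens other than a single <token-text> are treated as unknown rather than guessed, so a computed role-assignment-type is never flagged as invalid.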

4. Parent Elements

actions
  actions that are performed by a <rule>
arg-actions
  actions argument



DirXMLScript DTD