3. Content Rule
( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
The <do-add-role> action initiates a request to the Roles Based Provisioning Module (RBPM) to assign the Role specified by role-id to an Identity. The target Identity is specified by either <arg-dn> or <arg-association> if specified or by the current object otherwise. If specified by <arg-dn>, the DN must in LDAP format. If the target identity is specified by either <arg-dn> or <arg-association>, then the role-assignment-type must be specifed from one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. If the role-assignment-type is not specified, then the assignment type is defaulted to USER_TO_ROLE. The request is made to the RBPM enabled User Application server specified by url using credentials specified by id and <arg-password>. Additional optional arguments to the Role assignment request may be specified by named <arg-string>'s.
Name Description role-assignment-type
The role assignment type from one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE.
Default: USER_TO_ROLEdescription
A description of the reason for the request used for auditing and (if necessary) approval purposes.
Default: Request generated by policy.effective-time
The time (in CTIME format) the role assignment should become effective.
Default: nowexpiration-time
The time (in CTIME format) the role assignment will automatically expire.
The expiration-time is only supported for the role-assignment-type USER_TO_ROLE
Default: neversod-justification
A justification for requesting an exception for any Separation of Duty (SOD) violations this assignment will trigger.
Default: No exception will be requested and the request will fail if it would cause on SOD violation.:CorrelationID
An identifier used to correlate role assignment. Default: Operation event correlation id is used if no value is specified.
originator
Specify the originator.
There will be one of these two local variables available to the enclosing policy
depending on the success or failure of this request.
<do-add-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv" role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell" time-out="30000"> <arg-password> <token-named-password name="role-admin"/> </arg-password> <arg-dn> <token-text xml:space="preserve">cn=Victor,ou=Users,o=Data</token-text> </arg-dn> <arg-string name="role-assignment-type"> <token-text>USER_TO_ROLE</token-text> </arg-string> <arg-string name="description"> <token-text>Requested by policy because isContractor attribute set to true</token-text> </arg-string> <arg-string name="effective-time"> <token-src-attr name="Hire Date"/> </arg-string> <arg-string name="expiration-time"> <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="6" offset-unit="month" src-format="!CTIME" src-tz="UTC"> <token-src-attr name="Hire Date"/> </token-convert-time> </arg-string> </do-add-role>
- arg-password
- password argument
- arg-dn
- DN argument
- arg-association
- association argument
- arg-string
- string argument
Attribute Value(s) Default Value disabled true | false
true if this element is disabledfalse id CDATA
the LDAP format DN of a user authorized to make the request
supports variable expansion#REQUIRED notrace true | false
false role-id CDATA
the LDAP format DN of the Role to assign
supports variable expansion#REQUIRED time-out CDATA
the number of milliseconds to wait to establish a connection to the User Application server before timing out.
supports variable expansion0 url CDATA
the URL of the User Application server hosting RBPM
supports variable expansion#REQUIRED
( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
- actions
- actions that are performed by a <rule>
- arg-actions
- actions argument
Top Elements || All Elements || Tree