do-create-resource

The <do-create-resource> action initiates a request to the Roles Based Provisioning Module (RBPM) to create the Resource specified by resource-name. If entitlement-dn is specified, the resource is created with an entitlement; otherwise it is created without one. The entitlement-dn must be in LDAP format. If static is set to true, a static resource is created with the value provided in entitlement-value. If static is set to false, a dynamic resource is created and entitlement-value is not needed. The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and <arg-password>. Additional optional arguments to the Resource creation request may be specified by named <arg-string> elements.

Name Description

description

A description of the Resource.
Default: Request generated by policy.

display-name

Display Name of the Resource.
Default: Resource Name.

entitlement-dn

The entitlement in LDAP format.

static

A boolean value of true if this is a static resource, otherwise false.
Default: true

entitlement-value

The value of the entitlement in JSON format.
Needed only if this is a static resource.

category-key

The Resource Category from one of system, default or both.

owner

The owner of the Resource in LDAP format.
Multiple owners are allowed.
May contain a semicolon (;) separated list of owners.

grant-approver

Resource assignment approver in LDAP format.
Multiple approvers are allowed.
May contain a semicolon (;) separated list of approvers, which forms a serial approval process.

grant-quorum

Grant Quorum is the minimum % of approvals required.

revoke-approver

Resource revocation approver in LDAP format. Leave this field empty if it is the same as the Grant approver.
Multiple approvers are allowed.
May contain a semicolon (;) separated list of approvers, which forms a serial approval process.

revoke-quorum

Revoke Quorum is the minimum % of approvals required for the revoke to happen.

allow-override

A boolean value of true if role approval overrides resource approval.
Default: false

multi-valued

A boolean value of true if this resource can have multiple entitlement values, otherwise false.
Default: false

prd-dn

DN of the Provisioning Request Definition in LDAP format.

sub-container

LDAP DN of the sub-container in which the resource needs to be created. This is available only when using the REST API.

locale

Locale used in Resource name

There will be one of these two local variables available to the enclosing policy depending on the success or failure of this request.

Example

<do-create-resource 
	id="CN=UAAdmin,OU=Sa,O=Data"
	url="http://localhost:8080/IDMProv"
	resource-name="Printer"
	time-out="30000">
  <arg-password>
    <token-named-password name="resource-admin"/>
  </arg-password>
  <arg-string name="description">
    <token-text>Requested by policy</token-text>
  </arg-string>
  <arg-string name="static">
    <token-text>true</token-text>
  </arg-string>
  <arg-string name="category-key">
    <token-text>system;default</token-text>
  </arg-string>
  <arg-string name="entitlement-dn">
    <token-text>cn=Group,cn=ldapdriver,cn=driverset1,o=system</token-text>
  </arg-string>
  <arg-string name="entitlement-value">
    <token-text>{"ID":"25713f856ecfb24986ebc35bcd581906","ID2":"CN=Administrators,CN=Builtin,DC=idmseup2,DC=org"}</token-text>
  </arg-string>
  <arg-string name="owner">
    <token-text xml:space="preserve">cn=admin,ou=sa,o=System;cn=uaadmin,ou=sa,o=data</token-text>
  </arg-string>
  <arg-string name="grant-approver">
    <token-text xml:space="preserve">cn=manager,ou=Users,o=Data;cn=Director,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="grant-quorum">
    <token-text>50</token-text>
  </arg-string>
  <arg-string name="revoke-approver">
    <token-text xml:space="preserve">cn=manager,ou=Users,o=Data;cn=Director,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="revoke-quorum">
    <token-text>40</token-text>
  </arg-string>
  <arg-string name="locale">
    <token-text>en</token-text>
  </arg-string>
</do-create-resource>

1. Allowed Content

arg-password
  password argument
arg-string
  string argument

2. Attributes

disabled

Value(s): true | false
true if this element is disabled
Default: false

id

Value(s): CDATA
the LDAP format DN of a user authorized to make the request
supports variable expansion
Default: #REQUIRED

notrace

Value(s): true | false
Default: false

osp-clientid

Value(s): CDATA
the client id to authenticate to osp. Applicable only when use-rest is true.
supports variable expansion

resource-name

Value(s): CDATA
the Name of the Resource to create
supports variable expansion
Default: #REQUIRED

time-out

Value(s): CDATA
the number of milliseconds to wait to establish a connection to the User Application server before timing out.
supports variable expansion
Default: 0

url

Value(s): CDATA
the URL of the User Application server hosting RBPM
supports variable expansion
Default: #REQUIRED

use-rest

Value(s): true | false
A boolean value of true if the REST API has to be used, otherwise false.
Default: false

3. Content Rule

( arg-password , arg-string * )
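
The content rule, required attributes and argument constraints documented on this page can be checked before a policy is deployed. The following is an added example, not part of the DirXML Script documentation or product: the function name, the finding messages and the sample element are constructed here, and the plain-http and token-named-password checks are review choices rather than DTD requirements.

```python
import json
import xml.etree.ElementTree as ET

REQUIRED = ("id", "resource-name", "url")            # marked #REQUIRED on this page
KNOWN_ARGS = {"description", "display-name", "entitlement-dn", "static",
              "entitlement-value", "category-key", "owner", "grant-approver",
              "grant-quorum", "revoke-approver", "revoke-quorum", "allow-override",
              "multi-valued", "prd-dn", "sub-container", "locale"}

def lint_create_resource(xml_text):
    """Return a list of findings for one <do-create-resource> element."""
    el = ET.fromstring(xml_text)
    out = [f"missing required attribute: {a}" for a in REQUIRED if not el.get(a)]
    kids = [c.tag for c in el]
    if kids[:1] != ["arg-password"] or any(t != "arg-string" for t in kids[1:]):
        out.append("content rule violated: expected ( arg-password , arg-string * )")
    pw = el.find("arg-password")
    if pw is not None and pw.find("token-named-password") is None:
        out.append("arg-password does not use token-named-password")
    if el.get("url", "").lower().startswith("http://"):
        out.append("url is plain http: id and password are sent without TLS")
    # Literal text only; arguments built from other tokens come out empty and are skipped.
    args = {a.get("name", ""): "".join(a.itertext()).strip()
            for a in el.findall("arg-string")}
    out += [f"unknown argument: {n}" for n in sorted(set(args) - KNOWN_ARGS)]
    static = args.get("static", "true") == "true"     # page: Default: true
    if "entitlement-dn" in args and static and "entitlement-value" not in args:
        out.append("static resource with entitlement-dn but no entitlement-value")
    if args.get("entitlement-value"):
        try:
            json.loads(args["entitlement-value"])
        except ValueError:
            out.append("entitlement-value is not valid JSON")
    for q in ("grant-quorum", "revoke-quorum"):
        if args.get(q) and not (args[q].isdigit() and 0 <= int(args[q]) <= 100):
            out.append(f"{q} must be a percentage between 0 and 100")
    return out

# Constructed sample with several mistakes (not taken from the page).
SAMPLE = """<do-create-resource id="CN=UAAdmin,OU=Sa,O=Data" url="http://ua.example.com:8080/IDMProv">
  <arg-password><token-text>changeit</token-text></arg-password>
  <arg-string name="entitlement-dn"><token-text>cn=Group,cn=ldapdriver,cn=driverset1,o=system</token-text></arg-string>
  <arg-string name="grant-quorum"><token-text>150</token-text></arg-string>
  <arg-string name="grant-qourum"><token-text>50</token-text></arg-string>
</do-create-resource>"""

if __name__ == "__main__":
    for finding in lint_create_resource(SAMPLE):
        print(finding)
```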

4. Parent Elements

actions
  actions that are performed by a <rule>
arg-actions
  actions argument


DirXMLScript DTD