3. Content Rule
( arg-password , arg-string * )
The <do-create-role> action initiates a request to the Roles Based Provisioning Module (RBPM) to create the Role specified by role-name. The request is sent to the RBPM-enabled User Application server specified by url, authenticating with the credentials specified by id and <arg-password>. Because those credentials travel to that URL, use an https URL for any server that is not on the local host. Additional optional arguments to the Role creation request may be specified by named <arg-string> elements, listed below.
Arguments

Name            Description

role-level
    The role level: one of 10, 20 or 30.
    Default: 10

display-name
    Display Name of the Role.
    Default: the Role name.

description
    A description of the Role.
    Default: "Request generated by policy."

category-key
    The Role Category: system, default, or both. Both are given as the semicolon(;) separated list system;default (as in the example below).

owner
    The owner of the Role in LDAP format.
    Multiple owners are allowed, as a semicolon(;) separated list.

grant-approver
    Role assignment approver in LDAP format.
    Multiple approvers are allowed, as a semicolon(;) separated list; the order of the list forms a serial approval process.

grant-quorum
    Grant Quorum: the minimum percentage of approvals required.

sub-container
    Directory container under the role level where this role will be stored.

resource-association
    Resource association for this role: the resource name, the resource association description and the entitlement value, separated by semicolons(;), in the form
        Resource Name in LDAP format;Resource association description;Entitlement Value
    For a static resource the entitlement value is not needed.
    Multiple resource-association elements can be added to associate multiple resources with this role.

role-association
    Role assignment for this role: the role name, the role assignment description and the role relationship, separated by semicolons(;), in the form
        Role Name in LDAP format;Role assignment description;Relationship
    Relationship is one of child or parent.
    Multiple role-association elements can be added to assign multiple roles to this role.

CorrelationID
    An identifier used to correlate the resource assignment.
    Default: the correlation ID of the operation event is used if no value is specified.

request-def
    Fully qualified DN of the Request definition in LDAP format.

revoke-request-def
    Fully qualified DN of the Revoke Request definition in LDAP format.

locale
    Locale used for the Role name.

Local Variables

One of two local variables will be available to the enclosing policy, depending on the success or failure of this request.
Example

<do-create-role id="CN=UAAdmin,OU=Sa,O=Data" url="http://localhost:8080/IDMProv" role-name="Administrator" time-out="30000">
  <arg-password>
    <token-named-password name="role-admin"/>
  </arg-password>
  <arg-string name="role-level">
    <token-text>30</token-text>
  </arg-string>
  <arg-string name="description">
    <token-text>Requested by policy to create a new Role</token-text>
  </arg-string>
  <arg-string name="category-key">
    <token-text>system;default</token-text>
  </arg-string>
  <arg-string name="owner">
    <token-text xml:space="preserve">cn=Contractors,ou=Groups,o=Data</token-text>
  </arg-string>
  <arg-string name="grant-approver">
    <token-text xml:space="preserve">cn=manager,ou=Users,o=Data;cn=Director,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="grant-quorum">
    <token-text>50</token-text>
  </arg-string>
  <arg-string name="resource-association">
    <token-text xml:space="preserve">cn=Group,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system;Test Description;{"ID":"25713f856ecfb24986ebc35bcd581906","ID2":"CN=Administrators,CN=Builtin,DC=idmseup2,DC=org"}</token-text>
  </arg-string>
  <arg-string name="role-association">
    <token-text xml:space="preserve">cn=Auditor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system;Test Description;child</token-text>
  </arg-string>
  <arg-string name="request-def">
    <token-text xml:space="preserve">cn=requestRole,cn=RequestDefs,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system</token-text>
  </arg-string>
  <arg-string name="revoke-request-def">
    <token-text xml:space="preserve">cn=requestRoleRevoke,cn=RequestDefs,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system</token-text>
  </arg-string>
  <arg-string name="locale">
    <token-text>en</token-text>
  </arg-string>
</do-create-role>

The password is taken from the named password role-admin rather than written into the policy, and the plain http://localhost URL is only appropriate because the User Application is on the same host as the engine; for any other server use https.
Allowed Content

- arg-password: password argument
- arg-string: string argument
Attributes

Attribute    Value(s)       Default Value

disabled     true | false   false
    true if this element is disabled.

id           CDATA          #REQUIRED
    The LDAP format DN of a user authorized to make the request.
    Supports variable expansion.

notrace      true | false   false

role-name    CDATA          #REQUIRED
    The name of the Role to create.
    Supports variable expansion.

time-out     CDATA          0
    The number of milliseconds to wait to establish a connection to the User Application server before timing out.
    Supports variable expansion.

url          CDATA          #REQUIRED
    The URL of the User Application server hosting RBPM.
    Supports variable expansion.
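The argument formats and the attribute constraints described above can be checked before a policy is deployed. The following is an added example, not part of this page or of the NetIQ product: a small Python checker that parses a <do-create-role> element and verifies the content rule (an <arg-password> first, then only <arg-string> elements), the #REQUIRED attributes, the permitted values of role-level, category-key and the role-association relationship, the semicolon-separated DN lists, the JSON entitlement value of a resource-association, and that the password is taken from a named password rather than an inline literal; it also flags a non-https url on anything other than the local host. SAMPLE is constructed here from the example on this page, and the function names are this example's own, not part of DirXML Script.

```python
"""Static checks for a <do-create-role> action (added example, not NetIQ code)."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample fragment, mirroring the example on this page.
SAMPLE = """<do-create-role id="CN=UAAdmin,OU=Sa,O=Data" url="http://localhost:8080/IDMProv" role-name="Administrator" time-out="30000">
  <arg-password><token-named-password name="role-admin"/></arg-password>
  <arg-string name="role-level"><token-text>30</token-text></arg-string>
  <arg-string name="category-key"><token-text>system;default</token-text></arg-string>
  <arg-string name="grant-approver"><token-text xml:space="preserve">cn=manager,ou=Users,o=Data;cn=Director,ou=Users,o=Data</token-text></arg-string>
  <arg-string name="grant-quorum"><token-text>50</token-text></arg-string>
  <arg-string name="resource-association"><token-text xml:space="preserve">cn=Group,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system;Test Description;{"ID":"25713f856ecfb24986ebc35bcd581906","ID2":"CN=Administrators,CN=Builtin,DC=idmseup2,DC=org"}</token-text></arg-string>
  <arg-string name="role-association"><token-text xml:space="preserve">cn=Auditor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system;Test Description;child</token-text></arg-string>
</do-create-role>"""

ALLOWED_CHILDREN = {"arg-password", "arg-string"}   # content rule: ( arg-password , arg-string * )
ROLE_LEVELS = {"10", "20", "30"}
CATEGORIES = {"system", "default"}
RELATIONSHIPS = {"child", "parent"}


def _literal(arg):
    """Value of a lone <token-text>, or None when the value is built at run time."""
    tokens = list(arg)
    if len(tokens) == 1 and tokens[0].tag == "token-text":
        return (tokens[0].text or "").strip()
    return None


def _is_dn(value):
    # Cheap LDAP-format sanity check: the first RDN must look like attr=value.
    return "=" in value.split(",", 1)[0]


def check_resource_association(value):
    """'Resource DN;description;entitlement value' (value optional for static resources)."""
    parts = value.split(";", 2)          # maxsplit keeps any ';' inside the entitlement value
    if len(parts) < 2 or not _is_dn(parts[0]):
        return [f"resource-association {value!r}: expected 'DN;description[;entitlement]'"]
    if len(parts) == 3 and parts[2].startswith("{"):
        try:
            json.loads(parts[2])
        except ValueError:
            return ["resource-association entitlement value is not valid JSON"]
    return []


def check_role_association(value):
    """'Role DN;description;relationship', the relationship being child or parent."""
    parts = value.split(";", 2)
    if len(parts) != 3 or not _is_dn(parts[0]):
        return [f"role-association {value!r}: expected 'DN;description;relationship'"]
    if parts[2] not in RELATIONSHIPS:
        return [f"role-association relationship {parts[2]!r} must be child or parent"]
    return []


def check_do_create_role(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    action = ET.fromstring(xml_text)
    if action.tag != "do-create-role":
        return [f"root element is <{action.tag}>, expected <do-create-role>"]
    findings = []

    for attr in ("id", "url", "role-name"):          # the #REQUIRED attributes
        if not action.get(attr):
            findings.append(f"missing required attribute {attr}")
    url = urlparse(action.get("url", ""))
    if url.scheme != "https" and url.hostname not in ("localhost", "127.0.0.1"):
        findings.append(f"url {url.geturl()!r} is not https: id/password would cross the network in clear")

    children = list(action)
    if not children or children[0].tag != "arg-password":
        findings.append("first child must be <arg-password>")
    findings += [f"<{c.tag}> is not allowed in <do-create-role>" for c in children if c.tag not in ALLOWED_CHILDREN]
    pw = action.find("arg-password")
    if pw is not None and pw.find("token-named-password") is None:
        findings.append("arg-password should reference a named password, not an inline literal")

    for arg in action.findall("arg-string"):
        name, value = arg.get("name"), _literal(arg)
        if value is None:                 # variable-built values can only be checked at run time
            continue
        if name == "role-level" and value not in ROLE_LEVELS:
            findings.append(f"role-level {value!r} is not one of 10, 20, 30")
        elif name == "category-key" and not set(value.split(";")) <= CATEGORIES:
            findings.append(f"category-key {value!r} contains an unknown category")
        elif name in ("owner", "grant-approver") and not all(_is_dn(d) for d in value.split(";")):
            findings.append(f"{name} {value!r} is not a ';'-separated list of LDAP DNs")
        elif name == "grant-quorum" and not (value.isdigit() and int(value) <= 100):
            findings.append(f"grant-quorum {value!r} is not a percentage")
        elif name == "resource-association":
            findings += check_resource_association(value)
        elif name == "role-association":
            findings += check_role_association(value)
    return findings


if __name__ == "__main__":
    print("\n".join(check_do_create_role(SAMPLE) or ["no findings"]))
```

Values produced by other tokens (variables, attribute lookups) are skipped, since they only exist when the policy runs; the checker is a pre-deployment lint, not a substitute for the error returned by the RBPM request itself.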
Parent Elements

- actions: actions that are performed by a <rule>
- arg-actions: actions argument