do-modify-resource

The <do-modify-resource> action initiates a request to the Roles Based Provisioning Module (RBPM) to modify the Resource specified by resource-name. The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and the first <arg-password>. This action uses the IDM REST API, which in turn uses the OAuth2 protocol for authentication. The OSP client ID needed for this authentication is specified by osp-clientid, and the client password by the second <arg-password>. Additional optional arguments to the request may be specified by named <arg-string> elements.

Name Description

description

A description of the Resource.
Default: Request generated by policy.

approval-required

A boolean value of true if approval is required for this resource assignment, otherwise false.
Default: false

revoke-required

A boolean value of true if approval is required for this resource revocation, otherwise false.
Default: false

request-def

Fully Qualified LDAP DN of the Request definition for resource approval.

revoke-request-def

Fully Qualified LDAP DN of the Request definition for resource revocation.

category-key

The Resource Category from one of system, default or both.

owner

The owner of the Resource in LDAP format.
Multiple owners are allowed.

grant-approver

Resource assignment approver in LDAP format.
Multiple approvers are allowed.

grant-quorum

Grant quorum is the minimum percentage of approvals required for the grant to happen.

revoke-approver

Resource revocation approver in LDAP format. Leave this empty if it is the same as the grant approver.
Multiple approvers are allowed.

revoke-quorum

Revoke quorum is the minimum percentage of approvals required for the revoke to happen.

There will be one of these two local variables available to the enclosing policy depending on the success or failure of this request.

Example

<do-modify-resource
    id="CN=UAAdmin,OU=Sa,O=Data"
    osp-clientid="rbpm"
    resource-name="cn=CellPhone,cn=resourcedefs,cn=roleconfig,cn=appconfig,cn=user application driver,cn=driverset1,o=system"
    url="http://localhost:8080/IDMProv"
    time-out="30000">
  <arg-password>
    <token-named-password name="resource-admin"/>
  </arg-password>
  <arg-password>
    <token-named-password name="osp-client-secret"/>
  </arg-password>
  <arg-string name="approval-required">
    <token-text>true</token-text>
  </arg-string>
  <arg-string name="revoke-required">
    <token-text>true</token-text>
  </arg-string>
  <arg-string name="category-key">
    <token-text>system</token-text>
  </arg-string>
  <arg-string name="category-key">
    <token-text>default</token-text>
  </arg-string>
  <arg-string name="request-def">
    <token-text>CN=ApproveCellPhone,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,O=novell</token-text>
  </arg-string>
  <arg-string name="revoke-request-def">
    <token-text>CN=ApproveCellPhone,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,O=novell</token-text>
  </arg-string>
  <arg-string name="owner">
    <token-text xml:space="preserve">cn=admin,ou=sa,o=System</token-text>
  </arg-string>
  <arg-string name="owner">
    <token-text xml:space="preserve">cn=uaadmin,ou=sa,o=data</token-text>
  </arg-string>
  <arg-string name="grant-approver">
    <token-text xml:space="preserve">cn=manager,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="grant-approver">
    <token-text xml:space="preserve">cn=Director,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="grant-quorum">
    <token-text>50</token-text>
  </arg-string>
  <arg-string name="revoke-approver">
    <token-text xml:space="preserve">cn=manager,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="revoke-approver">
    <token-text xml:space="preserve">cn=Director,ou=Users,o=Data</token-text>
  </arg-string>
  <arg-string name="revoke-quorum">
    <token-text>40</token-text>
  </arg-string>
</do-modify-resource>

1. Allowed Content

arg-password
  password argument
arg-string
  string argument

2. Attributes

Attribute      Value(s)        Default Value
disabled       true | false    false
               true if this element is disabled
id             CDATA           #REQUIRED
               the LDAP format DN of a user authorized to make the request
               supports variable expansion
notrace        true | false    false
osp-clientid   CDATA           #REQUIRED
               the client id to authenticate to OSP
               supports variable expansion
resource-name  CDATA           #REQUIRED
               {description of resource-name}
time-out       CDATA           0
               the number of milliseconds to wait to establish a connection to the User Application server before timing out
               supports variable expansion
url            CDATA           #REQUIRED
               the URL of the User Application server hosting RBPM
               supports variable expansion

3. Content Rule

( arg-password , arg-string * )

4. Parent Elements

actions
  actions that are performed by a <rule>
arg-actions
  actions argument


DirXMLScript DTD