3. Content Rule
( arg-password , arg-string * )
The <do-modify-resource> action initiates a request to the Roles Based Provisioning Module (RBPM) to modify the Resource specified by resource-name. The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and the first <arg-password>. This action uses the IDM REST API, which in turn uses the OAuth2 protocol for authentication; the OSP client id needed for this authentication is specified by osp-clientid, and the client password by the second <arg-password>. Additional optional arguments to the Resource creation request may be specified by named <arg-string>s.
Name                Description

description
    A description of the Resource.
    Default: Request generated by policy.
approval-required
    A boolean value of true if approval is required for this resource assignment, otherwise false.
    Default: false
revoke-required
    A boolean value of true if approval is required for this resource revocation, otherwise false.
    Default: false
request-def
    Fully qualified LDAP DN of the request definition for resource approval.
revoke-request-def
    Fully qualified LDAP DN of the request definition for resource revocation.
category-key
    The Resource category: one of system, default, or both.
owner
    The owner of the Resource in LDAP format. Multiple owners are allowed.
grant-approver
    Resource assignment approver in LDAP format. Multiple approvers are allowed.
grant-quorum
    Grant quorum: the minimum percentage of approvals required for the grant.
revoke-approver
    Resource revocation approver in LDAP format. Leave this empty if it is the same as the grant approver. Multiple approvers are allowed.
revoke-quorum
    Revoke quorum: the minimum percentage of approvals required for the revocation to happen.
There will be one of these two local variables available to the enclosing policy
depending on the success or failure of this request.
    <do-modify-resource id="CN=UAAdmin,OU=Sa,O=Data" osp-clientid="rbpm"
        dn="cn=CellPhone,cn=resourcedefs,cn=roleconfig,cn=appconfig,cn=user application driver,cn=driverset1,o=system"
        url="http://localhost:8080/IDMProv" time-out="30000">
      <arg-password>
        <token-named-password name="resource-admin"/>
      </arg-password>
      <arg-password>
        <token-named-password name="osp-client-secret"/>
      </arg-password>
      <arg-string name="approval-required">
        <token-text>true</token-text>
      </arg-string>
      <arg-string name="revoke-required">
        <token-text>true</token-text>
      </arg-string>
      <arg-string name="category-key">
        <token-text>system</token-text>
      </arg-string>
      <arg-string name="category-key">
        <token-text>default</token-text>
      </arg-string>
      <arg-string name="request-def">
        <token-text>CN=ApproveCellPhone,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,O=novell</token-text>
      </arg-string>
      <arg-string name="revoke-request-def">
        <token-text>CN=ApproveCellPhone,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=DriverSet,O=novell</token-text>
      </arg-string>
      <arg-string name="owner">
        <token-text xml:space="preserve">cn=admin,ou=sa,o=System</token-text>
      </arg-string>
      <arg-string name="owner">
        <token-text xml:space="preserve">cn=uaadmin,ou=sa,o=data</token-text>
      </arg-string>
      <arg-string name="grant-approver">
        <token-text xml:space="preserve">cn=manager,ou=Users,o=Data</token-text>
      </arg-string>
      <arg-string name="grant-approver">
        <token-text xml:space="preserve">cn=Director,ou=Users,o=Data</token-text>
      </arg-string>
      <arg-string name="grant-quorum">
        <token-text>50</token-text>
      </arg-string>
      <arg-string name="revoke-approver">
        <token-text xml:space="preserve">cn=manager,ou=Users,o=Data</token-text>
      </arg-string>
      <arg-string name="revoke-approver">
        <token-text xml:space="preserve">cn=Director,ou=Users,o=Data</token-text>
      </arg-string>
      <arg-string name="revoke-quorum">
        <token-text>40</token-text>
      </arg-string>
    </do-modify-resource>
- arg-password
- password argument
- arg-string
- string argument
Attribute       Value(s)        Default Value

disabled        true | false    false
    true if this element is disabled
id              CDATA           #REQUIRED
    the LDAP format DN of a user authorized to make the request
    supports variable expansion
notrace         true | false    false
osp-clientid    CDATA           #REQUIRED
    the client id to authenticate to OSP
    supports variable expansion
resource-name   CDATA           #REQUIRED
    {description of resource-name}
time-out        CDATA           0
    the number of milliseconds to wait to establish a connection to the User Application server before timing out
    supports variable expansion
url             CDATA           #REQUIRED
    the URL of the User Application server hosting RBPM
    supports variable expansion
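Added example, not part of this page or the IDM product: a Python linter that checks a policy's <do-modify-resource> element against the argument and attribute constraints documented above, and additionally flags two things a reviewer would want caught, an inlined secret (a literal <token-text> inside <arg-password> instead of <token-named-password>) and a non-TLS url, since the request carries the admin password and the OSP client secret. The sample policy, server name and values are constructed.

```python
import xml.etree.ElementTree as ET

# Constraints taken from the argument and attribute tables above.
REQUIRED_ATTRS = ("id", "osp-clientid", "resource-name", "url")
KNOWN_ARGS = {"description", "approval-required", "revoke-required",
              "request-def", "revoke-request-def", "category-key", "owner",
              "grant-approver", "grant-quorum", "revoke-approver", "revoke-quorum"}
BOOLEAN_ARGS = {"approval-required", "revoke-required"}
QUORUM_ARGS = {"grant-quorum", "revoke-quorum"}
CATEGORIES = {"system", "default"}

def lint_modify_resource(xml_text):
    """Return a list of findings for one <do-modify-resource> element."""
    root = ET.fromstring(xml_text)
    findings = [f"missing required attribute {a}"
                for a in REQUIRED_ATTRS if a not in root.attrib]
    # The request carries the admin password and OSP client secret: require TLS.
    if not root.get("url", "").lower().startswith("https://"):
        findings.append("url is not https")
    # First <arg-password> is the admin password, the second the OSP client secret.
    passwords = root.findall("arg-password")
    if len(passwords) != 2:
        findings.append(f"expected 2 arg-password children, found {len(passwords)}")
    for i, pw in enumerate(passwords, 1):
        # A literal <token-text> would embed the secret in the policy itself.
        if pw.find("token-named-password") is None:
            findings.append(f"arg-password #{i} does not use token-named-password")
    for arg in root.findall("arg-string"):
        name = arg.get("name", "")
        value = "".join(arg.itertext()).strip()
        if name not in KNOWN_ARGS:
            findings.append(f"unknown arg-string name {name!r}")
        elif name in BOOLEAN_ARGS and value not in ("true", "false"):
            findings.append(f"{name} must be true or false, got {value!r}")
        elif name == "category-key" and value not in CATEGORIES:
            findings.append(f"category-key must be system or default, got {value!r}")
        elif name in QUORUM_ARGS and not (value.isdigit() and int(value) <= 100):
            findings.append(f"{name} must be a percentage 0-100, got {value!r}")
    return findings

# Constructed sample: the secret is inlined and the server is reached over plain http.
WEAK_POLICY = """<do-modify-resource id="cn=uaadmin,ou=sa,o=data" osp-clientid="rbpm"
  resource-name="cn=CellPhone,cn=resourcedefs,cn=roleconfig,cn=appconfig,o=system"
  url="http://idm.example.test:8080/IDMProv" time-out="30000">
  <arg-password><token-text>Passw0rd</token-text></arg-password>
  <arg-string name="approval-required"><token-text>yes</token-text></arg-string>
  <arg-string name="grant-quorum"><token-text>150</token-text></arg-string>
</do-modify-resource>"""
```

Running lint_modify_resource(WEAK_POLICY) reports the plain-http url, the missing second <arg-password>, the inlined password, the non-boolean approval-required and the out-of-range quorum.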
( arg-password , arg-string * )
- actions
- actions that are performed by a <rule>
- arg-actions
- actions argument