3. Content Rule
( arg-password , arg-string * )
The <do-modify-role> action initiates a request to the Roles Based Provisioning Module (RBPM) to modify the Role specified by dn. The request is made to the RBPM enabled User Application server specified by url using credentials specified by id and the first <arg-password>. This action uses IDM REST api which in turn uses the OAuth2 protocol for authentication. The OSP client id needed for this authentication should be specified by osp-clientid. And the client password should be specified by the second <arg-password>. Additional optional arguments to the Role modification request may be specified by named <arg-string>'s.
Name Description category-key
The Role Category from one of system, default or both.
owner
The owner of the Role in LDAP format.
Multiple owners are allowed.grant-approver
Role assignment approver in LDAP format.
Multiple approvers are allowed.grant-quorum
Grant Qourum is the minimum % of approvals required.
resource-association
Resource association for this role. It should have resource name, resource association description
and the entitlement value separated by semi colon(;) as mentioned below.
Resource Name in LDAP format;Resource association description;Entitlement Value.
For Static resource, entitlement value is not needed.
Multiple resource-association elements can be added to associate multiple resources with this role.role-association
Role assignment for this role. It should have role name, role assignment description
and the Role relationship separated by semi colon(;) as mentioned below.
Role Name in LDAP format;Role assignment description;Relationship.
Relationship can be one of child or parent.
Multiple role-association elements can be added to assign multiple roles to this role.revoke-required
Is approval needed for revocation.
There will be one of these two local variables available to the enclosing policy
depending on the success or failure of this request.
<do-modify-role id="CN=UAAdmin,OU=Sa,O=Data" url="http://localhost:8080/IDMProv" osp-clientid="rbpm" dn="cn=PrinterAdmin,cn=level30,cn=roledefs,cn=roleconfig,cn=appconfig,cn=user application driver,cn=driverset1,o=system" time-out="30000"> <arg-password> <token-named-password name="role-admin"/> </arg-password> <arg-password> <token-named-password name="osp-client-secret"/> </arg-password> <arg-string name="category-key"> <token-text>system</token-text> </arg-string> <arg-string name="category-key"> <token-text>default</token-text> </arg-string> <arg-string name="owner"> <token-text xml:space="preserve">cn=Contractors,ou=Groups,o=Data</token-text> </arg-string> <arg-string name="grant-approver"> <token-text xml:space="preserve">cn=manager,ou=Users,o=Data</token-text> </arg-string> <arg-string name="grant-approver"> <token-text xml:space="preserve">cn=Director,ou=Users,o=Data</token-text> </arg-string> <arg-string name="grant-quorum"> <token-text>50</token-text> </arg-string> <arg-string name="revoke-required"> <token-text>true</token-text> </arg-string> <arg-string name="resource-association"> <token-text xml:space="preserve">cn=Group,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system;Test Description;{"ID":"25713f856ecfb24986ebc35bcd581906","ID2":"CN=Administrators,CN=Builtin,DC=idmseup2,DC=org"}</token-text> </arg-string> <arg-string name="role-association"> <token-text xml:space="preserve">cn=Auditor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system;Test Description;child</token-text> </arg-string> </do-modify-role>
- arg-password
- password argument
- arg-string
- string argument
Attribute Value(s) Default Value disabled true | false
true if this element is disabledfalse dn CDATA
{description of dn}#REQUIRED id CDATA
the LDAP format DN of a user authorized to make the request
supports variable expansion#REQUIRED notrace true | false
false osp-clientid CDATA
the client id to authenticate to osp.
supports variable expansion#REQUIRED time-out CDATA
the number of milliseconds to wait to establish a connection to the User Application server before timing out.
supports variable expansion0 url CDATA
the URL of the User Application server hosting RBPM
supports variable expansion#REQUIRED
( arg-password , arg-string * )
- actions
- actions that are performed by a <rule>
- arg-actions
- actions argument
Top Elements || All Elements || Tree