3. Content Rule
( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
The <do-remove-role> action initiates a request to the Roles Based Provisioning Module (RBPM) to revoke the Role specified by role-id from an Identity. The target Identity is specified by <arg-dn> or <arg-association> if one of them is given, or by the current object otherwise. If specified by <arg-dn>, the DN must be in LDAP format. If the target Identity is specified by either <arg-dn> or <arg-association>, then the role-assignment-type must be specified as one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. If the role-assignment-type is not specified, the assignment type defaults to USER_TO_ROLE. The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and <arg-password>. Additional optional arguments to the Role assignment request may be specified by named <arg-string>s.
| Name | Description | Default |
| --- | --- | --- |
| role-assignment-type | The role assignment type, one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. | USER_TO_ROLE |
| description | A description of the reason for the request, used for auditing purposes. | Request generated by policy. |
| effective-time | The time (in CTIME format) the role revocation should become effective. | now |
| CorrelationID | An identifier used to correlate role revocation. | Operation event correlation id is used if no value is specified. |
There will be one of these two local variables available to the enclosing policy depending on the success or failure of this request.
<do-remove-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv" role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell" time-out="30000">
    <arg-password>
        <token-named-password name="role-admin"/>
    </arg-password>
    <arg-dn>
        <token-text xml:space="preserve">cn=Contractors,ou=Groups,o=Data</token-text>
    </arg-dn>
    <arg-string name="role-assignment-type">
        <token-text>GROUP_TO_ROLE</token-text>
    </arg-string>
    <arg-string name="description">
        <token-text>Requested by policy because isContractor set to false</token-text>
    </arg-string>
</do-remove-role>
- arg-password: password argument
- arg-dn: DN argument
- arg-association: association argument
- arg-string: string argument
| Attribute | Value(s) | Description | Default Value |
| --- | --- | --- | --- |
| disabled | true \| false | true if this element is disabled | false |
| id | CDATA | the LDAP format DN of a user authorized to make the request; supports variable expansion | #REQUIRED |
| notrace | true \| false | | false |
| role-id | CDATA | the LDAP format DN of the Role to revoke; supports variable expansion | #REQUIRED |
| time-out | CDATA | the number of milliseconds to wait to establish a connection to the User Application server before timing out; supports variable expansion | 0 |
| url | CDATA | the URL of the User Application server hosting RBPM; supports variable expansion | #REQUIRED |
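The content rule, the named <arg-string> arguments and the attribute table above together define what a well-formed <do-remove-role> looks like, but a policy is CDATA as far as the DTD is concerned, so a mistyped time-out, a wrong role-assignment-type value or a password pasted as a literal <token-text> will only show up at run time. The following lint check is an added example (not part of the original page or of the Identity Manager product) that encodes those rules in Python with the standard library xml.etree parser. It takes one <do-remove-role> element as text and returns a list of findings; an empty list means the element satisfies every constraint stated on the page. The sample policy fragments are constructed for this example (the first is the page's own example verbatim); the function and constant names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constraints taken from the content rule and attribute table for <do-remove-role>.
REQUIRED_ATTRS = ("id", "role-id", "url")            # #REQUIRED in the attribute table
OPTIONAL_ATTRS = ("disabled", "notrace", "time-out")
ASSIGNMENT_TYPES = ("USER_TO_ROLE", "GROUP_TO_ROLE", "CONTAINER_TO_ROLE", "ROLE_TO_ROLE")
DOCUMENTED_ARG_STRINGS = ("role-assignment-type", "description", "effective-time", "CorrelationID")
TARGET_ARGS = ("arg-dn", "arg-association")


def _literal_text(node):
    """Text carried by <token-text> children, or None when the value comes from another token."""
    texts = [t.text or "" for t in node.findall("token-text")]
    return "".join(texts).strip() if texts else None


def lint_do_remove_role(xml_text):
    """Return a list of findings for one <do-remove-role> element; an empty list means it passed."""
    findings = []
    elem = ET.fromstring(xml_text)
    if elem.tag != "do-remove-role":
        return ["expected <do-remove-role>, got <%s>" % elem.tag]

    # Attribute checks: #REQUIRED attributes present, booleans well-formed, time-out numeric.
    for name in REQUIRED_ATTRS:
        if not elem.get(name):
            findings.append("missing #REQUIRED attribute %s" % name)
    for name in elem.attrib:
        if name not in REQUIRED_ATTRS + OPTIONAL_ATTRS:
            findings.append("unknown attribute %s" % name)
    for name in ("disabled", "notrace"):
        if elem.get(name) not in (None, "true", "false"):
            findings.append("%s must be true or false" % name)
    timeout = elem.get("time-out")
    if timeout is not None and not timeout.isdigit():
        findings.append("time-out must be a number of milliseconds")

    # Content rule: ( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
    children = list(elem)
    tags = [c.tag for c in children]
    if tags[:1] != ["arg-password"]:
        findings.append("first child must be <arg-password>")
    if sum(tags.count(t) for t in TARGET_ARGS) > 1:
        findings.append("only one of <arg-dn> or <arg-association> may be given")
    for idx, tag in enumerate(tags):
        if tag == "arg-password" and idx != 0:
            findings.append("<arg-password> is only allowed as the first child")
        elif tag in TARGET_ARGS and idx != 1:
            findings.append("<%s> must come directly after <arg-password>" % tag)
        elif tag not in ("arg-password", "arg-string") + TARGET_ARGS:
            findings.append("unexpected child <%s>" % tag)

    # Argument checks: no clear-text credential, documented names, valid assignment type.
    explicit_target = any(t in TARGET_ARGS for t in tags)
    has_assignment_type = False
    for child in children:
        if child.tag == "arg-password" and child.find("token-text") is not None:
            findings.append("arg-password is a literal <token-text>; use <token-named-password> "
                            "so the secret is not stored in the policy")
        elif child.tag == "arg-string":
            name = child.get("name")
            if name not in DOCUMENTED_ARG_STRINGS:
                findings.append("arg-string name %r is not a documented argument" % name)
            elif name == "role-assignment-type":
                has_assignment_type = True
                value = _literal_text(child)
                if value is not None and value not in ASSIGNMENT_TYPES:
                    findings.append("role-assignment-type %r is not one of %s"
                                    % (value, ", ".join(ASSIGNMENT_TYPES)))
    if explicit_target and not has_assignment_type:
        findings.append("target given by <arg-dn>/<arg-association> but role-assignment-type "
                        "not set; USER_TO_ROLE will be assumed")
    return findings


# Constructed samples. PAGE_EXAMPLE is the page's own example; the other two are deliberately flawed.
PAGE_EXAMPLE = """<do-remove-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv"
 role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell"
 time-out="30000">
 <arg-password><token-named-password name="role-admin"/></arg-password>
 <arg-dn><token-text xml:space="preserve">cn=Contractors,ou=Groups,o=Data</token-text></arg-dn>
 <arg-string name="role-assignment-type"><token-text>GROUP_TO_ROLE</token-text></arg-string>
 <arg-string name="description"><token-text>Requested by policy because isContractor set to false</token-text></arg-string>
</do-remove-role>"""

BAD_EXAMPLE = """<do-remove-role id="cn=RoleAdmin,o=People" role-id="cn=Contractor,o=novell" time-out="30s">
 <arg-password><token-text>Secret123</token-text></arg-password>
 <arg-dn><token-text>cn=Contractors,ou=Groups,o=Data</token-text></arg-dn>
 <arg-association><token-text>example-association</token-text></arg-association>
 <arg-string name="role-assignment-type"><token-text>GROUP-TO-ROLE</token-text></arg-string>
</do-remove-role>"""

NO_TYPE_EXAMPLE = """<do-remove-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv" role-id="cn=Contractor,o=novell">
 <arg-password><token-named-password name="role-admin"/></arg-password>
 <arg-dn><token-text>cn=Contractors,ou=Groups,o=Data</token-text></arg-dn>
</do-remove-role>"""

if __name__ == "__main__":
    for label, sample in (("page", PAGE_EXAMPLE), ("bad", BAD_EXAMPLE), ("no-type", NO_TYPE_EXAMPLE)):
        print(label, lint_do_remove_role(sample) or "ok")
```

The check treats a literal <token-text> under <arg-password> as a finding because the page's own example shows the intended form, <token-named-password>, which keeps the RoleAdmin credential out of the policy XML. The role-assignment-type warning follows the page's wording: an explicit target without a type is accepted but silently treated as USER_TO_ROLE, which is the wrong assignment type for a group or container target.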
- actions: actions that are performed by a <rule>
- arg-actions: actions argument