3. Content Rule
( description ? , ( rule | include ) * )
A <policy> operates on an XDS document and its primary purpose is to examine and modify that document. A <policy> can also get additional context from outside of the document and cause side effects that are not reflected in the result document.
The following outline describes the basic operation of a <policy>:
legal variable name. If the given variable does not exist the reference is replaced with the empty string. Where it is desirable to use a single '$' and not have it interpreted as a variable reference, it should be escaped with an additional '$' (e.g. You owe me $$100.00). Content and attributes that support variable expansion are annotated with the phrase supports variable expansion.
Name Type Description dirxml.auto.driverdn global/string Slash format DN of the current driver
dirxml.auto.driverguid global/string GUID of the current driver dirxml.auto.treename global/string Tree name of the local eDirectory instance fromNDS policy local/boolean true if the source datastore is eDirectory
false if the source datastore is the connected application
destQueryProcessor policy local/java object Instance of XdsQueryProcessor used to query the destination datastore srcQueryProcessor policy local/java object Instance of XdsQueryProcessor used to query the destination datastore destCommandProcessor policy local/java object Instance of XdsCommandProcessor used to query the destination datastore srcCommandProcessor policy local/java object Instance of XdsCommandProcessor used to query the destination datastore dnConverter policy local/java object Instance of DNConverter current-node policy local/node-set The loop variable for each iteration of <do-for-each> current-value policy local/node-set The loop variable for each iteration of <do-reformat-op-attr> current-op policy local/node-set The current operation
Setting this variable using <do-set-local-variable> causes the first operation specified by <arg-node-set> to become the current operation for the remainder of the current policy execution or until it is set to another value. The new current operation must be an element sibling of the original current operation and must have been added by the current policy.
If the format does not begin with '!', then the format is interpreted as a custom date/time format conforming to the patterns recognized by java.text.SimpleDateFormat.
Name Description !CTIME Number of seconds since Midnight, January 1, 1970. (Compatible with eDirectory time syntaxes)
Number of milliseconds since Midnight, January 1, 1970. (Compatible with Java time) !FILETIME Number of 100-nanosecond intervals since January 1, 1601 (Compatible with Win32 FILETIME) !FULL.TIME Language specific FULL time format. !LONG.TIME Language specific LONG time format. !MEDIUM.TIME Language specific MEDIUM time format. !SHORT.TIME Language specific SHORT time format. !FULL.DATE Language specific FULL date format. !LONG.DATE Language specific LONG date format. !MEDIUM.DATE Language specific MEDIUM date format. !SHORT.DATE Language specific SHORT date format. !FULL.DATETIME Language specific FULL date/time format. !LONG.DATETIME Language specific LONG date/time format. !MEDIUM.DATETIME Language specific MEDIUM date/time format. !SHORT.DATETIME Language specific SHORT date/time format.
Arguments to some conditions and actions take an XPATH 1.0 expression. This XPATH is evaluated with the following context:
<policy> <description>My policy</description> <include name="..\..\Library\My shared policy"/> <rule> <description>Rule to disallow moving a user</description> <comment>This rule was added because under no circumsances do we ever want to perform a move.</comment> <conditions> <and> <if-class-name mode="nocase" op="equal">User</if-class-name> <if-operation op="equal">move</if-operation> </and> </conditions> <actions> <veto/> </actions> </rule> <rule> <description>Rule to disallow operations on a disabled user or group</description> <conditions> <or> <if-class-name mode="nocase" op="equal">User</if-class-name> <if-class-name mode="nocase" op="equal">Group</if-class-name> </or> <or> <if-attr mode="nocase" name="Login Disabled" op="equal">true</if-attr> </or> </conditions> <actions> <veto/> </actions> </rule> </policy>
- description of a <policy> or a <rule>
- rule within a policy
- include rules from another policy
Top Elements || All Elements || Tree