do-add-role

Initiates a request to the Roles Based Provisioning Module (RBPM) to assign the Role specified by role-id to an Identity.

Remarks

The target Identity is specified by <arg-dn> or <arg-association> if either is present, or by the current object otherwise. If specified by <arg-dn>, the DN must be in LDAP format. If the target Identity is specified by either <arg-dn> or <arg-association>, then role-assignment-type must be specified as one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. If role-assignment-type is not specified, the assignment type defaults to USER_TO_ROLE. The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and <arg-password>. Additional optional arguments to the Role assignment request may be specified by the following named <arg-string>s.

Name                    Description

role-assignment-type    The role assignment type, one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE.
                        Default: USER_TO_ROLE

description             A description of the reason for the request, used for auditing and (if necessary) approval purposes.
                        Default: Request generated by policy.

effective-time          The time (in CTIME format) at which the role assignment should become effective.
                        Default: now

expiration-time         The time (in CTIME format) at which the role assignment automatically expires.
                        Default: never

sod-justification       A justification for requesting an exception for any Separation of Duty violations this assignment will trigger.
                        Default: No exception is requested, and the request fails if it causes a violation.

If any type of error occurs while requesting the role assignment, the error string is made available to the enclosing policy in the local variable named error.do-add-role. Otherwise that local variable is not available, so a policy can test for its presence to detect a failed request.

Example

<do-add-role
  id="cn=RoleAdmin,o=People"
  url="http://localhost:8080/IDMProv"
  role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell"
  time-out="5000">
  <arg-password>
    <token-named-password name="role-admin"/>
  </arg-password>
  <!-- The target is a group, so the assignment type must be GROUP_TO_ROLE -->
  <arg-dn>
    <token-text xml:space="preserve">cn=Contractors,ou=Groups,o=Data</token-text>
  </arg-dn>
  <arg-string name="role-assignment-type">
    <token-text>GROUP_TO_ROLE</token-text>
  </arg-string>
  <arg-string name="description">
    <token-text>Requested by policy because isContractor attribute set to true</token-text>
  </arg-string>
  <!-- Assignment becomes effective on the hire date and expires six months later -->
  <arg-string name="effective-time">
    <token-src-attr name="Hire Date"/>
  </arg-string>
  <arg-string name="expiration-time">
    <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="6" offset-unit="month" src-format="!CTIME" src-tz="UTC">
      <token-src-attr name="Hire Date"/>
    </token-convert-time>
  </arg-string>
</do-add-role>
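As an added example (not from the original page or the product documentation), the following rule shows do-add-role used without <arg-dn> or <arg-association>, so the current object is the target and the assignment type defaults to USER_TO_ROLE, and then tests the error.do-add-role local variable so that a rejected request is reported instead of leaving the user silently without the role. The isContractor attribute, the RoleAdmin credentials and the role DN are assumed values reused from the example above.

```xml
<rule>
  <description>Assign the Contractor role to the current user and report any RBPM error</description>
  <conditions>
    <and>
      <if-class-name op="equal">User</if-class-name>
      <!-- isContractor is an assumed attribute name taken from the page's example -->
      <if-op-attr name="isContractor" op="equal">true</if-op-attr>
    </and>
  </conditions>
  <actions>
    <!-- No arg-dn or arg-association: the current object is the target,
         so role-assignment-type defaults to USER_TO_ROLE -->
    <do-add-role
      id="cn=RoleAdmin,o=People"
      url="http://localhost:8080/IDMProv"
      role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell"
      time-out="5000">
      <arg-password>
        <token-named-password name="role-admin"/>
      </arg-password>
      <arg-string name="description">
        <token-text>Requested by policy because isContractor attribute set to true</token-text>
      </arg-string>
      <!-- Without a justification the request fails on any Separation of Duty violation -->
      <arg-string name="sod-justification">
        <token-text>Contractor access approved by engagement manager (constructed sample text)</token-text>
      </arg-string>
    </do-add-role>
    <!-- error.do-add-role is only set when the request failed -->
    <do-if>
      <arg-conditions>
        <and>
          <if-local-variable name="error.do-add-role" op="available"/>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-status level="error">
          <arg-string>
            <token-text xml:space="preserve">Role request for Contractor failed: </token-text>
            <token-local-variable name="error.do-add-role"/>
          </arg-string>
        </do-status>
      </arg-actions>
    </do-if>
  </actions>
</rule>
```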

Allowed Content

Element            Description

arg-password       Password argument.
arg-dn             DN argument.
arg-association    Association argument.
arg-string         String argument.

Attributes

Attribute    Possible Values    Description                                                                                                                                              Default Value

disabled     true | false       True if this element is disabled.                                                                                                                        false
id           CDATA              The LDAP format DN of a user authorized to make the request. Supports variable expansion.                                                                #REQUIRED
notrace      true | false       True if this element should not be traced during execution of the policy.                                                                               false
role-id      CDATA              The LDAP format DN of the Role to assign. Supports variable expansion.                                                                                   #REQUIRED
time-out     CDATA              The number of milliseconds you want Identity Manager to try to establish a connection to the User Application server before timing out. Supports variable expansion.    0
url          CDATA              The URL of the User Application server hosting the Roles Based Provisioning Module. Supports variable expansion.                                        #REQUIRED

Content Rule

( arg-password, (arg-dn | arg-association)?, arg-string* )

Parent Elements

Element        Description

actions        Actions that are performed by a <rule>.
arg-actions    Actions argument.