NetIQ Documentation: Identity Manager 4.0.2 DTD Reference - do-remove-role

Remarks

The target Identity is specified by either <arg-dn> or <arg-association> if specified or by the current object otherwise. If specified by <arg-dn>, the DN must in LDAP format. If the target identity is specified by either <arg-dn> or <arg-association>, then the role-assignment-type must be specifed from one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. If the role-assignment-type is not specified, then the assignment type is defaulted to USER_TO_ROLE.The request is made to the RBPM enabled User Application server specified by URL using credentials specified by id and <arg-password>. Additional optional arguments to the Role assignment request may be specified by the following named <arg-string>s.

Name	Description
role-assignment-type	The role assignment type from one of from one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE.Default: USER_TO_ROLE
description	A description of the reason for the request used for auditing and (if necessary) approval purposes. Default: Request generated by policy.
effective-time	The time (in CTIME format) the role assignment should become effective. Default: now

Name

Description

role-assignment-type

The role assignment type from one of from one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE.Default: USER_TO_ROLE

description

A description of the reason for the request used for auditing and (if necessary) approval purposes.

Default: Request generated by policy.

effective-time

The time (in CTIME format) the role assignment should become effective.

Default: now

If any type of error occurs while requesting the role assignment, the error string is available to the enclosing policy in the local variable named error.do-remove-role. Otherwise that local variable is not available.

Example

<do-remove-role
    id="cn=RoleAdmin,o=People"
  url="http://localhost:8080/IDMProv"
	role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell"
  time-out="5000">
  <arg-password>
    <token-named-password name="role-admin"/>
  </arg-password>
  <arg-dn>
    <token-text xml:space="preserve">cn=Contractors,ou=Groups,o=Data</token-text>
  </arg-dn>
  <arg-string name="role-assignment-type">
    <token-text>GROUP_TO_ROLE</token-text>
  </arg-string>

  <arg-string name="description">
    <token-text>Requested by policy because isContractor set to false</token-text>
  </arg-string>
</do-remove-role>

Allowed Content

Element	Description
arg-password	Password argument.
arg-dn	DN argument.
arg-association	Association argument.
arg-string	String argument.

Attributes

Attribute	Possible Values	Default Value
disabled	true \| false True if this element is disabled.	false
id	CDATA The LDAP format DN of a user authorized to make the request. Supports variable expansion.	#REQUIRED
notrace	true \| false True if this element should not be traced during execution of the policy.	false
role-id	CDATA The LDAP format DN of the Role to revoke. Supports variable expansion.	#REQUIRED
time-out	CDATA The number of milliseconds you want Identity Manager to try to establish a connection to the User Application server before timing out. Supports variable expansion.	0
url	CDATA The URL of the User Application server hosting the Roles Based Provisioning Module. Supports variable expansion.	#REQUIRED

Content Rule

( arg-password, (arg-dn | arg-association ) ? , arg-string * )

Parent Elements

Element	Description
actions	Actions that are performed by a <rule>.
arg-actions	Actions argument.