Initiates a request to the Roles Based Provisioning Module (RBPM) to revoke the Role specified by role-id from an Identity.
The target Identity is specified by <arg-dn> or <arg-association> if one of them is present, or by the current object otherwise. If specified by <arg-dn>, the DN must be in LDAP format. If the target Identity is specified by either <arg-dn> or <arg-association>, then the role-assignment-type must be specified as one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. If the role-assignment-type is not specified, the assignment type defaults to USER_TO_ROLE.

The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and <arg-password>. Additional optional arguments to the role assignment request may be specified by the following named <arg-string>s.
| Name | Description |
|---|---|
| role-assignment-type | The role assignment type, one of USER_TO_ROLE, GROUP_TO_ROLE, CONTAINER_TO_ROLE or ROLE_TO_ROLE. Default: USER_TO_ROLE |
| description | A description of the reason for the request, used for auditing and (if necessary) approval purposes. Default: Request generated by policy. |
| effective-time | The time (in CTIME format) the role assignment should become effective. Default: now |
If any type of error occurs while requesting the role assignment, the error string is available to the enclosing policy in the local variable named error.do-remove-role. Otherwise that local variable is not available.
```xml
<do-remove-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv"
                role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell"
                time-out="5000">
  <arg-password>
    <token-named-password name="role-admin"/>
  </arg-password>
  <arg-dn>
    <token-text xml:space="preserve">cn=Contractors,ou=Groups,o=Data</token-text>
  </arg-dn>
  <arg-string name="role-assignment-type">
    <token-text>GROUP_TO_ROLE</token-text>
  </arg-string>
  <arg-string name="description">
    <token-text>Requested by policy because isContractor set to false</token-text>
  </arg-string>
</do-remove-role>
```
| Element | Description |
|---|---|
| <arg-password> | Password argument. |
| <arg-dn> | DN argument. |
| <arg-association> | Association argument. |
| <arg-string> | String argument. |
| Attribute | Possible Values | Default Value |
|---|---|---|
| disabled | true \| false. True if this element is disabled. | false |
| id | CDATA. The LDAP format DN of a user authorized to make the request. Supports variable expansion. | #REQUIRED |
| notrace | true \| false. True if this element should not be traced during execution of the policy. | false |
| role-id | CDATA. The LDAP format DN of the Role to revoke. Supports variable expansion. | #REQUIRED |
| time-out | CDATA. The number of milliseconds you want Identity Manager to try to establish a connection to the User Application server before timing out. Supports variable expansion. | 0 |
| url | CDATA. The URL of the User Application server hosting the Roles Based Provisioning Module. Supports variable expansion. | #REQUIRED |
Content rule: ( arg-password, (arg-dn | arg-association)?, arg-string* )
| Element | Description |
|---|---|
| <actions> | Actions that are performed by a <rule>. |
| <arg-actions> | Actions argument. |
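As an added check, not part of the NetIQ documentation or product, the following Python snippet lints one <do-remove-role> element against the constraints described on this page before a policy is deployed: the required attributes, the content rule, the LDAP-format requirement on <arg-dn>, and the allowed role-assignment-type values. The two policy fragments are constructed samples; GOOD mirrors the example above and BAD deliberately breaks three of the rules.

```python
import xml.etree.ElementTree as ET

ASSIGNMENT_TYPES = {"USER_TO_ROLE", "GROUP_TO_ROLE", "CONTAINER_TO_ROLE", "ROLE_TO_ROLE"}
REQUIRED_ATTRS = ("id", "role-id", "url")

def lint_do_remove_role(xml_text):
    """Return a list of problems found in one <do-remove-role> element (empty list means it passed)."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "do-remove-role":
        return ["root element is <%s>, expected <do-remove-role>" % elem.tag]
    problems = ["missing required attribute %s" % a for a in REQUIRED_ATTRS if not elem.get(a)]
    # Content rule from the page: ( arg-password, (arg-dn | arg-association)?, arg-string* )
    children = [c.tag for c in elem]
    if not children or children[0] != "arg-password":
        problems.append("first child must be <arg-password>")
    rest, target = children[1:], None
    if rest and rest[0] in ("arg-dn", "arg-association"):
        target, rest = rest[0], rest[1:]
    extra = [t for t in rest if t != "arg-string"]
    if extra:
        problems.append("unexpected child elements: " + ", ".join(extra))
    # <arg-dn> must be an LDAP-format DN; a slash-format DN has no '=' in its first RDN
    if target == "arg-dn":
        dn = "".join(elem.find("arg-dn").itertext()).strip()
        if "=" not in dn.split(",")[0]:
            problems.append("arg-dn %r is not in LDAP format" % dn)
    # Named <arg-string>s: role-assignment-type must be one of the four allowed values
    names = {s.get("name"): "".join(s.itertext()).strip() for s in elem.findall("arg-string")}
    if names.get("role-assignment-type", "USER_TO_ROLE") not in ASSIGNMENT_TYPES:
        problems.append("role-assignment-type %r is not one of %s"
                        % (names["role-assignment-type"], sorted(ASSIGNMENT_TYPES)))
    if target and "role-assignment-type" not in names:
        problems.append("%s target given but role-assignment-type not set explicitly" % target)
    return problems

# Constructed samples: GOOD mirrors the page's example; BAD omits url, uses a slash-format DN
# in <arg-dn> and misspells the assignment type.
GOOD = """<do-remove-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv"
  role-id="cn=Contractor,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell">
  <arg-password><token-named-password name="role-admin"/></arg-password>
  <arg-dn><token-text xml:space="preserve">cn=Contractors,ou=Groups,o=Data</token-text></arg-dn>
  <arg-string name="role-assignment-type"><token-text>GROUP_TO_ROLE</token-text></arg-string>
</do-remove-role>"""
BAD = r"""<do-remove-role id="cn=RoleAdmin,o=People" role-id="cn=Contractor,cn=RoleDefs,o=novell">
  <arg-password><token-named-password name="role-admin"/></arg-password>
  <arg-dn><token-text>\Data\Groups\Contractors</token-text></arg-dn>
  <arg-string name="role-assignment-type"><token-text>GROUP-TO-ROLE</token-text></arg-string>
</do-remove-role>"""
if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_do_remove_role(doc) or "ok")
```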