Hi all,
I'm changing the behavior of an old driver for SAP UM and I have some
doubts.
First of all, I have performed the following operations on IDM:
1. I have disabled the user on IDM and the driver has removed him from
SAP
2. I have cleaned up the user on IDM (roles, resources, etc..)
3. I have enabled the user again on IDM

At this point, the driver has created the user on SAP but it has
returned the message "UserModify :
com.novell.nds.dirxml.driver.sapumshim.BapiException: Invalid object
association".
The driver has produced the following XML:


Code:
--------------------

<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Advanced" version="4.0.1.0">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <add class-name="US" dest-dn="\SAPSYS100\S.USERNAME" event-id="srvm170#20120111104610#2#2:f2d4f545-ebb7-4291-45b7-45f5d4f2b7eb#0" src-dn="\IDV-TEST\Company\Users\S.USERNAME">
      <add-attr attr-name="USERNAME:BAPIBNAME" xmlns:stru="http://www.novell.com/nxsl/java/com.company.drivers.StringUtils">
        <value type="string">S.USERNAME</value>
      </add-attr>
      <add-attr attr-name="ADDRESS:FULLNAME">
        <value timestamp="1291733136#757" type="string">System Username</value>
      </add-attr>
      <add-attr attr-name="ADDRESS:FIRSTNAME">
        <value timestamp="1291733136#758" type="string">System</value>
      </add-attr>
      <add-attr attr-name="ADDRESS:INITIALS">
        <value timestamp="1291733136#759" type="string">SU</value>
      </add-attr>
      <add-attr attr-name="ADDSMTP:E_MAIL">
        <value timestamp="1326277631#2" type="string">email@email.com</value>
      </add-attr>
      <add-attr attr-name="ADDRESS:DEPARTMENT">
        <value timestamp="1291733136#746" type="string">External Sales</value>
      </add-attr>
      <add-attr attr-name="ADDRESS:LASTNAME">
        <value timestamp="1291733136#754" type="string">Username</value>
      </add-attr>
      <add-attr attr-name="ADDRESS:FUNCTION">
        <value timestamp="1291733136#756" type="string">External Sales</value>
      </add-attr>
      <add-attr attr-name="LOCKUSER">
        <value timestamp="1291733136#725" type="state">0</value>
      </add-attr>
      <add-attr attr-name="COMPANY:COMPANY">
        <value timestamp="1301395515#92" type="string">COMPANY</value>
      </add-attr>
      <add-attr attr-name="ADDRESS:TITLE_P">
        <value type="string">Mr.</value>
      </add-attr>
      <add-attr attr-name="LOGONDATA:USTYP">
        <value type="string">A</value>
      </add-attr>
      <password><!-- content suppressed --></password>
      <operation-data accountAction="accountEnableByEntitlementGrant" association="" attempt-to-match="true" guid="1w8H9du0BkFWgNcPB/XbtA==" lsname="SAPSYS100" objectClass="User" sourceDN="\IDV-TEST\Company\Users\S.USERNAME">
        <entitlement-impl id="Company\Services\DriverSet\Entitlement Policies\SAPU" name="UserAccount" src="RBE" src-dn="\IDV-TEST\Company\Users\S.USERNAME" state="1">LSNAME=SAPSYS100</entitlement-impl>
        <password-subscribe-status>
          <association/>
        </password-subscribe-status>
      </operation-data>
    </add>
    <modify class-name="US" dest-dn="\SAPSYS100\S.USERNAME" event-id="srvm170#20120111104610#2#2:f2d4f545-ebb7-4291-45b7-45f5d4f2b7eb#0" src-dn="\IDV-TEST\Company\Users\S.USERNAME">
      <modify-attr attr-name="ACTIVITYGROUPS">
        <remove-value>
          <value type="structured">
            <component name="AGR_NAME">ROLE_FI_CORPORATE_FINANCE</component>
            <component name="FROM_DAT"/>
            <component name="TO_DAT"/>
          </value>
        </remove-value>
      </modify-attr>
      <modify-attr attr-name="ACTIVITYGROUPS">
        <remove-value>
          <value type="structured">
            <component name="AGR_NAME">ROLE_PP_GLOBAL</component>
            <component name="FROM_DAT"/>
            <component name="TO_DAT"/>
          </value>
        </remove-value>
      </modify-attr>
      <modify-attr attr-name="ACTIVITYGROUPS">
        <remove-value>
          <value type="structured">
            <component name="AGR_NAME">ROLE_SENTINEL_TABLES</component>
            <component name="FROM_DAT"/>
            <component name="TO_DAT"/>
          </value>
        </remove-value>
      </modify-attr>
      <operation-data>
        <entitlement-impl id="" name="ActivityGroup" src="UA" src-dn="\IDV-TEST\Company\Users\S.USERNAME" state="0">AG=ROLE_FI_CORPORATE_FINANCE|LSNAME=SAPSYS100|FROM=|TO=</entitlement-impl>
        <entitlement-impl id="" name="ActivityGroup" src="UA" src-dn="\IDV-TEST\Company\Users\S.USERNAME" state="0">AG=ROLE_PP_GLOBAL|LSNAME=SAPSYS100|FROM=|TO=</entitlement-impl>
        <entitlement-impl id="" name="ActivityGroup" src="UA" src-dn="\IDV-TEST\Company\Users\S.USERNAME" state="0">AG=ROLE_SENTINEL_TABLES|LSNAME=SAPSYS100|FROM=|TO=</entitlement-impl>
        <entitlement-impl id="Company\Services\DriverSet\Entitlement Policies\SAPU" name="UserAccount" src="RBE" src-dn="\IDV-TEST\Company\Users\S.USERNAME" state="1">LSNAME=SAPSYS100</entitlement-impl>
      </operation-data>
    </modify>
  </input>
</nds>

--------------------



The error is obviously caused by the modify operation that has been
added by the command transformation policy 'ActivityGroup (Role)
Entitlement change' of the driver. Roles removed during the second step
have left some pending entitlement operations (role membership has been
revoked). For that reason, the policy has added the removal of these
roles after the add operation.

Do you see any valid reasons why a role should be removed while adding
the user on SAP? I think that I can define a different rule for the add
operation and remove the for-each loop related to the removed
entitlements.

Any suggestions will be appreciated. Best regards,

Alessandro


Code:
--------------------

<rule>
  <description>ActivityGroup (Role) Entitlement change</description>
  <comment xml:space="preserve">Check for role membership being granted or revoked</comment>
  <conditions>
    <and>
      <if-global-variable mode="nocase" name="drv.entitlement.ActivityGroup" op="equal">true</if-global-variable>
      <if-class-name op="equal">User</if-class-name>
      <if-entitlement name="ActivityGroup" op="changing"/>
      <if-operation op="equal">modify</if-operation>
    </and>
    <and>
      <if-global-variable mode="nocase" name="drv.entitlement.ActivityGroup" op="equal">true</if-global-variable>
      <if-class-name op="equal">User</if-class-name>
      <if-operation mode="nocase" op="equal">add</if-operation>
    </and>
  </conditions>
  <actions>
    <do-set-local-variable name="dvn" scope="policy">
      <arg-string>
        <token-text xml:space="preserve">$lsname$-ctype</token-text>
      </arg-string>
    </do-set-local-variable>
    <do-set-local-variable name="event-ctype" scope="policy">
      <arg-string>
        <token-local-variable name="$dvn$"/>
      </arg-string>
    </do-set-local-variable>
    <do-for-each>
      <arg-node-set>
        <token-removed-entitlement name="ActivityGroup"/>
      </arg-node-set>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="regex" name="event-ctype" op="equal">cua-central|cua-child</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-if>
              <arg-conditions>
                <and>
                  <if-xpath op="true">string-length(es:getParamValue($current-node, 'AG'))>0</if-xpath>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-remove-dest-attr-value class-name="US" name="LOCACTIVITYGROUPS">
                  <arg-value type="structured">
                    <arg-component name="SUBSYSTEM">
                      <token-xpath expression="es:getParamValue($current-node, 'LSNAME')"/>
                    </arg-component>
                    <arg-component name="AGR_NAME">
                      <token-xpath expression="es:getParamValue($current-node, 'AG')"/>
                    </arg-component>
                    <arg-component name="FROM_DAT">
                      <token-xpath expression="es:getParamValue($current-node, 'FROM')"/>
                    </arg-component>
                    <arg-component name="TO_DAT">
                      <token-xpath expression="es:getParamValue($current-node, 'TO')"/>
                    </arg-component>
                  </arg-value>
                </do-remove-dest-attr-value>
              </arg-actions>
              <arg-actions>
                <do-remove-dest-attr-value class-name="US" name="ACTIVITYGROUPS">
                  <arg-value type="structured">
                    <arg-component name="AGR_NAME">
                      <token-local-variable name="current-node"/>
                    </arg-component>
                    <arg-component name="FROM_DAT"/>
                    <arg-component name="TO_DAT"/>
                  </arg-value>
                </do-remove-dest-attr-value>
              </arg-actions>
            </do-if>
          </arg-actions>
          <arg-actions>
            <do-if>
              <arg-conditions>
                <and>
                  <if-xpath op="true">string-length(es:getParamValue($current-node, 'AG'))>0</if-xpath>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-remove-dest-attr-value class-name="US" name="ACTIVITYGROUPS">
                  <arg-value type="structured">
                    <arg-component name="AGR_NAME">
                      <token-xpath expression="es:getParamValue($current-node, 'AG')"/>
                    </arg-component>
                    <arg-component name="FROM_DAT">
                      <token-xpath expression="es:getParamValue($current-node, 'FROM')"/>
                    </arg-component>
                    <arg-component name="TO_DAT">
                      <token-xpath expression="es:getParamValue($current-node, 'TO')"/>
                    </arg-component>
                  </arg-value>
                </do-remove-dest-attr-value>
              </arg-actions>
              <arg-actions>
                <do-remove-dest-attr-value class-name="US" name="ACTIVITYGROUPS">
                  <arg-value type="structured">
                    <arg-component name="AGR_NAME">
                      <token-local-variable name="current-node"/>
                    </arg-component>
                    <arg-component name="FROM_DAT"/>
                    <arg-component name="TO_DAT"/>
                  </arg-value>
                </do-remove-dest-attr-value>
              </arg-actions>
            </do-if>
          </arg-actions>
        </do-if>
      </arg-actions>
    </do-for-each>
    <do-for-each>
      <arg-node-set>
        <token-added-entitlement name="ActivityGroup"/>
      </arg-node-set>
      <arg-actions>
        <do-if>
          <arg-conditions>
            <and>
              <if-local-variable mode="regex" name="event-ctype" op="equal">cua-central|cua-child</if-local-variable>
            </and>
          </arg-conditions>
          <arg-actions>
            <do-if>
              <arg-conditions>
                <and>
                  <if-xpath op="true">string-length(es:getParamValue($current-node, 'AG'))>0</if-xpath>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-add-dest-attr-value class-name="US" name="LOCACTIVITYGROUPS">
                  <arg-value type="structured">
                    <arg-component name="SUBSYSTEM">
                      <token-xpath expression="es:getParamValue($current-node, 'LSNAME')"/>
                    </arg-component>
                    <arg-component name="AGR_NAME">
                      <token-xpath expression="es:getParamValue($current-node, 'AG')"/>
                    </arg-component>
                    <arg-component name="FROM_DAT">
                      <token-xpath expression="es:getParamValue($current-node, 'FROM')"/>
                    </arg-component>
                    <arg-component name="TO_DAT">
                      <token-xpath expression="es:getParamValue($current-node, 'TO')"/>
                    </arg-component>
                  </arg-value>
                </do-add-dest-attr-value>
              </arg-actions>
              <arg-actions>
                <do-add-dest-attr-value class-name="US" name="ACTIVITYGROUPS">
                  <arg-value type="structured">
                    <arg-component name="AGR_NAME">
                      <token-local-variable name="current-node"/>
                    </arg-component>
                    <arg-component name="FROM_DAT"/>
                    <arg-component name="TO_DAT"/>
                  </arg-value>
                </do-add-dest-attr-value>
              </arg-actions>
            </do-if>
          </arg-actions>
          <arg-actions>
            <do-if>
              <arg-conditions>
                <and>
                  <if-xpath op="true">string-length(es:getParamValue($current-node, 'AG'))>0</if-xpath>
                </and>
              </arg-conditions>
              <arg-actions>
                <do-add-dest-attr-value class-name="US" name="ACTIVITYGROUPS">
                  <arg-value type="structured">
                    <arg-component name="AGR_NAME">
                      <token-xpath expression="es:getParamValue($current-node, 'AG')"/>
                    </arg-component>
                    <arg-component name="FROM_DAT">
                      <token-xpath expression="es:getParamValue($current-node, 'FROM')"/>
                    </arg-component>
                    <arg-component name="TO_DAT">
                      <token-xpath expression="es:getParamValue($current-node, 'TO')"/>
                    </arg-component>
                  </arg-value>
                </do-add-dest-attr-value>
              </arg-actions>
              <arg-actions>
                <do-add-dest-attr-value class-name="US" name="ACTIVITYGROUPS">
                  <arg-value type="structured">
                    <arg-component name="AGR_NAME">
                      <token-local-variable name="current-node"/>
                    </arg-component>
                    <arg-component name="FROM_DAT"/>
                    <arg-component name="TO_DAT"/>
                  </arg-value>
                </do-add-dest-attr-value>
              </arg-actions>
            </do-if>
          </arg-actions>
        </do-if>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>

--------------------


--
afolli
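
A check for the condition described in the post above, as an added example (not the poster's or the driver's code): it scans an XDS command document for a <modify> that removes ACTIVITYGROUPS values from a dest-dn that is only being <add>ed in the same document and carries no <association> element. The function names, the constructed sample document and the rule "an add in the same document means the object is not yet associated" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed document with the same shape as the trace above.
SAMPLE = r"""<nds dtdversion="4.0" ndsversion="8.x"><input>
<add class-name="US" dest-dn="\SAPSYS100\S.USERNAME" event-id="evt-1">
  <add-attr attr-name="LOCKUSER"><value type="state">0</value></add-attr>
</add>
<modify class-name="US" dest-dn="\SAPSYS100\S.USERNAME" event-id="evt-1">
  <modify-attr attr-name="ACTIVITYGROUPS"><remove-value><value type="structured">
    <component name="AGR_NAME">ROLE_PP_GLOBAL</component>
  </value></remove-value></modify-attr>
  <operation-data>
    <entitlement-impl name="ActivityGroup" state="0">AG=ROLE_PP_GLOBAL|LSNAME=SAPSYS100|FROM=|TO=</entitlement-impl>
  </operation-data>
</modify>
</input></nds>"""

ROLE_PATH = ("modify-attr[@attr-name='ACTIVITYGROUPS']/remove-value/value/"
             "component[@name='AGR_NAME']")
ENT_PATH = "operation-data/entitlement-impl[@name='ActivityGroup'][@state='0']"

def parse_entitlement_params(text):
    """Split 'AG=...|LSNAME=...|FROM=|TO=' into a dict, tolerating stray spaces."""
    pairs = (p.split("=", 1) for p in text.split("|") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def orphan_role_removals(xds):
    """List role removals aimed at objects created earlier in the same document."""
    findings, added = [], set()
    for inp in ET.fromstring(xds).iter("input"):
        for cmd in inp:  # commands in document order
            dn = cmd.get("dest-dn")
            if cmd.tag == "add":
                added.add(dn)  # assumption: no association exists yet
            elif (cmd.tag == "modify" and dn in added
                  and cmd.find("association") is None):
                roles = [c.text for c in cmd.findall(ROLE_PATH)]
                if roles:
                    revoked = [parse_entitlement_params(e.text or "").get("AG")
                               for e in cmd.findall(ENT_PATH)]
                    findings.append({"dest-dn": dn, "removed_roles": roles,
                                     "revoked_entitlements": revoked})
    return findings

if __name__ == "__main__":
    for finding in orphan_role_removals(SAMPLE):
        print(finding)
```
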