Hi there,

as the title states I would like to know how it is possible to revoke a
specific resource from a user via a driver policy. I've managed to
assign a resource and even revoke resources via policy, but it always
revokes ALL resources of that type. If I assign a resource via UserApp
AND the driver policy, and the resource from the driver should be
revoked later, it always revokes both.

This is what my revoke policy looks like:

Code:
--------------------
<do-set-local-variable name="lvDN" scope="policy">
<arg-string>
<token-global-variable name="idv.dit.driver.userapp"/>
<token-text xml:space="preserve">\AppConfig\RoleConfig\ResourceRequests\</token-text>
<token-convert-time dest-format="yyyyMMddHHmmss" dest-tz="Europe/Berlin" src-format="!CTIME" src-tz="UTC">
<token-local-variable name="lvNow"/>
</token-convert-time>
<token-text xml:space="preserve">-</token-text>
<token-local-variable name="lvUUID"/>
<token-text xml:space="preserve">-</token-text>
<token-local-variable name="lvI"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="lvResDN" scope="policy">
<arg-string>
<token-global-variable name="idv.dit.driver.userapp"/>
<token-text xml:space="preserve">\AppConfig\RoleConfig\ResourceDefs\E-Mail Mailbox</token-text>
</arg-string>
</do-set-local-variable>
<do-add-dest-object class-name="nrfResourceRequest">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
</do-add-dest-object>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfRequestDate">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="time">
<token-local-variable name="lvNow"/>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfStatus">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="int">
<token-text xml:space="preserve">0</token-text>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfCategory">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="int">
<token-text xml:space="preserve">15</token-text>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfCorrelationId">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="string">
<token-local-variable name="lvUUID"/>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfDescription">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="string">
<token-text xml:space="preserve">Resource assigned</token-text>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfDynamicParmVals">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="string">
<token-text xml:space="preserve">&lt;?xml version="1.0" encoding="UTF-8" standalone="yes"?>
&lt;parameter>
&lt;value parm-key="EntitlementParamKey">addresslistvisible=true|usemapi=true&lt;/value>
&lt;/parameter>
</token-text>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfEntitlementRef">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="structured">
<arg-component name="volume">
<token-text xml:space="preserve">idv\AD-Scripting\ExchangeMailbox</token-text>
</arg-component>
<arg-component name="nameSpace">
<token-text xml:space="preserve">0</token-text>
</arg-component>
<arg-component name="path">
<token-text xml:space="preserve">&lt;?xml version="1.0" encoding="UTF-8"?>
&lt;ref>
&lt;src>UA&lt;/src>
&lt;id/>
&lt;param>addresslistvisible=true|usemapi=true&lt;/param>
&lt;/ref>
</token-text>
</arg-component>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfOriginator">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="string">
<token-text xml:space="preserve">Resource assigned</token-text>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfRequester">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="dn">
<token-global-variable name="dirxml.auto.driverdn"/>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfSourceDN">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="dn">
<token-local-variable name="lvResDN"/>
</arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfTargetDN">
<arg-dn>
<token-local-variable name="lvDN"/>
</arg-dn>
<arg-value type="dn">
<token-dest-dn/>
</arg-value>
</do-add-dest-attr-value>
--------------------


The assign policy looks pretty much the same, except the "nrfCategory"
is set to 10 instead. I've noticed that the UserApp sets the
"nrfResourceInstanceGUID" attribute in the request if I select only a
specific resource to be revoked. But I have no clue where this
InstanceGUID comes from. I've tried the GUID from the initial request,
but that isn't working.

Does anyone know where the "nrfResourceInstanceGUID" comes from? If
you need any more detail, just ask me please.

Thanks in advance!


--
d_redner
------------------------------------------------------------------------
d_redner's Profile: https://forums.netiq.com/member.php?userid=790
View this thread: https://forums.netiq.com/showthread.php?t=47643
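Because a driver policy that writes nrfResourceRequest objects directly creates and revokes resource assignments without going through the UserApp request UI, it is worth being able to audit what such a policy actually populates before it runs in production. The script below is an added example, not code from the poster or from NetIQ: it parses DirXML-Script actions with ElementTree and lists every attribute written to an nrfResourceRequest, which category code it uses (10 = assign and 15 = revoke, taken from the post's own description; other codes are not mapped), and whether nrfResourceInstanceGUID is set at all. The `<policy>` wrapper around the actions and the sample policy (a trimmed copy of the one posted above) are constructed for the example; the script makes no claim about where the instance GUID originates.

```python
import xml.etree.ElementTree as ET

# Category codes as described in the forum post: revoke policy sets 15,
# assign policy sets 10. Anything else is reported as "unknown".
CATEGORY_NAMES = {10: "assign", 15: "revoke"}

# Constructed sample: a trimmed version of the revoke policy from the post,
# wrapped in a <policy> root so it parses as one XML document.
SAMPLE_REVOKE_POLICY = r"""<policy>
<do-set-local-variable name="lvResDN" scope="policy">
 <arg-string>
  <token-global-variable name="idv.dit.driver.userapp"/>
  <token-text xml:space="preserve">\AppConfig\RoleConfig\ResourceDefs\E-Mail Mailbox</token-text>
 </arg-string>
</do-set-local-variable>
<do-add-dest-object class-name="nrfResourceRequest">
 <arg-dn><token-local-variable name="lvDN"/></arg-dn>
</do-add-dest-object>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfCategory">
 <arg-dn><token-local-variable name="lvDN"/></arg-dn>
 <arg-value type="int"><token-text xml:space="preserve">15</token-text></arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfSourceDN">
 <arg-dn><token-local-variable name="lvDN"/></arg-dn>
 <arg-value type="dn"><token-local-variable name="lvResDN"/></arg-value>
</do-add-dest-attr-value>
<do-add-dest-attr-value class-name="nrfResourceRequest" name="nrfTargetDN">
 <arg-dn><token-local-variable name="lvDN"/></arg-dn>
 <arg-value type="dn"><token-dest-dn/></arg-value>
</do-add-dest-attr-value>
</policy>"""


def token_summary(arg):
    """Flatten the child tokens of an <arg-string>/<arg-value> into one
    readable string. Variables are shown symbolically ($local$, ~global~)
    because their runtime values are not known to a static audit."""
    if arg is None:
        return ""
    parts = []
    for tok in arg:
        if tok.tag == "token-text":
            parts.append(tok.text or "")
        elif tok.tag == "token-local-variable":
            parts.append("$" + tok.get("name", "") + "$")
        elif tok.tag == "token-global-variable":
            parts.append("~" + tok.get("name", "") + "~")
        elif tok.tag == "token-dest-dn":
            parts.append("<dest-dn>")
        elif tok.tag == "arg-component":
            # structured values: name=flattened component tokens
            parts.append(tok.get("name", "") + "=" + token_summary(tok))
        else:
            # any other token type (convert-time, xpath, ...) is named, not evaluated
            parts.append("<" + tok.tag + ">")
    return "".join(parts)


def audit_resource_requests(policy_xml):
    """Summarise what a DirXML-Script fragment writes to nrfResourceRequest
    objects: whether it creates one, the request category, every attribute
    set on it, and whether an instance GUID is among them."""
    root = ET.fromstring(policy_xml)
    creates_request = any(
        obj.get("class-name") == "nrfResourceRequest"
        for obj in root.iter("do-add-dest-object")
    )
    attrs = {}
    for action in root.iter("do-add-dest-attr-value"):
        if action.get("class-name") != "nrfResourceRequest":
            continue
        attrs[action.get("name")] = token_summary(action.find("arg-value"))
    cat = attrs.get("nrfCategory", "").strip()
    category = CATEGORY_NAMES.get(int(cat), "unknown") if cat.isdigit() else "unknown"
    return {
        "creates_request": creates_request,
        "category": category,
        "attributes": attrs,
        "has_instance_guid": "nrfResourceInstanceGUID" in attrs,
    }


if __name__ == "__main__":
    report = audit_resource_requests(SAMPLE_REVOKE_POLICY)
    print("creates nrfResourceRequest:", report["creates_request"])
    print("category:", report["category"])
    print("instance GUID set:", report["has_instance_guid"])
    for name, value in sorted(report["attributes"].items()):
        print(f"  {name} = {value}")
```

Run against an exported policy, the report makes it easy to compare the assign and revoke variants side by side: the only difference should be the category code, and a revoke policy that sets no nrfResourceInstanceGUID is immediately visible as one that identifies the resource only by its definition DN rather than by a specific assignment.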