Hi all,

I have a rule that trigger a role add event and send an email, and it
works fine. Then, I use the same rule with small change to trigger the
role remove event, but it does'nt work.
I cannot find what's wrong, any idea ?

Here is the trace that works with "role add":

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.6">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20141126151330.200Z" class-name="User"
event-id="srvlidmp01#20141126151330#2#3:21655a4c-0f1f-405c-8481-4c5a65211f0f"
qualified-src-dn="dc=data\O=TEST\dc=auth\dc=users\OU=internal\CN =Yorke.Thom"
src-dn="\TESTPROD\data\TEST\auth\users\internal\Yorke. Thom"
src-entry-id="498682" timestamp="1417014810#1">
<modify-attr attr-name="nrfAssignedRoles">
<add-value>
<value timestamp="1417014810#1" type="structured">
<component name="nameSpace">0</component>
<component
name="volume">\TESTPROD\system\services\idm\Active DriverSet\UserApp\AppConfig\RoleConfig\RoleDefs\Le vel30\TEST
Roles\TESTstaff</component>
<component
name="path">&lt;assignment>&lt;start_tm>2014112615 1330Z&lt;/start_tm>&lt;req_tm>20141126151305Z&lt;/req_tm>&lt;req>cn=userappadmin,ou=service-accounts,dc=users,dc=auth,o=TEST,dc=data&lt;/req>&lt;req_desc>tt&lt;/req_desc>&lt;approval>&lt;start_tm>20141126151310Z &lt;/start_tm>&lt;process_id>98110d6a74e8462b9453e642d7 72866d&lt;/process_id>&lt;activity>&lt;user>cn=userappadmin,o u=service-accounts,dc=users,dc=auth,o=TEST,dc=data&lt;/user>&lt;action>approved&lt;/action>&lt;action_tm>20141126151329Z&lt;/action_tm>&lt;/activity>&lt;end_tm>20141126151330Z&lt;/end_tm>&lt;/approval>&lt;/assignment></component>
</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[11/26/14 16:13:30.264]:lb-notification ST:Applying policy:
%+C%14Csub-ets-notify-on-resources%-C.
[11/26/14 16:13:30.264]:lb-notification ST: Applying to modify #1.
[11/26/14 16:13:30.264]:lb-notification ST: Evaluating selection
criteria for rule 'Break if not in scope'.
[11/26/14 16:13:30.265]:lb-notification ST: (if-op-attr
'nrfAssignedResources' not-changing) = TRUE.
[11/26/14 16:13:30.265]:lb-notification ST: (if-op-attr
'nrfAssignedRoles' not-changing) = FALSE.
[11/26/14 16:13:30.265]:lb-notification ST: Rule rejected.
[11/26/14 16:13:30.265]:lb-notification ST: Evaluating selection
criteria for rule 'Notification for Role TEST Staff Standard added'.
[11/26/14 16:13:30.265]:lb-notification ST: (if-op-attr
'nrfAssignedRoles' changing-to ".*") = TRUE.
[11/26/14 16:13:30.265]:lb-notification ST: Rule selected.
[11/26/14 16:13:30.266]:lb-notification ST: Applying rule
'Notification for Role TEST Staff Standard added'.
[11/26/14 16:13:30.266]:lb-notification ST: Action:
do-for-each(arg-node-set("modify-attr[@attr-name=""nrfAssignedRoles"]/add-value/value")).
[11/26/14 16:13:30.266]:lb-notification ST:
arg-node-set("modify-attr[@attr-name=""nrfAssignedRoles"]/add-value/value")
[11/26/14 16:13:30.266]:lb-notification ST:
token-text("modify-attr[@attr-name=""nrfAssignedRoles"]/add-value/value")
[11/26/14 16:13:30.266]:lb-notification ST: Token Value:
"modify-attr[@attr-name=""nrfAssignedRoles"]/add-value/value".
[11/26/14 16:13:30.267]:lb-notification ST: Arg Value:
{"modify-attr[@attr-name=&quot;&quot;nrfAssigne..."}.
[11/26/14 16:13:30.267]:lb-notification ST: Performing actions
for local-variable(current-node) =
"modify-attr[@attr-name=&quot;&quot;nrfAssigne...".
[11/26/14 16:13:30.267]:lb-notification ST: Action:
do-set-local-variable("rolevent",scope="policy",arg-node-set(token-op-attr("nrfAssignedRoles"))).
[11/26/14 16:13:30.267]:lb-notification ST:
arg-node-set(token-op-attr("nrfAssignedRoles"))
[11/26/14 16:13:30.267]:lb-notification ST:
token-op-attr("nrfAssignedRoles")
[11/26/14 16:13:30.268]:lb-notification ST: Token Value:
{<value> @timestamp = "1417014810#1" @type = "structured"}. *"Here the
nrfAssgnedRoles attribute is properly read"*
[11/26/14 16:13:30.268]:lb-notification ST: Arg Value:
{<value> @timestamp = "1417014810#1" @type = "structured"}.
[11/26/14 16:13:30.268]:lb-notification ST: Action:
do-set-local-variable("namespace",scope="policy",arg-node-set(token-xpath("$rolevent/component[1]"))).
[11/26/14 16:13:30.268]:lb-notification ST:
arg-node-set(token-xpath("$rolevent/component[1]"))
[11/26/14 16:13:30.268]:lb-notification ST:
token-xpath("$rolevent/component[1]")
[11/26/14 16:13:30.269]:lb-notification ST: Token Value:
{<component> @name = "nameSpace"}.
[11/26/14 16:13:30.269]:lb-notification ST: Arg Value:
{<component> @name = "nameSpace"}.


And here is the trace for the role removed (that does not work):

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.0.2.6">DirXML</product>
<contact>Novell, Inc.</contact>
</source>
<input>
<modify cached-time="20141126151537.518Z" class-name="User"
event-id="srvlidmp01#20141126151537#2#3:f288cfa9-8309-4e6c-0c87-a9cf88f20983"
qualified-src-dn="dc=data\O=TEST\dc=auth\dc=users\OU=internal\CN =Yorke.Thom"
src-dn="\TESTPROD\data\TEST\auth\users\internal\Yorke. Thom"
src-entry-id="498682" timestamp="0#0">
<modify-attr attr-name="nrfAssignedRoles">
<remove-value>
<value timestamp="1417014810#1" type="structured">
<component name="nameSpace">0</component>
<component
name="volume">\TESTPROD\system\services\idm\Active DriverSet\UserApp\AppConfig\RoleConfig\RoleDefs\Le vel30\TEST
Roles\TESTstaff</component>
<component
name="path">&lt;assignment>&lt;start_tm>2014112615 1330Z&lt;/start_tm>&lt;req_tm>20141126151305Z&lt;/req_tm>&lt;req>cn=userappadmin,ou=service-accounts,dc=users,dc=auth,o=TEST,dc=data&lt;/req>&lt;req_desc>tt&lt;/req_desc>&lt;approval>&lt;start_tm>20141126151310Z &lt;/start_tm>&lt;process_id>98110d6a74e8462b9453e642d7 72866d&lt;/process_id>&lt;activity>&lt;user>cn=userappadmin,o u=service-accounts,dc=users,dc=auth,o=TEST,dc=data&lt;/user>&lt;action>approved&lt;/action>&lt;action_tm>20141126151329Z&lt;/action_tm>&lt;/activity>&lt;end_tm>20141126151330Z&lt;/end_tm>&lt;/approval>&lt;/assignment></component>
</value>
</remove-value>
</modify-attr>
</modify>
</input>
</nds>
[11/26/14 16:15:37.630]:lb-notification ST:Applying policy:
%+C%14Csub-ets-notify-on-resources%-C.
[11/26/14 16:15:37.630]:lb-notification ST: Applying to modify #1.
[11/26/14 16:15:37.630]:lb-notification ST: Evaluating selection
criteria for rule 'Break if not in scope'.
[11/26/14 16:15:37.630]:lb-notification ST: (if-op-attr
'nrfAssignedResources' not-changing) = TRUE.
[11/26/14 16:15:37.631]:lb-notification ST: (if-op-attr
'nrfAssignedRoles' not-changing) = FALSE.
[11/26/14 16:15:37.631]:lb-notification ST: Rule rejected.
[11/26/14 16:15:37.631]:lb-notification ST: Evaluating selection
criteria for rule 'Notification for Role TEST Staff Standard added'.
[11/26/14 16:15:37.631]:lb-notification ST: (if-op-attr
'nrfAssignedRoles' changing-to ".*") = FALSE.
[11/26/14 16:15:37.631]:lb-notification ST: Rule rejected.
[11/26/14 16:15:37.631]:lb-notification ST: Evaluating selection
criteria for rule 'Notification for Role TEST Staff Standard removed'.
[11/26/14 16:15:37.632]:lb-notification ST: (if-op-attr
'nrfAssignedRoles' changing-from ".*") = TRUE.
[11/26/14 16:15:37.632]:lb-notification ST: Rule selected.
[11/26/14 16:15:37.632]:lb-notification ST: Applying rule
'Notification for Role TEST Staff Standard removed'.
[11/26/14 16:15:37.632]:lb-notification ST: Action:
do-for-each(arg-node-set("modify-attr[@attr-name=""nrfAssignedRoles"]/remove-value/value")).
[11/26/14 16:15:37.633]:lb-notification ST:
arg-node-set("modify-attr[@attr-name=""nrfAssignedRoles"]/remove-value/value")
[11/26/14 16:15:37.633]:lb-notification ST:
token-text("modify-attr[@attr-name=""nrfAssignedRoles"]/remove-value/value")
[11/26/14 16:15:37.633]:lb-notification ST: Token Value:
"modify-attr[@attr-name=""nrfAssignedRoles"]/remove-value/value".
[11/26/14 16:15:37.633]:lb-notification ST: Arg Value:
{"modify-attr[@attr-name=&quot;&quot;nrfAssigne..."}.
[11/26/14 16:15:37.633]:lb-notification ST: Performing actions
for local-variable(current-node) =
"modify-attr[@attr-name=&quot;&quot;nrfAssigne...".
[11/26/14 16:15:37.634]:lb-notification ST: Action:
do-set-local-variable("rolevent",scope="policy",arg-node-set(token-op-attr("nrfAssignedRoles"))).
[11/26/14 16:15:37.634]:lb-notification ST:
arg-node-set(token-op-attr("nrfAssignedRoles"))
[11/26/14 16:15:37.634]:lb-notification ST:
token-op-attr("nrfAssignedRoles")
[11/26/14 16:15:37.634]:lb-notification ST: Token Value:
{}.*Here the nrfAssgnedRoles attribute is not found ???? *
[11/26/14 16:15:37.634]:lb-notification ST: Arg Value: {}.
[11/26/14 16:15:37.634]:lb-notification ST: Action:
do-set-local-variable("namespace",scope="policy",arg-node-set(token-xpath("$rolevent/component[1]"))).
[11/26/14 16:15:37.635]:lb-notification ST:
arg-node-set(token-xpath("$rolevent/component[1]"))
[11/26/14 16:15:37.635]:lb-notification ST:
token-xpath("$rolevent/component[1]")
[11/26/14 16:15:37.635]:lb-notification ST: Token Value:
{}.
[11/26/14 16:15:37.635]:lb-notification ST: Arg Value: {}.

I guess there is something wrong in my rule...

Thanks

Sylvain


--
sma
------------------------------------------------------------------------
sma's Profile: https://forums.netiq.com/member.php?userid=174
View this thread: https://forums.netiq.com/showthread.php?t=52306