
Thread: Add user to Group in Active Directory


  1. #1
    dinatechmnovell NNTP User

    Add user to Group in Active Directory


    Hi,

    We are using NetIQ IDM 4.0.2. We use the AD driver to sync only users from
    IDM to Active Directory and not the groups. Groups will be maintained by
    the AD team.

    As per our requirement, the user will raise a request for share access
    through a workflow and, if it gets approved, the user will be added to the
    respective share group in AD.

    Please advise whether this can be done with driver policy, and provide a
    sample policy for it.

    Thanks,
    DK


    --
    dinatechmnovell
    ------------------------------------------------------------------------
    dinatechmnovell's Profile: https://forums.netiq.com/member.php?userid=6777
    View this thread: https://forums.netiq.com/showthread.php?t=50284


  2. #2
    Alex McHugh NNTP User

    Re: Add user to Group in Active Directory

    dinatechmnovell wrote:

    >
    > Hi,
    >
    > We are using NetIQ IDM 4.0.2. We use AD driver to sync only users from
    > IDM to Active Directory and not the Groups. Groups will be maintained by
    > AD team.
    >
    > As per our requirement, The user will raise request for share access
    > thru workflow and if gets approved the user will be added to the
    > respective share group in AD.
    >
    > Please help if this can be done with driver policy and a sample policy
    > of that.


    There shouldn't need to be any major changes to driver policy for this.

    I'd use the AD group entitlement object, link it to a resource with the set value at assignment, and do most of the heavy lifting in the userapp/workflow.


    --
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  3. #3
    dinatechmnovell NNTP User

    Re: Add user to Group in Active Directory


    Below is the code I am using, but it gives a "Src-dn missing" error. Please
    help me build the correct rule/policy.

    <policy>
      <rule>
        <description>Group Provisioning</description>
        <conditions>
          <and>
            <if-operation mode="case" op="equal">modify</if-operation>
            <if-class-name mode="nocase" op="equal">User</if-class-name>
            <if-association op="associated"/>
            <if-entitlement name="entADGroup" op="available"/>
          </and>
        </conditions>
        <actions>
          <do-add-dest-attr-value class-name="Group" name="Member">
            <arg-dn>
              <token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
            </arg-dn>
            <arg-value type="string">
              <token-dest-dn/>
            </arg-value>
          </do-add-dest-attr-value>
        </actions>
      </rule>
    </policy>




  4. #4
    Geoffrey Carman

    Re: Add user to Group in Active Directory

    On 3/16/2014 6:35 AM, dinatechmnovell wrote:
    >
    > Below is the code, I am using. But it gives Src-dn missing error. Please
    > help to build the correct rule/policy.
    >
    > <policy>
    > <rule>
    > <description>Group Provisioning</description>
    > <conditions>
    > <and>
    > <if-operation mode="case" op="equal">modify</if-operation>
    > <if-class-name mode="nocase" op="equal">User</if-class-name>
    > <if-association op="associated"/>
    > <if-entitlement name="entADGroup" op="available"/>
    > </and>
    > </conditions>
    > <actions>
    > <do-add-dest-attr-value class-name="Group" name="Member">
    > <arg-dn>
    > <token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
    > </arg-dn>
    > <arg-value type="string">
    > <token-dest-dn/>
    > </arg-value>
    > </do-add-dest-attr-value>
    > </actions>
    > </rule>
    > </policy>


    Modify events on an associated object do not have a Dest DN in the
    event. The token-dest-dn seems like it should magically figure that out
    for you; alas, it is a simple alias for the XPath @dest-dn (discussed in
    my book, in fact).

    So you would need to use the Resolve token to resolve the Association
    value to the DN and use that value. So in your add-dest-attr, where you
    specify the group DN explicitly, replace the value of token-dest-dn with
    the local variable DEST-DN that you set in the previous action:

    <do-set-local-variable name="DEST-DN" scope="policy">
      <arg-string>
        <token-resolve datastore="dest">
          <arg-association>
            <token-association/>
          </arg-association>
        </token-resolve>
      </arg-string>
    </do-set-local-variable>

    My book on IDM tokens is available at:

    http://www.ninja-tools.com/Definitiv...-Copy-2001.htm



  5. #5
    Alex McHugh NNTP User

    Re: Add user to Group in Active Directory

    Geoffrey Carman wrote:

    > Modify events on an associated object do not have a Dest DN in the event. The Token-dest-dn seems like it should magically figure that out for you, alas, it is a simple alias for the XPATH @dest-dn (Discussed in my book in fact).
    >
    > So you would need to use the Resolve token to resolve the Association value to the DN and use that value. So in your add-dest-attr you specify the group DN explicit, replace the value of token-dest-dn with local variable DEST-DN that you get in the previous action:
    >
    > <do-set-local-variable name="DEST-DN" scope="policy">
    > <arg-string>
    > <token-resolve datastore="dest">
    > <arg-association>
    > <token-association/>
    > </arg-association>
    > </token-resolve>
    > </arg-string>
    > </do-set-local-variable>


    All true, but actually, in your scenario you don't even need to resolve the dest-dn of the user object. You can set the association-ref on the Member attribute value and let the driver shim handle this for you. This is faster (as long as the current operation is already associated).

    <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
      <arg-string>
        <token-association/>
      </arg-string>
    </do-set-xml-attr>


    The other problem with your code is the way you test for entitlements:

    <if-entitlement name="entADGroup" op="available"/>

    This means that this code will execute on each and every modify, which is inefficient and may cause warnings/errors to be reported from AD that the user is already a member of the group.

    I would instead use the following code.

    NOTE: wrapping the added/removed entitlement in a for-each is good practice even if the value is single-valued, as it implicitly calls <do-implement-entitlement>, which is a special action that ensures that entitlement activities are written to the DirXML-EntitlementResult attribute on the user.

    <rule>
      <description>Group Provisioning</description>
      <conditions>
        <and>
          <if-class-name mode="nocase" op="equal">User</if-class-name>
          <if-operation mode="nocase" op="equal">modify</if-operation>
          <if-association op="associated"/>
          <if-entitlement name="entADGroup" op="changing"/>
        </and>
      </conditions>
      <actions>
        <do-for-each>
          <arg-node-set>
            <token-added-entitlement name="entADGroup"/>
          </arg-node-set>
          <arg-actions>
            <do-add-dest-attr-value class-name="Group" name="Member">
              <arg-dn>
                <token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
              </arg-dn>
              <arg-value type="string">
                <token-src-dn/>
              </arg-value>
            </do-add-dest-attr-value>
            <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
              <arg-string>
                <token-association/>
              </arg-string>
            </do-set-xml-attr>
            <do-break/>
          </arg-actions>
        </do-for-each>
      </actions>
    </rule>


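The rule below is an added example, not code from this thread or from the NetIQ AD driver packages. It takes the grant logic Alex describes (test with op="changing", for-each over token-added-entitlement, association-ref on the Member value so the shim resolves the user) and adds the matching revocation path, so that when the entitlement is removed again (the workflow revokes the access, or the approval expires) the user is taken out of the share group instead of being left with stale access. Assumptions: the rule sits in the AD driver's Subscriber Command Transformation policy, the entitlement is still named entADGroup, and the group DN is the thread's hard-coded placeholder (reading the thread's "dc=esecla b" as dc=eseclab).

```xml
<!-- Added example, not from the thread. Assumed placement: AD driver,
     Subscriber channel, Command Transformation policy set. -->
<policy>
  <rule>
    <description>entADGroup: grant and revoke AD group membership</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-operation mode="nocase" op="equal">modify</if-operation>
        <!-- Only associated users have an AD object the shim can resolve. -->
        <if-association op="associated"/>
        <!-- "changing" fires only when the entitlement is added or removed,
             not on every unrelated modify of the user. -->
        <if-entitlement name="entADGroup" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- Grant path: one iteration per added entitlement value. The for-each
           over token-added-entitlement implicitly records the result in
           DirXML-EntitlementResult on the user. -->
      <do-for-each>
        <arg-node-set>
          <token-added-entitlement name="entADGroup"/>
        </arg-node-set>
        <arg-actions>
          <do-add-dest-attr-value class-name="Group" name="Member">
            <arg-dn>
              <!-- Hard-coded placeholder DN, as in the thread. -->
              <token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
            </arg-dn>
            <arg-value type="string">
              <token-src-dn/>
            </arg-value>
          </do-add-dest-attr-value>
          <!-- Tag the value just added with the user's association so the
               shim substitutes the real AD DN of the user. -->
          <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
            <arg-string>
              <token-association/>
            </arg-string>
          </do-set-xml-attr>
        </arg-actions>
      </do-for-each>
      <!-- Revoke path: mirror of the grant path over removed entitlement
           values, using remove-value instead of add-value. -->
      <do-for-each>
        <arg-node-set>
          <token-removed-entitlement name="entADGroup"/>
        </arg-node-set>
        <arg-actions>
          <do-remove-dest-attr-value class-name="Group" name="Member">
            <arg-dn>
              <token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
            </arg-dn>
            <arg-value type="string">
              <token-src-dn/>
            </arg-value>
          </do-remove-dest-attr-value>
          <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/remove-value[last()]/value[last()]" name="association-ref">
            <arg-string>
              <token-association/>
            </arg-string>
          </do-set-xml-attr>
        </arg-actions>
      </do-for-each>
    </actions>
  </rule>
</policy>
```

The point of carrying the revoke branch alongside the grant branch is that the approval workflow then owns the full lifecycle of the access: whatever adds the entitlement is matched by something that removes it, and the DirXML-EntitlementResult history on the user shows both. In a real deployment the group DN would come from the entitlement value or a GCV rather than a token-text literal, which is why the thread's placeholder DN is kept here only to stay consistent with the code above.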

  6. #6
    Geoffrey Carman

    Re: Add user to Group in Active Directory

    > All true, but actually - in your scenario, you don't even need to resolve the dest-dn of the user object. You can set the association-ref on the member attribute value and let the driver shim handle this for you. This is faster (as long as the current operation is already associated)
    > <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
    > <arg-string>
    > <token-association/>
    > </arg-string>
    > </do-set-xml-attr>


    That is true as well. I suspect my approach might be simpler to digest,
    but your way is more efficient.


    > The other problem with your code is the way you test for entitlements
    >
    > <if-entitlement name="entADGroup" op="available"/>
    >
    > This means that this code will execute on each and every modify, which is inefficient and may cause warnings/errors to be reported from AD that the user is already a member of the group.
    >
    > I would instead use the following code.
    >
    > NOTE: wrapping added/removed entitlement in a foreach is good practice even if the value is single valued as it implicitly calls <do-implement-entitlement> which is a special action that ensures that entitlement activities are written to the DirXML-EntitlementResult attribute on the user.
    >
    > <rule>
    > <description>Group Provisioning</description>
    > <conditions>
    > <and>
    > <if-class-name mode="nocase" op="equal">User</if-class-name>
    > <if-operation mode="nocase" op="equal">modify</if-operation>
    > <if-association op="associated"/>
    > <if-entitlement name="entADGroup" op="changing"/>
    > </and>
    > </conditions>
    > <actions>
    > <do-for-each>
    > <arg-node-set>
    > <token-added-entitlement name="entADGroup"/>
    > </arg-node-set>
    > <arg-actions>
    > <do-add-dest-attr-value class-name="Group" name="Member">
    > <arg-dn>
    > <token-text xml:space="preserve">CN=TestGrp,cn=Users,dc=eseclab,dc=Com</token-text>
    > </arg-dn>
    > <arg-value type="string">
    > <token-src-dn/>
    > </arg-value>
    > </do-add-dest-attr-value>
    > <do-set-xml-attr expression="../modify[last()]/modify-attr[last()]/add-value[last()]/value[last()]" name="association-ref">
    > <arg-string>
    > <token-association/>
    > </arg-string>
    > </do-set-xml-attr>
    > <do-break/>
    > </arg-actions>
    > </do-for-each>
    > </actions>
    > </rule>
    >
    >



  7. #7
    David Gersic NNTP User

    Re: Add user to Group in Active Directory

    On Fri, 14 Mar 2014 09:14:02 +0000, dinatechmnovell wrote:

    > Hi,
    >
    > We are using NetIQ IDM 4.0.2. We use AD driver to sync only users from
    > IDM to Active Directory and not the Groups. Groups will be maintained by
    > AD team.


    You may want to re-think this.


    > As per our requirement, The user will raise request for share access
    > thru workflow and if gets approved the user will be added to the
    > respective share group in AD.


    If you're intending to do group manipulations from within IDM, it's
    somewhat easier to do if you sync the groups.


    > Please help if this can be done with driver policy and a sample policy
    > of that.


    You might find some ideas here:

    http://www.novell.com/communities/no...primary-group-active-directory


    --
    --------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu
    Knowledge Partner http://forums.netiq.com

    Please post questions in the forums. No support provided via email.
    If you find this post helpful, please click on the star below.
