Hi,

I have implemented a logic for my requirement and it's giving upexpected
result while testing, Could anyone please guide me on fine tuning it?

I have a requirement where i have some resources and having many roles
under each resources. The driver i have used is loopback driver(we call
it as SystemView) for dynamic assignment of roles that act as when user
request a role through userapp, direct manager gets an approval
notification and approves it hence role gets assigned to the user once
approved by manager. For serving this purpose we have bind generic
workflow with each role in userapp. My code works for adding and
removing role both purpose but the trouble is, when i requested role
called role dpk1 from the resource res1 and had manager to approves it
the role got assigned. Next i requested role dpk2 from the same the
resource res1. We found something unexpected happening, manager got
approval notification for dpk1(that was already requested, approved and
added to the user profile) and dpk2(which was only requested) both.

Could anyone please help me understand what could be wrong here?
Workflow i have used here is very simple and generic that has just 2
activity for approval and deny of the request.

This is the code that i have implemented in my policy:

<rule>
<description>Check for the roles being granted or
revoked</description>
<conditions>
<or>
<if-class-name op="equal">User</if-class-name>
<if-operation op="equal">modify</if-operation>
<if-entitlement name="res1" op="changing"/>
</or>
</conditions>
<actions>
<do-for-each>
<arg-node-set>
<token-added-entitlement name="Res1"/>
</arg-node-set>
<arg-actions>
<do-trace-message>
<arg-string>
<token-src-dn/>
</arg-string>
</do-trace-message>
<do-for-each>
<arg-node-set>
<token-src-dn start="1"/>
</arg-node-set>
<arg-actions>
<do-set-local-variable name="recipient-nodeset" scope="policy">
<arg-node-set>
<token-query datastore="src" max-result-count="1"
scope="entry">
<arg-dn>
<token-local-variable name="current-node"/>
</arg-dn>
</token-query>
</arg-node-set>
</do-set-local-variable>
<do-set-local-variable name="recipient-qualified-dn-lv"
scope="policy">
<arg-string>
<token-xpath
expression="$recipient-nodeset/@qualified-src-dn"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="lv_userdngrpmod" scope="driver">
<arg-string>
<token-parse-dn dest-dn-format="ldap"
src-dn-format="qualified-slash">
<token-local-variable name="recipient-qualified-dn-lv"/>
</token-parse-dn>
</arg-string>
</do-set-local-variable>
</arg-actions>
</do-for-each>
<do-trace-message>
<arg-string>
<token-local-variable name="recipient-qualified-dn-lv"/>
</arg-string>
</do-trace-message>
<do-trace-message>
<arg-string>
<token-local-variable name="lv_userdngrpmod"/>
</arg-string>
</do-trace-message>
<do-trace-message>
<arg-string>
<token-local-variable name="current-node"/>
</arg-string>
</do-trace-message>
<do-for-each>
<arg-node-set>
<token-local-variable name="current-node"/>
</arg-node-set>
<arg-actions>
<do-set-local-variable name="role-nodeset" scope="policy">
<arg-node-set>
<token-query datastore="src" max-result-count="1"
scope="entry">
<arg-dn>
<token-local-variable name="current-node"/>
</arg-dn>
</token-query>
</arg-node-set>
</do-set-local-variable>
<do-set-local-variable name="role-qualified-dn-lv"
scope="policy">
<arg-string>
<token-xpath expression="$role-nodeset/@qualified-src-dn"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="lv_roledngrpmod" scope="driver">
<arg-string>
<token-parse-dn dest-dn-format="ldap"
src-dn-format="qualified-slash">
<token-local-variable name="role-qualified-dn-lv"/>
</token-parse-dn>
</arg-string>
</do-set-local-variable>
</arg-actions>
</do-for-each>
<do-trace-message>
<arg-string>
<token-local-variable name="lv_roledngrpmod"/>
</arg-string>
</do-trace-message>
<do-add-role id="CN=uaadmin,OU=sa,O=company"
role-id="$lv_roledngrpmod$" time-out="0" url="$User_Application_URL$">
<arg-password>
<token-named-password name="UAPasswd"/>
</arg-password>
<arg-dn>
<token-local-variable name="lv_userdngrpmod"/>
</arg-dn>
<arg-string name="description">
<token-text xml:space="preserve">Assign user to
role</token-text>
</arg-string>
</do-add-role>
</arg-actions>
</do-for-each>
<do-veto notrace="true"/>
</actions>
</rule>

same code for each removed entitlement with remove role.

Thanks,
Dipika


--
dpkagajjar
------------------------------------------------------------------------
dpkagajjar's Profile: https://forums.netiq.com/member.php?userid=13018
View this thread: https://forums.netiq.com/showthread.php?t=57405