3. Content Rule
( arg-password , ( arg-dn | arg-association ) ? , arg-string * )
The <do-add-role> action initiates a request to the Roles Based Provisioning Module (RBPM) to assign the Role specified by role-id to an Identity. The target Identity is specified by <arg-dn> or <arg-association> if one is given, or by the current object otherwise. If specified by <arg-dn>, the DN must be in LDAP format. The request is made to the RBPM-enabled User Application server specified by url, using the credentials specified by id and <arg-password>. Additional optional arguments to the Role assignment request may be specified by named <arg-string> elements.
Name / Description

description
A description of the reason for the request, used for auditing and (if necessary) approval purposes.
Default: Request generated by policy.

effective-time
The time (in CTIME format) the role assignment should become effective.
Default: now

expiration-time
The time (in CTIME format) the role assignment will automatically expire.
Default: never

sod-justification
A justification for requesting an exception for any Separation of Duty (SOD) violations this assignment would trigger.
Default: No exception is requested, and the request will fail if it would cause an SOD violation.
If any type of error occurs while requesting the role assignment, the error string will be available to the enclosing policy in the local variable named error.do-add-role. Otherwise that local variable will be unavailable.
<do-add-role id="cn=RoleAdmin,o=People" url="http://localhost:8080/IDMProv" role-id="cn=Contractor,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=novell">
  <arg-password>
    <token-named-password name="role-admin"/>
  </arg-password>
  <arg-string name="description">
    <token-text>Requested by policy because isContractor attribute set to true</token-text>
  </arg-string>
  <arg-string name="effective-time">
    <token-src-attr name="Hire Date"/>
  </arg-string>
  <arg-string name="expiration-time">
    <token-convert-time dest-format="!CTIME" dest-tz="UTC" offset="6" offset-unit="month" src-format="!CTIME" src-tz="UTC">
      <token-src-attr name="Hire Date"/>
    </token-convert-time>
  </arg-string>
</do-add-role>
- arg-password
- password argument
- arg-dn
- DN argument
- arg-association
- association argument
- arg-string
- string argument
Attribute / Value(s) / Default Value

disabled
  Value(s): true | false (true if this element is disabled)
  Default Value: false

id
  Value(s): CDATA, the LDAP format DN of a user authorized to make the request; supports variable expansion
  Default Value: #REQUIRED

notrace
  Value(s): true | false
  Default Value: false

role-id
  Value(s): CDATA, the LDAP format DN of the Role to assign; supports variable expansion
  Default Value: #REQUIRED

url
  Value(s): CDATA, the URL of the User Application server hosting RBPM; supports variable expansion
  Default Value: #REQUIRED
- actions
- actions that are performed by a <rule>
- arg-actions
- actions argument