What is the best way to remove roles from a user in a policy using a NullDriver

Hi Team.

I am creating a policy to remove all roles from a specific user.

I am using a Query function to read the nrfAssignedRoles attribute from the user's CN.

It returns a node set (XML) value, then I do a "for each" to iterate over each node and get each role DN, then execute the "remove role" function.

The problem is that it returns only one (the first) role; it doesn't iterate over each role.

Is there another way to remove all roles?

I tried using "remove attribute value", but nrfAssignedRoles is not present in the User class.

Any idea how to do this?

Regards,

  • 0

    Hi, I did something very similar just yesterday. You're on the right track with the "remove role" action, but the first thing to keep in mind is that "nrfAssignedRoles" is a structured attribute, same as DirXML-Associations.

    If you just want to remove all roles from a user, do a "for each" on the user's nrfAssignedRoles, use XPath into current-node (something like $current-node/component[@name="volume"]/text() ) to get the role DN, and execute "remove role" on "Current object" with the role DN from current-node. Something like this:

    <do-for-each>
      <!-- nrfAssignedRoles is structured: the node set holds one node per assignment -->
      <arg-node-set>
        <token-src-attr name="nrfAssignedRoles"/>
      </arg-node-set>
      <arg-actions>
        <!-- the "volume" component of the current node carries the role DN -->
        <do-set-local-variable name="roleDN" scope="policy">
          <arg-string>
            <token-xpath expression='$current-node/component[@name="volume"]/text()'/>
          </arg-string>
        </do-set-local-variable>
        <!-- remove that role from the current object; service account, URL and password come from GCVs and a named password -->
        <do-remove-role id="~service-account-dn~" role-id="$roleDN$" time-out="0" url="URL~UAProvURL~">
          <arg-password>
            <token-named-password name="~service-account-password~"/>
          </arg-password>
        </do-remove-role>
      </arg-actions>
    </do-for-each>

    If you want to be more selective, you could parse current-node/component[@name="path"] as XML right after setting the role DN, with this:

    <do-set-local-variable name="assignment" scope="policy">
      <arg-node-set>
        <token-xml-parse>
          <!-- inner replace-all blanks the request description, outer one unescapes the stored XML, then it is parsed -->
          <token-replace-all regex="&amp;lt;" replace-with="&lt;">
            <token-replace-all regex="req_desc.*req_desc" replace-with="req_desc/">
              <token-xpath expression='$current-node/component[@name="path"]/text()'/>
            </token-replace-all>
          </token-replace-all>
        </token-xml-parse>
      </arg-node-set>
    </do-set-local-variable>

    This allows you to check the request, update, start, and end time of the assignment. I'm removing the request description, as that often contains non-ASCII characters, causing problems with XMLParse.
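The two steps of this answer, iterating over every nrfAssignedRoles value and parsing the "path" component after blanking req_desc, as an added stand-alone Python example (not code from the post or from the product) run over a constructed XDS query result. The element names inside the path value (assignment, start_tm, end_tm) are assumed; only req_desc comes from the answer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XDS query result for one user (sample data, not a real export).
# nrfAssignedRoles is structured: "volume" holds the role DN, "path" holds
# XML-escaped assignment metadata. The element names inside that metadata
# (assignment, start_tm, end_tm) are assumed for this example.
XDS_RESULT = """<instance class-name="User">
  <attr attr-name="nrfAssignedRoles">
    <value type="structured">
      <component name="volume">cn=Helpdesk,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApp,cn=Drivers,o=system</component>
      <component name="path">&lt;assignment&gt;&lt;start_tm&gt;1700000000000&lt;/start_tm&gt;&lt;end_tm&gt;&lt;/end_tm&gt;&lt;req_desc&gt;Ticket 42 &#233;&lt;/req_desc&gt;&lt;/assignment&gt;</component>
    </value>
    <value type="structured">
      <component name="volume">cn=Auditor,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApp,cn=Drivers,o=system</component>
      <component name="path">&lt;assignment&gt;&lt;start_tm&gt;1690000000000&lt;/start_tm&gt;&lt;end_tm&gt;1720000000000&lt;/end_tm&gt;&lt;req_desc&gt;Temp access&lt;/req_desc&gt;&lt;/assignment&gt;</component>
    </value>
  </attr>
</instance>"""

# Same pattern the policy's replace-all uses to blank out the request description.
REQ_DESC = re.compile(r"req_desc.*req_desc")


def parse_assignment(path_text):
    """Turn a 'path' component into an Element, as the policy's XMLParse token does."""
    text = path_text.replace("&lt;", "<")      # mirrors the answer's first replace-all
    text = REQ_DESC.sub("req_desc/", text)     # <req_desc>...</req_desc> -> <req_desc/>
    return ET.fromstring(text)


def assigned_roles(xds):
    """Walk every nrfAssignedRoles value (not only the first) and return one
    dict per direct assignment: role DN plus start/end time of the assignment."""
    root = ET.fromstring(xds)
    roles = []
    for value in root.findall('./attr[@attr-name="nrfAssignedRoles"]/value'):
        meta = parse_assignment(value.findtext('./component[@name="path"]'))
        roles.append({
            "dn": value.findtext('./component[@name="volume"]'),
            "start_tm": meta.findtext("start_tm") or "",
            "end_tm": meta.findtext("end_tm") or "",
            "req_desc": meta.findtext("req_desc") or "",  # always blank after stripping
        })
    return roles


def role_dns_to_remove(xds):
    """The DN list a 'remove role' action would be executed against, one per value."""
    return [r["dn"] for r in assigned_roles(xds)]
```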

  • 0   in reply to 

    And now, you will begin to see why RRSD is so slow.

    This will only work for directly assigned roles.  nrfMemberOf will show a list of DNs of all assigned roles in total.

    There are nrfGroupAssignedRoles, nrfContainerRoles and nrfInheritedRoles.  You will not be able to simply remove those via Remove Role.  But if you move them to an Inactive container, container roles will likely drop off.  If you clear their group memberships then likely nrfGroupAssignedRoles (I think that is the attribute, I might be wrong, but it is something like that) and then nrfInheritedRoles should go away once everything is finally removed.

    RRSD has to consider ALL this + SOD for every role on the user, every time a user change is sent to it. Kind of a slow process. And why the IGA collector for IDM is so slow as well. It collects so much data that has to be parsed to figure out how the role was assigned and how it might be removed if needed.

  • 0 in reply to   

    Thank you for the clarification. In my particular case, we were only concerned about the directly assigned roles, which is why I didn't (or failed to) consider the other options.