Symantec IGA

Sync AD Manager Attribute with the IM Userstore Manager Attribute

  • 1.  Sync AD Manager Attribute with the IM Userstore Manager Attribute

    Posted 06-27-2012 10:40 AM
    Below is an excellent example of a Policy Xpress (PX) rule that syncs the AD manager attribute with the IM userstore manager attribute when that attribute has changed.

    You may either enter the PX rule manually, choosing the parts you need, or import the rule below:

    Save the complete XML to a text file.
    Then use the IM Management Console: select an IME, select "Role and Task Settings", and import the XML below.
    Validate that there are no errors on import, restart the IME, then log into the IME and validate that the PX rule exists.

    Assumption: To use this PX rule, an Active Directory endpoint must exist, be viewable in the IME, and have been explored/correlated.

    As always, deploy & confirm in the following order: dev -> qa -> stage -> production



    <?xml version="1.0" encoding="UTF-8"?>
    <ims:ImsTemplate xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://imsenvironmentobjects/xsd imsconfig://schema/ImsEnvironmentObjects.xsd" xmlns:ims="http://imsenvironmentobjects/xsd" xmlns:imsrule="http://imsmemberrule/xsd" xmlns:imsscope="http://imsscoperule/xsd" xmlns:imschange="http://imschangeaction/xsd">

    <!--
      Policy Xpress export containing a single policy, "PX-101.01 AD Manager DN Sync".
      Per its own description attribute, it synchronizes the AD "manager" attribute
      whenever the manager attribute changes in the user store.
      The policy is exported enabled (enabled=true), so it is presumably active as soon
      as the import completes and the environment restarts; verify in a non-production
      environment first.
      The whenToRun, dataElements, entryRules and actionRules attributes below carry
      nested XML as CDATA text. No comments are placed inside those sections because
      anything written there becomes part of the data.
    -->
    <ManagedObject type="POLICY XPRESS EXPORT" friendlyName="PX-101.01 AD Manager DN Sync">
    <Attribute name="friendlyName">PX-101.01 AD Manager DN Sync</Attribute>
    <Attribute name="enabled">true</Attribute>
    <Attribute name="category">AD Policies</Attribute>
    <Attribute name="description">Synchronizes the AD "manager" attribute whenever the manager attribute changes in the UserStore.</Attribute>
    <Attribute name="runOnce">false</Attribute>
    <Attribute name="priority">101</Attribute>
    <Attribute name="type">SUBMITTED_TASK</Attribute>
    <Attribute name="system">false</Attribute>
    <Attribute name="template">PolicyXpress</Attribute>
    <Attribute name="templateData"></Attribute>
    <!--
      Trigger: a single WhenToRun entry of type SUBMITTED_TASK, step TASK_COMPLETED,
      event name Modify_Employee.
      NOTE(review): only this one event is listed, so a manager change made through
      any other task would presumably not fire the policy; confirm that covers every
      path that can edit the manager attribute.
    -->
    <Attribute name="whenToRun"><![CDATA[<Related>
    <WhenToRun>
    <Attribute name="type">SUBMITTED_TASK</Attribute>
    <Attribute name="step">TASK_COMPLETED</Attribute>
    <Attribute name="eventName">Modify_Employee</Attribute>
    </WhenToRun>
    </Related>
    ]]></Attribute>
    <!--
      Data elements, listed here by their priority value (presumably the evaluation
      order; confirm against the product documentation):
        0  lanid                      user attribute lanid
        1  ifManagerChanging          whether the user attribute manager has changed
        2  oldManager                 removed values of the manager attribute
        3  newManager                 added values of the manager attribute
        4  landn                      attribute landn of the user named by {'newManager'}
        5  user landomain             user attribute landomain
        6  user landn                 user attribute landn
        7  user landn end Index       index of the text ",OU=" within {'user landn'}
        8  parse DN                   substring of {'user landn'} from 3 to that index
        9  getADAccount               constant built as {'user landomain'}:{'parse DN'}
        10 adMangerSyncLoopVariable   reads the variable of the same name
        11 adMangerSyncLoopVariable2  reads the variable of the same name
      NOTE(review): "parse DN" appears to assume the DN starts with a three-character
      prefix such as CN= and contains ",OU=". TODO confirm what is produced when
      ",OU=" is absent (for example an account directly under a CN= container) or when
      the first RDN value itself contains that text, since the result selects which AD
      account is written to.
    -->
    <Attribute name="dataElements"><![CDATA[<Related>
    <DataElement>
    <Attribute name="friendlyName">user landomain</Attribute>
    <Attribute name="elementType">element.type.user.attribute</Attribute>
    <Attribute name="subElement">element.user.attribute.get</Attribute>
    <Attribute name="priority">5</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">landomain</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">user landn</Attribute>
    <Attribute name="elementType">element.type.user.attribute</Attribute>
    <Attribute name="subElement">element.user.attribute.get</Attribute>
    <Attribute name="priority">6</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">landn</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">user landn end Index</Attribute>
    <Attribute name="elementType">element.type.string.searcher</Attribute>
    <Attribute name="subElement">element.string.index.of</Attribute>
    <Attribute name="priority">7</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'user landn'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">,OU=</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">parse DN</Attribute>
    <Attribute name="elementType">element.type.string.parser</Attribute>
    <Attribute name="subElement">element.string.manipulation.substring</Attribute>
    <Attribute name="priority">8</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'user landn'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">3</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="TYPED">{'user landn end Index'}</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">landn</Attribute>
    <Attribute name="elementType">element.type.attribute.of.a.specific.user</Attribute>
    <Attribute name="subElement">element.attribute.of.user.get</Attribute>
    <Attribute name="priority">4</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'newManager'}</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="SELECTED">landn</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">getADAccount</Attribute>
    <Attribute name="elementType">element.type.constant</Attribute>
    <Attribute name="subElement">element.constant.get</Attribute>
    <Attribute name="priority">9</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">{'user landomain'}:{'parse DN'}</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">adMangerSyncLoopVariable</Attribute>
    <Attribute name="elementType">element.type.variable.value</Attribute>
    <Attribute name="subElement">element.variable.get</Attribute>
    <Attribute name="priority">10</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">adMangerSyncLoopVariable</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">adMangerSyncLoopVariable2</Attribute>
    <Attribute name="elementType">element.type.variable.value</Attribute>
    <Attribute name="subElement">element.variable.get</Attribute>
    <Attribute name="priority">11</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">adMangerSyncLoopVariable2</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">ifManagerChanging</Attribute>
    <Attribute name="elementType">element.type.has.user.attribute.changed</Attribute>
    <Attribute name="subElement">element.has.user.attribute.changed.get</Attribute>
    <Attribute name="priority">1</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">manager</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">lanid</Attribute>
    <Attribute name="elementType">element.type.user.attribute</Attribute>
    <Attribute name="subElement">element.user.attribute.get</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">lanid</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">oldManager</Attribute>
    <Attribute name="elementType">element.type.has.user.attribute.changed</Attribute>
    <Attribute name="subElement">element.has.user.attribute.changed.removed.values</Attribute>
    <Attribute name="priority">2</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">manager</PxParameter>
    </DataElement>
    <DataElement>
    <Attribute name="friendlyName">newManager</Attribute>
    <Attribute name="elementType">element.type.has.user.attribute.changed</Attribute>
    <Attribute name="subElement">element.has.user.attribute.changed.added.values</Attribute>
    <Attribute name="priority">3</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">manager</PxParameter>
    </DataElement>
    </Related>
    ]]></Attribute>
    <!--
      Entry rule "lanid exists": one condition, lanid NOT_EQUALS an empty value.
      Presumably the policy is skipped for users with no lanid; confirm.
    -->
    <Attribute name="entryRules"><![CDATA[<Related>
    <EntryRule>
    <Attribute name="friendlyName">lanid exists</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="description"/>
    <Conditions>
    <Condition>
    <Attribute name="dataElement">lanid</Attribute>
    <Attribute name="operator">NOT_EQUALS</Attribute>
    <Attribute name="value"/>
    </Condition>
    </Conditions>
    </EntryRule>
    </Related>
    ]]></Attribute>
    <!--
      Action rules. All three have priority 0 and require ifManagerChanging EQUALS true;
      the two loop variables decide which one matches on a given pass:
        1. "if manager changing": both loop variables empty. Sets the variables
           oldmanager and newmanager, sets adMangerSyncLoopVariable to "complete",
           then redoes the policy (action.flow.change.redo.policy).
        2. "if manager changing (second run)": first variable non-empty, second empty.
           Sets newlandn from {'landn'}, sets attribute manager on the ActiveDirectory
           account {'getADAccount'}, sets adMangerSyncLoopVariable2 to "complete",
           then redoes the policy again.
        3. "if manager changing (third run)": both variables non-empty. Repeats the
           same ActiveDirectory manager write as rule 2 and does not redo the policy.
      NOTE(review): parameter 4 of both account-set actions is the typed text newlandn,
      whereas every other dynamic reference in this export uses the {'name'} form.
      Verify in a test environment that the manager DN, and not the literal text, is
      what reaches Active Directory.
      NOTE(review): the variables oldmanager and newmanager set by rule 1 are not read
      anywhere else in this export.
      NOTE(review): this policy writes a directory attribute without an approval step
      of its own. Where manager drives approval routing or access reviews, confirm that
      the originating task is approved and that the endpoint write is audited.
    -->
    <Attribute name="actionRules"><![CDATA[<Related>
    <ActionRule>
    <Attribute name="friendlyName">if manager changing</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="description"/>
    <Conditions>
    <Condition>
    <Attribute name="dataElement">adMangerSyncLoopVariable</Attribute>
    <Attribute name="operator">EQUALS</Attribute>
    <Attribute name="value"/>
    </Condition>
    <Condition>
    <Attribute name="dataElement">adMangerSyncLoopVariable2</Attribute>
    <Attribute name="operator">EQUALS</Attribute>
    <Attribute name="value"/>
    </Condition>
    <Condition>
    <Attribute name="dataElement">ifManagerChanging</Attribute>
    <Attribute name="operator">EQUALS</Attribute>
    <Attribute name="value">true</Attribute>
    </Condition>
    </Conditions>
    <AddActions>
    <ActionElement>
    <Attribute name="friendlyName">set oldmanager variable</Attribute>
    <Attribute name="actionType">action.name.set.string.variable</Attribute>
    <Attribute name="subAction">action.string.variable.value</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">oldmanager</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">{'oldManager'}</PxParameter>
    </ActionElement>
    <ActionElement>
    <Attribute name="friendlyName">set newmanager value</Attribute>
    <Attribute name="actionType">action.name.set.string.variable</Attribute>
    <Attribute name="subAction">action.string.variable.value</Attribute>
    <Attribute name="priority">1</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">newmanager</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">{'newManager'}</PxParameter>
    </ActionElement>
    <ActionElement>
    <Attribute name="friendlyName">Set adMangerSyncLoopVariable</Attribute>
    <Attribute name="actionType">action.name.set.string.variable</Attribute>
    <Attribute name="subAction">action.string.variable.value</Attribute>
    <Attribute name="priority">2</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">adMangerSyncLoopVariable</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">complete</PxParameter>
    </ActionElement>
    <ActionElement>
    <Attribute name="friendlyName">loop</Attribute>
    <Attribute name="actionType">action.name.change.process.flow</Attribute>
    <Attribute name="subAction">action.flow.change.redo.policy</Attribute>
    <Attribute name="priority">3</Attribute>
    </ActionElement>
    </AddActions>
    <RemoveActions/>
    </ActionRule>
    <ActionRule>
    <Attribute name="friendlyName">if manager changing (second run)</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="description"/>
    <Conditions>
    <Condition>
    <Attribute name="dataElement">adMangerSyncLoopVariable</Attribute>
    <Attribute name="operator">NOT_EQUALS</Attribute>
    <Attribute name="value"/>
    </Condition>
    <Condition>
    <Attribute name="dataElement">adMangerSyncLoopVariable2</Attribute>
    <Attribute name="operator">EQUALS</Attribute>
    <Attribute name="value"/>
    </Condition>
    <Condition>
    <Attribute name="dataElement">ifManagerChanging</Attribute>
    <Attribute name="operator">EQUALS</Attribute>
    <Attribute name="value">true</Attribute>
    </Condition>
    </Conditions>
    <AddActions>
    <ActionElement>
    <Attribute name="friendlyName">Set newlandn</Attribute>
    <Attribute name="actionType">action.name.set.string.variable</Attribute>
    <Attribute name="subAction">action.string.variable.value</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">newlandn</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">{'landn'}</PxParameter>
    </ActionElement>
    <ActionElement>
    <Attribute name="friendlyName">Set AD manger attribute</Attribute>
    <Attribute name="actionType">action.name.set.accounts.data</Attribute>
    <Attribute name="subAction">action.ace.accounts.set</Attribute>
    <Attribute name="priority">1</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">{'getADAccount'}</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="SELECTED">manager</PxParameter>
    <PxParameter extraInfo="" index="4" uiType="TYPED">newlandn</PxParameter>
    </ActionElement>
    <ActionElement>
    <Attribute name="friendlyName">Set adMangerSyncLoopVariable2</Attribute>
    <Attribute name="actionType">action.name.set.string.variable</Attribute>
    <Attribute name="subAction">action.string.variable.value</Attribute>
    <Attribute name="priority">2</Attribute>
    <PxParameter extraInfo="" index="1" uiType="TYPED">adMangerSyncLoopVariable2</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">complete</PxParameter>
    </ActionElement>
    <ActionElement>
    <Attribute name="friendlyName">loop2</Attribute>
    <Attribute name="actionType">action.name.change.process.flow</Attribute>
    <Attribute name="subAction">action.flow.change.redo.policy</Attribute>
    <Attribute name="priority">3</Attribute>
    </ActionElement>
    </AddActions>
    <RemoveActions/>
    </ActionRule>
    <ActionRule>
    <Attribute name="friendlyName">if manager changing (third run)</Attribute>
    <Attribute name="priority">0</Attribute>
    <Attribute name="description"/>
    <Conditions>
    <Condition>
    <Attribute name="dataElement">adMangerSyncLoopVariable</Attribute>
    <Attribute name="operator">NOT_EQUALS</Attribute>
    <Attribute name="value"/>
    </Condition>
    <Condition>
    <Attribute name="dataElement">adMangerSyncLoopVariable2</Attribute>
    <Attribute name="operator">NOT_EQUALS</Attribute>
    <Attribute name="value"/>
    </Condition>
    <Condition>
    <Attribute name="dataElement">ifManagerChanging</Attribute>
    <Attribute name="operator">EQUALS</Attribute>
    <Attribute name="value">true</Attribute>
    </Condition>
    </Conditions>
    <AddActions>
    <ActionElement>
    <Attribute name="friendlyName">Set AD manager attribute</Attribute>
    <Attribute name="actionType">action.name.set.accounts.data</Attribute>
    <Attribute name="subAction">action.ace.accounts.set</Attribute>
    <Attribute name="priority">0</Attribute>
    <PxParameter extraInfo="" index="1" uiType="SELECTED">ActiveDirectory</PxParameter>
    <PxParameter extraInfo="" index="2" uiType="TYPED">{'getADAccount'}</PxParameter>
    <PxParameter extraInfo="" index="3" uiType="SELECTED">manager</PxParameter>
    <PxParameter extraInfo="" index="4" uiType="TYPED">newlandn</PxParameter>
    </ActionElement>
    </AddActions>
    <RemoveActions/>
    </ActionRule>
    </Related>
    ]]></Attribute>
    <!--
      Exception handling: both the business and the validation exception categories
      map to exception.behaviour.fail_policy. Presumably a failed AD write fails the
      policy rather than being ignored; confirm how that failure is surfaced to
      operators so that a missed sync does not go unnoticed.
    -->
    <PropertyDict name="Exceptions">
    <Property name="exception.category.business">exception.behaviour.fail_policy</Property>
    <Property name="exception.category.validation">exception.behaviour.fail_policy</Property>
    </PropertyDict>
    </ManagedObject>
    </ims:ImsTemplate>
