Writing Entitlements in XML
novdocx (en) 13 May 2009
        <display-name>
          <token-src-dn/>
        </display-name>
        <description>
          <token-attr attr-name="Description"/>
        </description>
        <ent-value>
          <token-association/>
        </ent-value>
      </result-set>
    </query-app>
  </values>
</entitlement>
In this example, the Group entitlement uses Union to settle conflicts if the entitlement is applied more than once to the same object. The Union attribute merges the entitlements of all involved Role-Based Entitlement policies, so if one policy revokes an entitlement but another policy grants it, the entitlement is ultimately granted.
The Group description is useful because of its detail, which explains what was set up through rules in the driver's policies. This description is a good example of the level of detail you need to go into when defining entitlements in the first place.
The <display-name> is Group Membership Entitlement, which appears in the managing agents, such as iManager for Role-Based Entitlements. The name is the Relative Distinguished Name (RDN) of the entitlement. If you don't define a display name, the entitlement's name is its RDN.
The initial query values look for the class name of Group at the top of the tree and continue through its subtrees. These values come from the connected Active Directory server, and the application query starts at the <nds> tag. Under the <query-xml> tag, this query receives information similar to the following:
<instance class-name="Group" src-dn="o=Blanston,cn=group1">
  <association>o=Blanston,cn=group1</association>
  <attr attr-name="Description">the description for group1</attr>
</instance>
<instance class-name="Group" src-dn="o=Blanston,cn=group2">
  <association>o=Blanston,cn=group2</association>
  <attr attr-name="Description">the description for group2</attr>
</instance>
<instance class-name="Group" src-dn="o=Blanston,cn=group3">
  <association>o=Blanston,cn=group3</association>
  <attr attr-name="Description">the description for group3</attr>
</instance>
<!-- ... -->
Then, under the <result-set> tag, the information received from the query fills in the various fields. For instance, the <display-name> field receives o=Blanston,cn=group1. The <description> field receives the description for group1, and the <ent-value> field receives o=Blanston,cn=group1. Because more than one group existed and met the query criteria, this information was also collected and shown as other instances.
NOTE: The association format value is unique for every external system, so the format and syntax are different for each external system queried.
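The following Python script is an added example, not code from the Identity Manager guide or from the driver itself. It models the mapping just described: each <instance> returned by the application query is run through the <result-set> template, and the <token-src-dn/>, <token-attr attr-name="..."/> and <token-association/> tokens are replaced with that instance's src-dn, attribute value and association. The token semantics are modelled from the text above; the function names (resolve_token, fill_result_set, check_ent_values) are this example's own, and the sample response reuses the three Blanston groups plus a constructed fourth instance that has no <association>, so that the validation check has something to report. The association is treated as opaque text throughout, since its format differs per connected system.

```python
import xml.etree.ElementTree as ET

# Constructed sample query response: the three Blanston groups from the text,
# plus one constructed instance (group4) with no <association> element.
QUERY_RESPONSE = """<instances>
  <instance class-name="Group" src-dn="o=Blanston,cn=group1">
    <association>o=Blanston,cn=group1</association>
    <attr attr-name="Description">the description for group1</attr>
  </instance>
  <instance class-name="Group" src-dn="o=Blanston,cn=group2">
    <association>o=Blanston,cn=group2</association>
    <attr attr-name="Description">the description for group2</attr>
  </instance>
  <instance class-name="Group" src-dn="o=Blanston,cn=group3">
    <association>o=Blanston,cn=group3</association>
    <attr attr-name="Description">the description for group3</attr>
  </instance>
  <instance class-name="Group" src-dn="o=Blanston,cn=group4">
    <attr attr-name="Description">constructed: group with no association</attr>
  </instance>
</instances>"""

# The <result-set> template of the Group entitlement shown above.
RESULT_SET = """<result-set>
  <display-name><token-src-dn/></display-name>
  <description><token-attr attr-name="Description"/></description>
  <ent-value><token-association/></ent-value>
</result-set>"""


def resolve_token(token, instance):
    """Return the text one result-set token yields for one <instance> element."""
    if token.tag == "token-src-dn":
        return instance.get("src-dn", "")
    if token.tag == "token-association":
        assoc = instance.find("association")
        return (assoc.text or "").strip() if assoc is not None else ""
    if token.tag == "token-attr":
        wanted = token.get("attr-name")
        for attr in instance.findall("attr"):
            if attr.get("attr-name") == wanted:
                return (attr.text or "").strip()
        return ""
    raise ValueError(f"unsupported token <{token.tag}>")


def fill_result_set(result_set_xml, response_xml):
    """Apply the result-set template to every <instance> in the response.

    Returns one dict per instance, keyed by field name (display-name,
    description, ent-value), in the order the instances were returned.
    """
    template = ET.fromstring(result_set_xml)
    rows = []
    for inst in ET.fromstring(response_xml).findall("instance"):
        row = {}
        for field in template:
            # A field may mix literal text with tokens; concatenate in order.
            parts = [(field.text or "").strip()]
            for token in field:
                parts.append(resolve_token(token, inst))
                parts.append((token.tail or "").strip())
            row[field.tag] = "".join(parts)
        rows.append(row)
    return rows


def check_ent_values(rows):
    """Defensive check on the filled rows: an empty or duplicated ent-value
    would make a later grant ambiguous, so report such rows before the
    values are offered to administrators. Returns a list of problem strings."""
    problems = []
    seen = set()
    for row in rows:
        value = row["ent-value"]
        if not value:
            problems.append(f"empty ent-value for {row['display-name']!r}")
        elif value in seen:
            problems.append(f"duplicate ent-value {value!r}")
        seen.add(value)
    return problems


if __name__ == "__main__":
    filled = fill_result_set(RESULT_SET, QUERY_RESPONSE)
    for row in filled:
        print(row)
    for problem in check_ent_values(filled):
        print("PROBLEM:", problem)
```

Running the script prints one row per instance; the first three rows carry the src-dn as display name, the Description attribute as description and the association as entitlement value, exactly as the text describes, while the constructed fourth instance yields an empty ent-value that check_ent_values flags.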
Another example is the Exchange Mailbox entitlement: