## Friday, March 12, 2010

### Novell IDM XPATH

This one is a pretty fun example.  I have a user coming from a payroll system.  The user has a PayrollCode identifier on them.  Unfortunately, this Payroll identifier code is not completely unique, so I have to query another object in eDirectory to get the uniqueCode.   To do this I will be using XPATH.  I have posted the actions XML of the rule below.  I'll break it apart and explain.

<actions>
<do-set-local-variable name="lv.PRCode" scope="policy">
<arg-string>
<token-attr name="PRCode"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="facnode" scope="policy">
<arg-node-set>
<token-xpath expression='query:search($destQueryProcessor,"subordinate","","dn\of\subtree\I\want\to\search","ObjectClassName","PRCode",$lv.PRCode,"ReturnAttr1,uniqueCode,ReturnAttr3")'/>
</arg-node-set>
</do-set-local-variable>
<do-for-each>
<arg-node-set>
<token-local-variable name="facnode"/>
</arg-node-set>
<arg-actions>
<do-trace-message level="1">
<arg-string>
<token-xpath expression="$current-node[1]/attr[@attr-name='ReturnAttr1']/value"/> </arg-string> </do-trace-message> <do-set-local-variable name="lv.ReturnAttr1" scope="policy"> <arg-string> <token-xpath expression="$current-node[1]/attr[@attr-name='ReturnAttr1']/value"/>
</arg-string>
</do-set-local-variable>
<do-if>
<arg-conditions>
<and>
<if-global-variable mode="nocase" name="GCVAttr1" op="equal">$lv.ReturnAttr1$</if-global-variable>
</and>
</arg-conditions>
<arg-actions>
<do-set-dest-attr-value class-name="User" name="uniqueCode">
<arg-value>
<token-xpath expression="$current-node[1]/attr[@attr-name='uniqueCode']/value"/> </arg-value> </do-set-dest-attr-value> <do-set-dest-attr-value class-name="User" name="Attr3"> <arg-value> <token-xpath expression="$current-node[1]/attr[@attr-name='ReturnAttr3']/value"/>
</arg-value>
</do-set-dest-attr-value>
</arg-actions>
<arg-actions/>
</do-if>
</arg-actions>
</do-for-each>
<do-if>
<arg-conditions>
<or>
<if-op-attr name="uniqueCode" op="not-available"/>
<if-op-attr name="ReturnAttr3" op="not-available"/>
<if-op-attr mode="nocase" name="uniqueCode" op="equal"/>
<if-op-attr mode="nocase" name="ReturnAttr3" op="equal"/>
</or>
</arg-conditions>
<arg-actions>
<do-trace-message level="1">
<arg-string>
<token-text xml:space="preserve">No matching facility object found, uniqueCode and Attr3 not set.  Veto'ing transaction.</token-text>
</arg-string>
</do-trace-message>
<do-veto/>
</arg-actions>
<arg-actions/>
</do-if>
</actions>

Ok, now for the breakdown.  The first section actually executes the meat of  our sample, its the XPATH portion.  first I set a local variable so I don't have to query back on my JDBC driver if the attribute is not readily available.  I can just grab it and store it once in our policy.  Then, I run the XPATH query and set the nodeset to another local variable.

<do-set-local-variable name="lv.PRCode" scope="policy">
<arg-string>
<token-attr name="PRCode"/>
</arg-string>
</do-set-local-variable>
<do-set-local-variable name="facnode" scope="policy">
<arg-node-set>
<token-xpath expression='query:search($destQueryProcessor,"subordinate","","dn\of\subtree\I\want\to\search","ObjectClassName","PRCode",$lv.PRCode,"ReturnAttr1,uniqueCode,ReturnAttr3")'/>
</arg-node-set>
</do-set-local-variable>

The query uses the destQueryProcessor.  We put in the DN of the subtree we want to search (so the query doesn't take forever).  We are looking specifically at objects of class "ObjectClassName".  We are matching the PRCode attribute with the value in the lv.PRCode local variable.  Finally, for each resulting object we find, we want to grab ReturnAttr1, uniqueCode, and ReturnAttr3 attributes from it.

The next thing we are going to do is loop through all of our resulting nodes.

<do-for-each>
<arg-node-set>
<token-local-variable name="facnode"/>
</arg-node-set>
<arg-actions>
<do-trace-message level="1">
<arg-string>
<token-xpath expression="$current-node[1]/attr[@attr-name='ReturnAttr1']/value"/> </arg-string> </do-trace-message> <do-set-local-variable name="lv.ReturnAttr1" scope="policy"> <arg-string> <token-xpath expression="$current-node[1]/attr[@attr-name='ReturnAttr1']/value"/>
</arg-string>
</do-set-local-variable>

We grabbed the local variable facnode that is holding our resulting set.  Foreach will loop through each result.  I put some debug code in there to echo out in the trace file the result of each loop, its not necessary but nice to help step through the code in the trace.  In the result, we grab the ReturnAttr1 value and set it to a local variable lv.ReturnAttr1.  The next thing we are going to do is verify if lv.ReturnAttr1 meets our other criteria of matching a GCV.

<do-if>
<arg-conditions>
<and>
<if-global-variable mode="nocase" name="GCVAttr1" op="equal">$lv.ReturnAttr1$</if-global-variable>
</and>
</arg-conditions>

Pretty straight forward.  If there is a match, we execute the following section of code.

<arg-actions>
<do-set-dest-attr-value class-name="User" name="uniqueCode">
<arg-value>
<token-xpath expression="$current-node[1]/attr[@attr-name='uniqueCode']/value"/> </arg-value> </do-set-dest-attr-value> <do-set-dest-attr-value class-name="User" name="Attr3"> <arg-value> <token-xpath expression="$current-node[1]/attr[@attr-name='ReturnAttr3']/value"/>
</arg-value>
</do-set-dest-attr-value>
</arg-actions>
<arg-actions/>
</do-if>
</arg-actions>
</do-for-each>

If there is a match, I grab the values of the other two attributes (uniqueCode and ReturnAttr3) and stuff them in attributes on the Current User object I am processing.  If not, it will continue looping through the objects.  Once the loop is finished, I want to verify that I found a result and kick back a trace message and veto if I did not find a match.

<do-if>
<arg-conditions>
<or>
<if-op-attr name="uniqueCode" op="not-available"/>
<if-op-attr name="ReturnAttr3" op="not-available"/>
<if-op-attr mode="nocase" name="uniqueCode" op="equal"/>
<if-op-attr mode="nocase" name="ReturnAttr3" op="equal"/>
</or>
</arg-conditions>
<arg-actions>
<do-trace-message level="1">
<arg-string>
<token-text xml:space="preserve">No matching facility object found, uniqueCode and Attr3 not set.  Veto'ing transaction.</token-text>
</arg-string>
</do-trace-message>
<do-veto/>
</arg-actions>
<arg-actions/>
</do-if>
</actions>

Thats all there is to it!  The XPATH was easily used to run off and grab stuff out of eDirectory that was not previously available to me.  I can pick it up and use other dirxml logic to process through what I have very easily.