Hello dane_jones,
First of all, thanks for your answer.
That was my suspicion. I looked at all the available options in Policy Xpress and none of them were able to get the secondary object passed in an event.
I will implement this with a Listener that will be "listening" for the AssignAccessRoleEvent/RevokeAccessRoleEvent.
From my point of view, Policy Xpress has great potential, but CA needs to improve it by implementing more functionality.
Once again, thanks.
Best regards,
Fábio Santos
dane_jones wrote:
Hello, Fabio!
Your best bet here is to use a BLTH to obtain the name of the role for that event.
Unfortunately Policy Xpress does not currently provide the capability to access secondary objects passed to an event. On each of the Assigned or Revoked role events within Identity Manager, the role itself is passed as the secondary object (with the user or subject of the event passed as the primary object). If you really want to pursue using Policy Xpress for this type of functionality, an alternative approach could be to "stamp" a hidden screen logical attribute on Set Subject for a task with the user's existing set of roles and then compare that user's set of roles to the stamp when the event is raised. Where this alternative becomes a little more complex is when differing roles can be assigned automatically in other asynchronous Policy Xpress policies. This can lead to a situation where the AssignAccessRoleEvent can be raised more than once at the same time and execute your policy at the same time. In this scenario your policy may not be able to actually determine which role has been added without a good set of logical checks.