I figured out how to do that. It's all about nrfStatus attribute of nrfResourceAssociation object.

I understood the following:

1. To update automatically all role members when a role changes: adding new resource

1.1 I used the following LDIF to create a resource and associate it within a existing role:

dn: cn=RESOURCE,cn=ResourceDefs,cn=RoleConfig,cn=AppCo nfig,cn=UserApplication,cn=DriverSet,ou=it,o=acme
changeType: add
nrfAllowMulti: FALSE
nrfAllowAprOveride: FALSE
nrfCategoryKey: mrsPerfis
nrfLocalizedDescrs: en~RESOURCE|pt~RECURSO
nrfLocalizedNames: en~RESOURCE|pt~RECURSO
nrfActive: FALSE
nrfEntitlementRef:cn=Group,cn=AD,cn=DriverSet,ou=i t,o=acme#1#<?xml version="1.0" encoding="UTF-8"?><ref><src>UA</src><id/><param>GROUP-01</param></ref>
objectClass: nrfResource

dn: cn=IT-ANALYST-RESOURCE,cn=ResourceAssociations,cn=RoleConfig,cn= AppConfig,cn=UserApplication,cn=DriverSet,ou=it,o= acme
changeType: add
nrfResource: cn=RESOURCE,cn=ResourceDefs,cn=RoleConfig,cn=AppCo nfig,cn=UserApplication,cn=DriverSet,ou=it,o=acme
nrfAllowAprOveride: FALSE
nrfLocalizedDescrs: en~RESOURCE|pt~RECURSO
nrfRole: cn=IT-ANALYST,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=Ap pConfig,cn=UserApplication,cn=DriverSet,ou=it,o=ac me
nrfStatus: 10
objectClass: nrfResourceAssociation

1.2 The nrfStatus of the nrfResourceAssociation object must be 10 at the creation and thus all current role members will receive automatically the created resource.

2. Removing a resource:

To remove a resource from existing role and get all its members updated, with the current resource list, you just need to update the nrfStatus of the nrfResourceAssociation object, changing the value to 15. Doing that the Roles driver will do the dirty job by updating all the role members, removing the lost resource.

I hope that can help you out!


Alan Cota.