On 7/10/2014 11:38 AM, Geoffrey Carman wrote:
> On 7/10/2014 12:23 PM, ffreitas wrote:
>> Hi!
>> Forgetting about the error for a moment and focusing on your business
>> need - a role can be assigned to a container or a group, and then all
>> users under that container / members of that group will receive it. That
>> seems to be a simpler approach than using the add-role token due to the
>> timings involved in it.
>> Since the user is being created in the identity vault it is possible to
>> create a template object that will grant the group membership, assign
>> the role to said group, and add a policy to your publisher's Creation
>> Policy set that uses the template to create the user.
>> See
>> https://www.netiq.com/documentation/...emplatedn.html
>> for the token to add the template.

> That is an interesting way of handling it... Of course, it seems like
> reversing the Role model, where the Role is the thing, not the group that
> grants the role that grants the thing.

True, another approach would be to have a "business logic" (Null) driver
that reacts on initial user adds for objects that have the association
to the JDBC driver and grants the role. That would make the JDBC
driver's logic simpler and eliminate timing issues.