I'm stumped on a concept here. I'm not (yet) using entitlements, but am
approaching the problem in terms of an entitlement to a provisioned
system, and revoking access to the system when the entitlement is no
longer true. The problem is that while the problem I want to solve is
well defined, it's not easily expressed in terms of events. If anything,
this is closer to the ideas I'd usually try to solve with a workorder
driver, since the needs are based on time and data, not on changes.

The data I have is for students. They have identity (name, addr., etc.)
data. I also have data for courses (department, section, start date, end
date), and for enrollments in those courses.

So for a student Bob, I have a series of courses he's taking, and have
seen the enrollments in those courses. Each course is translated to a
Group object, and he's a member of the Group. That's the "data" part of
the problem.

The "time" part of the problem is that while our official calendar is
based on three terms per year (Fall, Spring, Summer), the way the courses
actually work is that they have a "start" and an "end" which may or may
not actually match up with the start or end of any particular term. So
while most of our "fall" courses start 15 August, and end 15 December, we
may have some that start 15 October, or that end 15 February of the
following year, if the college needs something like that.

Making it worse, I actually get the course data when it's created in the
student records system. So a course that starts 15 October 2011, if
entered in the student records system today, will get a Group created
today to represent it. Then once the course (Group) exists, I may start
seeing enrollments for it at any time.

Now try to provision access to a system based on this! The events you
need may happen well before you want them to, so you can't be event
based. But without constantly re-evaluating, I can't see any obvious way
to get events out of this either.

As an example, provision access to a system based on being a member of
any Group matching regex ".*foo.*" (all "foo" students), where "foo" is
currently active (meaning: start date <= current date <= end date).

I can create a job to query for groups, check the dates, get the members,
and kick out the members as a list (DelimText). But I was hoping not to
do something that simple. I really wanted to be able to send Add, Modify,
and Delete events out, but the Add would have to be somehow triggered
when the student is a member of the named group *and* the current date
indicates that the group is active *and* that there hasn't been an Add
already sent for this user (no association maybe?).

But if the student is a member, and the group is active *and* an Add has
already been processed (association is present, then?), then only send
changes to whatever was already processed in the Add (difficult, since
DelimText doesn't support query of the remote system, for obvious

And the Delete is a deprovision, based on the student no longer being a
member, or the current date is now past the specified end date and the
group is no longer active.

Anybody want to take a crack at this one? So far the best I've been able
to come up with is a crazy mix of Jobs, WorkOrders, and Null drivers
trying to keep track of what has been done, and what hasn't been done yet.

David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.
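
The rule described in the post (member of a group matching ".*foo.*" whose start date <= current date <= end date, plus a record of what has already been sent) can be run as a scheduled state reconciliation. The sketch below is an added example, not part of the original post and not Novell IDM code. Every name and all sample data are constructed, and the `state` dict is an assumed stand-in for the association.

```python
import re
from datetime import date

def entitled_users(groups, pattern, today):
    """Members of any matching group that is active today (start <= today <= end)."""
    rx = re.compile(pattern)
    users = set()
    for g in groups:
        if rx.fullmatch(g["name"]) and g["start"] <= today <= g["end"]:
            users |= g["members"]
    return users

def reconcile(groups, identities, pattern, today, state):
    """state maps user -> attributes last sent (hypothetical association record).
    Returns (events, new_state); the caller persists new_state between runs."""
    entitled = entitled_users(groups, pattern, today)
    events, new_state = [], {}
    for user in sorted(entitled):
        attrs = identities[user]
        if user not in state:                      # entitled, nothing sent yet
            events.append(("add", user, attrs))
        elif state[user] != attrs:                 # already added, data changed
            changed = {k: v for k, v in attrs.items() if state[user].get(k) != v}
            events.append(("modify", user, changed))
        new_state[user] = dict(attrs)
    for user in sorted(set(state) - entitled):     # left the group or window closed
        events.append(("delete", user, {}))
    return events, new_state

# Constructed sample data: group names, dates and users are invented.
GROUPS = [
    {"name": "2011-fall-foo-101", "start": date(2011, 10, 15),
     "end": date(2012, 2, 15), "members": {"bob"}},
    {"name": "2011-fall-foo-102", "start": date(2011, 8, 15),
     "end": date(2011, 12, 15), "members": {"bob", "alice"}},
    {"name": "2011-fall-bar-200", "start": date(2011, 8, 15),
     "end": date(2011, 12, 15), "members": {"carol"}},
]
IDENTITIES = {"alice": {"name": "Alice A"}, "bob": {"name": "Bob B"},
              "carol": {"name": "Carol C"}}

def replay(dates):
    """Run the reconciliation once per date, carrying state forward."""
    state, log = {}, []
    for d in dates:
        events, state = reconcile(GROUPS, IDENTITIES, ".*foo.*", d, state)
        log.append([(op, user) for op, user, _ in events])
    return log
```

Because the delete branch runs on every pass, access ends on the first run after the end date even when no enrollment change occurs in the source system.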