DESCRIPTION
The query-based Managed Units in ARS are all full "Subtree" searches of the provided container. In some cases this is undesirable; rather a "Onelevel" search is needed instead.
The code below is intended to capture object creation events and, if the object's parent is equal to the supplied container and the object is of the desired object class, add the object to a Managed Unit. The object is added explicitly and statically; however, Active Roles on its own (without the need for additional coding) removes the reference to the object from the Managed Unit should that object be deleted. Note that this code is intended to be implemented in a Policy with the "Handle changes from DirSync control" option enabled, so that objects created outside of ARS may be added to the Managed Unit as well. For this reason it is not possible to create this as a custom policy extension (policy extensions do not allow you to specify the DirSync option).
Note: This code may use functions from the Active Roles Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.
SCRIPT
#*********************************************************************************
# THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
#
# IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
# PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
#*********************************************************************************
# Script-scope constants used by onPostCreate.
# EDST_MOD_SOURCE_AD: value compared against the request's "RequestSource"
#   parameter to recognise changes that originated in AD (DirSync).
# EDS_MUCONDITION_INCLUDE_DIRECTLY: membership rule type for an explicit,
#   static "include this object" condition on a Managed Unit.
New-Variable -Name EDST_MOD_SOURCE_AD -Value 2
New-Variable -Name EDS_MUCONDITION_INCLUDE_DIRECTLY -Value 3
function onInit($Context) {
    # Declares the three policy parameters an administrator fills in when the
    # script policy is attached. Their values are read back in onPostCreate
    # through $PolicyEntry.Parameter(<name>).
    #   Managed Unit - DN of the Managed Unit that receives new objects (required)
    #   Base DN      - DN of the container whose direct children are handled (required)
    #   objectClass  - only objects of this class are added (required)

    $muParam = $Context.AddParameter("Managed Unit")
    $muParam.Required = $True
    $muParam.Syntax = "DN"
    $muParam.Description = "This is the distinguishedName of the Managed Unit to which the newly created objects should be added"

    $baseParam = $Context.AddParameter("Base DN")
    $baseParam.Required = $True
    $baseParam.Description = "This is the distinguishedName of the base container; only objects created in this container will be added to the Managed Unit."
    # Default the base container to the domain's default naming context,
    # read live from rootDSE at policy-initialisation time.
    $rootDse = [ADSI]"LDAP://rootDSE"
    $baseParam.DefaultValue = [string]$rootDse.defaultNamingContext

    $classParam = $Context.AddParameter("objectClass")
    $classParam.Required = $True
    $classParam.Description = "Only objects of this type will be added to the Managed Unit."
    $classParam.DefaultValue = "organizationalUnit"
}
function onPostCreate($Request) {
    # Post-create handler. When the new object is of the configured class,
    # sits directly under the configured Base DN and the request came from AD,
    # the object is added to the configured Managed Unit as an explicit
    # "include directly" membership rule.
    # Globals supplied by Active Roles: $Request (the create request),
    # $DirObj (the created object), $PolicyEntry (this policy's parameters).
    # Script-scope constants: $EDST_MOD_SOURCE_AD, $EDS_MUCONDITION_INCLUDE_DIRECTLY.

    # Guard 1: object class must match the "objectClass" parameter.
    $wantedClass = $PolicyEntry.Parameter("objectClass")
    if ($Request.Class -ne $wantedClass) { return }

    # Guard 2: the parent must be exactly the configured base container, which
    # gives one-level rather than subtree behaviour. edsvaParentDN is loaded
    # into the property cache explicitly before it is read.
    $DirObj.GetInfoEx(@("edsvaParentDN"), 0)
    $parentDn = $DirObj.Get("edsvaParentDN")
    if ($parentDn -ne $PolicyEntry.Parameter("Base DN")) { return }

    # Guard 3: only requests whose source is AD (DirSync) proceed.
    # NOTE(review): creations made through Active Roles itself exit here;
    # confirm this matches the intent of the policy description, which also
    # speaks of objects created via ARS.
    if ($Request.Parameter("RequestSource") -ne $EDST_MOD_SOURCE_AD) { return }

    # Bind to the Managed Unit and append a static include rule for the object.
    $muPath = "EDMS://" + $PolicyEntry.Parameter("Managed Unit")
    $managedUnit = [ADSI]$muPath
    $rules = $managedUnit.MembershipRuleCollection

    $includeRule = New-Object -ComObject "EDSIManagedUnitCondition"
    $includeRule.Type = $EDS_MUCONDITION_INCLUDE_DIRECTLY
    $includeRule.Base = "EDMS://" + $DirObj.Get("distinguishedName")
    # The GUID pins the rule to the object so the reference survives renames/moves.
    $includeRule.BaseGuid = $DirObj.Guid

    $rules.Add($includeRule)
    # Persist the modified rule collection back to the Managed Unit.
    $managedUnit.SetInfo()
}
#***** END OF CODE ***************************************************************