Microsoft BHOLD Suite - How to use Model Loader files
Overview
The BHOLD Model Loader is a file based utility program that can be used to initialize or update a BHOLD Role Model. The utility takes an XML files and imports that file into a BHOLD database. One application that you can use to generate a Model Loader XML file is BHOLD Model Generator, but you can also create a new Model Loader XML file from scratch.
One common use of Model Loader is the scenario where an existing BHOLD Role Model is exported in an XML dataset that can be consumed by the Model Loader utility to merge changes from a staging environment into a production model.
This document describes the format dataset that is being generated by Model Generator and can be consumed by Model Loader.
Model Generator and Model Loader can also be used to port an existing production BHOLD Role Model to a staging environment.
For more information about Model Generator, please refer to http://technet.microsoft.com/en-us/library/dn320950(v=ws.10).aspx
For information about using Model Loader, please refer to http://technet.microsoft.com/en-us/library/dn320947(v=ws.10).aspx
Dataset organization
The input for Model Loader is a standard XML file. The model is partitioned by the following sequence of objects:
- BHOLD Extensible Object Definitions
- Applications and Permissions
- Organizational Tree
- Roles and Permission
- Role Policies
- Role Tree
- Object Ownerships
- Organizational Unit & Role binding
- Users
- Application Accounts
- Explicit Role & User binding
All XML elements need to following common format:
Element | Attribute | Description |
Object element | BHOLD object name, like:
· object · role · orgunit |
|
Name | The unique name of a BHOLD Object. | |
Other | Object Specific | |
Sub element | Object bindings, parent to child. | |
Example(s) | ||
<object name=’User’> … </object> | References the BHOLD User object. | |
<role name=’clerk’>…</role> | References, creates or updates a BHOLD Role object named clerk. | |
<role name=’clerk’> <user name=’kevin’ alias=’kevd/> </role> | 1. References, creates or updates a BHOLD Role object named clerk. 2. Bind a user with the alias kevd to the role. |
Model loader can be used to remove objects from a target model by using the obsolete element.
Element | Attribute | Description |
Sample(s) | ||
<role name=’clerk’> <obsolete> <user name=’kevin’ alias=’kevd/> </obsolete> </role> | 1. References, creates or updates a BHOLD Role object named clerk. 2. Unbind a user with the alias kevd from the role. |
|
<obsolete> <role name=’clerk’> <obsolete> <user name=’kevin’ alias=’kevd/> </obsolete> </role> </obsolete> | 1. References, creates or updates a BHOLD Role object named clerk. 2. Unbind a user with the alias kevd from the role. 3. Deletes the role |
Object elements
Orgunit element
Element | Attribute | Description |
orgunit | Defines an organizational unit to be referenced, created or deleted. When the top most organizational unit in the dataset is not found in the target model then it created under the root an organizational unit. | |
name | Required. The unique name of an organizational unit. | |
type | Optional. The organizational unit type name. Organizational unit may be classified. For display, documentation & synchronization purposes only. | |
Any other attribute | Optional. The defined extensible attributes for the BHOLD OrgUnit object. | |
Possible parent elements | ||
orgunit | Optional. Any child organizational unit. | |
role | Optional. Any role to be bound either effective or optional to organizational unit. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Possible Sub elements | ||
orgunit | Optional. Any child organizational unit. | |
role | Optional. Any role to be bound either effective or optional to organizational unit. | |
user | Optional. Any user or person who is member of the organizational unit. | |
supervisor | Optional. Bind an internal authorization object to the organization unit. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Example | ||
<orgunit name=’acme laundry services’> … </object> | A BHOLD OrgUnit, named acme laundry services, is created under the root. | |
<orgunit name=’acme laundry services’> <orgunit name=’going green’ type=’project’ /> </orgunit> | 1. A BHOLD OrgUnit, named acme laundry services, is reference or created under the root. 2. A BHOLD Orgunit, named going green, is: a. Referenced and moved as child. b. Is created as child. c. The orgunit type is changed to project. Note: The project type must have been declared priorly. |
|
<orgunit name=’acme laundry services’> <user name=’kevin’ alias=’kevd/> </orgunit> | 1. A BHOLD OrgUnit, named acme laundry services, is reference or created under the root. 2. A BHOLD User, named Kevin, is: a. Referenced and bound as member. b. Is created as member. |
Application element
Element | Attribute | Description |
application | Defines an application to be referenced, created or deleted. | |
name | Required. The unique name of an application. | |
parameter | Required. The application type name. Application may be classified. For display, documentation & synchronization purposes only. | |
description | Optional. A descriptive text for the application. | |
module | Obsolete. | |
protocol | Obsolete. | |
Any other attribute | Optional. The defined extensible attributes for the BHOLD Application object. | |
Possible parent elements | ||
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Possible Sub elements | ||
permission | Optional. Any authorization object within the application to which users may be granted access. | |
account | Optional. The user account for persons bound to this application. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
supervisor | Optional. Bind an internal authorization object to the application. | |
Example | ||
<application name=’acme laundry services’> … </object> | A BHOLD Application, named acme laundry services, is created under the root. | |
<application name=’acme laundry services’> <permission name=’createorder’ description=’Create a work order’ /> </application> | 1. A BHOLD Application, named acme laundry services, is reference or created under the root. 2. A BHOLD Permission, named createorder, is: a. Referenced and updated. b. Is created as application member. |
Permission element
Element | Attribute | Description |
permission task | Defines a permission to be referenced, created or deleted. | |
name | Required. The unique name of a permission. | |
description | Optional. A possible explanation or description of a permission. | |
cat | Optional. Used to declare a permission as context adaptable. | |
max-roles | Optional. The maximum number of roles to which this permissions may be bound. | |
max-users | Optional. The maximum number of users to which this permissions may be granted. | |
Any other attribute | Optional. The defined extensible attributes for the BHOLD Permission object. | |
Possible parent elements | ||
Application | Optional. The parent application for the permission. | |
role | Optional. The role to which the permission is to be bound. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Possible Sub elements | ||
permission | Optional. Any authorization object within the permission to which users may be granted access. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
supervisor | Optional. Bind an internal authorization object to the permission. | |
Example(s) | ||
<permission name=’acme laundry services’> … </object> | A BHOLD Permission, named acme laundry services, is referenced. | |
<application name=’acme laundry services’> <permission name=’createorder’ description=’Create a work order’ /> </application> | 1. A BHOLD Application, named acme laundry services, is reference or created under the root. 2. A BHOLD Permission, named createorder, is: a. Referenced and updated. b. Is created as application member. |
Role element
Element | Attribute | Description |
role | Defines a role to be referenced, created or deleted. | |
name | Required. The unique name of a role. | |
Proposed | Optional. Declare how the role will be bound to an organization unit. Only valid when binding. | |
cat | Optional. Used to declare the role as context adaptable. Context adaptable permissions may only be bound to roles who are declared as context adaptable. | |
sv | Optional. Used to declare the role as a supervisor role. | |
Inherit-roles | Optional. Declares that the role will be inherited by child organizational units. Only valid when binding roles to organizational units. | |
max-sub-roles | Optional. The maximum number of child roles to be bound to this role. | |
max-users | Optional. The maximum number of users which may be granted this role. | |
max-permissions | Optional. The maximum number of permissions which may be bound to this role. | |
replace-permissions | Optional. Declares that all permission sub elements will replace the existing role permission content in the target model. | |
replace-roles | Optional. Declares that all role sub elements will replace the existing role content in the target model. | |
replace-users | Optional. Declares that all user sub elements will replace the existing role members in the target model. | |
Any other attribute | Optional. The defined extensible attributes for the BHOLD Role object. | |
Possible parent elements | ||
role | Optional. Any child role. | |
role | Optional. Any role to be bound either effective or optional to role. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Possible Sub elements | ||
role | Optional. Any child role. | |
role | Optional. Any role to be bound either effective or optional to role. | |
user | Optional. Any user or person who is member of the role. | |
supervisor | Optional. Bind an internal authorization object to the organization unit. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Example(s) | ||
<role name=’acme laundry services’> … </object> | A BHOLD Role, named acme laundry services, is created. | |
<role name=’acme laundry services’> <role name=’going green’ type=’project’ /> </role> | 1. A BHOLD Role, named acme laundry services, is reference or created under the root. 2. A BHOLD Role, named going green, is: a. Referenced and moved as child. b. Is created as child. |
|
<role name=’acme laundry services’> <user name=’kevin’ alias=’kevd/> </role> | 1. A BHOLD Role, named acme laundry services, is reference or created. 2. A BHOLD User, named Kevin, is: Referenced and bound as member. |
|
<role name=’acme laundry services’ proposed=’yes’> <orgunit name=’shiproom’ /> </role> | 1. A BHOLD Role, named acme laundry services, is reference or created. 2. A BHOLD Orgunit, named shiproom, is referenced and created if needed. 3. The role is bound optionally to the orgunit. |
|
<orgunit name=’shiproom’ /> <role name=’acme laundry services’ proposed=’yes’> </orgunit> | 1. A BHOLD Orgunit, named shiproom, is referenced and created if needed. 2. A BHOLD Role, named acme laundry services, is reference or created. 3. The role is bound optionally to the orgunit. |
Rule/Policy element
Element | Attribute | Description |
and | Defines a policy for a role to be referenced, created or deleted. | |
name | Required. The unique name of a role. | |
Parent elements | ||
role | Required. The role for which a policy is to be created. | |
Sub elements | ||
Avp | Optional. The conditions to be applied. | |
Example(s) | ||
<role name=’acme laundry services’> <and name=’must be local’ > <avp name=’workplace’ value=’local’ /> </and> </role> | 3. A BHOLD Role, named acme laundry services, is reference or created under the root. 4. A policy, named must be local, is created. 5. The condition is the user’s workplace attribute value must be local. |
Element | Attribute | Description |
avp | Definies a binary condition for a policy. | |
name | Required. The unique name of a role. | |
Value | Require. The value to be tested. | |
Parent elements | ||
And | Required. The policy for which the condition is created. | |
Sub elements | ||
Example(s) | ||
<role name=’acme laundry services’> <and name=’must be local’ > <avp name=’workplace’ value=’local’ /> </and> </role> | 1. A BHOLD Role, named acme laundry services, is reference or created under the root. 2. A policy, named must be local, is created. 3. The condition is the user’s workplace attribute value must be local. |
User element
Element | Attribute | Description |
user | Defines a user to be referenced, created or deleted. | |
Alias | Required. The unique and default alias or account name. The alias is used as the user’s primary key. | |
name | Required. The non unique name of a user. | |
language | Optional. The language name. Defines the display language for the user in the BHOLD standard user interface. | |
relationship | Optional. When two user objects are linked then this attribute declares the relationship between these two objects. | |
max-roles | Optional. The maximum number of active roles which may bound to this user. | |
max-permissions | Optional. The maximum number of permissions which may be bound to this user. | |
enddate | Optional. The date on which the user must be terminated. On enddate all user authorization are revoked. | |
disabled | Optional. Declares the user as enable or disabled. A disabled user remains member of any orgunit, role or application but will loose all permissions. | |
Any other attribute | Optional. The defined extensible attributes for the BHOLD User object. | |
Possible parent elements | ||
Application | Optional. The parent application for the user. | |
role | Optional. The role to which the user is to be bound. | |
orgunit | Optional. The organizational unit to which the user is to be bound. | |
user | Optional. A secondary user to which the user is to be bound. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Possible Sub elements | ||
orgunit | Optional. The organizational to which the user is to be bound. | |
role | Optional. The role to which the user is to be bound. | |
user | Optional. A secondary user to which this user is bound. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
supervisor | Optional.. | |
Example(s) | ||
<orgunit name=’acme laundry services’> <user name=’kevin’ alias=’kevd/> </orgunit> | 1. A BHOLD OrgUnit, named acme laundry services, is reference or created under the root. 2. A BHOLD User, named Kevin, is: a. Referenced and bound as member. b. Is created as member. |
Application account or User Alias element
Element | Attribute | Description |
alias | Defines a user to be referenced, created or deleted. | |
name | Required. The application specific user name or account. | |
Any other attribute | Optional. The defined extensible attributes for the BHOLD User object. | |
Parent elements | ||
Application | Required. The application for which account are set. | |
user | Required. The user for which an application account is created. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Sample(s) | ||
<application name=’acme laundry services’> <user name=’kevin’ > <alias name=’XVK123’ /> </user> </application> | 1. Application acme laundry services is referenced to define account. 2. A BHOLD User, named Kevin, is referenced. 3. The account XVK123 is created for user Kevin on application acme laundry services. |
Supervisor element
Element | Attribute | Description |
supervisor | A supervisor role is a role with built-in behavior with BHOLD. | |
name | Required. The unique name of a role. | |
Any other attribute | See the role element for attribute details. | |
Possible parent elements | ||
application | Optional. The application being managed with this supervisor role. | |
Role | Optional. The role being managed with this supervisor role. | |
permission | Optional. The permission being managed with this supervisor role. | |
orgunit | Optional. The organizational unit being managed with this supervisor role. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Possible Sub elements | ||
application | Optional. The application being managed with this supervisor role. | |
Role | Optional. The role being managed with this supervisor role. | |
permission | Optional. The permission being managed with this supervisor role. | |
orgunit | Optional. The organizational unit being managed with this supervisor role. | |
User | Optional. The user who is granted supervisorship over the supervisor role content. | |
obsolete | Optional. Declares the sub elements of the object element must be purged from the target. | |
Sample(s) | ||
<supervisor name=’acme laundry services sv role’> … </supervisor> | A BHOLD Role, named acme laundry services sv role’, is created. | |
<role name=’acme laundry services’> <supervisor name=’acme laundry services sv role’ /> </role> | 1. A BHOLD Role, named acme laundry services, is reference or created under the root. 2. A BHOLD Supervisr Role, named acme laundry services sv role, is: a. Referenced or created and bound for supervisorship of the role. |
|
<supervisor name=’acme laundry services sv role’ > <user name=’kevin’ alias=’kevd/> </supervisor> | 1. A BHOLD Role, named acme laundry services sv role, is reference or created. 2. A BHOLD User, named Kevin, is: Referenced and made supervisor of all objects bound to the supervisor role. |
Clearance element
Element | Attribute | Description |
clearance | Forces controlled cleaning of the target BHOLD Role Model | |
empty-roles | Optional. Will delete all empty roles. | |
unused-roles | Optional. Will delete all roles not bound to any user. | |
unused-permissions | Optional. Will delete all permissions not granted to any user. | |
obsolete-users | Optional. Will delete all users without any granted permission. | |
Example | ||
< clearance empty-roles=”yes” unused-roles=”yes” unused-permissions=”yes” obsolete-users=”yes” /> | All unused and empty roles, permissions and users are deleted. |
Object element
Element | Attribute | Description |
object | References a built-in extensible BHOLD object. | |
name | Required. The BHOLD object name. Must be Role, OrgUnit, Application, Permission, User or Account. | |
Possible Sub elements | ||
attributeset | Optional. Defines a group of ordered attributes on an extensible. | |
Example(s) | ||
<object name=’Role’> … </object> | References the BHOLD Role object. | |
<object name=’OrgUnit’> <attributeset name=’WorkFlow’ > … </attributeset> </object> | 1. References the BHOLD Orgunit object. 2. References or creates and bind an attribute set named WorkFlow to the referenced. |
Attributeset element
Element | Attribute | Description |
attributeset | References or creates an group of attributes to be bound to BHOLD Extensible objects. | |
name | Required. The attribute set name. Note: Attribute sets can be bound to multiple BHOLD Extensible objects. | |
english | The display name in English. | |
dutch | The display name in Dutch. | |
visible | Optional. Declares the attribute to be visible or invisible in the BHOLD Administrative User Interface. | |
Possible parent elements | ||
object | Optional. The BHOLD Extensible object to which the attribute set is to be bound. | |
Possible Sub elements | ||
attribute | Optional. Defines the attributes contained in the set. | |
Example(s) | ||
<object name=’OrgUnit’> <attributeset name=’WorkFlow’ > <attribute name=’Approver1’ … /> <attribute name=’Approver2’ … /> </attributeset> </object> | 1. References the BHOLD Orgunit object. 2. References or creates and bind an attribute set named WorkFlow to the referenced. 3. References or creates attributes Approver1 and Approver2. 4. Bind the attributes to the set. |
Attribute element
Element | Attribute | Description |
Attribute | References or creates attributes to be bound to BHOLD Extensible objects through attributes sets. | |
name | Required. The attribute name. Note: Attribute can be bound to multiple BHOLD Extensible objects. | |
english | Required. The display name in English. | |
dutch | Optional. The display name in Dutch. | |
type | Optional. The data type for the attribute. | |
ength | Optional. The maximum number of characters. | |
default defaultvalue | Optional. A default value. | |
Possible parent elements | ||
attributeset | Optional. Defines the attributes contained in the set. | |
Possible Sub elements | ||
Attributevalue | Optional. | |
Example(s) | ||
<object name=’OrgUnit’> <attributeset name=’WorkFlow’ > <attribute name=’Approver1’ … /> <attribute name=’Approver2’ … /> </attributeset> </object> | 1. References the BHOLD Orgunit object. 2. References or creates and bind an attribute set named WorkFlow to the referenced. 3. References or creates attributes Approver1 and Approver2. 4. Bind the attributes to the set. |
Example of a Model Loader file
<?xml version="1.0" encoding="UTF-16"?>
<bhold>
<!--ObjectTypes - Attribute Sets - Attributes-->
<object name="Application">
<attributeset name="Attestation Attributes" english="Attestation Attributes">
<attribute name="steward1" english="steward1" />
</attributeset>
</object>
<object name="OrgUnit">
<attributeset name="Custom OrgUnit Attributes" english="Custom OrgUnit Attributes">
<attribute name="Managers_CorporateKey" english="Managers_CorperateKey" />
<attribute name="OU_Description" english="OU_Description" />
</attributeset>
</object>
<object name="Permission">
<attributeset name="Custom Permission Attributes" english="Custom Permission Attributes">
<attribute name="Application_Owner_ID" english="Application_Owner_ID" />
</attributeset>
<attributeset name="test" english="test">
<attribute name="Address" english="Address" />
<attribute name="B1EnforceABARepeatInterval" english="B1EnforceABARepeatInterval" />
<attribute name="B1EnforceABAStartHour" english="B1EnforceABAStartHour" />
<attribute name="bholdAliasFormula" english="bholdAliasFormula" />
</attributeset>
</object>
<object name="Role">
<attributeset name="Common Role Attributes" english="Common Role Attributes">
<attribute name="ManagedByFIM" english="ManagedByFIM" />
<attribute name="Role_Class" english="Role_Class" />
<attribute name="RoleType" english="RoleType" />
</attributeset>
<attributeset name="Custom Role Attributes" english="Custom Role Attributes">
<attribute name="Role_Description" english="Role_Description" />
</attributeset>
</object>
<object name="System">
<attributeset name="bholdAttestationSettings" english="bholdAttestationSettings">
<attribute name="bholdAttestationServiceInterval" english="bholdAttestationServiceInterval" />
</attributeset>
</object>
<object name="User">
<attributeset name="Common User Attributes" english="Common User Attributes">
<attribute name="Email" english="Email" />
</attributeset>
<attributeset name="Custom User Attributes" english="Custom User Attributes">
<attribute name="Days_lst_log" english="Days_lst_log" />
<attribute name="Employee_Type" english="Employee_Type" />
<attribute name="Job_Title" english="Job_Title" />
<attribute name="Status" english="Status" />
<attribute name="steward1" english="steward1" />
<attribute name="Valid_NDA" english="Valid_NDA" />
</attributeset>
</object>
<!-- START OF Create applications and permissions -->
<application name="Active Directory" module="" parameter="0" protocol="">
<Permission name="Department Share (CAP)" description="Department Share (CAP)" />
<Permission name="Domain administrator" description="Domain administrator" />
<Permission name="File Share (CAP)" description="File Share (CAP)" />
</application>
<!-- END OF Create applications and permissions -->
<!-- START OF Build of organization structure -->
<orgunit name="root" type="root">
<orgunit name="Test123" type="root" />
<orgunit name="The Company" type="root" Managers_CorperateKey="ABERCROMBIEKIM" OU_Description="The Company">
<orgunit name="BU1 Finance" type="root" Managers_CorperateKey="ABOLROUSHAZEM" OU_Description="BU1 Finance">
<orgunit name="Financial Administration" type="root" Managers_CorperateKey="ADAMSTERRY" OU_Description="Financial administration">
<orgunit name="Accounts Payable" type="root" Managers_CorperateKey="AFFRONTIMICHAEL" OU_Description="Accounts Payable" steward1="AFFRONTIMICHAEL" />
<orgunit name="Control" type="root" Managers_CorperateKey="AGARWALNUPUR" OU_Description="Control" />
<orgunit name="Finance" type="root" Managers_CorperateKey="AGARWALMANOJ" OU_Description="Finance" />
</orgunit>
</orgunit>
</orgunit>
</orgunit>
<!-- END OF Build of organization structure -->
<!-- START OF Roles definitions -->
<role name="Accountant" Role_Description="Accountant">
<task name="Select-Invoice-For-Payment" description="Select-Invoice-For-Payment" />
</role>
<role name="Accounts Payable Clerk" Role_Description="Accounts Payable Clerk">
<task name="Ticket Creation" description="Ticket Creation" />
<task name="View-Payment-Overview" description="View-Payment-Overview" />
<task name="View-Production-Status" description="View-Production-Status" />
<task name="GgpApp-Create-invoice" description="GgpApp-Create-invoice" />
<task name="GgpApp-Invoice-overview" description="GgpApp-Invoice-overview" />
<task name="GgpShr-Invoice-Overdue-Overview" description="GgpShr-Invoice-Overdue-Overview" />
<task name="GgpShr-Monthly-reports" description="GgpShr-Monthly-reports" />
</role>
<!-- END OF Roles definitions -->
<!-- START OF Role Supervisorships -->
<role name="Accounts Payable Clerk">
<supervisor name="SV-Accounts Payable Clerk-Regular" />
</role>
<role name="Attestor">
<supervisor name="SV-Attestor-Regular" />
</role>
<orgunit name="The Company">
<supervisor name="SV_The Company" />
</orgunit>
<!-- END OF OrgUnit Supervisorships -->
<!-- START OF Role rules (ABA) -->
<role name="SV_3rd party manufacturing">
<and>
<avp name="Job_Title" value="Manager" />
</and>
</role>
<role name="SV_Accounts Payable">
<and>
<avp name="Job_Title" value="Manager" />
</and>
</role>
<!-- END OF Role rules (ABA) -->
<!-- START OF Roles structure -->
<role name="Accountant">
<role name="Invoice Approval" />
</role>
<!-- END OF Roles structure -->
<!-- START OF Link effective roles the organization structure -->
<orgunit name="root">
<role name="TestRole123" cat="yes" />
</orgunit>
<!-- END OF Link effective roles the organization structure -->
<!-- START OF Add users to the organization structure -->
<orgunit name="root">
<user name="Root" alias="ILM-VM-SERVERAD\Administrator" language="en" />
</orgunit>
<orgunit name="BU1 Finance">
<user name="Abolrous, Hazem" alias="ABOLROUSHAZEM" language="en" Days_lst_log="5" Email="Abolrous.Hazem@Contoso.com" Employee_Type="Internal" Job_Title="Sales Representative" Status="Active" Valid_NDA="Y" />
</orgunit>
<!-- END OF Add users to the organization structure -->
<!--Application User Aliases-->
<application name="Active Directory">
<user name="ABOLROUSHAZEM">
<alias name="ABOLROUSHAZEM" />
</user>
<application name="Payments_Processor">
<user name="ALLENMICHAEL">
<alias name="ALLENMICHAEL" />
</user>
</application>
<!-- START OF Activate roles for users -->
<role name="SV_BU1 Finance">
<user name="Abolrous, Hazem" alias="ABOLROUSHAZEM" language="en" />
</role>
<!-- END OF Activate roles for users -->
</bhold>