Move resource to subcontainer OR create it in correct subcontainer from policy

As the title says, I am looking for a way to move a resource to a subcontainer that I created in Designer and then deployed. Maybe I am missing something, or is moving still not supported (as a thread I found from 2013 said)?

I tried moving it via LDAP/iManager, but the UserApp was not happy, it started showing duplicate resources, and those old ones were impossible to delete from web interface.


As a matter of fact, I would not need to move resources in the first place if I somehow managed to have them created in the right place via policy. I use Create Resource from policy, but there is no such setting to set the destination subcontainer. Right?

Weird, it's possible to set the container when importing resources from CSV in Designer, which is great, except that this way I cannot set User Groups entitlements with it.

Am I correct? Any ideas how to get around it? I read I could somehow use workflows and make SOAP calls, but that seems to be too much hassle for such a basic thing as creating a resource.


<small rant>

Honestly, the whole bulk creation of roles/resources is missing some comfort, if you ask me. I did not really find an easy way to bulk import resources WITH valued entitlements. And assigning them all in UserApp (Designer tells me it's read-only there) seems like such a huge waste of time, when I can just provide all the info upfront in a structured file.

Found PowerRole while searching; it's the closest thing I found to achieve this. But still, I would expect the product to be able to do this? Or are people not doing this sort of thing? I still hope I am missing something and it's actually possible. I just did not find it yet *fingers-crossed*

</small rant>


  • Verified Answer

    I had just asked this question about moving Roles to one of the IDM Devs from India. He thinks that a Role should be able to move without issue, i.e. the DB does not know where it is as a string; it is only eDir which can resolve a move.

    Now he did say the Permindex used to search for Roles and Resources will be goofed up, so stop Tomcat, delete the permindex and restart Tomcat and it should work.

    I wonder if your duplicate resources are a Permindex issue?


    You also asked about the Create Resource tag. I believe you either have to set the EntityKey with a full DN value or else it is not possible. (Was a missing feature in the token.)

    As for PowerRole, I like the guys, and have seen a demo, but I am not 100% sure I agree with the approach they took under the covers. We have discussed this, and ended up disagreeing.

    I have updated Fernando's scripts for Bash Shell RBPM commands and added in a more fully functional Create Resource. Then I have a wrapper script that passes each line of a spreadsheet (CSV really, using semicolons instead of commas) to the same command so I can bulk load resources and set the values if needed.


  • Thanks so much for your reply. I did not have a chance last night to write my new observations here.

    You are correct; I searched userappdb and did not find any traces of defined roles and resources (searching for the duplicates). I tried to restart Tomcat, and voilà, they were gone. Docs also mention the permindex, so I guess that's it. I am glad to know that Roles and Resources are eDirectory-only defined.


    For the do-create-resource, the "EntityKey" does not seem to be documented? Or how would I set it?


    While I was extensively searching for import solutions, I stumbled upon the Bash Shell RBPM scripts; probably it was your article. I did not read much into it, because at that time it looked outdated to me, and I believed there must be a solution inside the product. Now, with more information, I will definitely revisit it, because it sounds like something that could really provide functions and some kind of admin comfort. Thanks again.

  • Thanks for the info. It is not visible in the Designer strings; good to know that 'sub-container' exists, will test that.


  • Is the token using the REST API?


    From the DTD: LDAP DN of sub container in which resource needs to be created. This is available only while using REST API

  • wrote:

    Is the token using the REST API

    I don't think so.

    I tried to test it and force REST from policy; it required osp-clientid from me. I ended up with this:



    <do-create-resource id="cn=uaadmin,ou=sa,o=data" osp-clientid="rbpm" resource-name="$resourceName$" time-out="0" url="~UAProvURL~" use-rest="true">
      <arg-password>
        <token-named-password name="rr-pass"/>
      </arg-password>
      <arg-string name="description">
        <token-local-variable name="groupDescription"/>
      </arg-string>
      <arg-string name="display-name">
        <token-local-variable name="groupDisplayName"/>
      </arg-string>
      <arg-string name="owner">
        <token-text xml:space="preserve">cn=Vybihal,ou=users,o=data</token-text>
      </arg-string>
      <arg-string name="entitlement-dn">
        <token-text xml:space="preserve">cn=Skupina,cn=Active Directory Driver,cn=driverset1,o=system</token-text>
      </arg-string>
      <arg-string name="entitlement-value">
        <token-text xml:space="preserve">{&quot;ID&quot;:&quot;</token-text>
        <token-local-variable name="groupGUID"/>
        <token-text xml:space="preserve">&quot;,&quot;ID2&quot;:&quot;</token-text>
        <token-src-dn/>
        <token-text xml:space="preserve">&quot;}</token-text>
      </arg-string>
      <arg-string name="sub-container">
        <token-text xml:space="preserve">cn=sub,cn=test,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system</token-text>
      </arg-string>
      <arg-string name="locale">
        <token-text xml:space="preserve">en</token-text>
      </arg-string>
    </do-create-resource>



    Note the attributes use-rest="true" and osp-clientid="rbpm". But it did not get me there. There is a bug, and with these attributes the driver does not start, with this error:


    DirXML Log Event -------------------
         Driver:   \UNISIDM\system\driverset1\Active Directory Driver
         Channel:  Subscriber
         Status:   Error
         Message:  Code(-9127) Error in Directory Driver/Create Resource from group#XmlData:42 : Missing 'arg-password' element.


    Which is weird, because the element is present. The sub-container element does not work.


    Log from my webserver when doing do-create-resource from policy. Does not look like a REST call to me:

    - - [18/Nov/2019:16:11:09 0100] "GET /IDMDCS-CORE/rpt/idvs/guid/DF2FDEC1-3A1A-46f7-8245-C1DE2FDF1A3A HTTP/1.1" 401 104 "-" "Java/1.8.0_222"
    - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:15 0100] "POST /IDMProv/resource/service HTTP/1.1" 200 509 "-" "Jakarta Commons-HttpClient/3.1"
    - dcsdrv [18/Nov/2019:16:11:15 0100] "POST /osp/a/idm/auth/oauth2/grant HTTP/1.1" 400 111 "-" "Java/1.8.0_222"
    - - [18/Nov/2019:16:11:15 0100] "GET /IDMDCS-CORE/rpt/idvs/guid/DF2FDEC1-3A1A-46f7-8245-C1DE2FDF1A3A HTTP/1.1" 401 104 "-" "Java/1.8.0_222"
    - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:15 0100] "POST /IDMProv/resource/service HTTP/1.1" 200 527 "-" "Jakarta Commons-HttpClient/3.1"
    - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:16 0100] "POST /IDMProv/rest/access/index/permissions HTTP/1.1" 200 275 "-" "RPT-HTTPClient/0.3-2L"
    - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:16 0100] "POST /IDMProv/rest/access/index/permissions HTTP/1.1" 200 274 "-" "RPT-HTTPClient/0.3-2L"

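    A small generator for the policy element quoted in this post, fed from a semicolon-separated CSV the way the verified answer's wrapper script does it (an added example, not code from the thread or from the product). The attribute and argument names are exactly the ones in the snippet above; the CSV column names, the sample rows, and the admin/owner DNs passed in are assumptions, and whether the driver accepts the use-rest="true" output is subject to the bug described in this post.

```python
import csv
import json
import xml.etree.ElementTree as ET

XML_SPACE = "{http://www.w3.org/XML/1998/namespace}space"  # serializes as xml:space

# Constructed sample input, not from the thread: one resource per row, semicolon
# separated as in the verified answer's wrapper script. Column names are assumed.
SAMPLE_CSV = """name;display_name;description;group_guid;group_dn
fin-share;Finance share;Read access to the finance share;00000000-0000-0000-0000-000000000001;cn=fin,ou=groups,o=data
hr-share;HR share;Read access to the HR share;00000000-0000-0000-0000-000000000002;cn=hr,ou=groups,o=data
"""

def add_arg(action, name, text):
    """Append <arg-string name=...><token-text xml:space="preserve">text</token-text>."""
    tok = ET.SubElement(ET.SubElement(action, "arg-string", name=name), "token-text")
    tok.set(XML_SPACE, "preserve")
    tok.text = text  # ElementTree escapes &, < and >; quotes are legal in text

def build_create_resource(row, admin_dn, owner_dn, entitlement_dn, sub_container):
    """One <do-create-resource> in the shape of the policy quoted in the thread."""
    action = ET.Element("do-create-resource", {
        "id": admin_dn, "osp-clientid": "rbpm", "resource-name": row["name"],
        "time-out": "0", "url": "~UAProvURL~", "use-rest": "true"})
    pw = ET.SubElement(action, "arg-password")
    ET.SubElement(pw, "token-named-password", name="rr-pass")
    add_arg(action, "description", row["description"])
    add_arg(action, "display-name", row["display_name"])
    add_arg(action, "owner", owner_dn)
    add_arg(action, "entitlement-dn", entitlement_dn)
    # Valued entitlement: the same {"ID":...,"ID2":...} JSON the thread assembles by hand.
    value = {"ID": row["group_guid"], "ID2": row["group_dn"]}
    add_arg(action, "entitlement-value", json.dumps(value, separators=(",", ":")))
    add_arg(action, "sub-container", sub_container)
    add_arg(action, "locale", "en")
    return action

def policy_from_csv(csv_text, admin_dn, owner_dn, entitlement_dn, sub_container):
    """Return one action element per CSV row (DNs may contain commas, hence ';')."""
    rows = csv.DictReader(csv_text.splitlines(), delimiter=";")
    return [build_create_resource(r, admin_dn, owner_dn, entitlement_dn, sub_container)
            for r in rows]

def entitlement_value(action):
    """Decode the entitlement-value JSON back out of a generated action (for checks)."""
    node = action.find("arg-string[@name='entitlement-value']/token-text")
    return json.loads(node.text)

def render(actions):
    """Serialize the actions as policy XML text."""
    return "\n".join(ET.tostring(a, encoding="unicode") for a in actions)
```

    Decoding the generated entitlement-value with entitlement_value() is a cheap check that the JSON survived XML escaping intact before the policy is deployed.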
  • Hmm... yeah... same error here:


    Missing 'arg-password' element.


    And in a strange way this error makes sense: osp-clientid on its own is not enough. The OSP Client Secret is missing. I guess you have to add this by the said arg-password element. But where and how?


    Edit: Just noticed that at least the driver is starting if you just add a second <arg-password> token. But still no luck with creation.

  • I did not test it yet, but 4.8.2 seems to have a fix related to the REST call:

    Enhances the do-create-resource Action to Use Rest API.

    Policy Editor now allows you to set a new field and select to use Rest services. (Bug 231393)