Association resources and role

Hello! I am trying to understand how a resource is associated with a role.
I have a jdbc driver that looks into the informix database. I need to pass resource parameters and guid to the role that was assigned with this resource. The following chain exists: resource with two parameters, permission role, it role and business role. So when assigning a business role to a user, I need to pass the guid of this role and resource parameters. I extract the parameters from the nrfassignedresources attribute. But how can I find the right role, given that the user has already been assigned other roles?
  • There is an object of class nrfResourceAssociation.  It has two attributes of interest, nrfRole (with the DN of the role) and nrfResource (DN of the Resource) and is the object linking the two together. So you can search for for nrfResourceAssociaton objects witha  ResourceDN that matches yours, to find the ROles thta are possibly assigning it.


  • Yes you are right! But the nrfResourceAssociaton class has a coded name consisting of a date and a second part, I did not understand. Thus, I need to view the contents of all nrfResourceAssociaton objects or? In my case, I have one resource assigned to different permission roles with different access parameters. Therefore, by iterating over nrfResourceAssociaton objects, the result will be two permission roles, and I need one, with my access parameters.
  • By Access Parameters, it sounds like you mean the values inside the <param> node, inside the path component, of the dirxml-entitlementRef attribute added to a user when granted a Resource.  I.e. the actual 'thing' the driver uses to send to the target system as a value.

    The CN of the nrfResourceAssociation is a GUID to make it unique so not useful or meaningful for this.

    The Role is not handy.  Perhaps if you knew the role you could look at the nrfResourceAssociations for it, find the Resources it assigns.  But if the value is dynamic (Which I think you asked in a different post) it won't be there either.

    I guess you would have to look at the DirXML-EntitlementRef on the user to get the value ultimately.  Not sure there is an easy solution for your interesting problem.