Automatic creation of resources from AD Groups

Hi

Is there any way of creating "Resources" in UserApp/resource catalog from a corresponding AD group automatically, and assigning the Entitlement Value?

/Michael
  • You need to create a policy in the AD driver for this.
    There is a create resource token you can use, I believe.
  • mJg2XW <mJg2XW@no-mx.forums.microfocus.com> wrote:
    >
    > Hi
    >
    > Is there any way on creating "Resources" in UserApp/resource catalog
    > from a corresponding AD group automatically, and assign the Entitlement
    > Value?
    >

    PCRS did most of this for you (now deprecated) but used dynamic
    entitlement assignments (so just one resource).

    The replacement CPRS is new in 4.7 and I haven't tried it out but should do
    the same (it is reengineered to handle more groups in AD without choking)


  • Alex McHugh <alexmchugh@no-mx.forums.microfocus.com> wrote:
    > mJg2XW <mJg2XW@no-mx.forums.microfocus.com> wrote:
    >
    > PCRS did most of this for you (now deprecated) but used dynamic
    > entitlement assignments (so just one resource).
    >
    > The replacement CPRS is new in 4.7 and I haven't tried it out but should do
    > the same (it is reengineered to handle more groups in AD without choking)
    >


    Note: you should not need to add any policy to your AD driver. Just
    configure the relevant GCVs and follow the documented procedures. A good
    place to start is here:

    https://www.netiq.com/communities/cool-solutions/cprs-controlled-permission-reconciliation-service-understanding-feature-whats-new-advantage-usage/

    Still one resource with dynamic entitlements (again scales better). I
    prefer to use static entitlements in some scenarios.



  • On 2019-01-12 18:04, mJg2XW wrote:
    >
    > Hi
    >
    > Is there any way on creating "Resources" in UserApp/resource catalog
    > from a corresponding AD group automatically, and assign the Entitlement
    > Value?
    >
    > /Michael
    >
    >

    Hello,

    We do it with custom policies on the publisher channel that call a
    workflow that in turn calls an integration activity that uses SOAP
    against the User Application to create the resources.

    If you use a modern IDM version you could skip the workflow and create
    the resource directly from the policy builder.


    -alekz

    --
    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.
  • alekz <alekz@no-mx.forums.microfocus.com> wrote:
    > On 2019-01-12 18:04, mJg2XW wrote:
    >>
    >> Hi
    >>
    >> Is there any way on creating "Resources" in UserApp/resource catalog
    >> from a corresponding AD group automatically, and assign the Entitlement
    >> Value?
    >>
    >> /Michael
    >>
    >>

    > Hello,
    >
    > We do it with custom policies on the publisher channel that call a
    > workflow that in turn calls an integration activity that uses SOAP
    > against the User Application to create the resources.
    >
    > If you use a modern IDM version you could skip the workflow and create
    > the resource directly from the policy builder.
    >


    We do similar (WF, integration activity), but move such logic to a separate
    driver, keeping the AD driver for just data transport as much as possible.

    There are still some limitations on the tokens vs the SOAP calls. For
    resources IIRC you can't specify a custom container.

    Also, as I said, in theory you only need 1 resource with dynamic
    entitlements, but that might not suit your overall design.


  • Hi

    Many thanks for your reply :)

    I will take a closer look on the CPRS stuff.

    /michael
  • Hi

    We have upgraded from 4.6 (PCRS) to 4.7 (CPRS). It won't create the resource automatically in 4.7. We have manually created a dynamic resource for the group. CPRS gives you two options, first compute
  • iampranavpg;2497998 wrote:
    Hi

    We have upgraded from 4.6 (PCRS) to 4.7 (CPRS). It won't create the resource automatically in 4.7. We have manually created a dynamic resource for the group. CPRS gives you two options, first compute
  • Here is a rule that creates a Resource with an Entitlement:

    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer47\plugins\com.novell.idm.policybuilder_4.0.0.201812171538\DTD\dirxmlscript4.7.2.dtd">
    <policy>
      <rule>
        <description>test rule</description>
        <conditions>
          <and>
            <!-- fires when the Description attribute in the current operation is being set to "testres" -->
            <if-op-attr mode="nocase" name="Description" op="changing-to">testres</if-op-attr>
          </and>
        </conditions>
        <actions>
          <!-- id/password: User Application account used for the provisioning call; url: the UA provisioning URL GCV -->
          <do-create-resource id="cn=uaadmin,ou=users,o=data" resource-name="group5idm5" time-out="0" url="~UAProvURL~">
            <arg-password>
              <!-- literal password as posted; a named password keeps the credential out of the policy XML -->
              <token-text xml:space="preserve">novell</token-text>
            </arg-password>
            <arg-string name="description">
              <token-text xml:space="preserve">testgroupeb</token-text>
            </arg-string>
            <arg-string name="display-name">
              <token-text xml:space="preserve">testgroupeB</token-text>
            </arg-string>
            <!-- DN of the AD driver's Group entitlement -->
            <arg-string name="entitlement-dn">
              <token-text xml:space="preserve">cn=Group,cn=Active Directory Driver,cn=driverset,ou=services,o=system</token-text>
            </arg-string>
            <!-- entitlement value in JSON form: ID = the group's objectGUID, ID2 = the group's DN in AD -->
            <arg-string name="entitlement-value">
              <token-text xml:space="preserve">{"ID":"94ce357c931caa4eb47de7aa7081adef","ID2":"CN=group5idm5,OU=groups,OU=test,DC=demo,DC=com"}</token-text>
            </arg-string>
          </do-create-resource>
        </actions>
      </rule>
    </policy>

    You can set this rule in the publisher channel of your AD driver and get the entitlement value from the AD group.

    I have already tested this rule successfully.

    Hope this will help.

    Sylvain
  • Here is the full rule that creates the resource when an AD group is created (in the Input Transformation):

    <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer47\plugins\com.novell.idm.policybuilder_4.0.0.201812171538\DTD\dirxmlscript4.7.2.dtd">
    <policy>
      <rule>
        <description>Create resource when new group is ADDED - xxxx </description>
        <conditions>
          <and>
            <!-- only an add of a Group object located under the driver's configured group container -->
            <if-operation mode="nocase" op="equal">add</if-operation>
            <if-class-name mode="nocase" op="equal">Group</if-class-name>
            <if-src-dn op="in-container">~drv.group.container~</if-src-dn>
          </and>
        </conditions>
        <actions>
          <!-- the association (the AD objectGUID) becomes the "ID" part of the entitlement value -->
          <do-set-local-variable name="groupGUID" scope="policy">
            <arg-string>
              <token-association/>
            </arg-string>
          </do-set-local-variable>
          <!-- the source object name, i.e. the group's CN in AD -->
          <do-set-local-variable name="groupName" scope="policy">
            <arg-string>
              <token-src-name/>
            </arg-string>
          </do-set-local-variable>
          <do-set-local-variable name="resourceName" scope="policy">
            <arg-string>
              <token-text xml:space="preserve">AD_Group_Resource_</token-text>
              <token-local-variable name="groupName"/>
            </arg-string>
          </do-set-local-variable>
          <!-- id/password: User Application account used for the provisioning call; url: the UA provisioning URL GCV -->
          <do-create-resource id="cn=uaadmin,ou=users,o=data" resource-name="$resourceName$" time-out="0" url="~UAProvURL~">
            <arg-password>
              <!-- literal password as posted; a named password keeps the credential out of the policy XML -->
              <token-text xml:space="preserve">novell</token-text>
            </arg-password>
            <arg-string name="description">
              <token-text xml:space="preserve">AD_Group_Resource_</token-text>
              <token-local-variable name="groupName"/>
            </arg-string>
            <arg-string name="display-name">
              <token-text xml:space="preserve">AD_Group_Resource_</token-text>
              <token-local-variable name="groupName"/>
            </arg-string>
            <!-- DN of the AD driver's Group entitlement -->
            <arg-string name="entitlement-dn">
              <token-text xml:space="preserve">cn=Group,cn=Active Directory Driver,cn=driverset,ou=services,o=system</token-text>
            </arg-string>
            <!-- entitlement value assembled as JSON: ID = objectGUID, ID2 = the group's DN built from its CN -->
            <arg-string name="entitlement-value">
              <token-text xml:space="preserve">{"ID":"</token-text>
              <token-local-variable name="groupGUID"/>
              <token-text xml:space="preserve">","ID2":"CN=</token-text>
              <token-local-variable name="groupName"/>
              <token-text xml:space="preserve">,OU=groups,OU=xxxx,DC=demoxxxx,DC=com"}</token-text>
            </arg-string>
          </do-create-resource>
        </actions>
      </rule>
    </policy>
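As an added check (not code from this thread or from NetIQ), the script below renders the entitlement-value string that a do-create-resource rule like the one above assembles from its tokens, verifies that it is valid JSON carrying both ID and ID2, and flags a literal password under arg-password. The sample policy is a trimmed copy of the rule, the local variable values are constructed, and the DN suffix is a placeholder.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the Input Transformation rule, with the
# entitlement-value tokens kept exactly as the rule concatenates them.
SAMPLE_POLICY = """<policy><rule><actions>
<do-create-resource id="cn=uaadmin,ou=users,o=data" resource-name="$resourceName$" time-out="0" url="~UAProvURL~">
  <arg-password><token-text xml:space="preserve">novell</token-text></arg-password>
  <arg-string name="entitlement-value">
    <token-text xml:space="preserve">{"ID":"</token-text>
    <token-local-variable name="groupGUID"/>
    <token-text xml:space="preserve">","ID2":"CN=</token-text>
    <token-local-variable name="groupName"/>
    <token-text xml:space="preserve">,OU=groups,DC=example,DC=com"}</token-text>
  </arg-string>
</do-create-resource>
</actions></rule></policy>"""


def render_arg(arg, variables):
    """Concatenate an arg-string's tokens in order, substituting policy local variables."""
    parts = []
    for tok in arg:
        if tok.tag == "token-text":
            parts.append(tok.text or "")
        elif tok.tag == "token-local-variable":
            parts.append(variables[tok.get("name")])
        else:
            raise ValueError(f"unsupported token {tok.tag}")
    return "".join(parts)


def audit_policy(policy_xml, variables):
    """Return {resource-name: (parsed entitlement value or None, findings)} per do-create-resource."""
    results = {}
    for action in ET.fromstring(policy_xml).iter("do-create-resource"):
        findings = []
        # A literal token-text under arg-password means the UA account credential is stored in the policy.
        if action.find("arg-password/token-text") is not None:
            findings.append(f"literal password for {action.get('id')} in policy")
        args = {a.get("name"): render_arg(a, variables) for a in action.findall("arg-string")}
        entitlement = None
        try:
            entitlement = json.loads(args.get("entitlement-value", ""))
        except json.JSONDecodeError:
            # A group name containing a double quote breaks the hand-built JSON.
            findings.append("entitlement-value does not render to valid JSON")
        else:
            findings += [f"entitlement-value missing {k}" for k in ("ID", "ID2") if not entitlement.get(k)]
        results[action.get("resource-name")] = (entitlement, findings)
    return results
```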