parameter-format="idm4" and administrator-defined-values

Is this combination supported? Or is idm4 parameter format only allowed
with query based values (values from the application)?

I ask this because I get an error "Unable to complete the CODE MAP
refresh for entitlement:" when I run a refresh of entitlement values.

If I change the parameter format back to legacy, then the error goes away.


ERROR [RBPM]
[com.novell.idm.nrf.service.CodeMapEngine:updateEntitlementToCodeMapView] Unable
to complete the CODE MAP refresh for entitlement:
INFO [RBPM] [com.novell.idm.nrf.service.CodeMapEngine:refreshCodeMap]
Unable to complete the CODE MAP refresh for entitlement: cn=aseaccount,c
  • On 16.03.2012 11:36, Alex McHugh wrote:
    > Is this combination supported? Or is idm4 parameter format only allowed
    > with query based values (values from the application)?
    >
    > I ask this because I get an error "Unable to complete the CODE MAP
    > refresh for entitlement:" when I run a refresh of entitlement values.
    >
    > If I change the parameter format back to legacy, then the error goes away.


    Never mind, I worked out that this is possible.

    1. In EntitlementConfiguration make sure that the following are present:
       a. parameter-format="idm4"
       b. <parameters><parameter mandatory="true" name="ID" source="value"/></parameters>
    2. In the entitlement object, specify the value in JSON format, for example:
       {"ID":"an_entitlement_value"}
    3. Refresh entitlement values and no errors are generated during refresh.
    4. Granting/revoking a resource tied to this entitlement doesn't generate any errors in the roles.
  • Verified Answer

    True that would fix the problem, but then Designer is broken as it generates the Entitlement with XML Data, and not JSON Data.

    I have the exact same configuration in an IDM 4.5 project which works. Now has this changed between IDM 4.5 and 4.7 - so entitlement with values needs to be updated?

    Cheers,

    Casper

  • We've seen IDM Apps and RRSD have got stricter with how they interpret the info in the Entitlement-Configuration object. RRSD actually parses Entitlement-Configuration and uses the info in that to decide how to grant/revoke entitlement values. At one customer, this caused some odd errors for me when I had inadvertently created an Entitlement-Configuration object with invalid XML.

    I think it is actually a good thing that the RRSD driver has become more strict, as there are environments out there with all kinds of cruft that should never have worked in the first place.

    The DTD for Entitlement-Configuration objects now states that if you omit parameter-format then it defaults to idm4. I don't think it was like that when they first launched the new style entitlements in 4.0.

    Recall that administrator defined values were intended to be used by the old Entitlement Service Driver, which has been on the deprecated chopping block for a long time now.

  • With 4.0.x the new format was introduced, and it would default to it. I think I even got an original 4.0.0 AD driver somewhere which would create the EntitlementConfiguration object without the format.

    But this is not an issue with the RRSD driver, this is the UA which will not do a code-map refresh of the entitlement, and the Entitlement is created with Designer.

    I've followed the documentation (IDM 4.7): https://www.netiq.com/documentation/identity-manager-47/pdfdoc/entitlements/entitlements.pdf - on page 21 there is a screendump of an entitlement (Designer) and mine is an almost exact copy.

    And on page 46 there is an example of an entitlement with values (XML).

    The code-map refresh works just fine with entitlements w/o values, and with queries, it only fails when there are values.

    A bit strange.

  • I am pretty sure Steve in the past suggested two solutions for non-valued entitlements.

    1) Legacy mode as Alex suggested.

    2) Specify a value of {} (Open curly brace, close curly brace) which is a valid empty JSON element.

    Thinking about it, does the EntitlementConfiguration DTD support static values for <parameter> nodes?

  • The DTD shows the values as XML. And even Designer 4.8 will generate the Entitlement as:

    <entitlement conflict-resolution="priority" description="" display-name="test-values">
      <values multi-valued="false">
        <value>VALUE1</value>
        <value>VALUE2</value>
        <value>VALUE3</value>
      </values>
    </entitlement>

    There are now two options - something in my setup is really wrong, or Designer and the Documentation are wrong.

    I'll ignore the issue for the time being.

    Thanks!

  • Designer and the documentation fail to mention that you need to set parameter-format to legacy if you want to use this style.

    The documentation is not "wrong", just incomplete.
    If you insist on using idm4 as parameter format then you need to construct your values as such (JSON inside XML):

    <entitlement conflict-resolution="priority" description="" display-name="test-values">
      <values multi-valued="false">
        <value>{"ID":"VALUE1"}</value>
        <value>{"ID":"VALUE2"}</value>
        <value>{"ID":"VALUE3"}</value>
      </values>
    </entitlement>

  • This is interesting, as then Designer is "broken" as it will always produce the legacy format - unless of course you enter "{"ID":"VALUE1"}" which then will work.

    But as you said, the Documentation needs a refresher.

    Good to know, thank you.

  • Thanks for good tip!

    One thing I wonder is whether the parameter id "ID" in "EntitlementConfiguration" for the entitlement is hard-coded to the entitlement with administrative values with JSON field ID?

    <value>{"ID":"VALUE1"}</value>

    /Maqsood

  • You can use whatever you want in your static assigned values, the 'getEntParamField' just takes a field name.

    It's only when you're using dynamic entitlements that it could become a bit tricky. You can also use something other than ID and ID2, but then you need to meddle with the entitlement configuration object.
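
A check for the rule worked out in this thread (Alex McHugh's steps and the later "JSON inside XML" reply), written here as an added example and not taken from any poster or from the product: when parameter-format is idm4, every static <value> must be a JSON object carrying the mandatory parameter names. The function name, the wrapper element name around the configuration and the sample XML are assumptions constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample input. The wrapper element name is an assumption; only the
# parameter-format attribute and the <parameters> block come from the thread.
CONFIG_XML = """<entitlement-config-sample parameter-format="idm4">
  <parameters><parameter mandatory="true" name="ID" source="value"/></parameters>
</entitlement-config-sample>"""

# Constructed: one value in each state (valid, plain string, wrong field name).
ENTITLEMENT_XML = """<entitlement conflict-resolution="priority" display-name="test-values">
  <values multi-valued="false">
    <value>{"ID":"VALUE1"}</value>
    <value>VALUE2</value>
    <value>{"Name":"VALUE3"}</value>
  </values>
</entitlement>"""


def check_static_values(config_xml, entitlement_xml):
    """Return (value_text, problem) pairs for values that do not fit idm4 format."""
    config = ET.fromstring(config_xml)
    # One reply says the DTD treats an omitted parameter-format as idm4.
    if config.get("parameter-format", "idm4") != "idm4":
        return []  # legacy format: plain string values, nothing to check here
    mandatory = [p.get("name") for p in config.iter("parameter")
                 if p.get("mandatory") == "true"]
    problems = []
    for value in ET.fromstring(entitlement_xml).iter("value"):
        text = (value.text or "").strip()
        try:
            parsed = json.loads(text)
        except ValueError:
            problems.append((text, "not JSON"))
            continue
        if not isinstance(parsed, dict):
            problems.append((text, "not a JSON object"))
            continue
        missing = [name for name in mandatory if name not in parsed]
        if missing:
            problems.append((text, "missing field: " + ", ".join(missing)))
    return problems


if __name__ == "__main__":
    for text, problem in check_static_values(CONFIG_XML, ENTITLEMENT_XML):
        print(f"{problem}: {text}")
```

Running it against a Designer export before deployment shows which values would still be in the plain-string style that the thread associates with the failed code-map refresh.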