Entitlements issue in the IDM 4.5 User Application


Hi all,

I have an issue assigning a resource with an entitlement. The request is
still in the running state. I found it is an entitlement issue, but it is
strange because I installed the newest version of IDM 4.5 with the patches
and deployed the LDAP driver. I also used the newest version of Designer, and
all packages are updated.
I found the following error in the traces of the Role and Resource Service
Driver:


<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.2">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<nrf:resrequest
dn="O=system\OU=services\OU=idm\CN=driverset\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20150312095634-6241066a88b348e388711678ae9c5a56-0" event-id="0"
xmlns:nrf="urn:dirxml:nrf"/>
</input>
</nds>
[03/12/15 09:56:34.672]:Role and Resource Service Driver
ST:SubscriptionShim.execute() returned:
[03/12/15 09:56:34.672]:Role and Resource Service Driver ST:
<nds dtdversion="4.0">
<source>
<product instance="Role and Resource Service Driver"
version="4.5.0.0">NetIQ Role Service Driver</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="error">Error processing request
DN:
O=system\OU=services\OU=idm\CN=driverset\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20150312095634-6241066a88b348e388711678ae9c5a56-0
Reason: java.lang.Exception: Error. Entitlement
parameter value is not in the expected JSON format, defined by the
entitlement configuration setting named parameter-format. This can occur from
malformed JSON in the parameter value, or an entitlement was provisioned
with a legacy parameter value before the entitlement parameter
support was upgraded to IDM4.
DN:
O=system\OU=services\OU=idm\CN=driverset\CN=PostgreSQL ACME
Schema\CN=Account
Agent: UA
Parameter Value: </status>
</output>
</nds>

Also, I read Geoffrey's blog http://tinyurl.com/la52w5b to
understand it, and I read the TID '7009911'
(https://www.novell.com/support/kb/doc.php?id=7009911) too, but it is not
clear to me how I can solve this issue :(

Do you have any idea what could be wrong and how I can solve it?
Many thanks!

Milan


--
mjuricek
------------------------------------------------------------------------
mjuricek's Profile: https://forums.netiq.com/member.php?userid=1616
View this thread: https://forums.netiq.com/showthread.php?t=53088

  • Go look at your nrfResource object. Read the nrfEntitlementRef attribute.

    What is the value, inside the path component, inside the <param></param>
    node of that component?

    (This value is the DirXML-EntitlementRef that will be added to each
    user who is granted the Resource.)

    That stuff inside <param/> should be JSON. Alas, empty is apparently
    invalid JSON.

    If you have no value in this entitlement, just define it as a valued
    entitlement and give it a silly value. (I vote for something funny like
    42.) So the JSON should become {"ID":"42"} or somesuch, which is valid.

    If your entitlement implementation in the actual driver is not using
    the value, then it does not matter what you put in there.

    It would be nice if there were an official way to specify an empty value
    that RRSD would accept.





  • So I changed the entitlement to valued, set the values, and read the
    nrfEntitlementRef in the Role and Resource Service Driver.
    The value is:

    1\T=ACME\O=system\OU=services\OU=idm\CN=driverset\CN=ApacheDS-LDAPDriver\CN=Account<?xml
    version="1.0" encoding="UTF-8"?><ref>
    <src>UA</src>
    <id/>
    <param>TestValue</param>
    </ref>

    Is it OK? Because it does not work either.
    M.


    --
    mjuricek


  • Ok... when I set the value in JSON format in the UA, in my
    resource, it is working.
    It looks like a bug!

    Milan


    --
    mjuricek

  • On 3/12/2015 9:54 AM, mjuricek wrote:

    No, it is not OK. TestValue is not valid JSON, which is the message you
    were getting.

    I gave a specific JSON example, which would probably suffice.


  • On 03/12/2015 11:33 AM, Geoffrey Carman wrote:

    Greetings,
    We do not re-evaluate assigned Resources when one makes a change in
    regards to Entitlements or Request Parameters.

    Once you create a Resource and have assigned it to a user or associated
    it with a Role, then you cannot do the following:

    a) Add an Entitlement
    b) Remove an Entitlement
    c) Change the value of an Entitlement
    d) Change the format of an Entitlement
    e) Add new Request Parameters
    f) Remove Request Parameters
    g) Modify a Request Parameter


    If you need to make any of the above changes, then you have to:

    1) Remove the Resource from being associated with any and all Roles
    2) Manually revoke any users that were directly assigned
    3) Make the necessary changes
    4) Re-associate the Resource with the Role(s)
    5) Assign any users that were directly assigned.


    Failure to follow the above steps will result in many different kinds of
    problems with Revocation.


    --

    Sincerely,
    Steven Williams
    Lead Software Engineer
    NetIQ
  • On 03/12/2015 01:18 PM, Steven Williams wrote:

    I also forgot to outline that you can have issues with assignment
    depending upon what was changed.

    --

    Sincerely,
    Steven Williams
    Lead Software Engineer
    NetIQ

  • Steven Williams;255262 Wrote:

    Hi, the same problem is happening to me.

    When I define a NON-VALUED Entitlement for a Resource Object and try to
    assign it to a user, it gives the error outlined by mjuricek. If I add
    the param tag in JSON format directly to the nrfEntitlementRef attribute
    on the resource object (the value doesn't matter), it works.

    ORIGINAL nrfEntitlementRef attribute value (not working):
    cn=RACFAccount,cn=RACF,cn=driverset1,o=system#1#<?xml version="1.0"
    encoding="UTF-8"?><ref>
    <src>UA</src>
    <id/>
    <param/>
    </ref>

    MODIFIED nrfEntitlementRef attribute value (working):
    cn=RACFAccount,cn=RACF,cn=driverset1,o=system#1#<?xml version="1.0"
    encoding="UTF-8"?><ref>
    <src>UA</src>
    <id/>
    <param>{"ID":"NADA"}</param>
    </ref>

    The ORIGINAL attribute value works correctly on IDM 4.02. Is there any
    fix for this on IDM 4.5?

    Regards.


    --
    Facundo Orsi
    ------------------------------------------------------------------------
    orsifacundo's Profile: https://forums.netiq.com/member.php?userid=734
    View this thread: https://forums.netiq.com/showthread.php?t=53088

  • On 2/17/2016 10:04 AM, orsifacundo wrote:

    I think we heard that to use an unvalued entitlement, you need to set a
    value of {} as null. However, the better way to do it is to define this
    entitlement in entitlementConfiguration as legacy format, not idm4.

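The rules this thread converges on (an empty <param/> is rejected when the EntitlementConfiguration parameter-format is idm4, a JSON object such as {"ID":"NADA"} or {} is accepted, and a legacy-format entitlement takes any value) can be checked against an nrfEntitlementRef value before a Resource is assigned, rather than after the request hangs in the running state. The following is an added example, not code from this thread or from NetIQ. The sample values are constructed from the ones quoted above (with the forum's surrounding "-" characters stripped), and the check assumes that idm4 requires a JSON object: the working values in the thread are objects, and whether RRSD would accept a bare JSON scalar is not stated here.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample nrfEntitlementRef values modelled on the ones quoted in
# this thread. Layout: <path component>#<state>#<ref XML>.
_PATH = "cn=RACFAccount,cn=RACF,cn=driverset1,o=system#1#"
_XML_HEAD = '<?xml version="1.0" encoding="UTF-8"?><ref>\n<src>UA</src>\n<id/>\n'

REF_EMPTY_PARAM = _PATH + _XML_HEAD + "<param/>\n</ref>"                 # original, failing
REF_TEXT_PARAM = _PATH + _XML_HEAD + "<param>TestValue</param>\n</ref>"   # plain text, failing
REF_JSON_PARAM = _PATH + _XML_HEAD + '<param>{"ID":"NADA"}</param>\n</ref>'  # working
REF_NULL_JSON = _PATH + _XML_HEAD + "<param>{}</param>\n</ref>"           # "{} as null"


def split_entitlement_ref(value):
    """Split a value into (path component, <ref> XML); the XML starts at the first '<'."""
    idx = value.find("<")
    if idx < 0:
        raise ValueError("nrfEntitlementRef value has no XML component")
    return value[:idx], value[idx:]


def check_param(value, parameter_format="idm4"):
    """Return (ok, reason) for the <param> node of one nrfEntitlementRef value.

    parameter_format mirrors the EntitlementConfiguration setting named in the
    RRSD error: "idm4" requires JSON, "legacy" passes the text through.
    Assumption (not stated in the thread): under idm4 the JSON must be an object.
    """
    _path, xml_text = split_entitlement_ref(value)
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))  # bytes so the encoding decl is honoured
    except ET.ParseError as exc:
        return False, f"<ref> XML does not parse: {exc}"
    if root.tag != "ref":
        return False, f"expected <ref> root element, got <{root.tag}>"
    param = root.find("param")
    text = (param.text or "").strip() if param is not None else ""

    if parameter_format == "legacy":
        return True, "legacy parameter-format: value is passed through as-is"
    if parameter_format != "idm4":
        return False, f"unknown parameter-format {parameter_format!r}"

    if not text:
        return False, "<param> is empty; idm4 parameter-format requires JSON"
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"<param> is not valid JSON: {exc.msg} at position {exc.pos}"
    if not isinstance(parsed, dict):
        return False, "<param> is JSON but not an object (assumed requirement)"
    return True, f"<param> is a JSON object with keys {sorted(parsed)}"


if __name__ == "__main__":
    samples = [
        ("empty", REF_EMPTY_PARAM),
        ("TestValue", REF_TEXT_PARAM),
        ("ID=NADA", REF_JSON_PARAM),
        ("{}", REF_NULL_JSON),
    ]
    for label, ref in samples:
        ok, reason = check_param(ref)
        print(f"{label:10} idm4:   {'OK ' if ok else 'ERR'} {reason}")
    ok, reason = check_param(REF_EMPTY_PARAM, parameter_format="legacy")
    print(f"{'empty':10} legacy: {'OK ' if ok else 'ERR'} {reason}")
```

Run against a value read from the nrfResource object, the function reproduces the thread's outcomes: the empty and plain-text params fail under idm4 with the reason RRSD reported, the JSON-object params pass, and the same empty param passes once the entitlement is declared legacy format. Note that, as the last reply in the thread describes, a package policy can write parameter-format back to idm4 on driver restart, so the format you pass here should be the one actually present on the EntitlementConfiguration object.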



  • geoffc;265294 Wrote:

    Thanks Geoffrey, it worked.

    In my case I had to change a policy that came with the "Permission
    collection and reconciliation service" package, which hardcoded "idm4" in
    the parameter-format property of the EntitlementConfiguration object, so
    each time I restarted the driver it put that value back to "idm4" and
    valueless entitlement objects wouldn't work.

    Regards.


    --
    Facundo Orsi