Invalid nrfEntitlementRef being built


I have an issue with a Notes driver, where I am using multiple drivers.
I renamed the entitlements from the package names to avoid confusion.
Now, the User entitlement is not generating a valid value in the
resource object. This is a valueless entitlement, which usually means
the JSON string is empty, only having a "{}" in the param element in
nrfEntitlementRef. It should look like...

<param>{}</param>

instead, I get

</param>

So, when assigning this resource, the Roles driver errors out with an
Invalid JSON String, and will not process the Resource into an
Entitlement. When I manually edit the attribute, it works. However,
something, somewhere, seems to be changing it back to the invalid
value.

NetIQ decided it would be a good idea to hard code the entitlement names
into the initialization code. I exported both drivers, searched the XML
for the old names and found none. I went so far as to rename all the
GCV's as well with the new names. The EntitlementConfiguration says
these are IDM4 type entitlements, but no JSON strings. :( The Group
entitlements, which were also renamed, but are Valued entitlements,
appear to be working great. Attributes appear normal, and when
assigned, they actually put the user into the appropriate group in
Notes.

Where does UA get the information to build the nrfEntitlementRef
attribute on the Resource object? Is it being treated as a legacy
entitlement for some reason? Does this have something to do with
renaming the Entitlement?

As an aside, because I know someone will ask, I did try to revert the
changes but that failed. I tried both in Outline View, and in the Driver
Properties/Packages view. Neither one did anything when I tried to
revert the Entitlements. The next "funny thing", only the User
entitlement has the black star on it, but I renamed both the User and
Group entitlements.

<insert twilight zone music here>


--
tse7147
------------------------------------------------------------------------
tse7147's Profile: https://forums.netiq.com/member.php?userid=466
View this thread: https://forums.netiq.com/showthread.php?t=51568

  • > resource object. This is a valueless entitlement, which usually means
    > the JSON string is empty, only having a "{}" in the param element in
    > nrfEntitlementRef. It should look like...
    >
    > <param>{}</param>
    >
    > instead, I get
    >
    > </param>
    >
    > So, when assigning this resource, the Roles driver errors out with an
    > Invalid JSON String, and will not process the Resource into an
    > Entitlement. When I manually edit the attribute, it works. However,
    > something, somewhere, seems to be changing it back to the invalid
    > value.
    >
    > NetIQ decided it would be a good idea to hard code the entitlement names
    > into the initialization code. I exported both drivers, searched the XML


    You mean the ITP code? Ya, I dislike the approach taken here. I wish we
    could instead deliver the entitlementConfiguration object with the
    package, prebuilt, and just paste in the LDAP names instead. Since the
    final case (every other entitlement) does not do much anyway, so you
    have to change the code anyway, so why bother.

    > Where does UA get the information to build the nrfEntitlementRef
    > attribute on the Resource object? Is it being treated as a legacy
    > entitlement for some reason? Does this have something to do with
    > renaming the Entitlement?


    Code Map refresh is when the UA, queries the vault for all driver
    objects, then all the looks for the entitlementConfiguration object
    underneath it, reads the contents. Then seems to query back some of the
    Entitlement objects to get additional info out of them.

    So, then when you go to define a Resource, with an entitlement, it knows
    the kind of values you need to add and will inject an XDS query into the
    driver via the UA driver to return legal values to specify for this
    Resource.

    Not the entire answer, but part of the way.

    Now thinking about it, could you define a non-valued entitlement for
    UserAccount, instead of trying to set a null one. Maybe you could set
    an Admin defined Entitlement value and set it to null or {} or something
    else?