What's new in IDM 4.5 - Part 5

I think digging in and seeing what is new in releases of Identity Manager is a useful thing. The high level What's New that the vendor provides is helpful, but rarely covers the level of detail I am interested in.

With IDM 4.5 there is a TID https://www.novell.com/support/kb/doc.php?id=7016414 that lists all the bugs tagged as fixed in IDM 4.5. I thought it would be interesting to pick out ones I wanted to talk about and discuss what the issue is for each. This way you can get a better feel for what is new in this release.

Roles Based Provisioning Module:

These are bugs related to the Roles and User App side of the IDM product and are harder to find information about. For a variety of reasons bugs about the engine and Designer are much more open than the RBPM side. Which seems like an odd choice, but that is what it is. But as a consequence there is not much to say about them. Which appears to be the goal, as strange as that might seem.

855366 Documentation DOC: New settings for controlling Code Map Refresh

In IDM 4.02 they introduced a way to code map refresh a single entitlement via a SOAP call. In the PCRS drivers they use this call to refresh entitlement values in the Code Map tables after they read in new values or update entitlements via the PCRS policy code. They actually call this via a Java class they include called init-idm-resources.jar that has a bunch of functions you can see called in the policies. (They have to define the name space of the class they are calling for each function, which is a dead giveaway of where the class is located; then look for new JAR files in the patch.)

This bug just seems to be about documenting the new way to do this.

875557 Dashboard - Request Status Unable to filter or view requests in the Request Status area after hitting a size limit exceeded exception

I would like to see more about this, specifically, since this is a persistent and recurring issue in all of the User Application. In order to protect the database, large queries are blocked, and the option of paging the results is offered. Except they do not use the size of the page to page the query; rather, they still do the big query and page the results. Thus if you have too many results, you do not get anything unless you filter it down first. But of course, you often need to see what you have to know what to filter on constructively, yet you do not get just the first set of results, you get nothing along with an error. This is a core flaw in the product that I hope this bug is partially working to resolve.

869031 Dashboard - Role Assignments (cygnus): Filter for Role Assignments does not work correctly when there are more then 500 assignments

This is another bug about how the filtering works, where too large a set breaks filtering that is now resolved. Generically these are good things, but it would be nice to see the real underlying problem finally resolved.


891446 Application Framework Remove "Manage Directory" tool

I had noticed that if you tried to open the eDirectory browser in Designer 4.5 that it was no longer there. It looks like this bug is the tracker for why it was removed. I personally am kind of disappointed as I liked having what amounted to a copy of Console1 running in Designer. It was useful for looking at the tree without needing some other tool. Like actual Console1, or an LDAP browser. Having it built into Designer was kind of useful at times. What was interesting is that it really was a copy of Console1. Many of the plugins were included, but disabled and there was a config file you could edit to re-enable specific plugins. I found that very handy on rare occasion.

Alas poor eDirectory browser, it was a good run! I shall raise a slice of herring in your memory this weekend.

The good news is that there are plugins for Designer that offer some LDAP-like services within the Designer instance. There is Stephaan Van Cauwberge's (I never can spell that guy's name) plugin that adds DAModifier-like activities to Designer. That is, it allows import, export, and modification of DirXML-Associations from within Designer.

Or a more generic LDAP tool for Designer available here: http://oberlechner.org/?page_id=90

895027 Application Framework Designer 4.5 on Windows 7 sluggish and freezes

I am always very interested in bugs about Designer performance. As someone who lives in Designer every day as my job, performance is a real concern for me. The guys in Engineering were good about working with me on it, and I approached it from the memory leak perspective. With a Java application that eats lots of memory, leaking memory means Garbage Collection can take a long time (multiple seconds) and that usually manifests itself as a seeming freeze of the application as the JVM cleans things up.

I have to say that somewhere between the switch to a new version of Eclipse 4.3 from 3.4, or a move to 64 bit, or else cleanup work by Engineering, something really made a difference in memory leaks. I try very hard to force leaks, and in some builds of Designer it was really easy. I must have uploaded 100 Eclipse memory dumps to try and isolate them over the years.

Well 4.5 is really hard to make leak. My currently running Designer has a medium sized project open, with one policy, and is using 1188M out of 1347M according to the gas gauge at the bottom left.

A click on the garbage can and it is down to 480M now. Close all tabs, and hit the garbage can and it is down to 468M. When I look at the memory dump (use the tool jmap from a JDK of the same version/bit depth with the switch -dump:format=b,file=path\to\dump\file PID to generate the dump, then open it in the Eclipse Memory Analyzer Tool) it shows no obvious leakers. The two big memory 'leaks' have been identified to me as copies of schema from each project I opened during this session and are kept for performance reasons.

This bug however did not seem to resolve anything specific. But overall I am very happy with the performance and memory leak characteristics of Designer 4.5. I still try to make it leak, but that is because I am mean.

848303 Configuration Management Duplicate Password Sync GCVs are added when Password Synchronization configuration is edited in the Developer mode

With the switch to packages in IDM 4, and specifically moving the Password Sync logic into packages, where the GCVs are in a GCV object, some of the tools that were built for managing them needed to be fixed. After all, previously there was only one place to have GCVs (well two I guess, driverset and driver objects) but now you can have unlimited objects carrying GCV data. Thus the notion of Effective GCV is important under the covers.

You could see this if you right clicked on the driver line in the Modeler view, selected Manage Password Sync and when this was broken, it would show all options ghosted, since the GCV's were not in the attribute on the driver object, rather they had been moved to a GCV object. Similarly, when you went from the Modeler view, bottom tab, Dataflow, upper left corner, change the filter view to Password Sync then it would show the driver level values, not the effective values. Between this and another bug they fixed that set of issues in 4.5. I had noticed in Designer 4, 4.01, and 4.02 that it kind of came and went. Was fixed, broken back, fixed, broken back. Hopefully this time it will stay resolved.

848785 Eclipse Framework Designer needs to automate linkage migration & updated schema to project

This bug opened a can of worms as it fixed another issue. With the release of IDM 4.0.2 patch 3 a fix for the ordering of policies was implemented that was long needed. Basically it started storing the package linkage information in eDirectory as the attribute DirXML-pkgLinkages (an XML blob that tells Designer where this policy belongs). This apparently was the fix for importing a driver and having Designer refuse to match the eDirectory ordering no matter what you tried, usually in a case of a mix of packaged and non-packaged content. With this fix, Designer is supposed to more reliably import it.

I never understood this, since the ordering is not stored as the order of attributes in a multi valued attribute, rather it is stored in DirXML-Policies, which has the syntax of Typed Name. Typed Name syntax has three components: a DN (the object to be linked, policy, XSLT, Resource, GCV, etc), then two 32 bit integers. These are used as counters. One (the order differs in the NCP vs LDAP view) tells you which policy set to use, where GCVs, ECMA, and each policy set get an integer from 0-16 (obviously good up to a 32 bit signed integer in size), and the second tells you the ordering within that assignment. Check out this article for more info: https://www.netiq.com/communities/cool-solutions/talking-about-dirxml-policies-attributes/

The numbering of the policy sets, GCV, and ECMA are as follows:
     0 Schema Map
     1 Input Transform
     2 Output Transform
     3 ECMA Script Object
     4 Sub Event Transform
     5 Pub Event Transform
     6 Sub Match
     7 Pub Match
     8 Sub Create
     9 Pub Create
     10 Sub Command Transform
     11 Pub Command Transform
     12 Sub Placement
     13 Pub Placement
     14 GCV Objects
     15 Startup (New in IDM
     16 Shutdown (New in IDM

But the second integer, telling you that Policy X is position 0, and Policy Y is position 1, seems eminently clear, so I do not understand why there was ever confusion. This is regardless of Packaged or not, that is how the end result of what is currently stored in eDirectory is represented.
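
As an added illustration (not code from this article or from NetIQ), the sketch below decodes DirXML-Policies values into execution order per policy set, using the numbering listed above. It assumes the LDAP string form DN#integer#integer; the DNs are constructed, and which integer carries the policy set is a switch because the order differs between the NCP and LDAP views.

```python
# Added example; assumes each DirXML-Policies value reads as "DN#int#int".
POLICY_SETS = {
    0: "Schema Map", 1: "Input Transform", 2: "Output Transform",
    3: "ECMA Script Object", 4: "Sub Event Transform", 5: "Pub Event Transform",
    6: "Sub Match", 7: "Pub Match", 8: "Sub Create", 9: "Pub Create",
    10: "Sub Command Transform", 11: "Pub Command Transform",
    12: "Sub Placement", 13: "Pub Placement", 14: "GCV Objects",
    15: "Startup", 16: "Shutdown",
}

def parse_typed_name(value, set_first=False):
    """Split one value into (policy_set, order, dn).

    set_first is an assumption switch: confirm against your own tree
    which of the two integers holds the policy set number.
    """
    # rsplit keeps any '#' that appears inside the DN itself
    dn, a, b = value.rsplit("#", 2)
    a, b = int(a), int(b)
    policy_set, order = (a, b) if set_first else (b, a)
    if policy_set not in POLICY_SETS:
        raise ValueError(f"unknown policy set {policy_set} in {value!r}")
    return policy_set, order, dn

def effective_order(values, set_first=False):
    """Return {policy set name: [DNs in execution order]}.

    Only the integers drive the sort, so the order in which the directory
    returns the multi-valued attribute does not matter.
    """
    result = {}
    for policy_set, _order, dn in sorted(
            parse_typed_name(v, set_first) for v in values):
        result.setdefault(POLICY_SETS[policy_set], []).append(dn)
    return result

# Constructed sample values (hypothetical DNs), deliberately out of order.
SAMPLE = [
    "cn=Veto-Disabled,cn=AD,cn=DriverSet,o=system#1#4",
    "cn=Match-By-CN,cn=AD,cn=DriverSet,o=system#0#6",
    "cn=Scope-Check,cn=AD,cn=DriverSet,o=system#0#4",
    "cn=Driver-GCVs #2,cn=AD,cn=DriverSet,o=system#0#14",
]

if __name__ == "__main__":
    for name, dns in effective_order(SAMPLE).items():
        print(name, "->", dns)
```
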

Nevertheless there was some need to fix it, and Package Linkages were the method. Each project that was created before Designer 4.0.2 AU4 I think needs to be converted. Conveniently, Designer would ask if you would like to convert it as you opened each project up that needed it. However if you said yes, then the entire layout you may have spent much time getting just right is reset to a default square layout. I know I personally like to have my AD drivers near each other, my text drivers together, and so on. The default layout on a large project is terrible. The good news is that by the time I wrote this article, IDM 4.5 SP2 was released and Designer 4.5.2 has a fix for this issue.

877709 ECMAScript Editor "File Changes" alert is thrown on shifting the focus to ECMA Script editor

This bug would drive me crazy. It actually applied to all DirXML-Resource objects and it would cause all sorts of problems. In fact this is one of the first bugs I noticed fixed in Designer 4.5. If you did not notice and close the tab to keep it clean, you would end up with more than one tab dirtied (marked with an asterisk), which causes problems when saving since each tab maintains a copy of the project in memory and you can stomp on changes made in another tab. It happens I work with a SOAP driver config that defines a lot of things in DirXML-Resource objects and these were always getting marked dirty to the point you could no longer rely on Designer about what was really changed or not. Very annoying and I am very glad it is fixed. DirXML-Resource objects that had a GUI editor in front of them, like Mapping Tables, did not seem to suffer this issue, but those that exposed a text editor like view did.

855509 Package Manager Password Synchronization GCV drivers do not reflect effective state

128201 Policy Builder (Holger - xpath) Add GCV and possibly local variable support to xpath builder

This bug was entered in 2005, as you can tell from its very low Bugzilla ID. This is an oldy but goody. Now as it happens, I strongly suspect but have not verified that in fact what they did was the cosmetic fix, not the functional fix. In the XPATH builder when you are testing XPATH and you use variables (local or global) the tester does not really test the variable values. But the second part of the request was for a selector of those variables to insert into the XPATH builder which is now there. But to me, the core of the bug is to evaluate the GCV's at least (local variables would make no sense to do, since you do not have the full policy flow being simulated to generate their values properly). I strongly suspect they did NOT implement that, based on what I see.

849583 Policy Builder Default compare-mode changed from case insensitive to case sensitive

In Designer 4.02 Auto Update 4 they made a strange change, that the type of condition test for If Attribute, If Source Attribute, If Destination Attribute and others was now case sensitive. But the default all along had been case insensitive. This bit me hard at a client since I barely even read that line if it is a string compare and that is how I noticed it. This bug indicates they fixed it so that now it is back to defaulting to case insensitive.

There are hundreds more fixes but I think I am done for now. This should be a good taste of what changed in the 4.5 release and it is a worthwhile upgrade, I recommend it.

