Identity Manager Policy: Run One Event Only


One of the many great things about Identity Manager (IDM) from NetIQ/Micro Focus is its event-driven nature. Besides running on top of an actual directory and authentication source (rather than only aggregating data from external sources), it acts on events as they happen in real time. Performance is superb, and actual work is tied to actual events, rather than polling (and possibly coming up with nothing after a long delay) or running outside calculations to see whether changes to attribute X and variable Y indicate that event Z took place, which is how most competing products work.

With every strength comes a corresponding tradeoff, as in all of life. A side effect of an event-driven system is that the events might be there waiting for you right now, and they may come in fast and furious, and that may not be ideal in some cases. For example, when deploying a new driver config object, or new code in an existing object, you may want to watch one or two events at a time, rather than seeing thousands go through in the blink of an eye, to verify everything is perfect before you unleash the new code on the entire world.

Since some events can be over in a millisecond, and others may take hundreds of milliseconds or, if the connected application is slow, a few seconds to complete, there is no reliable way to interact with the system directly to stop after one event happens. We poor humans are just too slow at reading traces, understanding consequences, and sending the Stop command to pull that off properly. Computers, though, are good at doing things reliably, repeatedly, and quickly, as that is their primary job, so there is a way to get the computer to stop itself at the appropriate time.

The attached policy can be added to any driver config, or to a Library so it can be used anywhere easily (and perhaps it should go into a package as well); it exists for the sole purpose of stopping the driver config object after one event processes, whether successfully or not. It works by using the seldom-ideal driver-scoped local variable to detect the first event; upon detection of another event while that variable is already set, it sends a fatal status (with appropriate messages) indicating that one event is done and it is time to stop. A Fatal status causes a driver config object to stop, and also causes the current operation to be retained until things start up again, so there is no data loss. Thanks go to the IDM developers for having good ideas all around in terms of the event caching system.

I have incorporated a Global Configuration Variable/Value (GCV) to control the behavior so this can be trivially turned on and off while the object is stopped. It may also be important to note that the policy works whether or not the GCV exists; it only disables itself if the GCV is set to 'false'. There are a couple of reasons I did this:

    1. This is not a policy meant for production use, other than when new code is going into production. It does not make much sense to have a driver object that stops after one event all the time; the point is to limit the damage new code can do while it is being tested.

    2. This policy is meant for cases where running many events could be disastrous, so if something like a pesky GCV were forgotten, the system would otherwise run as if no policy were there to help, and cause a disaster.

    3. Humans are imperfect, and forget things like adding GCVs along with policies (yes, I should create a package in Designer; that will come next). As a result, forgetting the GCV is likely even when the policy itself has been added, so the policy must not depend on the GCV to avert a disaster.

With this policy in place, and the GCV set to something other than false, it detects the first event, lets things run, and then sets the status to fatal on the second event, letting the trace be limited in size, the potential damage of bad code limited in scope, and possibly causing endless frustration to anybody who cannot find this policy in the meantime.

Let me know what you think. I have included trace messages to make things clear, documenting both the first and second events detected, so hopefully this is very helpful for monitoring the progress of events flowing through.

The GCV XML follows:

<definition critical-change="true" display-name="Process One Subscriber Event Only" name="drv.sub-process-one-event-only" type="boolean">
  <description>Set this GCV, and have the appropriate policy in place on the Subscriber Event Transformation Policyset (first policy), in order to process just one event (on the Subscriber channel) before shutting down the driver config by generating a FATAL status event.</description>
  <value>true</value>
</definition>
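For readers who want to see the rule logic without opening the attachment, here is a DirXML-Script reconstruction of the two rules, written as an added illustration from the rule names, conditions, actions and variable names that appear in the trace further down; it is not the attached policy file itself. Note that both rules test the GCV with not-equal "false", which is why a missing GCV still leaves the policy active.

```xml
<policy>
  <rule>
    <description>Detect Second Event</description>
    <conditions>
      <and>
        <if-global-variable name="drv.sub-process-one-event-only" op="not-equal">false</if-global-variable>
        <if-local-variable mode="regex" name="run-one-object-dn" op="match">^.+$</if-local-variable>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="0">
        <arg-string>
          <token-text xml:space="preserve">Shutting down the driver config on the second event detected. First event information: </token-text>
          <token-local-variable name="run-one-object-dn"/>
          <token-text xml:space="preserve"> Second event information: </token-text>
          <token-operation/>
          <token-text xml:space="preserve"> for </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
      <!-- A fatal status stops the driver; the current event stays cached, so nothing is lost. -->
      <do-status level="fatal">
        <arg-string>
          <token-text xml:space="preserve">Second event detected when in run-one-event-only mode.</token-text>
        </arg-string>
      </do-status>
    </actions>
  </rule>
  <rule>
    <description>Detect First Event</description>
    <conditions>
      <and>
        <if-global-variable name="drv.sub-process-one-event-only" op="not-equal">false</if-global-variable>
        <if-local-variable mode="regex" name="run-one-object-dn" op="not-match">^.+$</if-local-variable>
        <if-operation mode="regex" op="match">^(add|delete|modify|modify-password|move|rename|sync|trigger)$</if-operation>
      </and>
    </conditions>
    <actions>
      <!-- Driver scope: the variable persists across events until the driver stops. -->
      <do-set-local-variable name="run-one-object-dn" scope="driver">
        <arg-string>
          <token-text xml:space="preserve">Setting driver-scoped local variable for </token-text>
          <token-operation/>
          <token-text xml:space="preserve"> on source object: </token-text>
          <token-src-dn/>
        </arg-string>
      </do-set-local-variable>
    </actions>
  </rule>
</policy>
```

Because the variable is driver-scoped, restarting the driver clears it, so the next start again processes exactly one event before stopping.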


To install to any driver configuration object, follow these steps:

    1. Import the attached XML into your Designer project; it can go into a policy Library, or directly into an affected driver configuration object. I would probably use a Library (if not using a packaged version) so that it can be shared intuitively across many driver objects.

    2. In Designer, go to the fishbone diagram to access the Subscriber channel's Event Transformation Policyset (ETP), or get there some other way and modify the ETP as you see fit.

    3. Add a new policy, and link it to the already-imported policy (whether under the Library, the driver object, or wherever).

    4. Add the new GCV code above, just to be complete.

    5. Deploy the new policy as well as the driver object(s) linking to it.

This is how it looks in trace. On the first Subscriber event the policy looks like this:


[02/13/18 08:10:31.815]:driver ST:Applying event transformation policies.
[02/13/18 08:10:31.816]:driver ST:Applying policy: % CCsub-process-one-event-only%-C.
[02/13/18 08:10:31.816]:driver ST: Applying to add #1.
[02/13/18 08:10:31.816]:driver ST: Evaluating selection criteria for rule 'Detect Second Event'.
[02/13/18 08:10:31.817]:driver ST: (if-global-variable 'drv.sub-process-one-event-only' not-equal "false") = TRUE.
[02/13/18 08:10:31.817]:driver ST: (if-local-variable 'run-one-object-dn' match "^.+$") = FALSE.
[02/13/18 08:10:31.818]:driver ST: Rule rejected.
[02/13/18 08:10:31.818]:driver ST: Evaluating selection criteria for rule 'Detect First Event'.
[02/13/18 08:10:31.818]:driver ST: (if-global-variable 'drv.sub-process-one-event-only' not-equal "false") = TRUE.
[02/13/18 08:10:31.819]:driver ST: (if-local-variable 'run-one-object-dn' not-match "^.+$") = TRUE.
[02/13/18 08:10:31.819]:driver ST: (if-operation match "^(add|delete|modify|modify-password|move|rename|sync|trigger)$") = TRUE.
[02/13/18 08:10:31.820]:driver ST: Rule selected.
[02/13/18 08:10:31.820]:driver ST: Applying rule 'Detect First Event'.
[02/13/18 08:10:31.820]:driver ST: Action: do-set-local-variable("run-one-object-dn",scope="driver","Setting driver-scoped local variable for " token-operation() " on source object: " token-src-dn()).
[02/13/18 08:10:31.821]:driver ST: arg-string("Setting driver-scoped local variable for " token-operation() " on source object: " token-src-dn())
[02/13/18 08:10:31.822]:driver ST: token-text("Setting driver-scoped local variable for ")
[02/13/18 08:10:31.822]:driver ST: token-operation()
[02/13/18 08:10:31.822]:driver ST: Token Value: "add".
[02/13/18 08:10:31.823]:driver ST: token-text(" on source object: ")
[02/13/18 08:10:31.823]:driver ST: token-src-dn()
[02/13/18 08:10:31.823]:driver ST: Token Value: "\IDV\org\data\users\students\test1".
[02/13/18 08:10:31.824]:driver ST: Arg Value: "Setting driver-scoped local variable for add on source object: \IDV\org\data\users\students\test1".
[02/13/18 08:10:31.824]:driver ST:Policy returned:
[02/13/18 08:10:31.825]:driver ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.6.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<add cached-time="20171030192609.538Z" class-name="User" event-id="JDBC#Publisher#1854134:cf74c665-a952-4c33-b626-da7c5bbfe143" qualified-src-dn="O=org\OU=data\OU=users\OU=students\CN=test1" src-dn="\IDV\org\data\users\students\test1" src-entry-id="347853" timestamp="1509391569#7">
<add-attr attr-name="Given Name">
<value timestamp="1509391569#3" type="string">Test1</value>
</add-attr>
<add-attr attr-name="Full Name">
<value timestamp="1509391569#4" type="string">Test1lname, Test1</value>
</add-attr>
<add-attr attr-name="Initials">
<value timestamp="1509391569#6" type="string">tt</value>
</add-attr>
<add-attr attr-name="Surname">
<value timestamp="1509391569#7" type="string">Test1lname</value>
</add-attr>
</add>
</input>
</nds>


On the second Subscriber event it looks like this:


[02/13/18 08:10:31.851]:driver ST:Applying event transformation policies.
[02/13/18 08:10:31.852]:driver ST:Applying policy: % CCsub-process-one-event-only%-C.
[02/13/18 08:10:31.852]:driver ST: Applying to modify #1.
[02/13/18 08:10:31.852]:driver ST: Evaluating selection criteria for rule 'Detect Second Event'.
[02/13/18 08:10:31.853]:driver ST: (if-global-variable 'drv.sub-process-one-event-only' not-equal "false") = TRUE.
[02/13/18 08:10:31.853]:driver ST: (if-local-variable 'run-one-object-dn' match "^.+$") = TRUE.
[02/13/18 08:10:31.854]:driver ST: Rule selected.
[02/13/18 08:10:31.854]:driver ST: Applying rule 'Detect Second Event'.
[02/13/18 08:10:31.854]:driver ST: Action: do-trace-message(level="0","Shutting down the driver config on the second event detected. First event information: " token-local-variable("run-one-object-dn") " Second event information: " token-operation() " for " token-src-dn()).
[02/13/18 08:10:31.855]:driver ST: arg-string("Shutting down the driver config on the second event detected. First event information: " token-local-variable("run-one-object-dn") " Second event information: " token-operation() " for " token-src-dn())
[02/13/18 08:10:31.856]:driver ST: token-text("Shutting down the driver config on the second event detected. First event information: ")
[02/13/18 08:10:31.857]:driver ST: token-local-variable("run-one-object-dn")
[02/13/18 08:10:31.857]:driver ST: Token Value: "Setting driver-scoped local variable for add on source object: \IDV\org\data\users\students\test2".
[02/13/18 08:10:31.858]:driver ST: token-text(" Second event information: ")
[02/13/18 08:10:31.858]:driver ST: token-operation()
[02/13/18 08:10:31.858]:driver ST: Token Value: "modify".
[02/13/18 08:10:31.859]:driver ST: token-text(" for ")
[02/13/18 08:10:31.859]:driver ST: token-src-dn()
[02/13/18 08:10:31.859]:driver ST: Token Value: "\IDV\org\data\users\students\test2".
[02/13/18 08:10:31.860]:driver ST: Arg Value: "Shutting down the driver config on the second event detected. First event information: Setting driver-scoped local variable for add on source object: \IDV\org\data\users\students\test2 Second event information: modify for \IDV\org\data\users\students\test2".
[02/13/18 08:10:31.861]:driver ST:Shutting down the driver config on the second event detected. First event information: Setting driver-scoped local variable for add on source object: \IDV\org\data\users\students\test1 Second event information: modify for \IDV\org\data\users\students\test2
[02/13/18 08:10:31.862]:driver ST: Action: do-status(level="fatal","Second event detected when in run-one-event-only mode.").
[02/13/18 08:10:31.863]:driver ST: arg-string("Second event detected when in run-one-event-only mode.")
[02/13/18 08:10:31.863]:driver ST: token-text("Second event detected when in run-one-event-only mode.")
[02/13/18 08:10:31.863]:driver ST: Arg Value: "Second event detected when in run-one-event-only mode.".
[02/13/18 08:10:31.864]:driver ST:
DirXML Log Event -------------------
Driver: \IDV\org\services\VaultDriverSet\driver
Channel: Subscriber
Status: Fatal
Message: Second event detected when in run-one-event-only mode.
[02/13/18 08:10:31.865]:driver ST:Password synchronization command status detected.
[02/13/18 08:10:31.867]:driver ST:Password synchronization event status recorded.
[02/13/18 08:10:31.868]:driver ST:
DirXML Log Event -------------------
Driver: \IDV\org\services\VaultDriverSet\driver
Channel: Subscriber
Status: Fatal
Message: Code(-9173) A policy issued a "fatal" status indicating that the driver should be shut down. Detail from policy: Second event detected when in run-one-event-only mode.


Happy computing!
