A lot of times NetIQ IDM developers need to define workflows where a user can assign permissions. With IDM, permissions are defined using entitlements and assigned via resources, when you follow RBAC. However in the real world sometimes you cannot map everything with a Role and some entitlements have to be assigned manually on a user. The only way you can do this from a workflow is to add them with a resource assignment bounded statically with a specific entitlement value (direct entitlement assignments are deprecated). This means that if you have 100 entitlement values, you will need 100 mapped resources.

One way to achieve this is making use of reconciliation services on IDM 4.0.2.

But what about using a unique resource without preassigning the entitlement value, specifying on the resource definition "Allow user to assign entitlement value(s) at resource request time"? With PRD widgets defined by NetIQ you will not be able to query the entitlement values and permit to a user to specify which value you want to assign.

With the steps described here you can achieve this result

First of all you have to activate Named Passwords on User Application (https://www.netiq.com/documentation/idm402/agpro/data/bu5sikg.html)

• In iManager, double click on the User Application driver.

• Click on the Global Configuration Values tab.

• Click on the Add button.

• Fill out the definition, as described below:

1. Specify allow-fetch-named-passwords as the name for the global configuration definition.

• Specify Allow Named Password to be retrieved over LDAP as the display name.

• Provide a description for the definition.

• Specify boolean as the Type.

• Click OK.

• Set the value to true or false and click Apply.

• Create a named password in your User Application driver.

• Create a GCV of the type password-ref that points to the named password you want to be able to read.

• In your workflow, use the function getValueForNamedPassword to retrieve the value of the named password, using the following syntax:

GCV.getValueForNamedPassword('PasswordRefGCV')

Pay attention: this will work only if your user application is configured to use SSL for Administrative connections, check it via configupdate.sh

After this setup you can define the Workflow. Define this javascript on a pre activity mapping for an hidden field of your form:

function getEntitlementValues(resource){
	var resourceService = new ResourceServiceImpl(); 
	var service = resourceService.getIRemoteResourcePort(); 
	service._setProperty(Stub.USERNAME_PROPERTY, GCV.get('UserappAccount'));
	service._setProperty(Stub.PASSWORD_PROPERTY, GCV.getValueForNamedPassword('userapp-password-gcv'));
	service._setProperty(Stub.ENDPOINT_ADDRESS_PROPERTY,"http://userappURL:8180/IDMprov/resource/service");
	service._setProperty(Stub.SESSION_MAINTAIN_PROPERTY, java.lang.Boolean.TRUE);
	var entitlementValues = new Array();
	var resource = service.getResource(resource,null);
	var resourceParameters = resource.getParameters();
	var codeMapkey = null;
	if (resourceParameters!=null)
	{
	for (var i=0; i<resourceParameters.length;i  )
		{
		if (resourceParameters[i].getKey().equals("EntitlementParamKey"))
			codeMapkey = resourceParameters[i].getCodemapKey();
		}
	}

	if (codeMapkey!=null){
		codeMap = service.getCodeMapValues(codeMapkey, null);
		if (codeMap!=null){ 
			for (var i=0; i<codeMap.length;i  ) entitlementValues.push(codeMap[i].getParamValue());
		}
	}
	return java.util.Arrays.asList(entitlementValues).toString();
} 

getEntitlementValues("cn=resourceCN,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=Driverset,o=system")

When you are going to define the form, add on your visible field where you want to show the entitlement values this onload() event

field.setValues(form.getValue("HiddenField").substring(1,form.getValue("HiddenField").length-1).split(","));

this will prefetch your list with the entitlement values

This code was tested on IDM 4.0.2, User Application Build Revision 38382