Read Resource Entitlement Values from User Application workflow

A lot of times NetIQ IDM developers need to define workflows where a user can assign permissions. With IDM, permissions are defined using entitlements and assigned via resources, when you follow RBAC. However in the real world sometimes you cannot map everything with a Role and some entitlements have to be assigned manually on a user. The only way you can do this from a workflow is to add them with a resource assignment bounded statically with a specific entitlement value (direct entitlement assignments are deprecated). This means that if you have 100 entitlement values, you will need 100 mapped resources.

One way to achieve this is making use of reconciliation services on IDM 4.0.2.

But what about using a unique resource without preassigning the entitlement value, specifying on the resource definition "Allow user to assign entitlement value(s) at resource request time"? With PRD widgets defined by NetIQ you will not be able to query the entitlement values and permit to a user to specify which value you want to assign.

With the steps described here you can achieve this result

First of all you have to activate Named Passwords on User Application (

  • In iManager, double click on the User Application driver.

  • Click on the Global Configuration Values tab.

  • Click on the Add button.

  • Fill out the definition, as described below:

  1. Specify allow-fetch-named-passwords as the name for the global configuration definition.

  • Specify Allow Named Password to be retrieved over LDAP as the display name.

  • Provide a description for the definition.

  • Specify boolean as the Type.

  • Click OK.

  • Set the value to true or false and click Apply.

  • Create a named password in your User Application driver.

  • Create a GCV of the type password-ref that points to the named password you want to be able to read.

  • In your workflow, use the function getValueForNamedPassword to retrieve the value of the named password, using the following syntax:


Pay attention: this will work only if your user application is configured to use SSL for Administrative connections, check it via

After this setup you can define the Workflow. Define this javascript on a pre activity mapping for an hidden field of your form:

function getEntitlementValues(resource){
var resourceService = new ResourceServiceImpl();
var service = resourceService.getIRemoteResourcePort();
service._setProperty(Stub.USERNAME_PROPERTY, GCV.get('UserappAccount'));
service._setProperty(Stub.PASSWORD_PROPERTY, GCV.getValueForNamedPassword('userapp-password-gcv'));
service._setProperty(Stub.SESSION_MAINTAIN_PROPERTY, java.lang.Boolean.TRUE);
var entitlementValues = new Array();
var resource = service.getResource(resource,null);
var resourceParameters = resource.getParameters();
var codeMapkey = null;
if (resourceParameters!=null)
for (var i=0; i<resourceParameters.length;i )
if (resourceParameters[i].getKey().equals("EntitlementParamKey"))
codeMapkey = resourceParameters[i].getCodemapKey();

if (codeMapkey!=null){
codeMap = service.getCodeMapValues(codeMapkey, null);
if (codeMap!=null){
for (var i=0; i<codeMap.length;i ) entitlementValues.push(codeMap[i].getParamValue());
return java.util.Arrays.asList(entitlementValues).toString();


When you are going to define the form, add on your visible field where you want to show the entitlement values this onload() event


this will prefetch your list with the entitlement values

This code was tested on IDM 4.0.2, User Application Build Revision 38382


How To-Best Practice
Comment List
  • We tested it on IDM 4.5.2 and there is a fix to do in order to keep this source code

    you have to replace

    codeMap = service.getCodeMapValues(codeMapkey, null);


    codeMap = service.getCodeMapValues(codeMapkey, null);
    catch (e){
    codeMap = service.getCodeMapValues(codeMapkey, null, null, null, null);
  • Up to how many CodeMap Values will such a form work well?
  • in reply to MigrationDeletedUser
    A limited number, because of two factors:

    1 - If you have a lot of values, the query will take a long time to resolve

    2 - The solution merges all the values on a long text line with this line of code java.util.Arrays.asList(entitlementValues).toString();

    About the point 1, if this code is used on an approval acticity it would not be a problem waiting for the result. Instead if you have to start the activity, it could be annoying waiting for the query result. Said that, you would wait the same time required by a full search during an "Assign Resource" done via User Application.

    For what concerns point 2, maybe you can fix the code passing the values directly on an ArrayList of DOM Elements. I don't think it will work because in the Pre-Activity Data Mapping, Netiq allows only String Data Type.

    However used in a limited subset of choices, it works well for us