This has now happened to me several times, but I am told no one else has reported this problem. But if I can screw it up this badly, then no doubt someone else out there has done so just as badly.
If you are using later Designer and IDM Apps versions (the 4.7/4.8 families), you may have run into a strange problem.
My colleague noticed this issue when he tried to use the Create Role token, and the DN was all wonky when it failed. He could see that it was trying to create the nrfRole object at the root of the User App driver, instead of inside the AppConfig, inside the RoleConfig, inside the RoleDefs, inside a level10/20/30 container.
What we noticed is that under the cn=RoleConfig object, there is a cn=configuration object. Or there should be. I noticed in a system where this happened, my Designer was missing a Role Configuration object.
In the example above, you can see the User App in the Provisioning view (bottom left corner of Designer) as the first instance, and it is missing the Role Configuration object.
I made a new ID Vault in my project, connected to the system and simply imported the UA driver and said no to the Role Catalog when asked.
When I compare the driver, I get the cn=configuration object showing the correct values.
The key is the box I highlighted. The nrfRoleLevels is a multivalued, Path syntax attribute. The DN component (Volume) is the cn=Level10 or 20 or 30 with the rest of the DN all the way to the root of the tree.
But it seems that if it is blank when you deploy, it gets created with just the UA driver DN.
The integer (nameSpace) component holds a value whose meaning I am not sure of, and the Path component (path) holds XML that describes the name of the level (Permission/Technical/Business) in the various supported languages.
But basically all the DN data that Designer tries to push out is bad (absent or wrong) in this case.
The fix is pretty simple, so long as you catch it before you deploy the 4.7/4.8 UA Base driver packages as part of your upgrade. Compare the configuration and update Designer with this info, then the package update you deploy will work.
If it is too late, and you already overwrote it, go find a working system, or ask someone in the Community to provide one, and you can LDIF the values in (changed for your environment).
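A pre-deployment check for the comparison described above, as an added example that is not part of the original post: it reads an LDIF export of the cn=configuration object and flags any nrfRoleLevels value whose DN component is blank, is the bare UA driver DN, or is not a LevelNN container under RoleDefs. The `#`-separated rendering of the Path value, the `cn=` naming of the containers and the sample DNs are assumptions; the sample data is constructed.

```python
import base64
import re

# Assumption: container names and cn= naming follow the nesting the post describes.
ROLEDEFS = "cn=RoleDefs,cn=RoleConfig,cn=AppConfig"

def norm(dn):
    """Lower-case a DN and drop whitespace around RDN separators."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def read_values(ldif_text, attr="nrfRoleLevels"):
    """Return decoded values of attr, handling folded and base64 LDIF lines."""
    values = []
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.lower() == attr.lower():
            if rest.startswith(":"):  # "attr:: <base64>"
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            values.append(rest.strip())
    return values

def volume_of(value):
    """Pick the DN field from a '#'-separated Path value (order detected)."""
    first, second = (value.split("#", 2) + [""])[:2]
    return second if first.strip().isdigit() else first

def check_role_levels(ldif_text, driver_dn):
    """Return (volume, problem) pairs for every suspect nrfRoleLevels value."""
    good = re.compile(r"cn=level\d+," + re.escape(norm(f"{ROLEDEFS},{driver_dn}")))
    values = read_values(ldif_text)
    problems = [] if values else [("", "attribute has no values")]
    for value in values:
        dn = norm(volume_of(value))
        if not dn:
            problems.append((dn, "volume DN is blank"))
        elif dn == norm(driver_dn):
            problems.append((dn, "volume DN is the bare UA driver DN"))
        elif not good.fullmatch(dn):
            problems.append((dn, "not a LevelNN container under RoleDefs"))
    return problems

# Constructed sample: one healthy value, one showing the symptom from the post.
DRIVER = "cn=UserApplication,cn=DriverSet,o=system"
SAMPLE = (f"dn: cn=configuration,cn=RoleConfig,cn=AppConfig,{DRIVER}\n"
          f"nrfRoleLevels: 0#cn=Level10,{ROLEDEFS},{DRIVER}#<names/>\n"
          f"nrfRoleLevels: 0#{DRIVER}#<names/>\n")

if __name__ == "__main__":
    for dn, problem in check_role_levels(SAMPLE, DRIVER):
        print(f"{problem}: {dn or '(empty)'}")
```

An empty result means every exported level points at a LevelNN container under RoleDefs; run it against the Designer side and the live side before deploying the package update.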
I would be very interested to hear if anyone else has seen this happen to them or if it is just me.