fp_idmworks Super Contributor.

eDirectory LDAP fulfillment -- calling for example /use case

When I turn on all of the logging for workflows in tomcat/conf I see the error:

Unexpected error while provisioning changeItem id: 5. Reason: Item 'REMOVE_PERMISSION_ASSIGNMENT' does not contain all required provisioning attributes (permProvAttr, permProvId, accountProvId).
However, when I export the eDir LDAP fulfillment json I don't see these attributes and not sure how to configure to add them in. Any ideas?
{"targetId":13,"name":"eDirectory LDAP Fulfillment","displayName":"eDirectory LDAP Fulfillment","description":"eDirectory LDAP Service Fulfillment template","isDefault":false,"isSystem":false,"type":"CUSTOM","typeDisplayName":"eDirectory LDAP","isManual":false,"isIdmWorkflow":false,"isIdmAuto":false,"dataCollectors":{"arraySize":1,"collectors":[{"collectorId":19,"name":"eDirectory LDAP Fulfillment","collectorType":"FULFILLMENT","templateId":72,"templateUniqueId":"EDirLdapFulfillmentTemplate","templateVersion":"3.0.0","configuration":"{\"service-identifier\":\"EDirLdapFulfillmentTemplate-13-19-27229a65d1ac488e9fdcfeed76149d81\",\"collectorType\":\"FULFILLMENT\",\"class\":\"com.netiq.daas.fulfillment.ldapservice.LDAPFulfillment\",\"allow-connection-test\":true,\"change_request_types\":[\"REMOVE_PERMISSION_ASSIGNMENT\",\"ADD_PERMISSION_TO_USER\",\"REMOVE_ACCOUNT\",\"ADD_APPLICATION_TO_USER\",\"REMOVE_ACCOUNT_PERMISSION\"],\"version\":\"3.0.0\",\"service-parms\":[{\"name\":\"server\",\"display-name\":\"Host\",\"description\":\"IP or DNS address of eDirectory server\",\"data-type\":\"string\",\"required\":true,\"value\":\"10.0.2.5\"},{\"name\":\"port\",\"display-name\":\"Port\",\"description\":\"LDAP Service Port Number\",\"data-type\":\"numeric\",\"default-value\":389,\"required\":true,\"value\":\"636\"},{\"name\":\"user\",\"display-name\":\"User Name\",\"description\":\"User name used to connect to eDirectory Server\",\"data-type\":\"string\",\"required\":true,\"credential-type\":\"user\",\"credential-position\":0,\"value\":\"cn=admin,ou=sa,o=system\"},{\"name\":\"password\",\"display-name\":\"Password\",\"description\":\"Password\",\"data-type\":\"password\",\"required\":true,\"credential-type\":\"password\",\"credential-position\":0,\"value\":\"$$$$\"},{\"name\":\"security-certificate\",\"display-name\":\"Server Certificate\",\"description\":\"Base-64 encoded certificate from target eDirectory Server\",\"data-type\":\"string\",\"certificate-parm\":true,\"conn-parms\":\"[\\\"server\\\",\\\"port\\\"]\",\"required\":false,\"default-value\":\"\",\"value\":\"MIIGjzCCBXegAwIBAgIUAxXz9s6r2usExElkSXT\\/06u58S8wDQYJKoZIhvcNAQELBQAwLzEaMBgGA1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExETAPBgNVBAoTCElEVi1UUkVFMB4XDTE4MTEyMzE1Mzc1NFoXDTIwMTEyMjE1Mzc1NFowIjERMA8GA1UEChMISURWLVRSRUUxDTALBgNVBAMTBElEVjEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJpndP8WK6MKMTk79jt+QgLq+z283J8HSDHjQvwjwulPTdD8MBY0mjCJwJLwg4JAX1rPDwsULUwmjFa1zfrFwWgIl18nRCAguLX9pzmRbGqC4BrCS9pvjjJRxQ0hDj0OQmRdh3g6xluJSaNhfA2QWpEKSfdL0Sj8Q4drmS3YsF5w9n84lL9bPAnEEQQS7Y52GtC\\/bGz20MlpXxEXTQ8PK2iy1C\\/HCQJS4T35\\/lBF\\/03hoh6R1H7wCPl4SwCCihP+ggKSP4ufSPpEMy5SCsZyM8J\\/evaDvmXV9wlLr2f21aG+Jvw2a0GwL5qJaA0kX6\\/6snmDuoCINp3wm1DUIx8SYZAgMBAAGjggOuMIIDqjAdBgNVHQ4EFgQUISa+ZSKtTZ2bIIZyNaHKUm9l8xgwHwYDVR0jBBgwFoAUYiNa2nM3uQM71gI5X\\/2HdtQVxeowDwYDVR0RBAgwBocECgACBTALBgNVHQ8EBAMCBaAwggHMBgtghkgBhvg3AQkEAQSCAbswggG3BAIBAAEB\\/xMdTm92ZWxsIFNlY3VyaXR5IEF0dHJpYnV0ZSh0bSkWQ2h0dHA6Ly9kZXZlbG9wZXIubm92ZWxsLmNvbS9yZXBvc2l0b3J5L2F0dHJpYnV0ZXMvY2VydGF0dHJzX3YxMC5odG0wggFIoBoBAQAwCDAGAgEBAgFGMAgwBgIBAQIBCgIBaaEaAQEAMAgwBgIBAQIBADAIMAYCAQECAQACAQCiBgIBFwEB\\/6OCAQSgWAIBAgICAP8CAQADDQCAAAAAAAAAAAAAAAADCQCAAAAAAAAAADAYMBACAQACCH\\/\\/\\/\\/\\/\\/\\/\\/\\/\\/AQEAAgQG8N9IMBgwEAIBAAIIf\\/\\/\\/\\/\\/\\/\\/\\/\\/8BAQACBAbw30ihWAIBAgICAP8CAQADDQBAAAAAAAAAAAAAAAADCQBAAAAAAAAAADAYMBACAQACCH\\/\\/\\/\\/\\/\\/\\/\\/\\/\\/AQEAAgQR\\/66BMBgwEAIBAAIIf\\/\\/\\/\\/\\/\\/\\/\\/\\/8BAQACBBH\\/roGiTjBMAgECAgEAAgIA\\/wMNAIAAAAAAAAAAAAAAAAMJAIAAAAAAAAAAMBIwEAIBAAIIf\\/\\/\\/\\/\\/\\/\\/\\/\\/8BAQAwEjAQAgEAAgh\\/\\/\\/\\/\\/\\/\\/\\/\\/\\/wEBADCCAXgGA1UdHwSCAW8wggFrMCagJKAihiBodHRwOi8vMTAuMC4yLjU6ODAyOC9jcmwvb25lLmNybDBaoFigVoZUbGRhcDovLzEwLjAuMi41OjM4OS9DTj1PbmUsQ049T25lJTIwLSUyMENvbmZpZ3VyYXRpb24sQ049Q1JMJTIwQ29udGFpbmVyLENOPVNlY3VyaXR5MCegJaAjhiFodHRwczovLzEwLjAuMi41OjgwMzAvY3JsL29uZS5jcmwwW6BZoFeGVWxkYXBzOi8vMTAuMC4yLjU6NjM2L0NOPU9uZSxDTj1PbmUlMjAtJTIwQ29uZmlndXJhdGlvbixDTj1DUkwlMjBDb250YWluZXIsQ049U2VjdXJpdHkwX6BdoFukWTBXMQwwCgYDVQQDEwNPbmUxHDAaBgNVBAMTE09uZSAtIENvbmZpZ3VyYXRpb24xFjAUBgNVBAMTDUNSTCBDb250YWluZXIxETAPBgNVBAMTCFNlY3VyaXR5MA0GCSqGSIb3DQEBCwUAA4IBAQBhGxN3CkMc2QyZ25M+cNfmXzsNKQpMkQGo0Y\\/HWsLJiMp41CwRe8xDye+XhQLe6XcRqg30wVoocEC2JvzwFQMcksbTQZk7SLECFNirTij4jGbkHep\\/Bv790yrAul3WpqVRNiMaFT8QsPLU3ebYS6Hwmh7cNJHImhXPJeOc8t\\/iQocpSaeh7vDa6TUoJOSnWY2QPxEUmAcWCGwwsIBLbKdsNC+jv5UMZCmmkOmMmQVDsLccd+RjuROJ7kGrjkB2IsQBzYTbcB7txkC9xvs0\\/8rQ8HZqNb7wketc\\/LJmSddeLU4I7\\/R8AqHPCdEfg3xvKMSH6Da3OZyvsNyZrsdqGkoQ\",\"certificateLoading\":false},{\"name\":\"reciprocal-attrs\",\"display-name\":\"Set reciprocal attributes?\",\"description\":\"Select 'Yes' to set User and Group security attributes. Select 'No' to only set LDAP membership\",\"data-type\":\"string\",\"default-value\":1,\"required\":false,\"options\":[{\"value\":1,\"display-name\":\"Yes\"},{\"value\":0,\"display-name\":\"No\"}],\"selectedValue\":{\"value\":1,\"display-name\":\"Yes\"},\"value\":1},{\"name\":\"server-type\",\"display-name\":\"Server Type\",\"description\":\"Type of LDAP Server\",\"data-type\":\"string\",\"default-value\":\"EDIR\",\"required\":true,\"hidden\":true,\"value\":\"EDIR\"}],\"ecma-scripts\":[{\"name\":\"userProfile\",\"display-name\":\"Generated script for \\\"userProfile\\\" mapping\",\"description\":\"Generated script for \\\"userProfile\\\" mapping\",\"script\":\"\\/\\/ The following script is a sample Account creation payload generator.\\n\\/\\/ It utilizes firstName, lastName, title, and workforceId attributes.\\n\\/\\/ These must be configured as 'Recipient' Fulfillment Context Attributes.\\n\\/\\/ For eDirectory, the mandatory attributes that must be generated are 'cn' and\\n\\/\\/ 'sn'.\\n\\n\\/\\/ inputValue is string, we need to parse it to convert it into a javascript object\\n\\/\\/ If Recipient context attributes are not configured, it will be an empty string\\nif (inputValue === null || inputValue.length === 0) {\\n\\toutputValue = '';\\n} else {\\n\\tvar userProfileParsed = JSON.parse(inputValue);\\n\\tvar firstName = userProfileParsed.firstName ? userProfileParsed.firstName : '';\\n\\tvar lastName = userProfileParsed.lastName ? userProfileParsed.lastName : '';\\n\\tvar title = userProfileParsed.jobTitle ? userProfileParsed.jobTitle : '';\\n\\tvar workforceId = userProfileParsed.workforceId ? userProfileParsed.workforceId : '';\\n\\tvar targetDn = 'ou=Users,o=Test';\\n\\n\\tvar outObj = {};\\n\\tvar cn = firstName.substring(0,1) + lastName;\\n\\toutObj.cn = cn.toLowerCase();\\n\\n\\toutObj.fullName = firstName + ' ' + lastName;\\n\\toutObj.givenName = firstName;\\n\\toutObj.sn = lastName;\\n\\toutObj.title = title;\\n\\toutObj.workforceID = workforceId;\\n\\toutObj.targetContainer = targetDn;\\n\\n\\t\\/\\/ Passwords can only be set when using SSL connection!\\n\\t\\/\\/ Uncomment and modify the following line to set password for new accounts.\\n\\toutObj.password = 'Password123!';\\n\\n\\t\\/\\/ enable debug by uncommenting lines below\\n\\n\\t\\/\\/var logger = org.slf4j.LoggerFactory.getLogger(\\\"debug\\\");\\n\\t\\/\\/logger.info(\\\"**********\\\");\\n\\t\\/\\/logger.info(\\\"inputValue is: \\\" + JSON.stringify(inputValue));\\n\\t\\/\\/logger.info(\\\"outputValue is: \\\" + JSON.stringify(outObj));\\n\\t\\/\\/logger.info(\\\"**********\\\");\\n\\n\\toutputValue = JSON.stringify(outObj);\\n}\"}],\"views\":[{\"name\":\"fulfillment-configuration\",\"display-name\":\"Fulfillment Item configuration and mapping\",\"output-transforms\":[{\"app-name\":\"userProfile\",\"script-name\":\"userProfile\"}],\"input-transforms\":[],\"schema-map-filter\":{\"generic-map\":[{\"view-name\":\"comment\",\"required\":true,\"app-name\":\"comment\"},{\"view-name\":\"fulfillmentId\",\"required\":true,\"app-name\":\"fulfillmentId\"}],\"fulfillment-parms\":[{\"display-name\":\"Fulfillment payload\",\"description\":\"Fulfillment payload\",\"data-type\":\"string\",\"app-name\":\"provPayload\",\"hidden\":true,\"required\":true,\"view-name\":\"FULL_PAYLOAD\"},{\"display-name\":\"Account creation payload\",\"description\":\"User Profile attributes used for creating new accounts. Account provisioning prohibited if left blank\",\"data-type\":\"string\",\"app-name\":\"userProfile\",\"required\":false,\"view-name\":\"userProfile\"}]},\"inputMapErrorMsg\":\"\"}],\"supportedChangeItems\":{\"REMOVE_PERMISSION_ASSIGNMENT\":true,\"ADD_PERMISSION_TO_USER\":false,\"REMOVE_ACCOUNT\":true,\"ADD_APPLICATION_TO_USER\":false,\"REMOVE_ACCOUNT_PERMISSION\":true}}","version":"1.0","link":"/api/dcs/collectors/19","linkStatus":"/api/dcs/collectors/19/status","linkSchedules":"/api/dcs/collectors/19/schedules","lastUpdateTime":1554142972940}]}}
20 Replies
fp_idmworks Super Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

So this is a single-line json file. I don't recommend posting your json as it has too much config information. This is from my lab.

Not only is it painful to read, but once I find out how to add the required parameters, I don't know how to begin to transform the data. Will I be able to use Nashorn?
Micro Focus Expert

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 4/4/19 10:56 AM, fp IDMWORKS wrote:
>
> So this is a single line json file. I don't recommend posting in your
> json as it has too much config information. This is from my lab.
>
> Not only is it painful to read, once I find out how to fix to add the
> required parameters, I don't know how to begin to attempt to transform
> the data. Will I be able to use Nashorn?
>
>

Greetings,
You cannot compare Workflow Fulfillment to eDirectory Fulfillment.
They have different requirements and call-backs.

Please be aware that with 3.5 in the Fulfillment Configuration ->
Workflow we have included an example there that you can download and
import into your IDM Designer.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
fp_idmworks Super Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

So when I turned on the wf logging, I was presuming, because I received an error message that stated there were missing values, that it was for the eDirectory LDAP fulfillment. But that was under a different code path where the Identity Governance driver would be used.

So we aren't using the Identity Governance driver yet, as the customer is still on 4.6.

So I need a better understanding of how the eDirectory LDAP fulfillment works and its use case. What is the best way to log activity with the eDirectory LDAP fulfillment target?
Knowledge Partner

Re: eDirectory LDAP fulfillment -- calling for example /use

Hmm,

I get exactly the same error when using the AD automatic fulfillment.

So.
How should we configure them?
Micro Focus Expert

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 4/10/19 5:34 PM, joakim ganse wrote:
>
> Hmm,
>
> I get exactly the same error when using the AD automatic fulfillment.
>
> So.
> How should we configure them?
>
>

Greetings Joakim,
The AD Fulfillment works correctly for me when removing/granting a
Permission in AD in the following cases:

1) Removal of a permission via a Review

2) Adding a permission via Access Request

3) Adding a permission via a Business Role

4) Removal of a permission via a Business Role

I do believe that you have a Service Request open with Support and we
will continue to work this from there.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Micro Focus Expert

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 4/4/19 11:26 AM, fp IDMWORKS wrote:
>
> So when I turned on the wf logging, I was presuming that because I
> received an error message that stated there were missing values; I
> assumed it was for the eDirectory LDAP fulfillment. But that was under a
> different code path where the Identity Governance driver would be used.
>
> So we aren't using the Identity Governance driver yet, as they the
> customer is on 4.6 still.
>
> So I need a better understanding of what the eDirectory LDAP fulfillment
> works / use case. How is the best way to log activity with the
> eDirectory LDAP fulfillment target?
>
>

Greetings Fred,
The eDir Fulfillment works correctly for me when
removing/granting a Permission in eDir in the following cases:

1) Removal of a permission via a Review

2) Adding a permission via Access Request

3) Adding a permission via a Business Role

4) Removal of a permission via a Business Role
--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Micro Focus Expert

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 4/23/19 11:04 AM, Steven Williams wrote:
> On 4/4/19 11:26 AM, fp IDMWORKS wrote:
>>
>> So when I turned on the wf logging, I was presuming that because I
>> received an error message that stated there were missing values; I
>> assumed it was for the eDirectory LDAP fulfillment. But that was under a
>> different code path where the Identity Governance driver would be used.
>>
>> So we aren't using the Identity Governance driver yet, as they the
>> customer is on 4.6 still.
>>
>> So I need a better understanding of what the eDirectory LDAP fulfillment
>> works / use case. How is the best way to log activity with the
>> eDirectory LDAP fulfillment target?
>>
>>

> Greetings Fred,
>       The eDir Fulfillment works correctly for me with
> removing/granting a Permission in eDir in the following cases:
>
> 1) Removal of a permission via a Review
>
> 2) Adding a permission via Access Request
>
> 3) Adding a permission via a Business Role
>
> 4) Removal of a permission via a Business Role
>
>
>

Greetings,
In regard to receiving

"
Unexpected error while provisioning changeItem id: %value%. Reason: Item
'%Remove or add%_PERMISSION_ASSIGNMENT' does not contain all required
provisioning attributes (permProvAttr, permProvId, accountProvId).
"

This typically happens because you do not have the account information.
--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
sma2006 Outstanding Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

Hi,

I'm also trying to set up the AD LDAP fulfillment and get the error: Item 'REMOVE_PERMISSION_ASSIGNMENT' does not contain all required provisioning attributes (permProvAttr, permProvId, accountProvId).
Fix Retry Terminate

Does anyone have some information on how to configure it?

Thanks

Sylvain
Micro Focus Expert

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 5/14/19 5:24 AM, sma wrote:
>
> Hi,
>
> I'm also trying to setup the AD Ldap fulfillment and get the error :
> Item 'REMOVE_PERMISSION_ASSIGNMENT' does not contain all required
> provisioning attributes (permProvAttr, permProvId, accountProvId).
> Fix Retry Terminate
>
>
> Does anyone have some information on how to configure it?
>
> Thanks
>
> Sylvain
>
>

Greetings,
In your AD Application Collector, do you have both an AD Permission
Collector and an AD Account collector? So that the flow goes:

AD Permission -> AD Account -> Identity in the Catalog?

As I outlined on 23 April, the error seen for Removing or Adding a
permission with the eDir or AD fulfillment happens because the Account
is not known. The Account has to be known. Therefore, within the eDir
or AD Application Collector you must have the AD/eDir permission
collector and the AD/eDir Account collector, and the mapping for the
Holder of the permission goes to the Account. The Account will then
(when possible; when not, that makes it an unmapped account) go to an
Identity.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: eDirectory LDAP fulfillment -- calling for example /use case

>> I'm also trying to setup the AD Ldap fulfillment and get the error :
>> Item 'REMOVE_PERMISSION_ASSIGNMENT' does not contain all required
>> provisioning attributes (permProvAttr, permProvId, accountProvId).
>> Fix Retry Terminate
>>

> Greetings,
>    In your AD Application Collector, do you have both an AD permission
> Collector and an AD Account collector?   So that the flow goes:
>
> AD Permission -> AD Account  -> Identity in the Catalog?
>
>
> As I outlined in 23-April the error seen for Removing or Adding a
> permission with the eDir or AD fulfillment happens because the Account
> is not known.   The Account has to be known.  Therefore, within the eDir
> or AD Application Collector you must have the AD/eDir permission
> collector and the AD/eDir Account collector  and the mapping for the
> Holder of the permission goes to the Account.  The Account will then
> (when possible and when not that makes it an unmapped account) go to an
> Identity


I ran into the issue Steve is describing, which once you see it makes
sense and seems obvious, but not until you see it. (I missed figuring
this out from reading the docs, personally, it is probably in there, but
I did not see the significance of it).

So you collect Identities. Cool.

Then you collect an Account. When you collect an account you define a
service connector (AD, eDir, CSV, etc).

Then you start with the Account info. But you can add another
'collector thingy' at the level of Account, this time for Permissions.

When you collect two things in one collector, you tie them together.
This is the step Steve is suggesting maybe you did not do?

Perhaps you are using 2 collectors, one to get Groups, one to get
Accounts. They are both tied to the Identity, since you have the
attribute set that links them, however, the Group and Account User are
not actually linked together.

sma2006 Outstanding Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

stevewdj;2499754 wrote:
On 5/14/19 5:24 AM, sma wrote:
>
> Hi,
>
> I'm also trying to setup the AD Ldap fulfillment and get the error :
> Item 'REMOVE_PERMISSION_ASSIGNMENT' does not contain all required
> provisioning attributes (permProvAttr, permProvId, accountProvId).
> Fix Retry Terminate
>
>
> Does anyone as some information how to configure ?
>
> Thanks
>
> Sylvain
>
>

Greetings,
In your AD Application Collector, do you have both an AD permission
Collector and an AD Account collector? So that the flow goes:

AD Permission -> AD Account -> Identity in the Catalog?


As I outlined in 23-April the error seen for Removing or Adding a
permission with the eDir or AD fulfillment happens because the Account
is not known. The Account has to be known. Therefore, within the eDir
or AD Application Collector you must have the AD/eDir permission
collector and the AD/eDir Account collector and the mapping for the
Holder of the permission goes to the Account. The Account will then
(when possible and when not that makes it an unmapped account) go to an
Identity



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus


Hi,

No, I don't have the account collector, as the AD directory is the Identity source.

Yes, it makes sense that the account is required and I will run some tests with the account.

BTW, I find it a bit redundant to also collect accounts from AD if it is the Identity source; do you have any suggestion about that?

Thanks.

Sylvain
Micro Focus Expert

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 5/15/19 7:24 AM, sma wrote:
>
> stevewdj;2499754 Wrote:
>> On 5/14/19 5:24 AM, sma wrote:
>>>
>>> Hi,
>>>
>>> I'm also trying to setup the AD Ldap fulfillment and get the error :
>>> Item 'REMOVE_PERMISSION_ASSIGNMENT' does not contain all required
>>> provisioning attributes (permProvAttr, permProvId, accountProvId).
>>> Fix Retry Terminate
>>>
>>>
>>> Does anyone as some information how to configure ?
>>>
>>> Thanks
>>>
>>> Sylvain
>>>
>>>

>> Greetings,
>> In your AD Application Collector, do you have both an AD permission
>> Collector and an AD Account collector? So that the flow goes:
>>
>> AD Permission -> AD Account -> Identity in the Catalog?
>>
>>
>> As I outlined in 23-April the error seen for Removing or Adding a
>> permission with the eDir or AD fulfillment happens because the Account
>> is not known. The Account has to be known. Therefore, within the
>> eDir
>> or AD Application Collector you must have the AD/eDir permission
>> collector and the AD/eDir Account collector and the mapping for the
>> Holder of the permission goes to the Account. The Account will then
>> (when possible and when not that makes it an unmapped account) go to an
>> Identity
>>
>>
>>
>> --
>> Sincerely,
>> Steven Williams
>> Principal Enterprise Architect
>> Micro Focus

>
> Hi,
>
> No I don't have the account collector as the AD directory is the
> Identity source.
>
> Yes, it makes sense that the account is required and I will make some
> tries with the account.
>
> BTW, I found it a bit redundant to get also account from AD, if this is the
> Identity source, do you have any suggestion about that ?
>
>
> Thanks.
>
> Sylvain
>
>

Greetings,
That is the requirement for ID Gov 3.5.x and 3.0.x. For the next
release we are looking into a possible change.

If you collect accounts it does allow you to run the Mapped and Unmapped
account reviews. Now, in your case if you collect your IDs and Accounts
from the same level in the ldap source then you would have all mapped
accounts. But, if you have special accounts that have permissions that
are not where your IDs are then it would allow you to review them and
the rights they have.


--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
sma2006 Outstanding Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

Hi,

Now I have set up both the account and permission collectors in the application, and all Identities are mapped with the Application accounts.

All permissions (AD groups) are collected and everything looks ok, but the LDAP fulfillment still gives the same error:

Comment: Item 'ADD_PERMISSION_TO_USER' does not contain all required provisioning attributes (permProvAttr, permProvId, accountProvId).

I cannot find where to define the missing mapping for those attributes.

Any idea?

Thanks

Sylvain
Knowledge Partner

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 5/21/2019 8:24 AM, sma wrote:
>
> Hi,
>
> Now I setup both the account and permission collectors in the
> application and all Identities are mapped with the Application accounts.
>
> All permissions (AD groups) are collected and everything looks ok, but
> the LDAP fulfillment still gives the same error :
>
> Comment: Item 'ADD_PERMISSION_TO_USER' does not contain all required
> provisioning attributes (permProvAttr, permProvId, accountProvId).
>
> I do not find where to find the missing mapping for those attributes.


So in trying to figure out how this all works, it looks like the
Fulfillment actions are supposed to generate a set of attributes that
are passed to the Fulfillment class. Each of the various defined
actions needs different info.

So to Add a permission, you need the permProvAttr, which should be Member
for a Group: the attribute to which to add the permission.

Now when you collect the Group/Permission in your Account collector,
you added a Permission collector right?

Then inside there, there are 4 subsections.
First is the permission itself - find the set of permissions, so here
you define the Group as the class, and so on.

You should probably have defined Member as the Permission Account or
User mapping, which should be set to Account ID from Source. (This one
confused me as it did you, as I set up 2 standalone Account collectors,
one for users, one for groups, and I could not get the Permission to
link to the Account. Identity yes, account no. Answer was, you have to do
both in one collector. Docs could be MUCH clearer on this issue).

Then there is a Target Attribute for Provisioning, still in the Group,
which in the schema is named provAttribute and I have "member" as a
static value (Note the quotes).

So in theory, if you have all this data in the catalog, when you review a
user and say add or remove a permission (or access request a permission)
via fulfillment, it should be able to pass in the data to enact it.
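
The catalog linkage Steve describes (Permission -> Account -> Identity) and the three attributes Geoffrey walks through are easy to see with a small model. The following is an added example, not Identity Governance code; the catalog shape, the function names (makeApplication, buildChangeItem, validateChangeItem) and the sample DNs are assumptions made for illustration.

```javascript
// Added example (not Identity Governance code): a toy model of what the
// eDir/AD LDAP fulfillment needs from the catalog before it can build a
// permission change item. The catalog shape, function names and DNs below
// are assumptions for illustration only.

const REQUIRED_ATTRS = ["permProvAttr", "permProvId", "accountProvId"];

// Constructed sample application. `holderMapping` records what the Permission
// collector mapped a group's holder to: "account" when the Permission collector
// sits inside the Application collector and uses Account ID from Source,
// "identity" when a standalone collector links holders straight to the Identity.
function makeApplication(opts) {
  return {
    name: "AD",
    accounts: opts.collectAccounts
      ? [{ accountId: "CN=jdoe,OU=Users,DC=example,DC=test", identityId: "jdoe" }]
      : [],
    permissions: [{
      permissionId: "CN=Finance,OU=Groups,DC=example,DC=test",
      provAttribute: opts.provAttribute, // "Target Attribute for Provisioning"
      holderMapping: opts.holderMapping,
    }],
  };
}

// Resolve the three provisioning attributes the way the thread describes:
// permProvId and permProvAttr come from the collected permission, while
// accountProvId exists only when the holder resolves to a collected Account.
function buildChangeItem(app, type, identityId, permissionId) {
  const perm = app.permissions.find((p) => p.permissionId === permissionId);
  const attrs = {};
  if (perm) {
    attrs.permProvId = perm.permissionId;
    if (perm.provAttribute) attrs.permProvAttr = perm.provAttribute;
    if (perm.holderMapping === "account") {
      const acct = app.accounts.find((a) => a.identityId === identityId);
      if (acct) attrs.accountProvId = acct.accountId;
    }
  }
  return { type, identityId, attrs };
}

// Mirror the check behind the error message quoted in the thread.
function validateChangeItem(item) {
  const missing = REQUIRED_ATTRS.filter((a) => !(a in item.attrs));
  if (missing.length === 0) return { ok: true, missing, message: "" };
  return {
    ok: false,
    missing,
    message: `Item '${item.type}' does not contain all required provisioning ` +
      `attributes (${REQUIRED_ATTRS.join(", ")}).`,
  };
}

const PERM = "CN=Finance,OU=Groups,DC=example,DC=test";

// Scenario 1: standalone Permission collector, no Account collector in the
// application; holders map to the Identity only, so accountProvId is absent.
const standalone = makeApplication({ collectAccounts: false, provAttribute: "member", holderMapping: "identity" });
// Scenario 2: Account and Permission collectors in one Application collector,
// holder mapped to Account ID from Source, provAttribute set to "member".
const linked = makeApplication({ collectAccounts: true, provAttribute: "member", holderMapping: "account" });
// Scenario 3: linked correctly, but Target Attribute for Provisioning left empty.
const noProvAttr = makeApplication({ collectAccounts: true, provAttribute: "", holderMapping: "account" });

function runScenarios() {
  return {
    standalone: validateChangeItem(buildChangeItem(standalone, "ADD_PERMISSION_TO_USER", "jdoe", PERM)),
    linked: validateChangeItem(buildChangeItem(linked, "ADD_PERMISSION_TO_USER", "jdoe", PERM)),
    noProvAttr: validateChangeItem(buildChangeItem(noProvAttr, "REMOVE_PERMISSION_ASSIGNMENT", "jdoe", PERM)),
  };
}

for (const [name, r] of Object.entries(runScenarios())) {
  console.log(name, r.ok ? "ok" : `missing ${r.missing.join(",")}: ${r.message}`);
}
```

Only the second scenario yields a change item the fulfillment could act on; the first reproduces the thread's error for the missing account, the third for a missing provisioning attribute on the group.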