Micro Focus Expert

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 5/15/19 7:24 AM, sma wrote:
>
> stevewdj;2499754 Wrote:
>> On 5/14/19 5:24 AM, sma wrote:
>>>
>>> Hi,
>>>
>>> I'm also trying to set up the AD LDAP fulfillment and get the error:
>>> Item 'REMOVE_PERMISSION_ASSIGNMENT' does not contain all required
>>> provisioning attributes (permProvAttr, permProvId, accountProvId).
>>> Fix Retry Terminate
>>>
>>>
>>> Does anyone have some information on how to configure it?
>>>
>>> Thanks
>>>
>>> Sylvain
>>>
>>>

>> Greetings,
>> In your AD Application Collector, do you have both an AD Permission
>> Collector and an AD Account Collector? So that the flow goes:
>>
>> AD Permission -> AD Account -> Identity in the Catalog?
>>
>>
>> As I outlined in 23-April the error seen for Removing or Adding a
>> permission with the eDir or AD fulfillment happens because the Account
>> is not known. The Account has to be known. Therefore, within the eDir
>> or AD Application Collector you must have the AD/eDir permission
>> collector and the AD/eDir Account collector and the mapping for the
>> Holder of the permission goes to the Account. The Account will then
>> (when possible and when not that makes it an unmapped account) go to an
>> Identity
>>
>>
>>
>> --
>> Sincerely,
>> Steven Williams
>> Principal Enterprise Architect
>> Micro Focus

>
> Hi,
>
> No I don't have the account collector as the AD directory is the
> Identity source.
>
> Yes, it makes sense that the account is required and I will make some
> tries with the account.
>
> BTW, I find it a bit redundant to also get accounts from AD if this is the
> Identity source. Do you have any suggestion about that?
>
>
> Thanks.
>
> Sylvain
>
>

Greetings,
That is the requirement for ID Gov 3.5.x and 3.0.x. For the next
release we are looking into a possible change.

If you collect accounts it does allow you to run the Mapped and Unmapped
account reviews. Now, in your case if you collect your IDs and Accounts
from the same level in the ldap source then you would have all mapped
accounts. But, if you have special accounts that have permissions that
are not where your IDs are then it would allow you to review them and
the rights they have.


--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
sma2006 Outstanding Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

Hi,

Now I have set up both the account and permission collectors in the application and all Identities are mapped with the Application accounts.

All permissions (AD groups) are collected and everything looks OK, but the LDAP fulfillment still gives the same error:

Comment: Item 'ADD_PERMISSION_TO_USER' does not contain all required provisioning attributes (permProvAttr, permProvId, accountProvId).

I cannot find where to define the missing mapping for those attributes.


Any idea?


Thanks


Sylvain
Knowledge Partner

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 5/21/2019 8:24 AM, sma wrote:
>
> Hi,
>
> Now I have set up both the account and permission collectors in the
> application and all Identities are mapped with the Application accounts.
>
> All permissions (AD groups) are collected and everything looks OK, but
> the LDAP fulfillment still gives the same error:
>
> Comment: Item 'ADD_PERMISSION_TO_USER' does not contain all required
> provisioning attributes (permProvAttr, permProvId, accountProvId).
>
> I cannot find where to define the missing mapping for those attributes.


So in trying to figure out how this all works, it looks like the
Fulfillment actions are supposed to generate a set of attributes that
are passed to the Fulfillment class. Each of the various defined
actions needs different info.

So to Add a permission, you need the permProvAttr, which should be Member
for a Group, the attribute to which to add the permission.

Now when you collect the Group/Permission in your Account collector,
you added a Permission collector right?

Then inside there, there are 4 subsections.
First is the permission itself - find the set of permissions, so here
you define the Group as the class, and so on.

You should probably have defined Member as the Permission Account or
User mapping, which should be set to Account ID from Source. (This one
confused me as it did you, as I set up 2 standalone Account collectors,
one for users, one for groups, and I could not get the Permission to
link to the Account. Identity yes, account no. The answer was, you have to do
both in one collector. Docs could be MUCH clearer on this issue).

Then there is a Target Attribute for Provisioning, still in the Group,
which in the schema is named provAttribute and I have "member" as a
static value (Note the quotes).

So in theory if you have all this data in the catalog, when you review a
user and say add or remove a permission (or access request a permission)
via fulfillment it should be able to pass in the data to enact it.

sma2006 Outstanding Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

So, I tried to start again from scratch with the ADIR permissions/accounts:

1) Delete the current AD application data source --> OK
2) Create new application data source --> OK
3) Add AD account collector with default value --> OK
4) Collect & publish --> get new accounts for AD users that are mapped with Identities --> OK
5) Add AD permission collector with default value --> OK
6) Collect & publish again --> get new permissions for group membership of AD account --> OK
7) All identities from AD Identity source are mapped with AD account (same source) and get permissions (AD group) and also groups (same AD group).


This looks OK; now I'm going to configure and test the LDAP fulfillment.
sma2006 Outstanding Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

I made a try with a CSV fulfillment for AD permission, just to see attributes availability and I get this:

changeItemId,changeRequestType,fulfillmentInstructions,userName,account,appName,reason,permName
"19","ADD_PERMISSION_TO_USER","","John Demo","","AD Account Permissions","Add Permission to user for permission ERP_Administrators to be given to John Demo requested by John Demo. Reason for request: test; test","ERP_Administrators"

And I can see there is no account?

Let's try now with LDAP fulfillment.
sma2006 Outstanding Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

Still an error:
May 21, 2019 5:53:58 PM
Comment: Item 'ADD_PERMISSION_TO_USER' does not contain all required provisioning attributes (permProvAttr, permProvId, accountProvId).

With LDAP Fulfillment
sma2006 Outstanding Contributor.

Re: eDirectory LDAP fulfillment -- calling for example /use

Reading your answer again, I think I found the problem, the default mapping for "permission-account or user mapping" is User ID from source and NOT Account ID from source.


Now after changing this I get the following with CSV fulfillment:

changeItemId,changeRequestType,fulfillmentInstructions,userName,account,appName,reason,permName
"22","ADD_PERMISSION_TO_USER","","John Demo","CN=John Demo,OU=users,OU=idsa,DC=demoidsa,DC=com","AD Account Permissions","Add Permission to user for permission ERP_Administrators to be given to John Demo requested by John Demo. Reason for request: Test; Test with member mapped to Account ID from source","ERP_Administrators"


And finally, the LDAP AD fulfillment gets:

Fulfilled Via DAAS
May 21, 2019 6:07:13 PM
Comment: Change Item '23' Fulfilled. Type: ADD_PERMISSION_TO_USER, Target Account: CN=John Demo,OU=users,OU=idsa,DC=demoidsa,DC=com, Target Permission: CN=ERP_Administrators,OU=groups,OU=idsa,DC=demoidsa,DC=com
Verification required

Great, it works!!!!

Thanks a lot for your valuable help.

Sylvain
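The two CSV exports above show exactly what the LDAP fulfillment target was missing: with the permission holder mapped to "User ID from source" the account column is empty, and with "Account ID from source" it carries the account DN that ends up as the Target Account. The script below is an added example, not code from the thread's participants or from Identity Governance itself. It parses a CSV fulfillment export, resolves the three attributes the error message names (accountProvId from the account column, permProvId and permProvAttr from constructed lookup tables standing in for what the permission collector publishes to the catalog, with "member" as the static provisioning attribute as described earlier in the thread), and for complete items builds the LDIF modify that an LDAP fulfillment would apply. The LDIF shape and the ADD/REMOVE operation mapping are assumptions for illustration; the sample rows are abridged from the thread.

```python
import csv
import io

# Constructed lookups standing in for what the permission collector publishes to the
# catalog: the group DN (provisioning id) of each permission, and the target attribute
# for provisioning, "member" as a static value as in the thread.
PERM_PROV_ID = {
    "ERP_Administrators": "CN=ERP_Administrators,OU=groups,OU=idsa,DC=demoidsa,DC=com",
}
PERM_PROV_ATTR = {"ERP_Administrators": "member"}

# The three attributes the fulfillment error message lists as required.
REQUIRED = ("permProvAttr", "permProvId", "accountProvId")

# Assumed mapping from change request type to the LDIF modify operation.
LDIF_OP = {"ADD_PERMISSION_TO_USER": "add", "REMOVE_PERMISSION_ASSIGNMENT": "delete"}

# Constructed sample exports, abridged from the thread: the first with the holder
# mapped to "User ID from source" (account column empty), the second with it mapped
# to "Account ID from source" (account DN present).
HEADER = "changeItemId,changeRequestType,fulfillmentInstructions,userName,account,appName,reason,permName"
CSV_BEFORE = "\n".join([
    HEADER,
    '"19","ADD_PERMISSION_TO_USER","","John Demo","","AD Account Permissions",'
    '"Add Permission to user for permission ERP_Administrators. Reason: test","ERP_Administrators"',
])
CSV_AFTER = "\n".join([
    HEADER,
    '"22","ADD_PERMISSION_TO_USER","","John Demo","CN=John Demo,OU=users,OU=idsa,DC=demoidsa,DC=com",'
    '"AD Account Permissions","Add Permission to user for permission ERP_Administrators. Reason: Test",'
    '"ERP_Administrators"',
])


def parse_fulfillment_csv(text):
    """Parse a CSV fulfillment export into a list of row dicts (quoted DNs with commas are handled)."""
    return list(csv.DictReader(io.StringIO(text)))


def provisioning_attrs(row):
    """Resolve the three provisioning attributes for one change item; '' marks a missing value."""
    perm = row.get("permName", "")
    return {
        "permProvAttr": PERM_PROV_ATTR.get(perm, ""),
        "permProvId": PERM_PROV_ID.get(perm, ""),
        "accountProvId": row.get("account", ""),
    }


def missing_attrs(row):
    """Names of required provisioning attributes that could not be resolved for this item."""
    attrs = provisioning_attrs(row)
    return [name for name in REQUIRED if not attrs[name]]


def build_ldif(row):
    """Return the LDIF modify an LDAP fulfillment would apply, or raise with the same
    wording as the fulfillment error when an attribute is missing."""
    missing = missing_attrs(row)
    if missing:
        raise ValueError(
            f"Item '{row['changeRequestType']}' does not contain all required "
            f"provisioning attributes ({', '.join(missing)})")
    if row["changeRequestType"] not in LDIF_OP:
        raise ValueError(f"Unsupported change request type {row['changeRequestType']!r}")
    attrs = provisioning_attrs(row)
    op = LDIF_OP[row["changeRequestType"]]
    return "\n".join([
        f"dn: {attrs['permProvId']}",
        "changetype: modify",
        f"{op}: {attrs['permProvAttr']}",
        f"{attrs['permProvAttr']}: {attrs['accountProvId']}",
        "-",
    ])


def check_items(text):
    """Pre-check every change item in an export: 'ok' with its LDIF, or 'missing' with the gaps."""
    results = []
    for row in parse_fulfillment_csv(text):
        missing = missing_attrs(row)
        if missing:
            results.append({"id": row["changeItemId"], "status": "missing", "detail": missing})
        else:
            results.append({"id": row["changeItemId"], "status": "ok", "detail": build_ldif(row)})
    return results


if __name__ == "__main__":
    for label, text in (("before", CSV_BEFORE), ("after", CSV_AFTER)):
        for item in check_items(text):
            print(f"[{label}] item {item['id']}: {item['status']}\n{item['detail']}\n")
```

Running it reports item 19 as missing accountProvId (the same gap the fulfillment complained about) and item 22 as ok with a modify against the group DN adding the account DN to member. Running this check over a CSV export before switching an application to LDAP fulfillment is a cheap way to confirm the Permission -> Account -> Identity mapping without touching the directory.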
Knowledge Partner

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 5/21/2019 12:14 PM, sma wrote:
>
> Reading your answer again, I think I found the problem, the default
> mapping for "permission-account or user mapping" is User ID from source
> and NOT Account ID from source.
>
>
> Now after changing this I get the following with CSV fulfillment:
>
> changeItemId,changeRequestType,fulfillmentInstructions,userName,account,appName,reason,permName
> "22","ADD_PERMISSION_TO_USER","","John Demo","CN=John
> Demo,OU=users,OU=idsa,DC=demoidsa,DC=com","AD Account Permissions","Add
> Permission to user for permission ERP_Administrators to be given to John
> Demo requested by John Demo. Reason for request: Test; Test with member
> mapped to Account ID from source","ERP_Administrators"
>
>
> And finally, the LDAP AD fulfillment gets:
>
> Fulfilled Via DAAS
> May 21, 2019 6:07:13 PM
> Comment: Change Item '23' Fulfilled. Type: ADD_PERMISSION_TO_USER,
> Target Account: CN=John Demo,OU=users,OU=idsa,DC=demoidsa,DC=com, Target
> Permission: CN=ERP_Administrators,OU=groups,OU=idsa,DC=demoidsa,DC=com
> Verification required


Woo Hoo! I got one right! See what I mean about this aspect being a
little bit confusing?

Micro Focus Expert

Re: eDirectory LDAP fulfillment -- calling for example /use case

On 5/21/19 12:14 PM, sma wrote:
>
> Reading your answer again, I think I found the problem, the default
> mapping for "permission-account or user mapping" is User ID from source
> and NOT Account ID from source.
>
>
> Now after changing this I get the following with CSV fulfillment:
>
> changeItemId,changeRequestType,fulfillmentInstructions,userName,account,appName,reason,permName
> "22","ADD_PERMISSION_TO_USER","","John Demo","CN=John
> Demo,OU=users,OU=idsa,DC=demoidsa,DC=com","AD Account Permissions","Add
> Permission to user for permission ERP_Administrators to be given to John
> Demo requested by John Demo. Reason for request: Test; Test with member
> mapped to Account ID from source","ERP_Administrators"
>
>
> And finally, the LDAP AD fulfillment gets:
>
> Fulfilled Via DAAS
> May 21, 2019 6:07:13 PM
> Comment: Change Item '23' Fulfilled. Type: ADD_PERMISSION_TO_USER,
> Target Account: CN=John Demo,OU=users,OU=idsa,DC=demoidsa,DC=com, Target
> Permission: CN=ERP_Administrators,OU=groups,OU=idsa,DC=demoidsa,DC=com
> Verification required
>
> Great, it works!!!!
>
> Thanks a lot for your valuable help.
>
> Sylvain
>
>

Greetings,
This shows that you were not correctly set up. As I outlined
earlier you have to go Permission -> Account -> Identity. You were still
going Permission -> Identity.


--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus