fp_idmworks

401 start workflow from driver policy


I have an authorized user that is assigned to the provadmin role. RR
driver confirms that the assignment was a success.

My recipient is the group SuspenseGroup.sa.data and is a Trustee DN on
the workflow, I also added the authorized user as a trustee as well.

As part of troubleshooting I added some eDir rights. I found in the 402
documentation the following statement: Notice that
nrfAccessMgrTaskAddressee is not listed with the write permission
checked, which means that the user does not have the proper rights for
the provisioning request definition.

I have added nrfAccessMgrTaskAddressee with write permission checked to
the Workflow object for the authorized user. I also did this for
nrfAccessMgrTaskRecipient. However, I'm not sure why a write right would
be needed... Very little is documented about these rights.

I added these rights to the recipient as well as the authorized user.

The error we receive is below:

DirXML Log Event -------------------
Driver: \OU-IDM-POC\system\driverset\PS-Test
Channel: Publisher
Object: 19017
Status: Error
Message: Code(-9194) Error in
vnd.nds.stream://OU-IDM-POC/system/driverset/PS-Test/Publisher/NOVLDTXTBASE-pub-mp#XmlData:784
: Couldn't
start workflow 'CN=Suspense
handling,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=driverset,O=system'
for recipient 'cn=suspensegroup,ou=
sa,o=data': java.rmi.RemoteException: HTTP 401 Unauthorized
[08/15/16 05:30:07.328]:PS-Test PT: Action: do-veto().
[08/15/16 05:30:07.328]:PS-Test PT:Policy returned:
[08/15/16 05:30:07.328]:PS-Test PT:
<nds dtdversion="1.1" ndsversion="8.6" xml:space="default">


I don't see anything in the catalina.out log file when triggering the
workflow from a driver. However, I'm not sure if we would with it doing
a soap call.

The URL to connect to userapp is right. http://<ipaddr>:8180/IDMProv
(not using https currently, correct ip address is entered in)

There are some empty values as part of the request. I'm assuming this is
okay. None of the values on the request form are set to required; we're just
sending over what data the driver has on the existing user. Some of the
values being sent over are local variables, so I'm not sure how we could
strip empty values from those if we needed to.

The purpose of the workflow is to start it when a match is found that
isn't specific enough and requires an administrator review to make sure
the user is an actual match and that we aren't creating duplicate
users.

thanks,
Fred


--
fp_IDMWORKS
------------------------------------------------------------------------
fp_IDMWORKS's Profile: https://forums.netiq.com/member.php?userid=9869
View this thread: https://forums.netiq.com/showthread.php?t=56433

Micro Focus Expert

Re: 401 start workflow from driver policy

On 8/15/16 7:32 AM, fp IDMWORKS wrote:
> [...]

Greetings,

1) Are you using the endpoint start or startAsProxy?

2) Who are you passing in as the Initiator?

3) You should see an attempt to login in the server.log file.



--
Sincerely,
Steven Williams
Lead Software Engineer
Micro Focus
fp_idmworks

Re: 401 start workflow from driver policy


So we are actually using the start workflow action in a policy rule from
a driver. So I'm assuming that the initiator is the "Authorized user", or
the id="CN=suspense,OU=sa,O=data" value listed below. This is the user
that we have assigned to the provadmin role.

1) Not sure, as it's not an option when starting it from a driver
policy. I'm assuming it would be a startAsProxy, as it is asking for an
authorized user.

2) As stated above, I believe so, as there is an authorized user
populated.

3) I don't see a server.log file on the server. /var/log/messages
doesn't appear to show anything. JBoss talks about a server.xml file,
but in Tomcat that is under the conf directory and I don't think it is
actually a log file.


<do-start-workflow id="CN=suspense,OU=sa,O=data" time-out="90000"
    url="~UAProvURL~"
    workflow-id="CN=Suspense handling,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=driverset,O=system">
  <arg-password>
    <token-named-password name="Suspense"/>
  </arg-password>
  <arg-dn>
    <token-parse-dn dest-dn-format="ldap" src-dn-format="dot">
      <token-global-variable name="Suspense.Group"/>
    </token-parse-dn>
  </arg-dn>
  <arg-string name="firstName">
    <token-op-attr name="Given Name"/>
  </arg-string>
  <arg-string name="Initials">
    <token-op-attr name="Initials"/>
  </arg-string>
  <arg-string name="lastName">
    <token-op-attr name="Surname"/>
  </arg-string>
  <arg-string name="preferredName">
    <token-op-attr name="preferredName"/>
  </arg-string>
  <arg-string name="SSN">
    <token-op-attr name="OUSSN"/>
  </arg-string>
  <arg-string name="DOB">
    <token-op-attr name="OUBirthdate"/>
  </arg-string>
  <arg-string name="homeZipCode">
    <token-op-attr name="OUhomeZipCode"/>
  </arg-string>
  <arg-string name="OUEmplStatus">
    <token-op-attr name="OUEmplStatus"/>
  </arg-string>
  <arg-string name="OUEffdt">
    <token-op-attr name="OUEffdt"/>
  </arg-string>
  <arg-string name="jobCode">
    <token-op-attr name="jobCode"/>
  </arg-string>
  <arg-string name="OUJobFunction">
    <token-op-attr name="OUJobFunction"/>
  </arg-string>
  <arg-string name="OUTenureStatus">
    <token-op-attr name="OUTenureStatus"/>
  </arg-string>
  <arg-string name="OUEmplID">
    <token-op-attr name="OUEmplID"/>
  </arg-string>
  <arg-string name="OUEGGrantedDT">
    <token-op-attr name="OUEGGrantedDT"/>
  </arg-string>
  <arg-string name="OUWSVisaDescr">
    <token-op-attr name="OUWSVisaDescr"/>
  </arg-string>
  <arg-string name="OUDeptID">
    <token-op-attr name="OUDeptID"/>
  </arg-string>
  <arg-string name="OUCampDirectory">
    <token-op-attr name="OUCampDirectory"/>
  </arg-string>
  <arg-string name="OUSource">
    <token-global-variable name="OUSource"/>
  </arg-string>
  <arg-string name="OUSuspenseMatch">
    <token-local-variable name="lv-policy"/>
  </arg-string>
  <arg-string name="OUSuspenseError">
    <token-local-variable name="lv-error"/>
  </arg-string>
</do-start-workflow>



Micro Focus Expert

Re: 401 start workflow from driver policy

On 8/15/16 10:28 AM, fp IDMWORKS wrote:
> [...]
Greetings,

1) The server.log file (for JBoss) is normally located in
/opt/novell/idm/rbpm/jboss/server/IDMProv/log/ if you accepted all of
the defaults when installing 4.0.1.

2) Can you log in to the User Application UI with user
"CN=suspense,OU=sa,O=data" and the actual password from the variable
"Suspense"?

3) If yes to #2, are you able to see and start the workflow in
question?





--
Sincerely,
Steven Williams
Lead Software Engineer
Micro Focus
fp_idmworks

Re: 401 start workflow from driver policy


Hey Steve,

Sorry for the confusion. This is a 4.5.4 Tomcat install. I was looking
for rights / permission related issues and found the 401 documentation
that made me think to set that property on the PRD.

What is the equivalent log for the tomcat platform?

2) We are able to login to the User Application with the Suspense user
with the same password that I set for the named password.

3) I am able to see the workflow and enter data as that user.

thanks,
Fred



Knowledge Partner

Re: 401 start workflow from driver policy

On 8/15/2016 12:34 PM, fp IDMWORKS wrote:
>
> Hey Steve,
>
> Sorry for the confusion. This is a 4.5.4 Tomcat install. I was looking
> for rights / permission related issues and found the 401 documentation
> that made me thing to set that property on the PRD.
>
> What is the equivalent log for the tomcat platform?


/opt/netiq/idm/apps/tomcat/logs/catalina.out


> 2) We are able to login to the User Application with the Suspense user
> with the same password that I set for the named password.
>
> 3) I am able to see the workflow and enter data as that user.


Prov Manager or Prov Admin role? To make a SOAP call, you need to be
the admin. Not the manager with restricted permissions, in my
experience. Which seems like it defeats the point of the Manager role.


fp_idmworks

Re: 401 start workflow from driver policy


grrr

So I'm not sure if anything changed or not, but catalina.out is now showing
the failed authentication.

I did put in the named password, I promise I really did.... sigh, it
wasn't there. At least with the log in catalina.out I could see the
failed attempt and know it had to be the password, the login id, or
rights....

Someone asked if we could start Monday over. I'm all for it 🙂

thanks Steve and Geoff


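The check Steve's question 2 and the final post both point at is whether the authorized user and the named password the policy hands to do-start-workflow actually authenticate against the User Application. The script below is an added example, not code from the original posts or from NetIQ/Micro Focus: it sends the same HTTP Basic credentials to the provisioning SOAP endpoint before the driver does and classifies the answer, and it refuses to even try when the password is empty, which is what an unset named password yields. The endpoint path /IDMProv/provisioning/service, the assumption that the endpoint answers HTTP Basic auth on a plain GET, and the DN/password placeholders are assumptions, not facts from the thread.

```python
"""Pre-flight check for do-start-workflow credentials (added example, not from the thread).

Assumptions, not taken from the forum posts: the provisioning SOAP endpoint lives under
<UAProvURL>/provisioning/service and authenticates HTTP Basic credentials before
dispatching the request; the DN, password and URL used in __main__ are placeholders.
"""
import base64
import sys
import urllib.error
import urllib.request

PASSWORD_EMPTY = "password is empty: the named password is probably not set on the driver"
USER_EMPTY = "authorized user DN is empty"


def preflight_problems(user_dn, password):
    """Return the problems that guarantee a 401 before any request is sent."""
    problems = []
    if not user_dn or not user_dn.strip():
        problems.append(USER_EMPTY)
    if not password:  # an unset named password resolves to an empty string
        problems.append(PASSWORD_EMPTY)
    return problems


def basic_auth_header(user_dn, password):
    """Build the Authorization header value (RFC 7617) the policy action would send."""
    raw = f"{user_dn}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(header_value):
    """Inverse of basic_auth_header: see what a captured request actually carried."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    user_dn, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user_dn, password


def classify_status(status):
    """Map the HTTP status from the User Application to the next thing to check."""
    if status == 401:
        return "401: credentials rejected (wrong DN, wrong or empty password, or user not authorized)"
    if status == 403:
        return "403: authenticated but not allowed; check the Provisioning Administrator role and PRD trustees"
    if status == 404:
        return "404: endpoint not found; check the UAProvURL context path and port"
    if status == 405:
        return "405: authenticated; the endpoint expects a SOAP POST, not a GET"
    if 200 <= status < 300:
        return f"{status}: authenticated"
    if status >= 500:
        return f"{status}: server error; look in catalina.out"
    return f"{status}: unexpected status"


def check_userapp_login(base_url, user_dn, password, timeout=10):
    """Authenticate once against the SOAP endpoint and report what the driver would see."""
    problems = preflight_problems(user_dn, password)
    if problems:
        return "not attempted: " + "; ".join(problems)
    url = base_url.rstrip("/") + "/provisioning/service"  # assumed endpoint path
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user_dn, password)}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as exc:
        return classify_status(exc.code)
    except urllib.error.URLError as exc:
        return f"connection failed ({exc.reason}): check host and port in UAProvURL"


if __name__ == "__main__":
    # Placeholders: pass the real UAProvURL, authorized user DN and named password as arguments.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8180/IDMProv"
    dn = sys.argv[2] if len(sys.argv) > 2 else "cn=suspense,ou=sa,o=data"
    pw = sys.argv[3] if len(sys.argv) > 3 else ""
    print(check_userapp_login(base, dn, pw))
```

Run it with the same DN and the value you believe the named password holds; a "not attempted" result with an empty password is exactly the situation in the last post, and a 401 with a non-empty password narrows the problem to the DN, the password value, or the role, which Geoff's note about Provisioning Administrator versus Manager then covers.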
