
AdminUA deleted; Role Assignment havoc ensues.


(Replacing Thread wrongly started under Engine/Drivers)
AdminUA deleted. I rebuilt the security domain for the UserApp and the
new AdminUA account seems functional. I have, for troubleshooting,
granted full supervisor rights to the entire tree for AdminUA.

However, when I add a user to a group assigned to a role, and that role has
5 resources assigned to it... which were 100% functional before the
deletion of AdminUA... I do not get any of the entitlements assigned,
with the following error in trace of the Roles and Resources Driver
(which is security equivalent to ADMIN of the tree):

<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify cached-time="20150505145118.266Z" class-name="User"
event-id="CustomerIDV1T-NDS#20150505145118#1#1:f5b47cb0-a5e4-41f9-bdd9-a0c662b9a333"
qualified-src-dn="O=Customer\OU=Data\OU=Users\CN=ameyer31"
src-dn="\IDVT\Customer\Data\Users\ameyer31" src-entry-id="73592"
timestamp="1430837478#1">
<modify-attr attr-name="Group Membership">
<add-value>
<value timestamp="1430837478#1"
type="dn">\T=IDVT\O=Customer\OU=Data\OU=Groups\OU= Identity
Types\CN=Primary - EMPLOYEE_IT</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
[05/05/15 09:51:18.290]:**RRSD** ST:Applying event transformation
policies.
[05/05/15 09:51:18.291]:**RRSD** ST:Applying policy:
%+C%14CNOVLRSERVB-sub-etp%-C.
[05/05/15 09:51:18.291]:**RRSD** ST: Applying to modify #1.
[05/05/15 09:51:18.291]:**RRSD** ST: Evaluating selection criteria for
rule 'Ignore everything except add, modify, and sync for all classes'.
[05/05/15 09:51:18.292]:**RRSD** ST: (if-operation not-match
"add|modify|sync") = FALSE.
[05/05/15 09:51:18.292]:**RRSD** ST: Rule rejected.
[05/05/15 09:51:18.293]:**RRSD** ST: Evaluating selection criteria for
rule 'Cleanup the entitlement results for entitlements granted by NRF'.
[05/05/15 09:51:18.293]:**RRSD** ST: (if-operation equal "modify") =
TRUE.
[05/05/15 09:51:18.294]:**RRSD** ST: (if-op-attr
'DirXML-EntitlementResult' changing) = FALSE.
[05/05/15 09:51:18.294]:**RRSD** ST: Rule rejected.
[05/05/15 09:51:18.294]:**RRSD** ST: Evaluating selection criteria for
rule 'Convert the event into a custom command to send to the driver'.
[05/05/15 09:51:18.295]:**RRSD** ST: Rule selected.
[05/05/15 09:51:18.295]:**RRSD** ST: Applying rule 'Convert the event
into a custom command to send to the driver'.
[05/05/15 09:51:18.296]:**RRSD** ST: Action:
do-set-local-variable("command",scope="policy",token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name())).
[05/05/15 09:51:18.297]:**RRSD** ST:
arg-string(token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name()))
[05/05/15 09:51:18.297]:**RRSD** ST:
token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name())
[05/05/15 09:51:18.298]:**RRSD** ST:
token-map("NOVLRSERVB-sub-CommandMappingTable","class-name","command",token-class-name())
[05/05/15 09:51:18.299]:**RRSD** ST: token-class-name()
[05/05/15 09:51:18.299]:**RRSD** ST: Token Value: "User".
[05/05/15 09:51:18.299]:**RRSD** ST: Arg Value: "User".
[05/05/15 09:51:18.299]:**RRSD** ST: Token Value: "nrf:identity".
[05/05/15 09:51:18.300]:**RRSD** ST: Arg Value: "nrf:identity".
[05/05/15 09:51:18.300]:**RRSD** ST: Action:
do-append-xml-element("$command$","..").
[05/05/15 09:51:18.301]:**RRSD** ST: Expanded variable reference
'$command$' to 'nrf:identity'.
[05/05/15 09:51:18.301]:**RRSD** ST: Action:
do-set-xml-attr("dn","../nrf:*",token-xpath("@qualified-src-dn")).
[05/05/15 09:51:18.302]:**RRSD** ST:
arg-string(token-xpath("@qualified-src-dn"))
[05/05/15 09:51:18.302]:**RRSD** ST: token-xpath("@qualified-src-dn")
[05/05/15 09:51:18.302]:**RRSD** ST: Token Value:
"O=Customer\OU=Data\OU=Users\CN=ameyer31".
[05/05/15 09:51:18.303]:**RRSD** ST: Arg Value:
"O=Customer\OU=Data\OU=Users\CN=ameyer31".
[05/05/15 09:51:18.303]:**RRSD** ST: Action: do-if().
[05/05/15 09:51:18.307]:**RRSD** ST: Evaluating conditions.
[05/05/15 09:51:18.308]:**RRSD** ST: (if-op-attr 'nrfChildRoles'
changing) = FALSE.
[05/05/15 09:51:18.308]:**RRSD** ST: Action: do-if().
[05/05/15 09:51:18.308]:**RRSD** ST: Evaluating conditions.
[05/05/15 09:51:18.309]:**RRSD** ST: (if-op-attr 'nrfAssignedResources'
changing) = FALSE.
[05/05/15 09:51:18.309]:**RRSD** ST: Performing else actions.
[05/05/15 09:51:18.309]:**RRSD** ST: Evaluating selection criteria for
rule 'Get rid of any association that might be there and veto the
original event'.
[05/05/15 09:51:18.310]:**RRSD** ST: Rule selected.
[05/05/15 09:51:18.310]:**RRSD** ST: Applying rule 'Get rid of any
association that might be there and veto the original event'.
[05/05/15 09:51:18.311]:**RRSD** ST: Action: do-if().
[05/05/15 09:51:18.311]:**RRSD** ST: Evaluating conditions.
[05/05/15 09:51:18.311]:**RRSD** ST: (if-association available) = FALSE.
[05/05/15 09:51:18.312]:**RRSD** ST: Performing else actions.
[05/05/15 09:51:18.312]:**RRSD** ST: Action: do-if().
[05/05/15 09:51:18.312]:**RRSD** ST: Evaluating conditions.
[05/05/15 09:51:18.313]:**RRSD** ST: (if-xpath true
"association/@state='migrate'") = FALSE.
[05/05/15 09:51:18.313]:**RRSD** ST: Action: do-veto().
[05/05/15 09:51:18.313]:**RRSD** ST:Policy returned:
[05/05/15 09:51:18.314]:**RRSD** ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<nrf:identity dn="O=Customer\OU=Data\OU=Users\CN=ameyer31"
xmlns:nrf="urn:dirxml:nrf"/>
</input>
</nds>
[05/05/15 09:51:18.315]:**RRSD** ST:Subscriber processing identity for .
[05/05/15 09:51:18.315]:**RRSD** ST:Submitting unknown event to
subscriber shim.
[05/05/15 09:51:18.316]:**RRSD** ST:No command transformation policies.
[05/05/15 09:51:18.316]:**RRSD** ST:Filtering out notification-only
attributes.
[05/05/15 09:51:18.317]:**RRSD** ST:Fixing up association references.
[05/05/15 09:51:18.317]:**RRSD** ST:No schema mapping policies.
[05/05/15 09:51:18.317]:**RRSD** ST:No output transformation policies.
[05/05/15 09:51:18.318]:**RRSD** ST:Submitting document to subscriber
shim:
[05/05/15 09:51:18.318]:**RRSD** ST:
<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.0">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<nrf:identity dn="O=Customer\OU=Data\OU=Users\CN=ameyer31" event-id="0"
xmlns:nrf="urn:dirxml:nrf"/>
</input>
</nds>
[05/05/15 09:51:18.320]:**RRSD** ST:: Recalculating roles for identity:
O=Customer\OU=Data\OU=Users\CN=ameyer31
[05/05/15 09:51:18.324]:**RRSD** ST:: Role sync operation ignored
because container is out of scope
Container DN: O=Customer
User-Group root DN: Customer\Data
[05/05/15 09:51:18.340]:**RRSD** ST:: Process Equivalent To Me
Role: Process Equivalent To Me
Role: O=Customer\OU=services\CN=DriverSet\CN=UserApplica
tion\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Lev el30\CN=Primary -
EMPLOYEE_IT
Operation: 5
Identity: O=Customer\OU=Data\OU=Users\CN=ameyer31
Operation: {1}
Identity: {2}
[05/05/15 09:51:18.358]:**RRSD** ST:SubscriptionShim.execute() returned:
[05/05/15 09:51:18.358]:**RRSD** ST:
<nds dtdversion="4.0">
<source>
<product instance="Role and Resource Service Driver"
version="4.5.0.0">NetIQ Role Service Driver</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="error">Error creating resource request
DN: O=Customer\OU=services\CN=DriverSet\CN=UserApplica
tion\CN=AppConfig\CN=RoleConfig\CN=ResourceRequest
s\CN=20150505095118-a72e18ffdd33454f825bcfa12173c764-0
Reason: novell.jclient.JCException: createEntry -613
ERR_SYNTAX_VIOLATION</status>
<status event-id="0" level="error">Error recalculating roles
Identity: O=Customer\OU=Data\OU=Users\CN=ameyer31
Reason: novell.jclient.JCException: createEntry -613
ERR_SYNTAX_VIOLATION</status>
</output>
</nds>

I have verified my entitlements are all using IDM4 syntax, as they were
before AdminUA was deleted. (i.e. I'm pretty sure it's not the
entitlement config.)

Any ideas where to look next, or even a simple total fix, appreciated.
🙂


--
folboteur
------------------------------------------------------------------------
folboteur's Profile: https://forums.netiq.com/member.php?userid=3683
View this thread: https://forums.netiq.com/showthread.php?t=53433
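A small trace parser, added here as an example and not code from the post or from NetIQ, that pulls the error statuses (jclient call, eDirectory error code, symbolic name) and the out-of-scope role-sync warning out of an RRSD trace like the one above, so a failing resource request can be spotted in a long trace without reading it line by line. The sample trace is constructed from the post's output with line wrapping removed and the request-object CN replaced by a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the trace in the post: line wrapping removed,
# <source> block dropped, request-object CN replaced by a placeholder.
SAMPLE_TRACE = r"""
[05/05/15 09:51:18.324]:**RRSD** ST:: Role sync operation ignored because container is out of scope
Container DN: O=Customer
User-Group root DN: Customer\Data
<nds dtdversion="4.0">
<output>
<status event-id="0" level="error">Error creating resource request
DN: O=Customer\OU=services\CN=DriverSet\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=PLACEHOLDER-0
Reason: novell.jclient.JCException: createEntry -613 ERR_SYNTAX_VIOLATION</status>
<status event-id="0" level="error">Error recalculating roles
Identity: O=Customer\OU=Data\OU=Users\CN=ameyer31
Reason: novell.jclient.JCException: createEntry -613 ERR_SYNTAX_VIOLATION</status>
</output>
</nds>
"""

# "createEntry -613 ERR_SYNTAX_VIOLATION" -> (jclient call, eDirectory code, symbolic name)
REASON = re.compile(r"JCException:\s+(\w+)\s+(-?\d+)\s+(\w+)")
OUT_OF_SCOPE = "Role sync operation ignored because container is out of scope"


def extract_nds_documents(trace):
    """Return each <nds>...</nds> block embedded in the trace as one string."""
    docs, buf = [], None
    for line in trace.splitlines():
        if buf is None and line.lstrip().startswith("<nds"):
            buf = [line]
        elif buf is not None:
            buf.append(line)
            if line.strip() == "</nds>":
                docs.append("\n".join(buf))
                buf = None
    return docs


def find_error_statuses(trace):
    """One dict per <status level="error">: first line plus the parsed Reason."""
    findings = []
    for doc in extract_nds_documents(trace):
        for status in ET.fromstring(doc).iter("status"):
            if status.get("level") != "error":
                continue
            text = (status.text or "").strip()
            m = REASON.search(text)
            findings.append({"summary": text.splitlines()[0],
                             "call": m.group(1) if m else None,
                             "code": int(m.group(2)) if m else None,
                             "name": m.group(3) if m else None})
    return findings


def find_scope_warnings(trace):
    """(Container DN, User-Group root DN) for each out-of-scope role sync line."""
    lines = trace.splitlines()
    return [(lines[i + 1].split(":", 1)[1].strip(), lines[i + 2].split(":", 1)[1].strip())
            for i, line in enumerate(lines) if OUT_OF_SCOPE in line]
```

Run it over a saved driver trace (file contents in place of SAMPLE_TRACE) to list every -613 and similar createEntry failure alongside the container-scope message that precedes it.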


Re: AdminUA deleted; Role Assignment havoc ensues.


For the record:

The ROLE gets assigned to the users. The subsequent Resource Request
fails.

Assigning a resource directly to an individual user works. The
entitlement is assigned and the resource Request is created. So the
entitlement syntax is right.


--
folboteur


Re: AdminUA deleted; Role Assignment havoc ensues.


This issue has to do with the fact that you recreated a UA admin and the
original one no longer exists.

Please, check the following:

On your Role and Resource driver -> Driver Parameters -> User
Application identity, make sure you are pointing to the correct UA
admin.

Update your RR driver in the vault, restart your eDir and try the
assignment again.

MJ

--
mjendrisek
------------------------------------------------------------------------
mjendrisek's Profile: https://forums.netiq.com/member.php?userid=8294
