
Assign Role to Group in a driver


IDM 3.6.1 - RBPM 3.7

For the moment, we have a loopback driver to assign a role to a user with
ADD-ROLE.

We want to assign a role to a group, but when the target DN is a group, it
isn't working.

The request is created with nrfCategory 10 in place of 30 to create and
15 in place of 35 to revoke, and the nrfStatus is 80.

If we change the nrfCategory to 30 and nrfStatus to 10, the role is
assigned to the group.

Why is it not possible with a driver?


--
TellierS
------------------------------------------------------------------------
TellierS's Profile: https://forums.netiq.com/member.php?userid=2550
View this thread: https://forums.netiq.com/showthread.php?t=49094


Re: Assign Role to Group in a driver

On 10/30/2013 09:54 AM, TellierS wrote:
>
> IDM 3.6.1 - RBPM 3.7
>
> For the moment, we have a loopback driver to assign a role to a user with
> ADD-ROLE.
>
> We want to assign a role to a group, but when the target DN is a group, it
> isn't working.
>
> The request is created with nrfCategory 10 in place of 30 to create and
> 15 in place of 35 to revoke, and the nrfStatus is 80.
>
> If we change the nrfCategory to 30 and nrfStatus to 10, the role is
> assigned to the group.
>
> Why is it not possible with a driver?
>
>

Greetings,
I would double check the scope that you set in the RRSD for the
user/group container dn. If that does not "cover" your groups then the
behavior you have outlined will be seen.

For example:

ou=groups,o=data
ou=users,o=data

If the RRSD is set to see ou=users,o=data then a role assignment to
group (cn=myGroup,ou=groups,o=data) will not be possible.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: Assign Role to Group in a driver

On 10/30/2013 10:51 AM, Steven Williams wrote:
> On 10/30/2013 09:54 AM, TellierS wrote:
>>
>> IDM 3.6.1 - RBPM 3.7
>>
>> For the moment, we have a loopback driver to assign a role to a user with
>> ADD-ROLE.
>>
>> We want to assign a role to a group, but when the target DN is a group, it
>> isn't working.
>>
>> The request is created with nrfCategory 10 in place of 30 to create and
>> 15 in place of 35 to revoke, and the nrfStatus is 80.
>>
>> If we change the nrfCategory to 30 and nrfStatus to 10, the role is
>> assigned to the group.
>>
>> Why is it not possible with a driver?
>>
>>

> Greetings,
> I would double check the scope that you set in the RRSD for the
> user/group container dn. If that does not "cover" your groups then the
> behavior you have outlined will be seen.
>
> For example:
>
> ou=groups,o=data
> ou=users,o=data
>
> If the RRSD is set to see ou=users,o=data then a role assignment to
> group (cn=myGroup,ou=groups,o=data) will not be possible.


Is there a way to have the RRSD consider two sibling containers as in
scope? Or is the only answer to use the parent container?



Re: Assign Role to Group in a driver


My RRSD config is good, on top of the tree O=xxx.

The config is right because it works with the UserApp interface.

Serge


--
TellierS

Re: Assign Role to Group in a driver

On 10/30/2013 11:25 AM, TellierS wrote:
>
> My RRSD config is good, on top of the tree O=xxx.
>
> The config is right because it works with the UserApp interface.
>
> Serge
>
>

Greetings,
I have not tested from the Driver, but I have a feeling I know the
issue. When you make a Role Request via SOAP (or REST) you have to
specifically outline what kind of Role request it is:

USER_TO_ROLE

GROUP_TO_ROLE

CONTAINER_TO_ROLE

ROLE_TO_ROLE

You need to look at your Policy and the Role Request object. I would
tend to believe that you are passing a Group in to a USER_TO_ROLE
request and that will fail. It must be GROUP_TO_ROLE. If you do not
see that ability in the do-add-role action in the IDM Engine then that
is a bug for them to resolve.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: Assign Role to Group in a driver


Thx Steven

See this link : http://tinyurl.com/mo6snch

No option to manage the role type !!

SR opened


--
TellierS

Re: Assign Role to Group in a driver

On 10/30/2013 01:04 PM, TellierS wrote:
>
> Thx Steven
>
> See this link : http://tinyurl.com/mo6snch
>
> No option to manage the role type !!
>
> SR opened
>
>

Greetings,
Can you please post the Role Request object for this failed request?

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: Assign Role to Group in a driver

On 10/30/2013 1:26 PM, Steven Williams wrote:
> On 10/30/2013 01:04 PM, TellierS wrote:
>>
>> Thx Steven
>>
>> See this link : http://tinyurl.com/mo6snch
>>
>> No option to manage the role type !!
>>
>> SR opened
>>
>>

> Greetings,
> Can you please post the Role Request object for this failed request?


That would be the nrfRequest object in a container under the User App
driver. I think it is
AppConfig
RoleDefs
Requests or some such. (There is a ResourceDef and ResourceRequest as
well).

It is named I think timestamp and then a GUID from the request. LDIF it
out for Steve here.



Re: Assign Role to Group in a driver


BAD REQUESTS

dn: cn=20131030161337-5e532467df754ce282cfb4427e34d5a6-0,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApplication-v3_7,cn=DriverSet,ou=RESOURCES,o=SYSTEM
objectClass: Top
objectClass: nrfRequest
cn: 20131030161337-5e532467df754ce282cfb4427e34d5a6-0
nrfRequestDate: 20131030151337Z
nrfStatus: 80
nrfApprovalInfo::
nrfApprovalProcessId: 33dd273db261439bbba65072146d7330
nrfCategory: 10
nrfCorrelationId: Wed Oct 30 16:13:37 CET 2013
nrfDecisionDate: 20131030151344Z
nrfDescription:
nrfImmediate: FALSE
nrfRequestDef: cn=CebereRoleRequestNotification,cn=RequestDefs,cn=AppConfig,cn=UserApplication-v3_7,cn=DriverSet,ou=RESOURCES,o=SYSTEM
nrfRequester: cn=UA-admin,ou=TFAccounts,o=Developpement
nrfSourceDN: cn=Role_1356081683826,cn=Level10,cn=RoleInstances,cn=RoleConfig,cn=AppConfig,cn=UserApplication-v3_7,cn=DriverSet,ou=RESOURCES,o=SYSTEM
nrfStartDate: 20131030151337Z
nrfTargetDN: cn=TestRole2group,ou=populations,o=Developpement


dn: cn=20131030120729-b8b3c114ea1c4eb9994630bd5d644772-0,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApplication-v3_7,cn=DriverSet,ou=RESOURCES,o=SYSTEM
objectClass: Top
objectClass: nrfRequest
cn: 20131030120729-b8b3c114ea1c4eb9994630bd5d644772-0
nrfRequestDate: 20131030110729Z
nrfStatus: 80
nrfCategory: 10
nrfCorrelationId: b4544af502cd44fea34ddf4dc1e30db8
nrfDecisionDate: 20131030110729Z
nrfDescription: Role2OU
nrfImmediate: TRUE
nrfOriginator: USER_APP
nrfRequester: cn=UA-admin,ou=TFAccounts,o=Developpement
nrfSourceDN: cn=SAP-AQ1CLNT100,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication-v3_7,cn=DriverSet,ou=RESOURCES,o=SYSTEM
nrfStartDate: 20131030110729Z
nrfTargetDN: ou=testACL,ou=populations,o=Developpement

*GOOD REQUEST* nrfCategory and nrfStatus changed

nrfCategory = 30 for Group
nrfCategory = 40 for OU

nrfStatus = 10 to restart request

dn: cn=20131030120729-b8b3c114ea1c4eb9994630bd5d644772-0,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApplication-v3_7,cn=DriverSet,ou=RESOURCES,o=SYSTEM
objectClass: Top
objectClass: nrfRequest
cn: 20131030120729-b8b3c114ea1c4eb9994630bd5d644772-0
nrfRequestDate: 20131030110729Z
nrfStatus: 50
nrfCategory: 40
nrfCorrelationId: b4544af502cd44fea34ddf4dc1e30db8
nrfDecisionDate: 20131030110729Z
nrfDescription: Role2OU
nrfImmediate: TRUE
nrfOriginator: USER_APP
nrfRequester: cn=UA-admin,ou=TFAccounts,o=Developpement
nrfSourceDN: cn=SAP-AQ1CLNT100,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication-v3_7,cn=DriverSet,ou=RESOURCES,o=SYSTEM
nrfStartDate: 20131030110729Z
nrfTargetDN: ou=testACL,ou=populations,o=Developpement

dn: cn=20131030111033-5fd8253b1fbf42569fc2fbdbfe8b311e-0,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApplication-v3_7,cn=DriverSet,ou=RESOURCES,o=SYSTEM
objectClass: Top
objectClass: nrfRequest
cn: 20131030111033-5fd8253b1fbf42569fc2fbdbfe8b311e-0
nrfRequestDate: 20131030101033Z
nrfStatus: 50
nrfCategory: 30
nrfCorrelationId: 7d456c95e16f40f48e8d23e15784d2c3
nrfDecisionDate: 20131030105631Z
nrfDescription: Test Role2group
nrfImmediate: TRUE
nrfOriginator: USER_APP
nrfRequester: cn=UA-admin,ou=TFAccounts,o=Developpement
nrfSourceDN: cn=SAP-AQ1CLNT100,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication-v3_7,cn=DriverSet,ou=RESOURCES,o=SYSTEM
nrfStartDate: 20131030101033Z
nrfTargetDN: cn=POP-ETNIC-L10-EXP,ou=AdminsGrp-old,ou=Groups,o=Developpement


--
TellierS

Re: Assign Role to Group in a driver

Watch me really annoy Steve. 🙂

In the RRSD, if you know the scope of the objects, you could add a
sub-event policy that transformed the nrfCategory value. 🙂

But Steve will note this will invalidate support. 🙂 Just saying....



Re: Assign Role to Group in a driver


Yes, I have the same idea if support can't help me because the product is
end of life (with a loopback driver; we already have a rule to prevent when
an nrfStatus is 80, and a mail is sent).

But I'm pretty sure that the issue is on IDM 4.0.x, because we don't see any
rule in Designer to make it.


--
TellierS

Re: Assign Role to Group in a driver

On 10/30/2013 03:51 PM, Geoffrey Carman wrote:
> Watch me really annoy Steve. 🙂
>
> In the RRSD, if you know the scope of the objects, you could add a
> sub-event policy that transformed the nrfCategory value. 🙂
>
> But Steve will note this will invalidate support. 🙂 Just saying....
>
>

Greetings,
I can reproduce the "problem" using soapUI. In that if I outline
USER_TO_ROLE and provide a Group then the Role Request itself will fail
with the 80. If I provide GROUP_TO_ROLE as the assignmentType and
provide a group it works correctly.

This is most definitely a bug in the IDM add-role action. They need
to allow for all of the correct assignmentType values or outline that
the add and remove role actions can only be used on "users".





--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
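
A check built on the request objects posted in this thread, as an added example that is not part of the original posts and is not NetIQ code: it parses an LDIF export of nrfRequest objects (rejoining folded lines) and flags requests whose nrfCategory does not fit the kind of object named in nrfTargetDN. Assumptions: 10/15 is the user category pair, the target-kind lookup is supplied by the caller, and every DN in the sample is a constructed placeholder.

```python
# Added example. Categories as reported in the thread: 30/35 = group grant/revoke,
# 40 = container. 10/15 is assumed to be the user pair; 80 is the failed status.
EXPECTED = {"user": {"10", "15"}, "group": {"30", "35"}, "container": {"40"}}

def parse_ldif(text):
    """Return entries as {attr: [values]}; folded (continuation) lines are rejoined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]  # LDIF continuation: drop the one leading space
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.lstrip(":").strip())
        elif not line.strip() and cur:
            entries.append(cur)
            cur = {}
    return entries

def norm_dn(dn):
    # Case-insensitive comparison key; escaped commas in RDN values are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_mismatches(ldif_text, target_kinds):
    """Flag nrfRequest entries whose nrfCategory does not fit the target's kind."""
    findings = []
    for e in parse_ldif(ldif_text):
        if "nrfrequest" not in (v.lower() for v in e.get("objectclass", [])):
            continue
        target = e.get("nrftargetdn", [""])[0]
        kind = target_kinds.get(norm_dn(target))  # None: target type unknown, skip
        category = e.get("nrfcategory", [""])[0]
        if kind and category not in EXPECTED[kind]:
            failed = e.get("nrfstatus", [""])[0] == "80"
            findings.append({"dn": e.get("dn", [""])[0], "kind": kind,
                             "category": category, "failed": failed})
    return findings

# Constructed sample export and hypothetical target lookup; DNs are placeholders.
SAMPLE_LDIF = """\
dn: cn=req-1,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApp,
 cn=DriverSet,o=example
objectClass: nrfRequest
nrfStatus: 80
nrfCategory: 10
nrfTargetDN: cn=HelpDesk,ou=Groups,o=example

dn: cn=req-2,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApp,cn=DriverSet,o=example
objectClass: nrfRequest
nrfStatus: 50
nrfCategory: 30
nrfTargetDN: cn=HelpDesk,ou=Groups,o=example

dn: cn=req-3,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApp,cn=DriverSet,o=example
objectClass: nrfRequest
nrfStatus: 80
nrfCategory: 10
nrfTargetDN: ou=Contractors,o=example
"""
SAMPLE_KINDS = {"cn=helpdesk,ou=groups,o=example": "group",
                "ou=contractors,o=example": "container"}
```

In a real directory the `target_kinds` lookup would be filled by reading the objectClass of each nrfTargetDN before running the check.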