mjg2xw
New Member.

Automatically creation of resource from AD Groups

Hi

Is there any way on creating "Resources" in UserApp/resource catalog from a corresponding AD group automatically, and assign the Entitlement Value?

/Michael
Knowledge Partner

Re: Automatically creation of resource from AD Groups

You need to create a policy in the AD driver for this.
There is a create resource token you can use, I believe.
mjg2xw
New Member.

Re: Automatically creation of resource from AD Groups

Hi

Many thanks for your reply :)

I will take a closer look at the CPRS stuff.

/michael
iampranavpg
New Member.

Re: Automatically creation of resource from AD Groups

Hi

We have upgraded from 4.6 (PCRS) to 4.7 (CPRS). It won't create the resource automatically in 4.7. We have manually created a dynamic resource for the group. CPRS gives you two options: first compute and then publish. You can choose which entitlements you want to publish in IDM. I don't find it useful, but still better
mjg2xw
New Member.

Re: Automatically creation of resource from AD Groups

iampranavpg;2497998 wrote:
Hi

We have upgraded from 4.6 (PCRS) to 4.7 (CPRS). It won't create the resource automatically in 4.7. We have manually created a dynamic resource for the group. CPRS gives you two options: first compute and then publish. You can choose which entitlements you want to publish in IDM. I don't find it useful, but still better



Hi

Thanks for the feedback

/Michael
sma2006 Outstanding Contributor.

Re: Automatically creation of resource from AD Groups

Here is a rule that creates a Resource with an Entitlement:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer47\plugins\com.novell.idm.policybuilder_4.0.0.201812171538\DTD\dirxmlscript4.7.2.dtd">
<policy>
  <rule>
    <description>test rule</description>
    <!-- Test trigger: fires when Description changes to "testres" -->
    <conditions>
      <and>
        <if-op-attr mode="nocase" name="Description" op="changing-to">testres</if-op-attr>
      </and>
    </conditions>
    <actions>
      <do-create-resource id="cn=uaadmin,ou=users,o=data" resource-name="group5idm5" time-out="0" url="~UAProvURL~">
        <!-- Password for the account in id=; here it is a literal in the policy text.
             A Named Password (token-named-password) keeps it out of the policy XML. -->
        <arg-password>
          <token-text xml:space="preserve">novell</token-text>
        </arg-password>
        <arg-string name="description">
          <token-text xml:space="preserve">testgroupeb</token-text>
        </arg-string>
        <arg-string name="display-name">
          <token-text xml:space="preserve">testgroupeB</token-text>
        </arg-string>
        <!-- Entitlement object on the AD driver that the resource maps to -->
        <arg-string name="entitlement-dn">
          <token-text xml:space="preserve">cn=Group,cn=Active Directory Driver,cn=driverset,ou=services,o=system</token-text>
        </arg-string>
        <!-- Entitlement value: JSON with the group's ID and its DN (ID2) -->
        <arg-string name="entitlement-value">
          <token-text xml:space="preserve">{"ID":"94ce357c931caa4eb47de7aa7081adef","ID2":"CN=group5idm5,OU=groups,OU=test,DC=demo,DC=com"}</token-text>
        </arg-string>
      </do-create-resource>
    </actions>
  </rule>
</policy>

You can set this rule in the publisher channel of your AD driver and get the entitlement value from the AD group.

I have already tested this rule successfully.

Hope this will help.

Sylvain
mjg2xw
New Member.

Re: Automatically creation of resource from AD Groups

Hi

Many thanks:)

/Michael
sma2006 Outstanding Contributor.

Re: Automatically creation of resource from AD Groups

Here is the full rule that creates the resource when an AD group is created (in Input Transformation):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policy PUBLIC "policy-builder-dtd" "C:\netiq\idm\apps\Designer47\plugins\com.novell.idm.policybuilder_4.0.0.201812171538\DTD\dirxmlscript4.7.2.dtd">
<policy>
  <rule>
    <description>Create resource when new group is ADDED - xxxx </description>
    <!-- Only add events for Group objects under the configured group container -->
    <conditions>
      <and>
        <if-operation mode="nocase" op="equal">add</if-operation>
        <if-class-name mode="nocase" op="equal">Group</if-class-name>
        <if-src-dn op="in-container">~drv.group.container~</if-src-dn>
      </and>
    </conditions>
    <actions>
      <!-- Association of the new group, used as the "ID" in the entitlement value -->
      <do-set-local-variable name="groupGUID" scope="policy">
        <arg-string>
          <token-association/>
        </arg-string>
      </do-set-local-variable>
      <do-set-local-variable name="groupName" scope="policy">
        <arg-string>
          <token-src-name/>
        </arg-string>
      </do-set-local-variable>
      <do-set-local-variable name="resourceName" scope="policy">
        <arg-string>
          <token-text xml:space="preserve">AD_Group_Resource_</token-text>
          <token-local-variable name="groupName"/>
        </arg-string>
      </do-set-local-variable>
      <do-create-resource id="cn=uaadmin,ou=users,o=data" resource-name="$resourceName$" time-out="0" url="~UAProvURL~">
        <!-- Password for the account in id=; here it is a literal in the policy text.
             A Named Password (token-named-password) keeps it out of the policy XML. -->
        <arg-password>
          <token-text xml:space="preserve">novell</token-text>
        </arg-password>
        <arg-string name="description">
          <token-text xml:space="preserve">AD_Group_Resource_</token-text>
          <token-local-variable name="groupName"/>
        </arg-string>
        <arg-string name="display-name">
          <token-text xml:space="preserve">AD_Group_Resource_</token-text>
          <token-local-variable name="groupName"/>
        </arg-string>
        <arg-string name="entitlement-dn">
          <token-text xml:space="preserve">cn=Group,cn=Active Directory Driver,cn=driverset,ou=services,o=system</token-text>
        </arg-string>
        <!-- JSON built by concatenation: ID from the association, ID2 from the
             group name plus a fixed OU/DC suffix -->
        <arg-string name="entitlement-value">
          <token-text xml:space="preserve">{"ID":"</token-text>
          <token-local-variable name="groupGUID"/>
          <token-text xml:space="preserve">","ID2":"CN=</token-text>
          <token-local-variable name="groupName"/>
          <token-text xml:space="preserve">,OU=groups,OU=xxxx,DC=demoxxxx,DC=com"}</token-text>
        </arg-string>
      </do-create-resource>
    </actions>
  </rule>
</policy>
0 Likes
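An added example, not part of the post above or of the product: a Python check that can be run over policies like these before deployment. It flags a literal password under arg-password and tests whether the concatenated entitlement-value is still valid JSON for a given group name. The sample policy is constructed from the shape of the posted rule (example DNs), and the names render and audit_policy are hypothetical.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the shape of the rule posted above, trimmed, example DNs.
SAMPLE_POLICY = """<policy><rule><actions>
<do-create-resource id="cn=uaadmin,ou=users,o=data" resource-name="$resourceName$" url="~UAProvURL~">
<arg-password><token-text xml:space="preserve">novell</token-text></arg-password>
<arg-string name="entitlement-value">
<token-text xml:space="preserve">{"ID":"</token-text>
<token-local-variable name="groupGUID"/>
<token-text xml:space="preserve">","ID2":"CN=</token-text>
<token-local-variable name="groupName"/>
<token-text xml:space="preserve">,OU=groups,DC=example,DC=com"}</token-text>
</arg-string>
</do-create-resource>
</actions></rule></policy>"""


def render(arg, variables):
    """Join an argument's tokens as the policy would, with test values."""
    parts = []
    for tok in arg:
        if tok.tag == "token-text":
            parts.append(tok.text or "")
        elif tok.tag == "token-local-variable":
            parts.append(variables.get(tok.get("name"), ""))
    return "".join(parts)


def audit_policy(xml_text, variables):
    """Return (resource-name, finding) pairs for each do-create-resource."""
    findings = []
    for action in ET.fromstring(xml_text).iter("do-create-resource"):
        name = action.get("resource-name")
        # Literal text under arg-password is a credential stored in the policy.
        if action.find("arg-password/token-text") is not None:
            findings.append((name, "literal password in arg-password"))
        value = action.find("arg-string[@name='entitlement-value']")
        if value is not None:
            try:
                json.loads(render(value, variables))
            except json.JSONDecodeError:
                findings.append((name, "entitlement-value is not valid JSON"))
    return findings


if __name__ == "__main__":
    for name in ("group5idm5", 'Sales "EMEA"'):
        test_values = {"groupGUID": "94ce357c931caa4eb47de7aa7081adef", "groupName": name}
        print(name, audit_policy(SAMPLE_POLICY, test_values))
```

A group name containing a double quote breaks the concatenated JSON, so the second test value produces both findings.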
Knowledge Partner

Re: Automatically creation of resource from AD Groups

mJg2XW <mJg2XW@no-mx.forums.microfocus.com> wrote:
>
> Hi
>
> Is there any way on creating "Resources" in UserApp/resource catalog
> from a corresponding AD group automatically, and assign the Entitlement
> Value?
>

PCRS did most of this for you (now deprecated.) but used dynamic
entitlement assignments (so just one resource).

The replacement CPRS is new in 4.7 and I haven’t tried it out but should do
the same (it is reengineered to handle more groups in AD without choking)


Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Automatically creation of resource from AD Groups

Alex McHugh <alexmchugh@no-mx.forums.microfocus.com> wrote:
> mJg2XW <mJg2XW@no-mx.forums.microfocus.com> wrote:
>>
>
> PCRS did most of this for you (now deprecated.) but used dynamic
> entitlement assignments (so just one resource).
>
> The replacement CPRS is new in 4.7 and I haven’t tried it out but should do
> the same (it is reengineered to handle more groups in AD without choking)
>
>


Note: you should not need to add any policy to your AD driver. Just
configure the relevant GCVs and follow the documented procedures. A good
place to start is here:

https://www.netiq.com/communities/cool-solutions/cprs-controlled-permission-reconciliation-service-understanding-feature-whats-new-advantage-usage/

Still one resource with dynamic entitlements (again scales better). I
prefer to use static entitlements in some scenarios.



Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Automatically creation of resource from AD Groups

On 2019-01-12 18:04, mJg2XW wrote:
>
> Hi
>
> Is there any way on creating "Resources" in UserApp/resource catalog
> from a corresponding AD group automatically, and assign the Entitlement
> Value?
>
> /Michael
>
>

Hello,

We do it with custom policies on the publisher channel that call a
workflow that in turn calls an integration activity that uses SOAP
against the User Application to create the resources.

If you use a modern IDM version you could skip the workflow and create
the resource directly from the policy builder.


-alekz

Knowledge Partner

Re: Automatically creation of resource from AD Groups

alekz <alekz@no-mx.forums.microfocus.com> wrote:
> On 2019-01-12 18:04, mJg2XW wrote:
>>
>> Hi
>>
>> Is there any way on creating "Resources" in UserApp/resource catalog
>> from a corresponding AD group automatically, and assign the Entitlement
>> Value?
>>
>> /Michael
>>
>>

> Hello,
>
> We do it with custom policies on the publisher channel that call a
> workflow that in turn calls an integration activity that uses SOAP
> against the User Application to create the resources.
>
> If you use a modern IDM version you could skip the workflow and create
> the resource directly from the policy builder.
>


We do similar (WF, integration activity), but move such logic to a separate
driver, keeping the AD driver for just data transport as much as possible.

There are still some limitations on the tokens vs the SOAP calls. For
resources IIRC you can’t specify a custom container.

Also, as I said. In theory you only need 1 resource with dynamic
entitlements, but that might not suit your overall design.


Alex McHugh - Knowledge Partner - Stavanger, Norway