Highlighted
Absent Member.
Absent Member.
1679 views

Can't read DirXML-EntitlementRef in LoopBack driver

Jump to solution
Hi,

since a few weeks, probably since the upgrade to Identity Manager 4.7, the attribute DirXML-EntitlementRef can no longer be read in the LoopBack driver. That put us in a lot of trouble.
A rights problem can be excluded, the driver runs in security equivalence to the admin user. It seems to work in the other driver types used. The current workaround is an LDAP query into the identity vault to get the attribute.
Has anyone else had similar experiences and an idea of what is behind it?

Thanks,
Robert
Labels (1)
20 Replies
Highlighted
Absent Member.
Absent Member.
In IDM 4.7, the treatment of this attribute is changed. By default, any driver would receive events only on the changes of that driver’s entitlements. If you want a driver to receive events on other driver’s entitlements, set the ECV( Ignore Entitlement Changes of other drivers) to false for that driver(LoopBack driver in this case).

Regards,
Mahesh

View solution in original post

Highlighted
Knowledge Partner
Knowledge Partner
On 6/21/2018 1:54 PM, rmkreddy wrote:
> n IDM 4.7, the treatment of this attribute is changed. By default, any
> driver would receive events only on the changes of that driver�s
> entitlements. If you want a driver to receive events on other driver�s
> entitlements, set the ECV( Ignore Entitlement Changes of other drivers)
> to false for that driver(LoopBack driver in this case).


I was afraid this was the case.

On the one hand, I do like this feature. I do like that it is
configurable, however, I would love a tiny bit more subtlety in the
configuration.

On the one hand, doing it per driver is one thing, but I would prefer, a
way, in a query, perhaps a pseudo attribute that would tell the engine
to return all.

I.e. Query for DirXML-EntitlementRef and return attribute [AllDrivers]
or somesuch to allow you to override it for a specific query. That
would be helpful.

0 Likes
Highlighted
Knowledge Partner
Knowledge Partner
Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
> On 6/21/2018 1:54 PM, rmkreddy wrote:
>> n IDM 4.7, the treatment of this attribute is changed. By default, any
>> driver would receive events only on the changes of that driver�s
>> entitlements. If you want a driver to receive events on other driver�s
>> entitlements, set the ECV( Ignore Entitlement Changes of other drivers)
>> to false for that driver(LoopBack driver in this case).

>
> I was afraid this was the case.
>
> On the one hand, I do like this feature. I do like that it is
> configurable, however, I would love a tiny bit more subtlety in the
> configuration.
>
> On the one hand, doing it per driver is one thing, but I would prefer, a
> way, in a query, perhaps a pseudo attribute that would tell the engine
> to return all.
>
> I.e. Query for DirXML-EntitlementRef and return attribute [AllDrivers]
> or somesuch to allow you to override it for a specific query. That
> would be helpful.
>


I am super happy with this change as-is. It will fix a lot of odd issues in
edge case scenarios.

Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
Highlighted
Knowledge Partner
Knowledge Partner
rmkreddy wrote:

> By default, any
> driver would receive events only on the changes of that driver�s
> entitlements.


So even for existing drivers you default to filtered events? That this would
break a lot driver logic seems obvious, almost all of my customers have at
least one driver that reads other driver's associations.
I'd really prefer to see this as a default for new drivers only while any
existing updated driver should stick with the old behavior.

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Highlighted
Knowledge Partner
Knowledge Partner
Lothar Haeger <lothar.haeger@is4it.de> wrote:
> rmkreddy wrote:
>
> So even for existing drivers you default to filtered events? That this would
> break a lot driver logic seems obvious, almost all of my customers have at
> least one driver that reads other driver's associations.
> I'd really prefer to see this as a default for new drivers only while any
> existing updated driver should stick with the old behavior.
>


This spears to only be for entitlements. At least as mentioned here.

David confused the issue talking about the engine changes for
dirxml-associationslite. Which is a completely different change that
shipped in an earlier IDM release.
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
Highlighted
Knowledge Partner
Knowledge Partner
alexmchugh;2482886 wrote:
Lothar Haeger <lothar.haeger@is4it.de> wrote:
> rmkreddy wrote:
>
> So even for existing drivers you default to filtered events? That this would
> break a lot driver logic seems obvious, almost all of my customers have at
> least one driver that reads other driver's associations.
> I'd really prefer to see this as a default for new drivers only while any
> existing updated driver should stick with the old behavior.
>


This spears to only be for entitlements. At least as mentioned here.

David confused the issue talking about the engine changes for
dirxml-associationslite. Which is a completely different change that
shipped in an earlier IDM release.


Blame Geoff for the thread drift. I just filled in the details.
0 Likes
Highlighted
Knowledge Partner
Knowledge Partner
>> This spears to only be for entitlements. At least as mentioned here.
>>
>> David confused the issue talking about the engine changes for
>> dirxml-associationslite. Which is a completely different change that
>> shipped in an earlier IDM release.

>
> Blame Geoff for the thread drift. I just filled in the details.


Oh sure, blame me. What else is new. 🙂

I am the master of the drift.

0 Likes
Highlighted
Knowledge Partner
Knowledge Partner
Alex McHugh wrote:

> This spears to only be for entitlements. At least as mentioned here.


I'm sorry, mixed up attributes, nothing to do with David's detour, though.
Please ignore. :

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Highlighted
Knowledge Partner
Knowledge Partner
On 6/21/2018 4:50 PM, Lothar Haeger wrote:
> Alex McHugh wrote:
>
>> This spears to only be for entitlements. At least as mentioned here.

>
> I'm sorry, mixed up attributes, nothing to do with David's detour, though.
> Please ignore. :


We are used to your being confused. No worries.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.