rhaeber

Can't read DirXML-EntitlementRef in LoopBack driver

Hi,

For a few weeks now, probably since the upgrade to Identity Manager 4.7, the attribute DirXML-EntitlementRef can no longer be read in the LoopBack driver. That has put us in a lot of trouble.
A rights problem can be excluded; the driver runs with security equivalence to the admin user. It seems to work in the other driver types used. The current workaround is an LDAP query into the identity vault to get the attribute.
Has anyone else had similar experiences and an idea of what is behind it?

Thanks,
Robert
Accepted Solution
rmkreddy

Re: Can't read DirXML-EntitlementRef in LoopBack driver

In IDM 4.7, the treatment of this attribute is changed. By default, any driver would receive events only on the changes of that driver's entitlements. If you want a driver to receive events on other drivers' entitlements, set the ECV (Ignore Entitlement Changes of other drivers) to false for that driver (the LoopBack driver in this case).

Regards,
Mahesh

19 Replies
geoffc (Knowledge Partner)

Re: Can't read DirXML-EntitlementRef in LoopBack driver

On 6/13/2018 8:26 AM, rhaeber wrote:
>
> Hi,
>
> since a few weeks, probably since the upgrade to Identity Manager 4.7,
> the attribute DirXML-EntitlementRef can no longer be read in the
> LoopBack driver. That put us in a lot of trouble.
> A rights problem can be excluded, the driver runs in security
> equivalence to the admin user. It seems to work in the other driver
> types used. The current workaround is an LDAP query into the identity
> vault to get the attribute.
> Has anyone else had similar experiences and an idea of what is behind
> it?


So you think it is shim or engine? I.e., port the code into some other
driver; does it work?

David Gersic ran into an issue where DirXML-Associations and
DirXML-AssociationsLite do not query quite correctly; the engine tries
to help by cleaning up. EntitlementRef would make sense to do something
similar.



rhaeber

Re: Can't read DirXML-EntitlementRef in LoopBack driver

Sorry, I was wrong. The issue is that the result of a query for the attribute DirXML-EntitlementRef now contains only the values with a reference to the driver's own entitlements.
Since there are no entitlements defined on our LoopBack driver, nothing is returned.

On the one hand this makes it much more manageable to read a trace (not for me, because I had already created a package to filter DirXML-EntitlementRef values :cool:); on the other hand it's now more difficult to deal with entitlements of other drivers as the LoopBack does, which provides for us the functionality of a self-made entitlement service driver for linked User and Organizational Role objects. But the LDAP query will be a good workaround.
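The LDAP-query workaround mentioned in the original post, and the behaviour rhaeber describes here, both come down to the same thing: once the raw DirXML-EntitlementRef values are read from the vault, the policy has to do the per-driver scoping that the 4.7 engine now does for it. The following Python is an added example (not code from this thread, from Micro Focus, or from any IDM package). It assumes the LDAP string form of this path-syntax attribute is `<state>#<entitlement DN>#<payload>` with state 1 meaning granted and 0 revoked, a payload rooted at `<ref>`, and an entitlement object sitting directly under its driver object; the driver DNs and sample values are constructed. With `driver_dn=None` it returns every reference (the pre-4.7 query result); with a driver DN it keeps only that driver's entitlements (the 4.7 default).

```python
"""Scope DirXML-EntitlementRef values per driver, on values read raw via LDAP.

Assumed LDAP string form (path syntax): "<state>#<entitlement DN>#<payload>"
  state   : "1" granted, "0" revoked
  DN      : cn=<entitlement>,cn=<driver>,cn=<driver set>,o=<...>
  payload : XML fragment rooted at <ref>, possibly empty
The sample values below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
import xml.etree.ElementTree as ET


@dataclass
class EntitlementRef:
    granted: bool
    entitlement_dn: str
    driver_dn: str
    payload: dict = field(default_factory=dict)  # <ref> children, tag -> text


def split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas; a backslash escapes the next character."""
    rdns: list[str] = []
    buf: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def parse_entitlement_ref(value: str) -> EntitlementRef:
    """Parse one attribute value; raise ValueError on anything malformed."""
    # Split on the first two '#' only: the XML payload may itself contain '#'.
    parts = value.split("#", 2)
    if len(parts) != 3:
        raise ValueError(f"not a DirXML-EntitlementRef value: {value!r}")
    state, ent_dn, payload = parts
    if state not in ("0", "1"):
        raise ValueError(f"unexpected entitlement state {state!r}")
    rdns = split_rdns(ent_dn)
    # Assumption: the entitlement object lives directly under its driver object.
    if len(rdns) < 2 or not rdns[0].lower().startswith("cn="):
        raise ValueError(f"unexpected entitlement DN {ent_dn!r}")
    driver_dn = ",".join(rdns[1:])
    fields: dict = {}
    if payload.strip():
        root = ET.fromstring(payload)
        if root.tag != "ref":
            raise ValueError(f"unexpected payload root <{root.tag}>")
        for child in root:  # e.g. <src>, <id>, <param>; a repeated tag keeps the last text
            fields[child.tag] = (child.text or "").strip()
    return EntitlementRef(state == "1", ent_dn, driver_dn, fields)


def scope_refs(values, driver_dn=None, granted_only=False) -> list[EntitlementRef]:
    """driver_dn=None returns every reference; a driver DN keeps only that
    driver's entitlements. DNs are compared case-insensitively, as eDirectory does."""
    refs = [parse_entitlement_ref(v) for v in values]
    if driver_dn is not None:
        wanted = driver_dn.lower()
        refs = [r for r in refs if r.driver_dn.lower() == wanted]
    if granted_only:
        refs = [r for r in refs if r.granted]
    return refs


# Constructed sample: what an LDAP read of one user's DirXML-EntitlementRef might return.
AD_DRIVER = "cn=Active Directory Driver,cn=DriverSet,o=system"
LOOPBACK_DRIVER = "cn=Loopback Driver,cn=DriverSet,o=system"
SAMPLE_VALUES = [
    f"1#cn=UserAccount,{AD_DRIVER}#<ref><src>NRF</src><id>corp-users</id></ref>",
    f"0#cn=Group,{AD_DRIVER}#<ref><src>NRF</src><id>cn=Finance,ou=Groups,dc=corp</id></ref>",
    f"1#cn=OrgRole,{LOOPBACK_DRIVER}#<ref><src>UA</src><id>org-role-42</id><param>linked</param></ref>",
    f"1#cn=Legacy,{AD_DRIVER}#",  # empty payload
]

if __name__ == "__main__":
    print("all:", [r.entitlement_dn for r in scope_refs(SAMPLE_VALUES)])
    print("loopback only:", [r.entitlement_dn for r in scope_refs(SAMPLE_VALUES, LOOPBACK_DRIVER)])
    print("AD granted:", [r.entitlement_dn for r in scope_refs(SAMPLE_VALUES, AD_DRIVER, granted_only=True)])
```

Splitting the value on the first two `#` only matters: the payload is free-form XML and may contain the separator itself, and the `<id>` of a group entitlement is commonly a DN with commas, which is why the DN is split with an escape-aware splitter rather than `str.split(",")`.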
Knowledge Partner

Re: Can't read DirXML-EntitlementRef in LoopBack driver

On 6/13/2018 2:24 PM, rhaeber wrote:
>
> Sorry, I was wrong. The issue is that the result of a query for the
> attribute DirXML-EntitlementRef now contains only the values with a
> reference to the driver's own entitlements.
> Since there are no entitlements defined on our LoopBack driver, nothing
> is returned.
>
> On the one hand this makes it much more manageable to read a trace (not
> for me, because I had already created a package to filter
> DirXML-EntitlementRef values :cool:); on the other hand it's now more
> difficult to deal with entitlements of other drivers as the LoopBack
> does, which provides for us the functionality of a self-made
> entitlement service driver for linked User and Organizational Role
> objects. But the LDAP query will be a good workaround.


So similar to David's issue they tried to help, in the engine. Which in
general is useful, except for when it isn't.

I would report this in an SR. Some kind of per query add on would be
useful to enable it. (Not an ECV, since to be most useful you would want
to use both approaches in one driver)


Knowledge Partner

Re: Can't read DirXML-EntitlementRef in LoopBack driver

rhaeber wrote:

> On the one hand this makes it much more manageable to read a trace (not
> for me, because I had already created a package to filter
> DirXML-EntitlementRef values :cool:); on the other hand it's now more
> difficult to deal with entitlements of other drivers as the LoopBack
> does, which provides for us the functionality of a self-made
> entitlement service driver for linked User and Organizational Role
> objects. But the LDAP query will be a good workaround.


I also created a policy/package to filter unnecessary entitlements/assocs (that
don't relate to the current driver).
However, this can be useful sometimes, and there absolutely needs to be an option to
query *everything* even if the default is to filter.

Alex McHugh - Knowledge Partner - Stavanger, Norway
ethierba

Re: Can't read DirXML-EntitlementRef in LoopBack driver

rhaeber;2482451 wrote:
The issue is that the result of a query for the attribute DirXML-EntitlementRef now contains only the values with a reference to the driver's own entitlements.
Since there are no entitlements defined on our LoopBack driver, nothing is returned.


We just bumped into this (ouch!), and changing the ECV Mahesh mentioned doesn't seem to affect the query. We still don't get back DirXML-EntitlementRefs referencing other drivers. This worked fine before the 4.7 upgrade.

Anyone have an idea, or is it SR time?

Thanks!
-Ed-
ethierba

Re: Can't read DirXML-EntitlementRef in LoopBack driver

ethierba;2487151 wrote:
We just bumped into this (ouch!), and changing the ECV Mahesh mentioned doesn't seem to affect the query. We still don't get back DirXML-EntitlementRefs referencing other drivers. This worked fine before the 4.7 upgrade.
-Ed-


An update for posterity: After restarting our "test case" driver a second time, with the ECV still changed to 'false', our query started getting back all DirXML-EntitlementRefs, restoring pre-4.7 behavior. Doing the same thing with another driver also restored the old behavior.

Dear MicroFocus: Please, when you add stuff like this, make the default behavior the same as the old behavior. You broke many of our drivers with this.

This is the second major problem we found with 4.7. Let me just say your corporate image is suffering a little in our shop. One manager has already mentioned the dreaded words "another product".

-Ed-
dgersic (Knowledge Partner)

Re: Can't read DirXML-EntitlementRef in LoopBack driver

geoffc;2482434 wrote:
On 6/13/2018 8:26 AM, rhaeber wrote:
>
> Hi,
>
> since a few weeks, probably since the upgrade to Identity Manager 4.7,
> the attribute DirXML-EntitlementRef can no longer be read in the
> LoopBack driver. That put us in a lot of trouble.
> A rights problem can be excluded, the driver runs in security
> equivalence to the admin user. It seems to work in the other driver
> types used. The current workaround is an LDAP query into the identity
> vault to get the attribute.
> Has anyone else had similar experiences and an idea of what is behind
> it?


So you think it is shim or engine? I.e., port the code into some other
driver; does it work?

David Gersic ran into an issue where DirXML-Associations and
DirXML-AssociationsLite do not query quite correctly; the engine tries
to help by cleaning up. EntitlementRef would make sense to do something
similar.


Yeah, that was fun. I was trying to work around a problem introduced by somebody else's business logic that removes the DirXML-Associations attribute on user terminate. (Side note: I hate this idea, please don't do this.) To get around it, I decided to stash a copy of this driver's association in the DirXML-AssociationsLite attribute, then if I get an unassociated modify, grab the stashed association value, and put it back in to the event so that the otherwise orphaned user in the connected system gets updated correctly.

The problem is that if you query for DirXML-AssociationsLite, the engine tries to help, and instead of giving you what you asked for, it gives you the values of DirXML-Associations. (Side note: I hate it when technology tries to "help" like this. If I asked for a fork, don't give me a claw hammer and claim to have "helped" me.) So, because DirXML-Associations has been removed, my query returned nothing.

Turns out that if you query for DirXML-AssociationsLite and DirXML-Associations, that bypasses the engine being helpful and you get what you asked for. That's an undocumented feature, at least as of when I was working on this.
Knowledge Partner

Re: Can't read DirXML-EntitlementRef in LoopBack driver

dgersic <dgersic@no-mx.forums.microfocus.com> wrote:
>
> Yeah, that was fun. I was trying to work around a problem introduced by
> somebody else's business logic that removes the DirXML-Associations
> attribute on user terminate. (Side note: I hate this idea, please don't
> do this.)

It is sometimes necessary. The licensing model is stupid and encourages one
to stop managing users as soon as possible. Removing associations on
inactive users is generally safe. Yes, it does complicate matching and
reactivation somewhat.

I recall there is another (generally unused) attribute that I have seen
others use as a temporary stash attribute for blobs: masvAuthorizedRange.
This might make more sense than using two attrs that overlap (Associations
and AssociationsLite).
Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Can't read DirXML-EntitlementRef in LoopBack driver

On 6/21/2018 5:03 PM, Alex McHugh wrote:
> dgersic <dgersic@no-mx.forums.microfocus.com> wrote:
>>
>> Yeah, that was fun. I was trying to work around a problem introduced by
>> somebody else's business logic that removes the DirXML-Associations
>> attribute on user terminate. (Side note: I hate this idea, please don't
>> do this.)
>
> It is sometimes necessary. The licensing model is stupid and encourages one
> to stop managing users as soon as possible. Removing associations on
> inactive users is generally safe. Yes, it does complicate matching and
> reactivation somewhat.
>
> I recall there is another (generally unused) attribute that I have seen
> others use as a temporary stash attribute for blobs: masvAuthorizedRange.
> This might make more sense than using two attrs that overlap (Associations
> and AssociationsLite).


Agreed, the licensing model is kind of painful and dumb.

Knowledge Partner

Re: Can't read DirXML-EntitlementRef in LoopBack driver

alexmchugh;2482893 wrote:
dgersic <dgersic@no-mx.forums.microfocus.com> wrote:
>
> Yeah, that was fun. I was trying to work around a problem introduced by
> somebody else's business logic that removes the DirXML-Associations
> attribute on user terminate. (Side note: I hate this idea, please don't
> do this.)

It is sometimes necessary. The licensing model is stupid and encourages one
to stop managing users as soon as possible. Removing associations on
inactive users is generally safe. Yes, it does complicate matching and
reactivation somewhat.

I recall there is another (generally unused) attribute that I have seen
others use as a temporary stash attribute for blobs: masvAuthorizedRange.
This might make more sense than using two attrs that overlap (Associations
and AssociationsLite).


"Necessary" I disagree with. It may be cheaper to do that, but cheaper isn't necessarily better. The association value reflects reality, if the object exists in the connected system, there should be an association there, so that it can be managed or deleted or dealt with. If you want to clean up, remove the connected object, that's the right thing to do. Simply orphaning all of the connected objects is bad practice, IMHO, even if it is cheaper.