Anonymous_User Absent Member.
Absent Member.
236 views

Change of category using LDAP


Hi.

We have a lot of roles we want to change category for.
Is there any reason for not exporting the list in a LDAP tool and change
attribute category and import new list?

Regards
Sondre Johannessen


--
sonjoh
------------------------------------------------------------------------
sonjoh's Profile: https://forums.netiq.com/member.php?userid=8051
View this thread: https://forums.netiq.com/showthread.php?t=51675

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Change of category using LDAP

sonjoh wrote:

>
> We have a lot of roles we want to change category for.
> Is there any reason for not exporting the list in a LDAP tool and change
> attribute category and import new list?


Just to clarify, is this a supported method or are there references in the database that won't be updated if we only change this via LDAP?
The new role category is already defined in role category list and there are no localizations involved.
IDM 4.0.2 UA Patch C

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Knowledge Partner
Knowledge Partner

Re: Change of category using LDAP

On 9/4/2014 11:40 AM, Alex McHugh wrote:
> sonjoh wrote:
>
>>
>> We have a lot of roles we want to change category for.
>> Is there any reason for not exporting the list in a LDAP tool and change
>> attribute category and import new list?

>
> Just to clarify, is this a supported method or are there references in the database that won't be updated if we only change this via LDAP?
> The new role category is already defined in role category list and there are no localizations involved.
> IDM 4.0.2 UA Patch C


Steve is not here right now. (Dunno why he has been away this last
week, but I will guess vacation, so let me put on my Steve hat, since I
am pretty sure he will tell you this would not be supported).

The better way would be to do it via SOAP, if there is such a call.
(Which I honestly have no idea, I suppose I could look...)

Looks like it is in the Role service, which if I recall, is not quite
listed on the Admin page, at least back in the 4.01 days, and was quite
annoying.

Anyway, the WSDL says something like this SOAP call:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ser="http://www.novell.com/role/service">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:modifyRoleRequest>
      <!--Optional:-->
      <ser:role>
        <ser:approvers>
          <!--Zero or more repetitions:-->
          <ser:approver>
            <ser:approverDN>?</ser:approverDN>
            <ser:sequence>?</ser:sequence>
          </ser:approver>
        </ser:approvers>
        <ser:associatedRoles>
          <!--Zero or more repetitions:-->
          <ser:dnstring>
            <ser:dn>?</ser:dn>
          </ser:dnstring>
        </ser:associatedRoles>
        <ser:childRoles>
          <!--Zero or more repetitions:-->
          <ser:dnstring>
            <ser:dn>?</ser:dn>
          </ser:dnstring>
        </ser:childRoles>
        <ser:description>?</ser:description>
        <ser:entitlementRef>
          <!--Zero or more repetitions:-->
          <ser:entitlement>
            <ser:entitlementDn>?</ser:entitlementDn>
            <ser:entitlementParameters>?</ser:entitlementParameters>
          </ser:entitlement>
        </ser:entitlementRef>
        <ser:entityKey>?</ser:entityKey>
        <ser:implicitContainers>
          <!--Zero or more repetitions:-->
          <ser:dnstring>
            <ser:dn>?</ser:dn>
          </ser:dnstring>
        </ser:implicitContainers>
        <ser:implicitGroups>
          <!--Zero or more repetitions:-->
          <ser:dnstring>
            <ser:dn>?</ser:dn>
          </ser:dnstring>
        </ser:implicitGroups>
        <ser:name>?</ser:name>
        <ser:owners>
          <!--Zero or more repetitions:-->
          <ser:dnstring>
            <ser:dn>?</ser:dn>
          </ser:dnstring>
        </ser:owners>
        <ser:parentRoles>
          <!--Zero or more repetitions:-->
          <ser:dnstring>
            <ser:dn>?</ser:dn>
          </ser:dnstring>
        </ser:parentRoles>
        <ser:quorum>?</ser:quorum>
        <ser:requestDef>?</ser:requestDef>
        <ser:roleAssignments>
          <!--Zero or more repetitions:-->
          <ser:roleassignment>
            <ser:assignmentType>?</ser:assignmentType>
            <ser:causeIdentities>
              <!--Zero or more repetitions:-->
              <ser:identitytypednmap>
                <ser:dns>
                  <!--Zero or more repetitions:-->
                  <ser:dnstring>
                    <ser:dn>?</ser:dn>
                  </ser:dnstring>
                </ser:dns>
                <ser:identityType>?</ser:identityType>
              </ser:identitytypednmap>
            </ser:causeIdentities>
            <ser:effectiveDate>?</ser:effectiveDate>
            <ser:expirationDate>?</ser:expirationDate>
            <ser:explicitIdentities>
              <!--Zero or more repetitions:-->
              <ser:dnstring>
                <ser:dn>?</ser:dn>
              </ser:dnstring>
            </ser:explicitIdentities>
            <ser:role>?</ser:role>
          </ser:roleassignment>
        </ser:roleAssignments>
        <ser:roleCategoryKeys>
          <!--Zero or more repetitions:-->
          <ser:categorykey>
            <ser:categoryKey>?</ser:categoryKey>
          </ser:categorykey>
        </ser:roleCategoryKeys>
        <ser:roleLevel>
          <ser:container>?</ser:container>
          <ser:description>?</ser:description>
          <ser:level>?</ser:level>
          <ser:name>?</ser:name>
        </ser:roleLevel>
        <ser:systemRole>?</ser:systemRole>
      </ser:role>
    </ser:modifyRoleRequest>
  </soapenv:Body>
</soapenv:Envelope>

Anything that says Zero or more reps can be stripped out and the key
thing you care about seems to be this element:

<ser:roleCategoryKeys>
  <!--Zero or more repetitions:-->
  <ser:categorykey>
    <ser:categoryKey>?</ser:categoryKey>
  </ser:categorykey>
</ser:roleCategoryKeys>


So you could probably clean up the call to be more simply:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ser="http://www.novell.com/role/service">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:modifyRoleRequest>
      <!--Optional:-->
      <ser:role>
        <ser:approvers>
        </ser:approvers>
        <ser:associatedRoles>
        </ser:associatedRoles>
        <ser:childRoles>
        </ser:childRoles>
        <ser:description>?</ser:description>
        <ser:entitlementRef>
        </ser:entitlementRef>
        <ser:entityKey>?</ser:entityKey>
        <ser:implicitContainers>
        </ser:implicitContainers>
        <ser:implicitGroups>
        </ser:implicitGroups>
        <ser:name>?</ser:name>
        <ser:owners>
        </ser:owners>
        <ser:parentRoles>
        </ser:parentRoles>
        <ser:quorum>?</ser:quorum>
        <ser:requestDef>?</ser:requestDef>
        <ser:roleAssignments>
        </ser:roleAssignments>
        <ser:roleCategoryKeys>
          <!--Zero or more repetitions:-->
          <ser:categorykey>
            <ser:categoryKey>?</ser:categoryKey>
          </ser:categorykey>
        </ser:roleCategoryKeys>
        <ser:roleLevel>
          <ser:container>?</ser:container>
          <ser:description>?</ser:description>
          <ser:level>?</ser:level>
          <ser:name>?</ser:name>
        </ser:roleLevel>
        <ser:systemRole>?</ser:systemRole>
      </ser:role>
    </ser:modifyRoleRequest>
  </soapenv:Body>
</soapenv:Envelope>

It is not 100% clear to me, if the Zero or more rep examples, need the
no-children nodes or not. If not, then more simply:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ser="http://www.novell.com/role/service">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:modifyRoleRequest>
      <!--Optional:-->
      <ser:role>
        <ser:entityKey>?</ser:entityKey>
        <ser:name>?</ser:name>
        <ser:roleCategoryKeys>
          <!--Zero or more repetitions:-->
          <ser:categorykey>
            <ser:categoryKey>?</ser:categoryKey>
          </ser:categorykey>
        </ser:roleCategoryKeys>
        <ser:roleLevel>
          <ser:container>?</ser:container>
          <ser:description>?</ser:description>
          <ser:level>?</ser:level>
          <ser:name>?</ser:name>
        </ser:roleLevel>
        <ser:systemRole>?</ser:systemRole>
      </ser:role>
    </ser:modifyRoleRequest>
  </soapenv:Body>
</soapenv:Envelope>

I forget the format of entityKey but I would guess LDAP DN of the role
object as a first draft. I am not sure what the categoryKey value is
supposed to look like, but I would try a getRole call to see how the
data is returned:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ser="http://www.novell.com/role/service">
  <soapenv:Header/>
  <soapenv:Body>
    <ser:getRoleRequest>
      <!--Optional:-->
      <ser:roleDN>?</ser:roleDN>
    </ser:getRoleRequest>
  </soapenv:Body>
</soapenv:Envelope>

You can use curl, at the command line to read input from a file to issue
SOAP commands, and a good scripter could probably script it to look at a
file with the SOAP sample doc, and a file with a list of values to
change, and probably do it all on the command line.




0 Likes
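
The scripted approach suggested in the reply above (a SOAP template plus a file of values to change), as an added example that is not part of the original posts and is not NetIQ code. It builds one modifyRoleRequest per row with an XML library instead of text substitution, so DNs containing `&` or `<` cannot break or alter the request, and it rejects rows whose category is not on an allow-list. Assumptions: entityKey is the role's LDAP DN (the post's own first guess), the service accepts a request carrying only entityKey and roleCategoryKeys (the post is unsure), and the CSV column names, DNs and category keys are constructed sample values.

```python
import csv
import io
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
SER = "http://www.novell.com/role/service"
ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("ser", SER)

# Constructed sample input: role DN and the category key it should receive.
SAMPLE_CSV = (
    'role_dn,category_key\n'
    '"cn=R&D Admins,cn=Roles,o=example",engineering\n'
    '"cn=Helpdesk,cn=Roles,o=example",support\n'
    '"cn=Legacy,cn=Roles,o=example",no-such-category\n'
)

def build_modify_role(entity_key, category_key):
    """Build one modifyRoleRequest; ElementTree escapes &, < and > in values."""
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    ET.SubElement(env, f"{{{SOAPENV}}}Header")
    body = ET.SubElement(env, f"{{{SOAPENV}}}Body")
    req = ET.SubElement(body, f"{{{SER}}}modifyRoleRequest")
    role = ET.SubElement(req, f"{{{SER}}}role")
    # Assumption: entityKey holds the role's LDAP DN.
    ET.SubElement(role, f"{{{SER}}}entityKey").text = entity_key
    keys = ET.SubElement(role, f"{{{SER}}}roleCategoryKeys")
    wrapper = ET.SubElement(keys, f"{{{SER}}}categorykey")
    ET.SubElement(wrapper, f"{{{SER}}}categoryKey").text = category_key
    return ET.tostring(env, encoding="unicode")

def build_batch(csv_text, allowed_categories):
    """Return (requests, rejected): [(dn, xml)] and [(csv_line, reason)]."""
    requests, rejected, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        dn = (row.get("role_dn") or "").strip()
        cat = (row.get("category_key") or "").strip()
        if not dn:
            rejected.append((reader.line_num, "empty role DN"))
        elif cat not in allowed_categories:
            rejected.append((reader.line_num, f"unknown category {cat!r}"))
        elif dn.lower() in seen:
            rejected.append((reader.line_num, "duplicate role DN"))
        else:
            seen.add(dn.lower())
            requests.append((dn, build_modify_role(dn, cat)))
    return requests, rejected

if __name__ == "__main__":
    ok, bad = build_batch(SAMPLE_CSV, {"engineering", "support"})
    print(len(ok), "requests built;", "rejected:", bad)
```

Each generated document can be saved to a file and posted with curl as the reply describes. Running getRole on a few roles in the test instance before and after shows whether the reduced request leaves the other role fields untouched.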
Anonymous_User Absent Member.
Absent Member.

Re: Change of category using LDAP

Geoffrey Carman wrote:

> On 9/4/2014 11:40 AM, Alex McHugh wrote:
> > sonjoh wrote:
> >
> > >
> > > We have a lot of roles we want to change category for.
> > > Is there any reason for not exporting the list in a LDAP tool and change
> > > attribute category and import new list?

> >
> > Just to clarify, is this a supported method or are there references in the database that won't be updated if we only change this via LDAP?
> > The new role category is already defined in role category list and there are no localizations involved.
> > IDM 4.0.2 UA Patch C

>
> Steve is not here right now. (Dunno why he has been away this last week, but I will guess vacation, so let me put on my Steve hat, since I am pretty sure he will tell you this would not be supported).


This is also my opinion, but Steve is the ultimate authority on such things (and I don't know if it's worth opening a SR just for this).
Sondre is my colleague so he's already heard my opinion on this.

Just to clarify - I'd suggested a null driver that calls a workflow with an integration activity that calls the relevant SOAP call.
That was mostly as it seemed like a good learning opportunity for Sondre to get familiar with workflows and integration activities.

We have ca. 1700 roles with incorrect category value assigned across test and production IDM instances.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Knowledge Partner
Knowledge Partner

Re: Change of category using LDAP


>> Steve is not here right now. (Dunno why he has been away this last week, but I will guess vacation, so let me put on my Steve hat, since I am pretty sure he will tell you this would not be supported).

>
> This is also my opinion, but Steve is the ultimate authority on such things (and I don't know if it's worth opening a SR just for this).
> Sondre is my colleague so he's already heard my opinion on this.


So mistake number 1. Sondre is foolish enough to work with you. 🙂

No worries.

> Just to clarify - I'd suggested a null driver that calls a workflow with an integration activity that calls the relevant SOAP call.
> That was mostly as it seemed like a good learning opportunity for Sondre to get familiar with workflows and integration activities.


That is what I was thinking as well, but that has enough complexity in
it, I did not think it was 'simple' or 'elegant' to suggest.

But would teach a lot. If so, let me recommend my two articles on that
sort of topic:

http://www.novell.com/communities/node/12187/using-soap-terminate-running-workflow-part-1
http://www.novell.com/communities/node/12200/using-soap-terminate-running-workflow-part-2


> We have ca. 1700 roles with incorrect category value assigned across test and production IDM instances.


Fun! Can you easily predict the proper value, or must you fix them one
by one?


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Change of category using LDAP

On 09/04/2014 02:29 PM, Geoffrey Carman wrote:
>
>>> Steve is not here right now. (Dunno why he has been away this last
>>> week, but I will guess vacation, so let me put on my Steve hat, since
>>> I am pretty sure he will tell you this would not be supported).

>>
>> This is also my opinion, but Steve is the ultimate authority on such
>> things (and I don't know if it's worth opening a SR just for this).
>> Sondre is my colleague so he's already heard my opinion on this.

>
> So mistake number 1. Sondre is foolish enough to work with you. 🙂
>
> No worries.
>
>> Just to clarify - I'd suggested a null driver that calls a workflow
>> with an integration activity that calls the relevant SOAP call.
>> That was mostly as it seemed like a good learning opportunity for
>> Sondre to get familiar with workflows and integration activities.

>
> That is what I was thinking as well, but that has enough complexity in
> it, I did not think it was 'simple' or 'elegant' to suggest.
>
> But would teach a lot. If so, let me recommend my two articles on that
> sort of topic:
>
> http://www.novell.com/communities/node/12187/using-soap-terminate-running-workflow-part-1
>
> http://www.novell.com/communities/node/12200/using-soap-terminate-running-workflow-part-2
>
>
>
>> We have ca. 1700 roles with incorrect category value assigned across
>> test and production IDM instances.

>
> Fun! Can you easily predict the proper value, or must you fix them one
> by one?
>
>

Greetings,
The only supported ways to modify a Role or Resource are:

User Application UI
User Application SOAP endpoints
User Application REST endpoints
RMA
rra (Catalog Administrator if you have updated to the 4.0.2A release)
Designer



--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
0 Likes