Super Contributor.

DirXML-EntitlementResult with Custom Entitlements

I have a null driver with the custom entitlements package installed. Based on entitlement values, I call an external web API to set the appropriate permission in the external system. Then I veto the operation.

I would have liked to use the REST driver, but it did not support the OAuth2 JWT flow until about two weeks ago.

Anyways, everything works fine except I cannot figure out how to get the result of the entitlement assignment into the DirXML-EntitlementResult attribute. I looked at other entitlement enabled drivers for examples of how this is done. I see that after looping through the added/removed entitlements, operation data is added to the XDS document with the <entitlement-impl> element. I'm not really sure how, but I believe this is what is processed by the driver shim to actually update DirXML-EntitlementResult.

Geoff's entitlement articles have been helpful, but I still can't figure this out. I'm at a point where I believe my best option is to update DirXML-EntitlementResult directly from policy. Would that be a bad idea? Any other ideas?

I appreciate any help.

15 Replies

Knowledge Partner

Re: DirXML-EntitlementResult with Custom Entitlements

The Syntax of the attribute is not obvious.  Shon Vella (Formerly Father Ramon) shared the definitions with a colleague of mine, so I have the info. Of course it is documented somewhere, right?  Sure, sure it is...

I THINK the idea is that the RRSD that grants the Resource, which copies the nrfEntitlementRef value to DirXML-EntitlementRef.

The <entitlement-impl> needs to flow back to the engine (so I wonder if your veto is the issue) so it can convert it to the Result attribute. I think it might be the engine that sees the event return with the <entitlement-impl> node and writes the value for you.

Why do you need it? What are you using it for?

 

Super Contributor.

Re: DirXML-EntitlementResult with Custom Entitlements

I agree that the engine processed the <entitlement-impl> and the veto could be the issue, but the <entitlement-impl> is not getting added to the operation. In the old days, I thought implement entitlement token created it, but now the add and remove should add it. It does in an AD driver. Looping through added/removed entitlements does not add <entitlement-impl> in my driver.

The "do I need it" is a good question. I thought it would be helpful to have a record of when an entitlement was added and revoked, especially for debugging purposes. I could use nrfResourceHistory but that gets purged every 7 days. Also, I mistakenly thought this would be easy, so why not do it since we have this value for every other entitlement enabled driver. Now, I've gone down the entitlement processing rabbit hole.

Knowledge Partner

Re: DirXML-EntitlementResult with Custom Entitlements

So if you For Each over Removed Entitlement or Entitlements, the engine is supposed to add the <entitlement-impl> node.

Are you still using the loopback I did for you guys? (Am I remembering that correctly?) Or did you switch to the NetIQ local group processor?

Super Contributor.

Re: DirXML-EntitlementResult with Custom Entitlements

We are still using the loopback driver.

Knowledge Partner

Re: DirXML-EntitlementResult with Custom Entitlements

The MF one is also a Loopback driver.  🙂  They basically packaged the same basic approach. Which is nice.

Micro Focus Expert

Re: DirXML-EntitlementResult with Custom Entitlements

The engine needs to process status documents at the end of the input transformation policy set to update DirXML-EntitlementResult. So your veto interferes with that.

Regarding its purpose: The engine logs this audit event:

0030036

Entitlement Operation

Occurs when the value of the DirXML-EntitlementResult changes.

You can send it to a log management system if you need it for longer than 7 days.

--
Norbert

Super Contributor.

Re: DirXML-EntitlementResult with Custom Entitlements

I agree that the veto would prevent the engine from processing the event that would write the dirxml-entitlementresult attribute, but the <entitlement-impl> is not being added to the document at all. Just to double check, I turned off the veto and verified this was true. I guess it kind of makes sense for the driver to not bother adding <entitlement-impl> to the XDS at all because the purpose of the null driver is to just send the transactions into a hole.

I'm going to try the loopback driver. Maybe I'll have better luck there.

Super Contributor.

Re: DirXML-EntitlementResult with Custom Entitlements

The loopback driver does not add the <entitlement-impl> either.

Knowledge Partner

Re: DirXML-EntitlementResult with Custom Entitlements

As silly as it sounds, have you tried appending the XML and letting it flow back to the engine? I.e. is it the engine that does it, seeing the <entitlement-impl> node, or the shim?

Micro Focus Expert

Re: DirXML-EntitlementResult with Custom Entitlements

Super Contributor.

Re: DirXML-EntitlementResult with Custom Entitlements

It's my understanding that you do not need to do that anymore. Looping through the added and removed entitlements token should do the same thing.
