
Entitlement for Scripting Driver is not coming to User App


Hi,

I want to assign a scripting driver (for provisioning to Lync) entitlement to a user through roles / resources in the user application. When I created a resource in the resource catalog in the user application, the scripting driver does not show up as a possible entitlement.

I am using IDM 4.0.2 in Linux RHEL6.5

Regards,
Koushik


0 Likes

On 1/28/2015 5:36 PM, koushikbecit wrote:
>
> Hi,
>
> I want to assign a scripting driver (for provisioning to Lync)
> entitlement to a user
> through roles / resources in the user application. When I created a
> resource in the resource catalog in the user
> application, the scripting driver does not show up as a possible
> entitlement.


Welcome to the fun world of Resources. This abstraction, which I really
wonder about, has some serious consequences.

First, look under your Driver object. Do you have a DirXML-Resource
object named entitlementConfiguration? You need one with proper
definition for your entitlement.

Look at any shipped NetIQ driver that is properly running, and you can
see a sample. The docs explaining how this all works are mostly
non-existent.

The UA issues a query via LDAP for this object, which it then parses,
finds all the entitlements, queries them via LDAP, then finally issues
some IDM queries injected into the driver queue to get values, if it is
a valued entitlement.

Have fun.

0 Likes

koushikbecit <koushikbecit@no-mx.forums.netiq.com> wrote:
> Hi,
>
> I want to assign a scripting driver (for provisioning to Lync)
> entitlement to a user
> through roles / resources in the user application. When I created a
> resource in the resource catalog in the user
> application, the scripting driver does not show up as a possible
> entitlement.


You need to create an Entitlement Configuration object that tells user app
that this entitlement is enabled for role/resources. This hasn't changed
much since the cool solution was written for IDM user app 3.7.

Also, you need to find a way to allow the entitlement query (code map
refresh) triggered by the user app to be handled by the scripting driver
shim.

The way I solved this was to copy the approach used in the Active Directory
Entitlements & Exchange 1.x packages and specifically the UserAccount
entitlement. The new HPD uses a different way to tag the user app initiated
query event. Have not tried that yet.

This also required a newer scripting driver patch (included in the 402b
scripting driver ISO) to properly return the response from the query.

> I am using IDM 4.0.2 in Linux RHEL6.5


What scripting driver remote loader/shim version are you using? I guess you
have to use the Windows one as you need PowerShell. If it isn't the latest
4.02 patch for scripting driver then you should update.

0 Likes
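Both replies above point at the driver's entitlementConfiguration object as what the User Application reads to decide which entitlements it offers. The following check is an added example, not part of either post and not NetIQ code: it parses such an object and reports why an expected entitlement would be missing from the resource catalog. The XML layout (`entitlement` elements carrying `dn`, `resource-mapping` and `role-mapping` attributes) is an assumption modelled on what shipped drivers contain and should be compared against a working driver; the driver name `Lync Scripting` and the entitlement `LyncAccount` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread. Element and attribute names
# are assumptions; the DNs are hypothetical.
SAMPLE_CONFIG = """\
<entitlementConfiguration>
  <entitlements>
    <entitlement dn="CN=UserAccount,CN=Active Directory,CN=driverset1,O=system"
                 data-collection="true" parameter-format="idm4"
                 resource-mapping="true" role-mapping="true"/>
    <entitlement dn="CN=LyncAccount,CN=Lync Scripting,CN=driverset1,O=system"
                 data-collection="true" parameter-format="idm4"
                 resource-mapping="false" role-mapping="true"/>
  </entitlements>
</entitlementConfiguration>
"""


def audit_entitlement_config(xml_text, expected_dns):
    """Return {dn: problem} for each expected entitlement that would not be
    offered for resource mapping according to the configuration XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A malformed object hides every entitlement, so flag them all.
        return {dn: f"configuration is not well-formed XML: {exc}"
                for dn in expected_dns}

    # Index by lower-cased DN because directory DNs compare case-insensitively.
    declared = {e.get("dn", "").strip().lower(): e
                for e in root.iter("entitlement")}

    problems = {}
    for dn in expected_dns:
        entry = declared.get(dn.strip().lower())
        if entry is None:
            problems[dn] = "not listed in entitlementConfiguration"
        # Assumption: a missing attribute is treated the same as "false".
        elif entry.get("resource-mapping", "false").strip().lower() != "true":
            problems[dn] = "listed, but resource-mapping is not enabled"
    return problems


if __name__ == "__main__":
    wanted = ["CN=LyncAccount,CN=Lync Scripting,CN=driverset1,O=system"]
    for dn, why in audit_entitlement_config(SAMPLE_CONFIG, wanted).items():
        print(f"{dn}: {why}")
```
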

> You need to create an Entitlement Configuration object that tells user app
> that this entitlement is enabled for role/resources. This hasn't changed
> much since the cool solution was written for IDM user app 3.7.


Alex is referring to these two articles:
http://www.novell.com/communities/node/9702/convert-driver-entitlements-new-rbpm-37-resource-model
http://www.novell.com/communities/node/11558/converting-entitlements-resources-more-details


First is how, second is what it is doing, by me.

> Also, you need to find a way to allow the entitlement query (code map
> refresh) triggered by the user app to be handled by the scripting driver
> shim.
>
> The way I solved this was to copy the approach used in the Active Directory
> Entitlements & Exchange 1.x packages and specifically the UserAccount
> entitlement. The new HPD uses a different way to tag the user app initiated
> query event. Have not tried that yet.


Not HPD, but PCRS, if it is what I am thinking you mean.

They write back to the Entitlement object a change to the <query> node,
and add an @event-id="ENTITILEMENT:Group" XML attribute.

But it 'dirties' the Entitlement if packaged, and if you look at it in
Designer, you lose the change. (Which is why they must be modifying it
in policy. I would have preferred a Designer fix, instead of the
workaround, but whatever).

Just use an op-prop, which Designer supports and works fine.

> This also required a newer scripting driver patch (included in the 402b
> scripting driver ISO) to properly return the response from the query.
>
>> I am using IDM 4.0.2 in Linux RHEL6.5

>
> What scripting driver remote loader/shim version are you using? I guess you
> have to use the Windows one as you need PowerShell. If it isn't the latest
> 4.02 patch for scripting driver then you should update.
>


0 Likes

Geoffrey Carman wrote:

> > You need to create an Entitlement Configuration object that tells user app
> > that this entitlement is enabled for role/resources. This hasn't changed
> > much since the cool solution was written for IDM user app 3.7.

>
> Alex is referring to these two articles:
> http://www.novell.com/communities/node/9702/convert-driver-entitlements-new-rbpm-37-resource-model


Yes I was referring to this article specifically.


> They write back to the Entitlement object a change to the <query> node, and add an @event-id="ENTITILEMENT:Group" XML attribute.
>
> But it 'dirties' the Entitlement if packaged, and if you look at it in Designer, you lose the change. (Which is why they must be modifying it in policy. I would have preferred a Designer fix, instead of the workaround, but whatever).
>
> Just use an op-prop, which Designer supports and works fine.


The thing with the op-prop is that when you have policies to replace the query with an operation-property tagged driver ping, some driver shims don't handle restoring the operation property again on the return status/instance.

The SOAP, Scripting and Delimited Text drivers that I have worked with initially had this problem; however, the latest versions are fixed. I'm sure that there are more.

In my opinion it seems like a smart decision to go with an alternate fix (@event-id="ENTITILEMENT:xxx") that doesn't require fixing every driver shim. That is a better long-term approach (as long as they eventually fix the minor Designer issue).
0 Likes